xref: /linux/net/wireless/nl80211.c (revision 3591e3b9a7cae0f412665f3f5f5f53a29a950d87) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
319 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
320 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
466 	.min = 0,
467 	.max = 0xffff,
468 };
469 
470 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
471 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
472 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
473 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
474 				      .len = 20-1 },
475 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
476 
477 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
478 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
479 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
480 						NL80211_EDMG_CHANNELS_MIN,
481 						NL80211_EDMG_CHANNELS_MAX),
482 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
483 						NL80211_EDMG_BW_CONFIG_MIN,
484 						NL80211_EDMG_BW_CONFIG_MAX),
485 
486 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
487 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
488 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
489 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
490 
491 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
492 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
493 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
494 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
495 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
496 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
497 
498 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
499 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
500 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
501 
502 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
503 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
504 
505 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
506 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
507 				    .len = WLAN_MAX_KEY_LEN },
508 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
509 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
510 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
511 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
512 	[NL80211_ATTR_KEY_TYPE] =
513 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
514 
515 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
516 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
517 	[NL80211_ATTR_BEACON_HEAD] =
518 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
519 				       IEEE80211_MAX_DATA_LEN),
520 	[NL80211_ATTR_BEACON_TAIL] =
521 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
522 				       IEEE80211_MAX_DATA_LEN),
523 	[NL80211_ATTR_STA_AID] =
524 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
525 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
526 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
527 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
528 					       .len = NL80211_MAX_SUPP_RATES },
529 	[NL80211_ATTR_STA_PLINK_ACTION] =
530 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
531 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
532 		NLA_POLICY_RANGE(NLA_U8,
533 				 NL80211_TX_POWER_AUTOMATIC,
534 				 NL80211_TX_POWER_FIXED),
535 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
536 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
537 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
538 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
539 				   .len = IEEE80211_MAX_MESH_ID_LEN },
540 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
541 
542 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
543 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
544 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
545 
546 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
547 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
549 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
550 					   .len = NL80211_MAX_SUPP_RATES },
551 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
552 
553 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
554 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
555 
556 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
557 
558 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
559 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
560 						   validate_ie_attr,
561 						   IEEE80211_MAX_DATA_LEN),
562 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
563 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
564 
565 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
566 				.len = IEEE80211_MAX_SSID_LEN },
567 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
568 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
569 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
572 						  NL80211_MFP_NO,
573 						  NL80211_MFP_OPTIONAL),
574 	[NL80211_ATTR_STA_FLAGS2] =
575 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
576 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
577 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
578 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
579 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
580 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
583 	[NL80211_ATTR_WPA_VERSIONS] =
584 		NLA_POLICY_RANGE(NLA_U32, 0,
585 				 NL80211_WPA_VERSION_1 |
586 				 NL80211_WPA_VERSION_2 |
587 				 NL80211_WPA_VERSION_3),
588 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
589 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
590 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
591 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
592 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
593 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
594 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
595 				 .len = IEEE80211_MAX_DATA_LEN },
596 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
597 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
598 						   NL80211_PS_DISABLED,
599 						   NL80211_PS_ENABLED),
600 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
601 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
603 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
604 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
605 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
606 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
607 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
608 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
609 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
610 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
611 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
612 	[NL80211_ATTR_STA_PLINK_STATE] =
613 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
614 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
615 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
616 	[NL80211_ATTR_MESH_PEER_AID] =
617 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
618 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
619 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
620 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
621 	[NL80211_ATTR_HIDDEN_SSID] =
622 		NLA_POLICY_RANGE(NLA_U32,
623 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
624 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
625 	[NL80211_ATTR_IE_PROBE_RESP] =
626 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
627 				       IEEE80211_MAX_DATA_LEN),
628 	[NL80211_ATTR_IE_ASSOC_RESP] =
629 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
630 				       IEEE80211_MAX_DATA_LEN),
631 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
632 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
633 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
634 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
635 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
636 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
637 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
638 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
640 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
641 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
642 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
643 				      .len = IEEE80211_MAX_DATA_LEN },
644 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
645 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
646 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
647 		.len = NL80211_HT_CAPABILITY_LEN
648 	},
649 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
650 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
651 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
652 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
653 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
654 
655 	/* need to include at least Auth Transaction and Status Code */
656 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
657 
658 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
659 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
660 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
661 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
662 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
663 		NLA_POLICY_RANGE(NLA_U32,
664 				 NL80211_MESH_POWER_UNKNOWN + 1,
665 				 NL80211_MESH_POWER_MAX),
666 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
667 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
668 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
669 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
670 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
671 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
672 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
673 		.len = NL80211_VHT_CAPABILITY_LEN,
674 	},
675 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
676 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
677 				  .len = IEEE80211_MAX_DATA_LEN },
678 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
679 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
680 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
681 	[NL80211_ATTR_PEER_AID] =
682 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
683 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
684 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
685 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
686 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
687 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
688 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
689 	/*
690 	 * The value of the Length field of the Supported Operating
691 	 * Classes element is between 2 and 253.
692 	 */
693 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
694 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
695 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
696 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
697 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
698 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
699 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
700 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
701 						  IEEE80211_QOS_MAP_LEN_MIN,
702 						  IEEE80211_QOS_MAP_LEN_MAX),
703 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
704 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
705 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
706 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
707 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
708 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
709 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
710 	[NL80211_ATTR_USER_PRIO] =
711 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
712 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
713 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
714 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
715 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
716 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
717 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
718 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
719 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
720 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
721 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
722 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
723 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
724 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
725 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
726 	},
727 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
728 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
729 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
730 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
731 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
732 				    .len = FILS_MAX_KEK_LEN },
733 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
734 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
735 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
736 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
737 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
738 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
739 	},
740 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
741 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
742 					     .len = FILS_ERP_MAX_USERNAME_LEN },
743 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
744 					  .len = FILS_ERP_MAX_REALM_LEN },
745 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
746 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
747 					.len = FILS_ERP_MAX_RRK_LEN },
748 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
749 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
750 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
751 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
752 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
753 
754 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
755 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
756 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
757 	[NL80211_ATTR_HE_CAPABILITY] =
758 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
759 				       NL80211_HE_MAX_CAPABILITY_LEN),
760 	[NL80211_ATTR_FTM_RESPONDER] =
761 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
762 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
763 	[NL80211_ATTR_PEER_MEASUREMENTS] =
764 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
765 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
766 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
767 					.len = SAE_PASSWORD_MAX_LEN },
768 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
769 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
770 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
771 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
772 	[NL80211_ATTR_TID_CONFIG] =
773 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
774 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
775 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
776 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
777 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
778 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
779 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
780 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
781 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
782 	[NL80211_ATTR_FILS_DISCOVERY] =
783 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
784 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
785 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
786 	[NL80211_ATTR_S1G_CAPABILITY] =
787 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
788 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
789 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
790 	[NL80211_ATTR_SAE_PWE] =
791 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
792 				 NL80211_SAE_PWE_BOTH),
793 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
794 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
795 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
796 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
797 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
798 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
799 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
800 	[NL80211_ATTR_MBSSID_CONFIG] =
801 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
802 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
803 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
804 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
805 	[NL80211_ATTR_EHT_CAPABILITY] =
806 		NLA_POLICY_RANGE(NLA_BINARY,
807 				 NL80211_EHT_MIN_CAPABILITY_LEN,
808 				 NL80211_EHT_MAX_CAPABILITY_LEN),
809 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
810 	[NL80211_ATTR_MLO_LINKS] =
811 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
812 	[NL80211_ATTR_MLO_LINK_ID] =
813 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
814 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
815 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
816 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
817 	[NL80211_ATTR_PUNCT_BITMAP] =
818 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
819 
820 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
821 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
822 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
823 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
824 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
825 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
826 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
827 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
828 };
829 
830 /* policy for the key attributes */
831 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
832 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
833 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
834 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
835 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
836 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
837 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
838 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
839 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
840 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
841 };
842 
843 /* policy for the key default flags */
844 static const struct nla_policy
845 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
846 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
847 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
848 };
849 
850 #ifdef CONFIG_PM
851 /* policy for WoWLAN attributes */
852 static const struct nla_policy
853 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
854 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
855 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
856 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
857 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
858 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
859 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
860 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
861 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
862 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
863 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
864 };
865 
866 static const struct nla_policy
867 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
868 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
869 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
870 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
871 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
872 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
873 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
874 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
875 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
876 	},
877 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
878 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
879 	},
880 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
881 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
882 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
883 };
884 #endif /* CONFIG_PM */
885 
886 /* policy for coalesce rule attributes */
887 static const struct nla_policy
888 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
889 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
890 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
891 		NLA_POLICY_RANGE(NLA_U32,
892 				 NL80211_COALESCE_CONDITION_MATCH,
893 				 NL80211_COALESCE_CONDITION_NO_MATCH),
894 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
895 };
896 
897 /* policy for GTK rekey offload attributes */
898 static const struct nla_policy
899 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
900 	[NL80211_REKEY_DATA_KEK] = {
901 		.type = NLA_BINARY,
902 		.len = NL80211_KEK_EXT_LEN
903 	},
904 	[NL80211_REKEY_DATA_KCK] = {
905 		.type = NLA_BINARY,
906 		.len = NL80211_KCK_EXT_LEN_32
907 	},
908 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
909 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
910 };
911 
912 static const struct nla_policy
913 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
914 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
915 						 .len = IEEE80211_MAX_SSID_LEN },
916 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
917 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
918 };
919 
920 static const struct nla_policy
921 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
922 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
923 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
924 };
925 
926 static const struct nla_policy
927 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
928 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
929 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
930 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
931 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
932 	},
933 };
934 
935 /* policy for NAN function attributes */
936 static const struct nla_policy
937 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
938 	[NL80211_NAN_FUNC_TYPE] =
939 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
940 	[NL80211_NAN_FUNC_SERVICE_ID] = {
941 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
942 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
943 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
944 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
945 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
946 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
948 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
949 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
950 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
951 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
952 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
953 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
954 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
955 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
956 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
957 };
958 
959 /* policy for Service Response Filter attributes */
960 static const struct nla_policy
961 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
962 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
963 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
964 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
965 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
966 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
967 };
968 
969 /* policy for packet pattern attributes */
970 static const struct nla_policy
971 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
972 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
973 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
974 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
975 };
976 
977 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
978 				     struct cfg80211_registered_device **rdev,
979 				     struct wireless_dev **wdev,
980 				     struct nlattr **attrbuf)
981 {
982 	int err;
983 
984 	if (!cb->args[0]) {
985 		struct nlattr **attrbuf_free = NULL;
986 
987 		if (!attrbuf) {
988 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
989 					  GFP_KERNEL);
990 			if (!attrbuf)
991 				return -ENOMEM;
992 			attrbuf_free = attrbuf;
993 		}
994 
995 		err = nlmsg_parse_deprecated(cb->nlh,
996 					     GENL_HDRLEN + nl80211_fam.hdrsize,
997 					     attrbuf, nl80211_fam.maxattr,
998 					     nl80211_policy, NULL);
999 		if (err) {
1000 			kfree(attrbuf_free);
1001 			return err;
1002 		}
1003 
1004 		rtnl_lock();
1005 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1006 						   attrbuf);
1007 		kfree(attrbuf_free);
1008 		if (IS_ERR(*wdev)) {
1009 			rtnl_unlock();
1010 			return PTR_ERR(*wdev);
1011 		}
1012 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1013 		mutex_lock(&(*rdev)->wiphy.mtx);
1014 		rtnl_unlock();
1015 		/* 0 is the first index - add 1 to parse only once */
1016 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1017 		cb->args[1] = (*wdev)->identifier;
1018 	} else {
1019 		/* subtract the 1 again here */
1020 		struct wiphy *wiphy;
1021 		struct wireless_dev *tmp;
1022 
1023 		rtnl_lock();
1024 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1025 		if (!wiphy) {
1026 			rtnl_unlock();
1027 			return -ENODEV;
1028 		}
1029 		*rdev = wiphy_to_rdev(wiphy);
1030 		*wdev = NULL;
1031 
1032 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1033 			if (tmp->identifier == cb->args[1]) {
1034 				*wdev = tmp;
1035 				break;
1036 			}
1037 		}
1038 
1039 		if (!*wdev) {
1040 			rtnl_unlock();
1041 			return -ENODEV;
1042 		}
1043 		mutex_lock(&(*rdev)->wiphy.mtx);
1044 		rtnl_unlock();
1045 	}
1046 
1047 	return 0;
1048 }
1049 
1050 /* message building helper */
1051 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1052 		     int flags, u8 cmd)
1053 {
1054 	/* since there is no private header just add the generic one */
1055 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1056 }
1057 
1058 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1059 				     const struct ieee80211_reg_rule *rule)
1060 {
1061 	int j;
1062 	struct nlattr *nl_wmm_rules =
1063 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1064 
1065 	if (!nl_wmm_rules)
1066 		goto nla_put_failure;
1067 
1068 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1069 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1070 
1071 		if (!nl_wmm_rule)
1072 			goto nla_put_failure;
1073 
1074 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1075 				rule->wmm_rule.client[j].cw_min) ||
1076 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1077 				rule->wmm_rule.client[j].cw_max) ||
1078 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1079 			       rule->wmm_rule.client[j].aifsn) ||
1080 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1081 			        rule->wmm_rule.client[j].cot))
1082 			goto nla_put_failure;
1083 
1084 		nla_nest_end(msg, nl_wmm_rule);
1085 	}
1086 	nla_nest_end(msg, nl_wmm_rules);
1087 
1088 	return 0;
1089 
1090 nla_put_failure:
1091 	return -ENOBUFS;
1092 }
1093 
1094 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1095 				   struct ieee80211_channel *chan,
1096 				   bool large)
1097 {
1098 	/* Some channels must be completely excluded from the
1099 	 * list to protect old user-space tools from breaking
1100 	 */
1101 	if (!large && chan->flags &
1102 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1103 		return 0;
1104 	if (!large && chan->freq_offset)
1105 		return 0;
1106 
1107 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1108 			chan->center_freq))
1109 		goto nla_put_failure;
1110 
1111 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1112 		goto nla_put_failure;
1113 
1114 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1115 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1116 		goto nla_put_failure;
1117 
1118 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1119 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1120 		goto nla_put_failure;
1121 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1122 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1123 			goto nla_put_failure;
1124 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1125 			goto nla_put_failure;
1126 	}
1127 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1128 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1129 			goto nla_put_failure;
1130 		if (large) {
1131 			u32 time;
1132 
1133 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1134 
1135 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1136 					chan->dfs_state))
1137 				goto nla_put_failure;
1138 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1139 					time))
1140 				goto nla_put_failure;
1141 			if (nla_put_u32(msg,
1142 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1143 					chan->dfs_cac_ms))
1144 				goto nla_put_failure;
1145 		}
1146 	}
1147 
1148 	if (large) {
1149 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1150 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1151 			goto nla_put_failure;
1152 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1153 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1154 			goto nla_put_failure;
1155 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1156 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1157 			goto nla_put_failure;
1158 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1159 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1160 			goto nla_put_failure;
1161 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1162 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1163 			goto nla_put_failure;
1164 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1165 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1166 			goto nla_put_failure;
1167 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1168 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1169 			goto nla_put_failure;
1170 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1171 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1172 			goto nla_put_failure;
1173 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1174 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1175 			goto nla_put_failure;
1176 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1177 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1178 			goto nla_put_failure;
1179 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1180 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1181 			goto nla_put_failure;
1182 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1183 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1184 			goto nla_put_failure;
1185 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1186 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1187 			goto nla_put_failure;
1188 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1189 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1190 			goto nla_put_failure;
1191 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1192 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1193 			goto nla_put_failure;
1194 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1195 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1196 			goto nla_put_failure;
1197 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1198 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1199 			goto nla_put_failure;
1200 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1201 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1202 			goto nla_put_failure;
1203 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1204 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1205 			goto nla_put_failure;
1206 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1207 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1208 			goto nla_put_failure;
1209 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1210 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1211 			goto nla_put_failure;
1212 	}
1213 
1214 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1215 			DBM_TO_MBM(chan->max_power)))
1216 		goto nla_put_failure;
1217 
1218 	if (large) {
1219 		const struct ieee80211_reg_rule *rule =
1220 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1221 
1222 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1223 			if (nl80211_msg_put_wmm_rules(msg, rule))
1224 				goto nla_put_failure;
1225 		}
1226 	}
1227 
1228 	return 0;
1229 
1230  nla_put_failure:
1231 	return -ENOBUFS;
1232 }
1233 
1234 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1235 				  struct cfg80211_txq_stats *txqstats,
1236 				  int attrtype)
1237 {
1238 	struct nlattr *txqattr;
1239 
1240 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1241 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1242 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1243 		return false;						  \
1244 	} while (0)
1245 
1246 	txqattr = nla_nest_start_noflag(msg, attrtype);
1247 	if (!txqattr)
1248 		return false;
1249 
1250 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1251 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1252 	PUT_TXQVAL_U32(FLOWS, flows);
1253 	PUT_TXQVAL_U32(DROPS, drops);
1254 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1255 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1256 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1257 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1258 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1259 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1260 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1261 	nla_nest_end(msg, txqattr);
1262 
1263 #undef PUT_TXQVAL_U32
1264 	return true;
1265 }
1266 
1267 /* netlink command implementations */
1268 
1269 /**
1270  * nl80211_link_id - return link ID
1271  * @attrs: attributes to look at
1272  *
1273  * Returns: the link ID or 0 if not given
1274  *
1275  * Note this function doesn't do any validation of the link
1276  * ID validity wrt. links that were actually added, so it must
1277  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1278  * or if additional validation is done.
1279  */
1280 static unsigned int nl80211_link_id(struct nlattr **attrs)
1281 {
1282 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1283 
1284 	if (!linkid)
1285 		return 0;
1286 
1287 	return nla_get_u8(linkid);
1288 }
1289 
1290 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1291 {
1292 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1293 
1294 	if (!linkid)
1295 		return -1;
1296 
1297 	return nla_get_u8(linkid);
1298 }
1299 
1300 struct key_parse {
1301 	struct key_params p;
1302 	int idx;
1303 	int type;
1304 	bool def, defmgmt, defbeacon;
1305 	bool def_uni, def_multi;
1306 };
1307 
1308 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1309 				 struct key_parse *k)
1310 {
1311 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1312 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1313 					      nl80211_key_policy,
1314 					      info->extack);
1315 	if (err)
1316 		return err;
1317 
1318 	k->def = !!tb[NL80211_KEY_DEFAULT];
1319 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1320 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1321 
1322 	if (k->def) {
1323 		k->def_uni = true;
1324 		k->def_multi = true;
1325 	}
1326 	if (k->defmgmt || k->defbeacon)
1327 		k->def_multi = true;
1328 
1329 	if (tb[NL80211_KEY_IDX])
1330 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1331 
1332 	if (tb[NL80211_KEY_DATA]) {
1333 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1334 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1335 	}
1336 
1337 	if (tb[NL80211_KEY_SEQ]) {
1338 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1339 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1340 	}
1341 
1342 	if (tb[NL80211_KEY_CIPHER])
1343 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1344 
1345 	if (tb[NL80211_KEY_TYPE])
1346 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1347 
1348 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1349 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1350 
1351 		err = nla_parse_nested_deprecated(kdt,
1352 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1353 						  tb[NL80211_KEY_DEFAULT_TYPES],
1354 						  nl80211_key_default_policy,
1355 						  info->extack);
1356 		if (err)
1357 			return err;
1358 
1359 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1360 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1361 	}
1362 
1363 	if (tb[NL80211_KEY_MODE])
1364 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1365 
1366 	return 0;
1367 }
1368 
1369 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1370 {
1371 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1372 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1373 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1374 	}
1375 
1376 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1377 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1378 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1379 	}
1380 
1381 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1382 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1383 
1384 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1385 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1386 
1387 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1388 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1389 
1390 	if (k->def) {
1391 		k->def_uni = true;
1392 		k->def_multi = true;
1393 	}
1394 	if (k->defmgmt)
1395 		k->def_multi = true;
1396 
1397 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1398 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1399 
1400 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1401 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1402 		int err = nla_parse_nested_deprecated(kdt,
1403 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1404 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1405 						      nl80211_key_default_policy,
1406 						      info->extack);
1407 		if (err)
1408 			return err;
1409 
1410 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1411 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1412 	}
1413 
1414 	return 0;
1415 }
1416 
1417 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1418 {
1419 	int err;
1420 
1421 	memset(k, 0, sizeof(*k));
1422 	k->idx = -1;
1423 	k->type = -1;
1424 
1425 	if (info->attrs[NL80211_ATTR_KEY])
1426 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1427 	else
1428 		err = nl80211_parse_key_old(info, k);
1429 
1430 	if (err)
1431 		return err;
1432 
1433 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1434 	    (k->defbeacon ? 1 : 0) > 1) {
1435 		GENL_SET_ERR_MSG(info,
1436 				 "key with multiple default flags is invalid");
1437 		return -EINVAL;
1438 	}
1439 
1440 	if (k->defmgmt || k->defbeacon) {
1441 		if (k->def_uni || !k->def_multi) {
1442 			GENL_SET_ERR_MSG(info,
1443 					 "defmgmt/defbeacon key must be mcast");
1444 			return -EINVAL;
1445 		}
1446 	}
1447 
1448 	if (k->idx != -1) {
1449 		if (k->defmgmt) {
1450 			if (k->idx < 4 || k->idx > 5) {
1451 				GENL_SET_ERR_MSG(info,
1452 						 "defmgmt key idx not 4 or 5");
1453 				return -EINVAL;
1454 			}
1455 		} else if (k->defbeacon) {
1456 			if (k->idx < 6 || k->idx > 7) {
1457 				GENL_SET_ERR_MSG(info,
1458 						 "defbeacon key idx not 6 or 7");
1459 				return -EINVAL;
1460 			}
1461 		} else if (k->def) {
1462 			if (k->idx < 0 || k->idx > 3) {
1463 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1464 				return -EINVAL;
1465 			}
1466 		} else {
1467 			if (k->idx < 0 || k->idx > 7) {
1468 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1469 				return -EINVAL;
1470 			}
1471 		}
1472 	}
1473 
1474 	return 0;
1475 }
1476 
1477 static struct cfg80211_cached_keys *
1478 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1479 		       struct genl_info *info, bool *no_ht)
1480 {
1481 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1482 	struct key_parse parse;
1483 	struct nlattr *key;
1484 	struct cfg80211_cached_keys *result;
1485 	int rem, err, def = 0;
1486 	bool have_key = false;
1487 
1488 	nla_for_each_nested(key, keys, rem) {
1489 		have_key = true;
1490 		break;
1491 	}
1492 
1493 	if (!have_key)
1494 		return NULL;
1495 
1496 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1497 	if (!result)
1498 		return ERR_PTR(-ENOMEM);
1499 
1500 	result->def = -1;
1501 
1502 	nla_for_each_nested(key, keys, rem) {
1503 		memset(&parse, 0, sizeof(parse));
1504 		parse.idx = -1;
1505 
1506 		err = nl80211_parse_key_new(info, key, &parse);
1507 		if (err)
1508 			goto error;
1509 		err = -EINVAL;
1510 		if (!parse.p.key)
1511 			goto error;
1512 		if (parse.idx < 0 || parse.idx > 3) {
1513 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1514 			goto error;
1515 		}
1516 		if (parse.def) {
1517 			if (def) {
1518 				GENL_SET_ERR_MSG(info,
1519 						 "only one key can be default");
1520 				goto error;
1521 			}
1522 			def = 1;
1523 			result->def = parse.idx;
1524 			if (!parse.def_uni || !parse.def_multi)
1525 				goto error;
1526 		} else if (parse.defmgmt)
1527 			goto error;
1528 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1529 						     parse.idx, false, NULL);
1530 		if (err)
1531 			goto error;
1532 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1533 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1534 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1535 			err = -EINVAL;
1536 			goto error;
1537 		}
1538 		result->params[parse.idx].cipher = parse.p.cipher;
1539 		result->params[parse.idx].key_len = parse.p.key_len;
1540 		result->params[parse.idx].key = result->data[parse.idx];
1541 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1542 
1543 		/* must be WEP key if we got here */
1544 		if (no_ht)
1545 			*no_ht = true;
1546 	}
1547 
1548 	if (result->def < 0) {
1549 		err = -EINVAL;
1550 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1551 		goto error;
1552 	}
1553 
1554 	return result;
1555  error:
1556 	kfree(result);
1557 	return ERR_PTR(err);
1558 }
1559 
1560 static int nl80211_key_allowed(struct wireless_dev *wdev)
1561 {
1562 	lockdep_assert_wiphy(wdev->wiphy);
1563 
1564 	switch (wdev->iftype) {
1565 	case NL80211_IFTYPE_AP:
1566 	case NL80211_IFTYPE_AP_VLAN:
1567 	case NL80211_IFTYPE_P2P_GO:
1568 	case NL80211_IFTYPE_MESH_POINT:
1569 		break;
1570 	case NL80211_IFTYPE_ADHOC:
1571 		if (wdev->u.ibss.current_bss)
1572 			return 0;
1573 		return -ENOLINK;
1574 	case NL80211_IFTYPE_STATION:
1575 	case NL80211_IFTYPE_P2P_CLIENT:
1576 		if (wdev->connected)
1577 			return 0;
1578 		return -ENOLINK;
1579 	case NL80211_IFTYPE_NAN:
1580 		if (wiphy_ext_feature_isset(wdev->wiphy,
1581 					    NL80211_EXT_FEATURE_SECURE_NAN))
1582 			return 0;
1583 		return -EINVAL;
1584 	case NL80211_IFTYPE_UNSPECIFIED:
1585 	case NL80211_IFTYPE_OCB:
1586 	case NL80211_IFTYPE_MONITOR:
1587 	case NL80211_IFTYPE_P2P_DEVICE:
1588 	case NL80211_IFTYPE_WDS:
1589 	case NUM_NL80211_IFTYPES:
1590 		return -EINVAL;
1591 	}
1592 
1593 	return 0;
1594 }
1595 
1596 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1597 							u32 freq)
1598 {
1599 	struct ieee80211_channel *chan;
1600 
1601 	chan = ieee80211_get_channel_khz(wiphy, freq);
1602 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1603 		return NULL;
1604 	return chan;
1605 }
1606 
1607 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1608 {
1609 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1610 	int i;
1611 
1612 	if (!nl_modes)
1613 		goto nla_put_failure;
1614 
1615 	i = 0;
1616 	while (ifmodes) {
1617 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1618 			goto nla_put_failure;
1619 		ifmodes >>= 1;
1620 		i++;
1621 	}
1622 
1623 	nla_nest_end(msg, nl_modes);
1624 	return 0;
1625 
1626 nla_put_failure:
1627 	return -ENOBUFS;
1628 }
1629 
1630 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1631 					  struct sk_buff *msg,
1632 					  bool large)
1633 {
1634 	struct nlattr *nl_combis;
1635 	int i, j;
1636 
1637 	nl_combis = nla_nest_start_noflag(msg,
1638 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1639 	if (!nl_combis)
1640 		goto nla_put_failure;
1641 
1642 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1643 		const struct ieee80211_iface_combination *c;
1644 		struct nlattr *nl_combi, *nl_limits;
1645 
1646 		c = &wiphy->iface_combinations[i];
1647 
1648 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1649 		if (!nl_combi)
1650 			goto nla_put_failure;
1651 
1652 		nl_limits = nla_nest_start_noflag(msg,
1653 						  NL80211_IFACE_COMB_LIMITS);
1654 		if (!nl_limits)
1655 			goto nla_put_failure;
1656 
1657 		for (j = 0; j < c->n_limits; j++) {
1658 			struct nlattr *nl_limit;
1659 
1660 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1661 			if (!nl_limit)
1662 				goto nla_put_failure;
1663 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1664 					c->limits[j].max))
1665 				goto nla_put_failure;
1666 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1667 						c->limits[j].types))
1668 				goto nla_put_failure;
1669 			nla_nest_end(msg, nl_limit);
1670 		}
1671 
1672 		nla_nest_end(msg, nl_limits);
1673 
1674 		if (c->beacon_int_infra_match &&
1675 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1676 			goto nla_put_failure;
1677 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1678 				c->num_different_channels) ||
1679 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1680 				c->max_interfaces))
1681 			goto nla_put_failure;
1682 		if (large &&
1683 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1684 				c->radar_detect_widths) ||
1685 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1686 				c->radar_detect_regions)))
1687 			goto nla_put_failure;
1688 		if (c->beacon_int_min_gcd &&
1689 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1690 				c->beacon_int_min_gcd))
1691 			goto nla_put_failure;
1692 
1693 		nla_nest_end(msg, nl_combi);
1694 	}
1695 
1696 	nla_nest_end(msg, nl_combis);
1697 
1698 	return 0;
1699 nla_put_failure:
1700 	return -ENOBUFS;
1701 }
1702 
1703 #ifdef CONFIG_PM
1704 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1705 					struct sk_buff *msg)
1706 {
1707 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1708 	struct nlattr *nl_tcp;
1709 
1710 	if (!tcp)
1711 		return 0;
1712 
1713 	nl_tcp = nla_nest_start_noflag(msg,
1714 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1715 	if (!nl_tcp)
1716 		return -ENOBUFS;
1717 
1718 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1719 			tcp->data_payload_max))
1720 		return -ENOBUFS;
1721 
1722 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1723 			tcp->data_payload_max))
1724 		return -ENOBUFS;
1725 
1726 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1727 		return -ENOBUFS;
1728 
1729 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1730 				sizeof(*tcp->tok), tcp->tok))
1731 		return -ENOBUFS;
1732 
1733 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1734 			tcp->data_interval_max))
1735 		return -ENOBUFS;
1736 
1737 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1738 			tcp->wake_payload_max))
1739 		return -ENOBUFS;
1740 
1741 	nla_nest_end(msg, nl_tcp);
1742 	return 0;
1743 }
1744 
1745 static int nl80211_send_wowlan(struct sk_buff *msg,
1746 			       struct cfg80211_registered_device *rdev,
1747 			       bool large)
1748 {
1749 	struct nlattr *nl_wowlan;
1750 
1751 	if (!rdev->wiphy.wowlan)
1752 		return 0;
1753 
1754 	nl_wowlan = nla_nest_start_noflag(msg,
1755 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1756 	if (!nl_wowlan)
1757 		return -ENOBUFS;
1758 
1759 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1760 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1761 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1762 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1763 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1764 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1765 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1766 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1767 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1768 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1769 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1770 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1771 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1772 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1773 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1774 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1775 		return -ENOBUFS;
1776 
1777 	if (rdev->wiphy.wowlan->n_patterns) {
1778 		struct nl80211_pattern_support pat = {
1779 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1780 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1781 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1782 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1783 		};
1784 
1785 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1786 			    sizeof(pat), &pat))
1787 			return -ENOBUFS;
1788 	}
1789 
1790 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1791 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1792 			rdev->wiphy.wowlan->max_nd_match_sets))
1793 		return -ENOBUFS;
1794 
1795 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1796 		return -ENOBUFS;
1797 
1798 	nla_nest_end(msg, nl_wowlan);
1799 
1800 	return 0;
1801 }
1802 #endif
1803 
1804 static int nl80211_send_coalesce(struct sk_buff *msg,
1805 				 struct cfg80211_registered_device *rdev)
1806 {
1807 	struct nl80211_coalesce_rule_support rule;
1808 
1809 	if (!rdev->wiphy.coalesce)
1810 		return 0;
1811 
1812 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1813 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1814 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1815 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1816 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1817 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1818 
1819 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1820 		return -ENOBUFS;
1821 
1822 	return 0;
1823 }
1824 
1825 static int
1826 nl80211_send_iftype_data(struct sk_buff *msg,
1827 			 const struct ieee80211_supported_band *sband,
1828 			 const struct ieee80211_sband_iftype_data *iftdata)
1829 {
1830 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1831 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1832 
1833 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1834 				iftdata->types_mask))
1835 		return -ENOBUFS;
1836 
1837 	if (he_cap->has_he) {
1838 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1839 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1840 			    he_cap->he_cap_elem.mac_cap_info) ||
1841 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1842 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1843 			    he_cap->he_cap_elem.phy_cap_info) ||
1844 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1845 			    sizeof(he_cap->he_mcs_nss_supp),
1846 			    &he_cap->he_mcs_nss_supp) ||
1847 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1848 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1849 			return -ENOBUFS;
1850 	}
1851 
1852 	if (eht_cap->has_eht && he_cap->has_he) {
1853 		u8 mcs_nss_size, ppe_thresh_size;
1854 		u16 ppe_thres_hdr;
1855 		bool is_ap;
1856 
1857 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1858 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1859 
1860 		mcs_nss_size =
1861 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1862 						   &eht_cap->eht_cap_elem,
1863 						   is_ap);
1864 
1865 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1866 		ppe_thresh_size =
1867 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1868 					       eht_cap->eht_cap_elem.phy_cap_info);
1869 
1870 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1871 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1872 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1873 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1874 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1875 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1876 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1877 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1878 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1879 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1880 			return -ENOBUFS;
1881 	}
1882 
1883 	if (sband->band == NL80211_BAND_6GHZ &&
1884 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1885 		    sizeof(iftdata->he_6ghz_capa),
1886 		    &iftdata->he_6ghz_capa))
1887 		return -ENOBUFS;
1888 
1889 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1890 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1891 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1892 		return -ENOBUFS;
1893 
1894 	return 0;
1895 }
1896 
1897 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1898 				      struct ieee80211_supported_band *sband,
1899 				      bool large)
1900 {
1901 	struct nlattr *nl_rates, *nl_rate;
1902 	struct ieee80211_rate *rate;
1903 	int i;
1904 
1905 	/* add HT info */
1906 	if (sband->ht_cap.ht_supported &&
1907 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1908 		     sizeof(sband->ht_cap.mcs),
1909 		     &sband->ht_cap.mcs) ||
1910 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1911 			 sband->ht_cap.cap) ||
1912 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1913 			sband->ht_cap.ampdu_factor) ||
1914 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1915 			sband->ht_cap.ampdu_density)))
1916 		return -ENOBUFS;
1917 
1918 	/* add VHT info */
1919 	if (sband->vht_cap.vht_supported &&
1920 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1921 		     sizeof(sband->vht_cap.vht_mcs),
1922 		     &sband->vht_cap.vht_mcs) ||
1923 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1924 			 sband->vht_cap.cap)))
1925 		return -ENOBUFS;
1926 
1927 	if (large && sband->n_iftype_data) {
1928 		struct nlattr *nl_iftype_data =
1929 			nla_nest_start_noflag(msg,
1930 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1931 		const struct ieee80211_sband_iftype_data *iftd;
1932 		int err;
1933 
1934 		if (!nl_iftype_data)
1935 			return -ENOBUFS;
1936 
1937 		for_each_sband_iftype_data(sband, i, iftd) {
1938 			struct nlattr *iftdata;
1939 
1940 			iftdata = nla_nest_start_noflag(msg, i + 1);
1941 			if (!iftdata)
1942 				return -ENOBUFS;
1943 
1944 			err = nl80211_send_iftype_data(msg, sband, iftd);
1945 			if (err)
1946 				return err;
1947 
1948 			nla_nest_end(msg, iftdata);
1949 		}
1950 
1951 		nla_nest_end(msg, nl_iftype_data);
1952 	}
1953 
1954 	/* add EDMG info */
1955 	if (large && sband->edmg_cap.channels &&
1956 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1957 		       sband->edmg_cap.channels) ||
1958 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1959 		       sband->edmg_cap.bw_config)))
1960 
1961 		return -ENOBUFS;
1962 
1963 	/* add bitrates */
1964 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1965 	if (!nl_rates)
1966 		return -ENOBUFS;
1967 
1968 	for (i = 0; i < sband->n_bitrates; i++) {
1969 		nl_rate = nla_nest_start_noflag(msg, i);
1970 		if (!nl_rate)
1971 			return -ENOBUFS;
1972 
1973 		rate = &sband->bitrates[i];
1974 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1975 				rate->bitrate))
1976 			return -ENOBUFS;
1977 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1978 		    nla_put_flag(msg,
1979 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1980 			return -ENOBUFS;
1981 
1982 		nla_nest_end(msg, nl_rate);
1983 	}
1984 
1985 	nla_nest_end(msg, nl_rates);
1986 
1987 	/* S1G capabilities */
1988 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
1989 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
1990 		     sizeof(sband->s1g_cap.cap),
1991 		     sband->s1g_cap.cap) ||
1992 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
1993 		     sizeof(sband->s1g_cap.nss_mcs),
1994 		     sband->s1g_cap.nss_mcs)))
1995 		return -ENOBUFS;
1996 
1997 	return 0;
1998 }
1999 
2000 static int
2001 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2002 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2003 {
2004 	u16 stypes;
2005 	struct nlattr *nl_ftypes, *nl_ifs;
2006 	enum nl80211_iftype ift;
2007 	int i;
2008 
2009 	if (!mgmt_stypes)
2010 		return 0;
2011 
2012 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2013 	if (!nl_ifs)
2014 		return -ENOBUFS;
2015 
2016 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2017 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2018 		if (!nl_ftypes)
2019 			return -ENOBUFS;
2020 		i = 0;
2021 		stypes = mgmt_stypes[ift].tx;
2022 		while (stypes) {
2023 			if ((stypes & 1) &&
2024 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2025 					(i << 4) | IEEE80211_FTYPE_MGMT))
2026 				return -ENOBUFS;
2027 			stypes >>= 1;
2028 			i++;
2029 		}
2030 		nla_nest_end(msg, nl_ftypes);
2031 	}
2032 
2033 	nla_nest_end(msg, nl_ifs);
2034 
2035 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2036 	if (!nl_ifs)
2037 		return -ENOBUFS;
2038 
2039 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2040 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2041 		if (!nl_ftypes)
2042 			return -ENOBUFS;
2043 		i = 0;
2044 		stypes = mgmt_stypes[ift].rx;
2045 		while (stypes) {
2046 			if ((stypes & 1) &&
2047 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2048 					(i << 4) | IEEE80211_FTYPE_MGMT))
2049 				return -ENOBUFS;
2050 			stypes >>= 1;
2051 			i++;
2052 		}
2053 		nla_nest_end(msg, nl_ftypes);
2054 	}
2055 	nla_nest_end(msg, nl_ifs);
2056 
2057 	return 0;
2058 }
2059 
2060 #define CMD(op, n)							\
2061 	 do {								\
2062 		if (rdev->ops->op) {					\
2063 			i++;						\
2064 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2065 				goto nla_put_failure;			\
2066 		}							\
2067 	} while (0)
2068 
2069 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2070 					struct sk_buff *msg)
2071 {
2072 	int i = 0;
2073 
2074 	/*
2075 	 * do *NOT* add anything into this function, new things need to be
2076 	 * advertised only to new versions of userspace that can deal with
2077 	 * the split (and they can't possibly care about new features...
2078 	 */
2079 	CMD(add_virtual_intf, NEW_INTERFACE);
2080 	CMD(change_virtual_intf, SET_INTERFACE);
2081 	CMD(add_key, NEW_KEY);
2082 	CMD(start_ap, START_AP);
2083 	CMD(add_station, NEW_STATION);
2084 	CMD(add_mpath, NEW_MPATH);
2085 	CMD(update_mesh_config, SET_MESH_CONFIG);
2086 	CMD(change_bss, SET_BSS);
2087 	CMD(auth, AUTHENTICATE);
2088 	CMD(assoc, ASSOCIATE);
2089 	CMD(deauth, DEAUTHENTICATE);
2090 	CMD(disassoc, DISASSOCIATE);
2091 	CMD(join_ibss, JOIN_IBSS);
2092 	CMD(join_mesh, JOIN_MESH);
2093 	CMD(set_pmksa, SET_PMKSA);
2094 	CMD(del_pmksa, DEL_PMKSA);
2095 	CMD(flush_pmksa, FLUSH_PMKSA);
2096 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2097 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2098 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2099 	CMD(mgmt_tx, FRAME);
2100 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2101 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2102 		i++;
2103 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2104 			goto nla_put_failure;
2105 	}
2106 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2107 	    rdev->ops->join_mesh) {
2108 		i++;
2109 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2110 			goto nla_put_failure;
2111 	}
2112 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2113 		CMD(tdls_mgmt, TDLS_MGMT);
2114 		CMD(tdls_oper, TDLS_OPER);
2115 	}
2116 	if (rdev->wiphy.max_sched_scan_reqs)
2117 		CMD(sched_scan_start, START_SCHED_SCAN);
2118 	CMD(probe_client, PROBE_CLIENT);
2119 	CMD(set_noack_map, SET_NOACK_MAP);
2120 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2121 		i++;
2122 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2123 			goto nla_put_failure;
2124 	}
2125 	CMD(start_p2p_device, START_P2P_DEVICE);
2126 	CMD(set_mcast_rate, SET_MCAST_RATE);
2127 #ifdef CONFIG_NL80211_TESTMODE
2128 	CMD(testmode_cmd, TESTMODE);
2129 #endif
2130 
2131 	if (rdev->ops->connect || rdev->ops->auth) {
2132 		i++;
2133 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2134 			goto nla_put_failure;
2135 	}
2136 
2137 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2138 		i++;
2139 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2140 			goto nla_put_failure;
2141 	}
2142 
2143 	return i;
2144  nla_put_failure:
2145 	return -ENOBUFS;
2146 }
2147 
2148 static int
2149 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2150 			   struct sk_buff *msg)
2151 {
2152 	struct nlattr *ftm;
2153 
2154 	if (!cap->ftm.supported)
2155 		return 0;
2156 
2157 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2158 	if (!ftm)
2159 		return -ENOBUFS;
2160 
2161 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2162 		return -ENOBUFS;
2163 	if (cap->ftm.non_asap &&
2164 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2165 		return -ENOBUFS;
2166 	if (cap->ftm.request_lci &&
2167 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2168 		return -ENOBUFS;
2169 	if (cap->ftm.request_civicloc &&
2170 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2171 		return -ENOBUFS;
2172 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2173 			cap->ftm.preambles))
2174 		return -ENOBUFS;
2175 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2176 			cap->ftm.bandwidths))
2177 		return -ENOBUFS;
2178 	if (cap->ftm.max_bursts_exponent >= 0 &&
2179 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2180 			cap->ftm.max_bursts_exponent))
2181 		return -ENOBUFS;
2182 	if (cap->ftm.max_ftms_per_burst &&
2183 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2184 			cap->ftm.max_ftms_per_burst))
2185 		return -ENOBUFS;
2186 	if (cap->ftm.trigger_based &&
2187 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2188 		return -ENOBUFS;
2189 	if (cap->ftm.non_trigger_based &&
2190 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2191 		return -ENOBUFS;
2192 
2193 	nla_nest_end(msg, ftm);
2194 	return 0;
2195 }
2196 
2197 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2198 				  struct sk_buff *msg)
2199 {
2200 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2201 	struct nlattr *pmsr, *caps;
2202 
2203 	if (!cap)
2204 		return 0;
2205 
2206 	/*
2207 	 * we don't need to clean up anything here since the caller
2208 	 * will genlmsg_cancel() if we fail
2209 	 */
2210 
2211 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2212 	if (!pmsr)
2213 		return -ENOBUFS;
2214 
2215 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2216 		return -ENOBUFS;
2217 
2218 	if (cap->report_ap_tsf &&
2219 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2220 		return -ENOBUFS;
2221 
2222 	if (cap->randomize_mac_addr &&
2223 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2224 		return -ENOBUFS;
2225 
2226 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2227 	if (!caps)
2228 		return -ENOBUFS;
2229 
2230 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2231 		return -ENOBUFS;
2232 
2233 	nla_nest_end(msg, caps);
2234 	nla_nest_end(msg, pmsr);
2235 
2236 	return 0;
2237 }
2238 
2239 static int
2240 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2241 			      struct sk_buff *msg)
2242 {
2243 	int i;
2244 	struct nlattr *nested, *nested_akms;
2245 	const struct wiphy_iftype_akm_suites *iftype_akms;
2246 
2247 	if (!rdev->wiphy.num_iftype_akm_suites ||
2248 	    !rdev->wiphy.iftype_akm_suites)
2249 		return 0;
2250 
2251 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2252 	if (!nested)
2253 		return -ENOBUFS;
2254 
2255 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2256 		nested_akms = nla_nest_start(msg, i + 1);
2257 		if (!nested_akms)
2258 			return -ENOBUFS;
2259 
2260 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2261 
2262 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2263 					iftype_akms->iftypes_mask))
2264 			return -ENOBUFS;
2265 
2266 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2267 			    sizeof(u32) * iftype_akms->n_akm_suites,
2268 			    iftype_akms->akm_suites)) {
2269 			return -ENOBUFS;
2270 		}
2271 		nla_nest_end(msg, nested_akms);
2272 	}
2273 
2274 	nla_nest_end(msg, nested);
2275 
2276 	return 0;
2277 }
2278 
2279 static int
2280 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2281 			       struct sk_buff *msg)
2282 {
2283 	struct nlattr *supp;
2284 
2285 	if (!rdev->wiphy.tid_config_support.vif &&
2286 	    !rdev->wiphy.tid_config_support.peer)
2287 		return 0;
2288 
2289 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2290 	if (!supp)
2291 		return -ENOSPC;
2292 
2293 	if (rdev->wiphy.tid_config_support.vif &&
2294 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2295 			      rdev->wiphy.tid_config_support.vif,
2296 			      NL80211_TID_CONFIG_ATTR_PAD))
2297 		goto fail;
2298 
2299 	if (rdev->wiphy.tid_config_support.peer &&
2300 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2301 			      rdev->wiphy.tid_config_support.peer,
2302 			      NL80211_TID_CONFIG_ATTR_PAD))
2303 		goto fail;
2304 
2305 	/* for now we just use the same value ... makes more sense */
2306 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2307 		       rdev->wiphy.tid_config_support.max_retry))
2308 		goto fail;
2309 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2310 		       rdev->wiphy.tid_config_support.max_retry))
2311 		goto fail;
2312 
2313 	nla_nest_end(msg, supp);
2314 
2315 	return 0;
2316 fail:
2317 	nla_nest_cancel(msg, supp);
2318 	return -ENOBUFS;
2319 }
2320 
2321 static int
2322 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2323 		      struct sk_buff *msg)
2324 {
2325 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2326 	u8 num_freq_ranges;
2327 	int i;
2328 
2329 	if (!rdev->wiphy.sar_capa)
2330 		return 0;
2331 
2332 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2333 
2334 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2335 	if (!sar_capa)
2336 		return -ENOSPC;
2337 
2338 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2339 		goto fail;
2340 
2341 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2342 	if (!specs)
2343 		goto fail;
2344 
2345 	/* report supported freq_ranges */
2346 	for (i = 0; i < num_freq_ranges; i++) {
2347 		sub_freq_range = nla_nest_start(msg, i + 1);
2348 		if (!sub_freq_range)
2349 			goto fail;
2350 
2351 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2352 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2353 			goto fail;
2354 
2355 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2356 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2357 			goto fail;
2358 
2359 		nla_nest_end(msg, sub_freq_range);
2360 	}
2361 
2362 	nla_nest_end(msg, specs);
2363 	nla_nest_end(msg, sar_capa);
2364 
2365 	return 0;
2366 fail:
2367 	nla_nest_cancel(msg, sar_capa);
2368 	return -ENOBUFS;
2369 }
2370 
2371 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2372 {
2373 	struct nlattr *config;
2374 
2375 	if (!wiphy->mbssid_max_interfaces)
2376 		return 0;
2377 
2378 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2379 	if (!config)
2380 		return -ENOBUFS;
2381 
2382 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2383 		       wiphy->mbssid_max_interfaces))
2384 		goto fail;
2385 
2386 	if (wiphy->ema_max_profile_periodicity &&
2387 	    nla_put_u8(msg,
2388 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2389 		       wiphy->ema_max_profile_periodicity))
2390 		goto fail;
2391 
2392 	nla_nest_end(msg, config);
2393 	return 0;
2394 
2395 fail:
2396 	nla_nest_cancel(msg, config);
2397 	return -ENOBUFS;
2398 }
2399 
2400 struct nl80211_dump_wiphy_state {
2401 	s64 filter_wiphy;
2402 	long start;
2403 	long split_start, band_start, chan_start, capa_start;
2404 	bool split;
2405 };
2406 
2407 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2408 			      enum nl80211_commands cmd,
2409 			      struct sk_buff *msg, u32 portid, u32 seq,
2410 			      int flags, struct nl80211_dump_wiphy_state *state)
2411 {
2412 	void *hdr;
2413 	struct nlattr *nl_bands, *nl_band;
2414 	struct nlattr *nl_freqs, *nl_freq;
2415 	struct nlattr *nl_cmds;
2416 	enum nl80211_band band;
2417 	struct ieee80211_channel *chan;
2418 	int i;
2419 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2420 				rdev->wiphy.mgmt_stypes;
2421 	u32 features;
2422 
2423 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2424 	if (!hdr)
2425 		return -ENOBUFS;
2426 
2427 	if (WARN_ON(!state))
2428 		return -EINVAL;
2429 
2430 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2431 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2432 			   wiphy_name(&rdev->wiphy)) ||
2433 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2434 			cfg80211_rdev_list_generation))
2435 		goto nla_put_failure;
2436 
2437 	if (cmd != NL80211_CMD_NEW_WIPHY)
2438 		goto finish;
2439 
2440 	switch (state->split_start) {
2441 	case 0:
2442 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2443 			       rdev->wiphy.retry_short) ||
2444 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2445 			       rdev->wiphy.retry_long) ||
2446 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2447 				rdev->wiphy.frag_threshold) ||
2448 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2449 				rdev->wiphy.rts_threshold) ||
2450 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2451 			       rdev->wiphy.coverage_class) ||
2452 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2453 			       rdev->wiphy.max_scan_ssids) ||
2454 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2455 			       rdev->wiphy.max_sched_scan_ssids) ||
2456 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2457 				rdev->wiphy.max_scan_ie_len) ||
2458 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2459 				rdev->wiphy.max_sched_scan_ie_len) ||
2460 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2461 			       rdev->wiphy.max_match_sets))
2462 			goto nla_put_failure;
2463 
2464 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2465 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2466 			goto nla_put_failure;
2467 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2468 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2469 			goto nla_put_failure;
2470 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2471 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2472 			goto nla_put_failure;
2473 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2474 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2475 			goto nla_put_failure;
2476 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2477 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2478 			goto nla_put_failure;
2479 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2480 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2481 			goto nla_put_failure;
2482 		state->split_start++;
2483 		if (state->split)
2484 			break;
2485 		fallthrough;
2486 	case 1:
2487 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2488 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2489 			    rdev->wiphy.cipher_suites))
2490 			goto nla_put_failure;
2491 
2492 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2493 			       rdev->wiphy.max_num_pmkids))
2494 			goto nla_put_failure;
2495 
2496 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2497 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2498 			goto nla_put_failure;
2499 
2500 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2501 				rdev->wiphy.available_antennas_tx) ||
2502 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2503 				rdev->wiphy.available_antennas_rx))
2504 			goto nla_put_failure;
2505 
2506 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2507 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2508 				rdev->wiphy.probe_resp_offload))
2509 			goto nla_put_failure;
2510 
2511 		if ((rdev->wiphy.available_antennas_tx ||
2512 		     rdev->wiphy.available_antennas_rx) &&
2513 		    rdev->ops->get_antenna) {
2514 			u32 tx_ant = 0, rx_ant = 0;
2515 			int res;
2516 
2517 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2518 			if (!res) {
2519 				if (nla_put_u32(msg,
2520 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2521 						tx_ant) ||
2522 				    nla_put_u32(msg,
2523 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2524 						rx_ant))
2525 					goto nla_put_failure;
2526 			}
2527 		}
2528 
2529 		state->split_start++;
2530 		if (state->split)
2531 			break;
2532 		fallthrough;
2533 	case 2:
2534 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2535 					rdev->wiphy.interface_modes))
2536 				goto nla_put_failure;
2537 		state->split_start++;
2538 		if (state->split)
2539 			break;
2540 		fallthrough;
2541 	case 3:
2542 		nl_bands = nla_nest_start_noflag(msg,
2543 						 NL80211_ATTR_WIPHY_BANDS);
2544 		if (!nl_bands)
2545 			goto nla_put_failure;
2546 
2547 		for (band = state->band_start;
2548 		     band < (state->split ?
2549 				NUM_NL80211_BANDS :
2550 				NL80211_BAND_60GHZ + 1);
2551 		     band++) {
2552 			struct ieee80211_supported_band *sband;
2553 
2554 			/* omit higher bands for ancient software */
2555 			if (band > NL80211_BAND_5GHZ && !state->split)
2556 				break;
2557 
2558 			sband = rdev->wiphy.bands[band];
2559 
2560 			if (!sband)
2561 				continue;
2562 
2563 			nl_band = nla_nest_start_noflag(msg, band);
2564 			if (!nl_band)
2565 				goto nla_put_failure;
2566 
2567 			switch (state->chan_start) {
2568 			case 0:
2569 				if (nl80211_send_band_rateinfo(msg, sband,
2570 							       state->split))
2571 					goto nla_put_failure;
2572 				state->chan_start++;
2573 				if (state->split)
2574 					break;
2575 				fallthrough;
2576 			default:
2577 				/* add frequencies */
2578 				nl_freqs = nla_nest_start_noflag(msg,
2579 								 NL80211_BAND_ATTR_FREQS);
2580 				if (!nl_freqs)
2581 					goto nla_put_failure;
2582 
2583 				for (i = state->chan_start - 1;
2584 				     i < sband->n_channels;
2585 				     i++) {
2586 					nl_freq = nla_nest_start_noflag(msg,
2587 									i);
2588 					if (!nl_freq)
2589 						goto nla_put_failure;
2590 
2591 					chan = &sband->channels[i];
2592 
2593 					if (nl80211_msg_put_channel(
2594 							msg, &rdev->wiphy, chan,
2595 							state->split))
2596 						goto nla_put_failure;
2597 
2598 					nla_nest_end(msg, nl_freq);
2599 					if (state->split)
2600 						break;
2601 				}
2602 				if (i < sband->n_channels)
2603 					state->chan_start = i + 2;
2604 				else
2605 					state->chan_start = 0;
2606 				nla_nest_end(msg, nl_freqs);
2607 			}
2608 
2609 			nla_nest_end(msg, nl_band);
2610 
2611 			if (state->split) {
2612 				/* start again here */
2613 				if (state->chan_start)
2614 					band--;
2615 				break;
2616 			}
2617 		}
2618 		nla_nest_end(msg, nl_bands);
2619 
2620 		if (band < NUM_NL80211_BANDS)
2621 			state->band_start = band + 1;
2622 		else
2623 			state->band_start = 0;
2624 
2625 		/* if bands & channels are done, continue outside */
2626 		if (state->band_start == 0 && state->chan_start == 0)
2627 			state->split_start++;
2628 		if (state->split)
2629 			break;
2630 		fallthrough;
2631 	case 4:
2632 		nl_cmds = nla_nest_start_noflag(msg,
2633 						NL80211_ATTR_SUPPORTED_COMMANDS);
2634 		if (!nl_cmds)
2635 			goto nla_put_failure;
2636 
2637 		i = nl80211_add_commands_unsplit(rdev, msg);
2638 		if (i < 0)
2639 			goto nla_put_failure;
2640 		if (state->split) {
2641 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2642 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2643 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2644 				CMD(channel_switch, CHANNEL_SWITCH);
2645 			CMD(set_qos_map, SET_QOS_MAP);
2646 			if (rdev->wiphy.features &
2647 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2648 				CMD(add_tx_ts, ADD_TX_TS);
2649 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2650 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2651 			CMD(update_ft_ies, UPDATE_FT_IES);
2652 			if (rdev->wiphy.sar_capa)
2653 				CMD(set_sar_specs, SET_SAR_SPECS);
2654 		}
2655 #undef CMD
2656 
2657 		nla_nest_end(msg, nl_cmds);
2658 		state->split_start++;
2659 		if (state->split)
2660 			break;
2661 		fallthrough;
2662 	case 5:
2663 		if (rdev->ops->remain_on_channel &&
2664 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2665 		    nla_put_u32(msg,
2666 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2667 				rdev->wiphy.max_remain_on_channel_duration))
2668 			goto nla_put_failure;
2669 
2670 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2671 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2672 			goto nla_put_failure;
2673 
2674 		state->split_start++;
2675 		if (state->split)
2676 			break;
2677 		fallthrough;
2678 	case 6:
2679 #ifdef CONFIG_PM
2680 		if (nl80211_send_wowlan(msg, rdev, state->split))
2681 			goto nla_put_failure;
2682 		state->split_start++;
2683 		if (state->split)
2684 			break;
2685 #else
2686 		state->split_start++;
2687 #endif
2688 		fallthrough;
2689 	case 7:
2690 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2691 					rdev->wiphy.software_iftypes))
2692 			goto nla_put_failure;
2693 
2694 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2695 						   state->split))
2696 			goto nla_put_failure;
2697 
2698 		state->split_start++;
2699 		if (state->split)
2700 			break;
2701 		fallthrough;
2702 	case 8:
2703 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2704 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2705 				rdev->wiphy.ap_sme_capa))
2706 			goto nla_put_failure;
2707 
2708 		features = rdev->wiphy.features;
2709 		/*
2710 		 * We can only add the per-channel limit information if the
2711 		 * dump is split, otherwise it makes it too big. Therefore
2712 		 * only advertise it in that case.
2713 		 */
2714 		if (state->split)
2715 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2716 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2717 			goto nla_put_failure;
2718 
2719 		if (rdev->wiphy.ht_capa_mod_mask &&
2720 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2721 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2722 			    rdev->wiphy.ht_capa_mod_mask))
2723 			goto nla_put_failure;
2724 
2725 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2726 		    rdev->wiphy.max_acl_mac_addrs &&
2727 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2728 				rdev->wiphy.max_acl_mac_addrs))
2729 			goto nla_put_failure;
2730 
2731 		/*
2732 		 * Any information below this point is only available to
2733 		 * applications that can deal with it being split. This
2734 		 * helps ensure that newly added capabilities don't break
2735 		 * older tools by overrunning their buffers.
2736 		 *
2737 		 * We still increment split_start so that in the split
2738 		 * case we'll continue with more data in the next round,
2739 		 * but break unconditionally so unsplit data stops here.
2740 		 */
2741 		if (state->split)
2742 			state->split_start++;
2743 		else
2744 			state->split_start = 0;
2745 		break;
2746 	case 9:
2747 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2748 			goto nla_put_failure;
2749 
2750 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2751 				rdev->wiphy.max_sched_scan_plans) ||
2752 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2753 				rdev->wiphy.max_sched_scan_plan_interval) ||
2754 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2755 				rdev->wiphy.max_sched_scan_plan_iterations))
2756 			goto nla_put_failure;
2757 
2758 		if (rdev->wiphy.extended_capabilities &&
2759 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2760 			     rdev->wiphy.extended_capabilities_len,
2761 			     rdev->wiphy.extended_capabilities) ||
2762 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2763 			     rdev->wiphy.extended_capabilities_len,
2764 			     rdev->wiphy.extended_capabilities_mask)))
2765 			goto nla_put_failure;
2766 
2767 		if (rdev->wiphy.vht_capa_mod_mask &&
2768 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2769 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2770 			    rdev->wiphy.vht_capa_mod_mask))
2771 			goto nla_put_failure;
2772 
2773 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2774 			    rdev->wiphy.perm_addr))
2775 			goto nla_put_failure;
2776 
2777 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2778 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2779 			    rdev->wiphy.addr_mask))
2780 			goto nla_put_failure;
2781 
2782 		if (rdev->wiphy.n_addresses > 1) {
2783 			void *attr;
2784 
2785 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2786 			if (!attr)
2787 				goto nla_put_failure;
2788 
2789 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2790 				if (nla_put(msg, i + 1, ETH_ALEN,
2791 					    rdev->wiphy.addresses[i].addr))
2792 					goto nla_put_failure;
2793 
2794 			nla_nest_end(msg, attr);
2795 		}
2796 
2797 		state->split_start++;
2798 		break;
2799 	case 10:
2800 		if (nl80211_send_coalesce(msg, rdev))
2801 			goto nla_put_failure;
2802 
2803 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2804 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2805 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2806 			goto nla_put_failure;
2807 
2808 		if (rdev->wiphy.max_ap_assoc_sta &&
2809 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2810 				rdev->wiphy.max_ap_assoc_sta))
2811 			goto nla_put_failure;
2812 
2813 		state->split_start++;
2814 		break;
2815 	case 11:
2816 		if (rdev->wiphy.n_vendor_commands) {
2817 			const struct nl80211_vendor_cmd_info *info;
2818 			struct nlattr *nested;
2819 
2820 			nested = nla_nest_start_noflag(msg,
2821 						       NL80211_ATTR_VENDOR_DATA);
2822 			if (!nested)
2823 				goto nla_put_failure;
2824 
2825 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2826 				info = &rdev->wiphy.vendor_commands[i].info;
2827 				if (nla_put(msg, i + 1, sizeof(*info), info))
2828 					goto nla_put_failure;
2829 			}
2830 			nla_nest_end(msg, nested);
2831 		}
2832 
2833 		if (rdev->wiphy.n_vendor_events) {
2834 			const struct nl80211_vendor_cmd_info *info;
2835 			struct nlattr *nested;
2836 
2837 			nested = nla_nest_start_noflag(msg,
2838 						       NL80211_ATTR_VENDOR_EVENTS);
2839 			if (!nested)
2840 				goto nla_put_failure;
2841 
2842 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2843 				info = &rdev->wiphy.vendor_events[i];
2844 				if (nla_put(msg, i + 1, sizeof(*info), info))
2845 					goto nla_put_failure;
2846 			}
2847 			nla_nest_end(msg, nested);
2848 		}
2849 		state->split_start++;
2850 		break;
2851 	case 12:
2852 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2853 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2854 			       rdev->wiphy.max_num_csa_counters))
2855 			goto nla_put_failure;
2856 
2857 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2858 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2859 			goto nla_put_failure;
2860 
2861 		if (rdev->wiphy.max_sched_scan_reqs &&
2862 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2863 				rdev->wiphy.max_sched_scan_reqs))
2864 			goto nla_put_failure;
2865 
2866 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2867 			    sizeof(rdev->wiphy.ext_features),
2868 			    rdev->wiphy.ext_features))
2869 			goto nla_put_failure;
2870 
2871 		if (rdev->wiphy.bss_select_support) {
2872 			struct nlattr *nested;
2873 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2874 
2875 			nested = nla_nest_start_noflag(msg,
2876 						       NL80211_ATTR_BSS_SELECT);
2877 			if (!nested)
2878 				goto nla_put_failure;
2879 
2880 			i = 0;
2881 			while (bss_select_support) {
2882 				if ((bss_select_support & 1) &&
2883 				    nla_put_flag(msg, i))
2884 					goto nla_put_failure;
2885 				i++;
2886 				bss_select_support >>= 1;
2887 			}
2888 			nla_nest_end(msg, nested);
2889 		}
2890 
2891 		state->split_start++;
2892 		break;
2893 	case 13:
2894 		if (rdev->wiphy.num_iftype_ext_capab &&
2895 		    rdev->wiphy.iftype_ext_capab) {
2896 			struct nlattr *nested_ext_capab, *nested;
2897 
2898 			nested = nla_nest_start_noflag(msg,
2899 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2900 			if (!nested)
2901 				goto nla_put_failure;
2902 
2903 			for (i = state->capa_start;
2904 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2905 				const struct wiphy_iftype_ext_capab *capab;
2906 
2907 				capab = &rdev->wiphy.iftype_ext_capab[i];
2908 
2909 				nested_ext_capab = nla_nest_start_noflag(msg,
2910 									 i);
2911 				if (!nested_ext_capab ||
2912 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2913 						capab->iftype) ||
2914 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2915 					    capab->extended_capabilities_len,
2916 					    capab->extended_capabilities) ||
2917 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2918 					    capab->extended_capabilities_len,
2919 					    capab->extended_capabilities_mask))
2920 					goto nla_put_failure;
2921 
2922 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2923 				    (nla_put_u16(msg,
2924 						 NL80211_ATTR_EML_CAPABILITY,
2925 						 capab->eml_capabilities) ||
2926 				     nla_put_u16(msg,
2927 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2928 						 capab->mld_capa_and_ops)))
2929 					goto nla_put_failure;
2930 
2931 				nla_nest_end(msg, nested_ext_capab);
2932 				if (state->split)
2933 					break;
2934 			}
2935 			nla_nest_end(msg, nested);
2936 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2937 				state->capa_start = i + 1;
2938 				break;
2939 			}
2940 		}
2941 
2942 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2943 				rdev->wiphy.nan_supported_bands))
2944 			goto nla_put_failure;
2945 
2946 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2947 					    NL80211_EXT_FEATURE_TXQS)) {
2948 			struct cfg80211_txq_stats txqstats = {};
2949 			int res;
2950 
2951 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2952 			if (!res &&
2953 			    !nl80211_put_txq_stats(msg, &txqstats,
2954 						   NL80211_ATTR_TXQ_STATS))
2955 				goto nla_put_failure;
2956 
2957 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2958 					rdev->wiphy.txq_limit))
2959 				goto nla_put_failure;
2960 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2961 					rdev->wiphy.txq_memory_limit))
2962 				goto nla_put_failure;
2963 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2964 					rdev->wiphy.txq_quantum))
2965 				goto nla_put_failure;
2966 		}
2967 
2968 		state->split_start++;
2969 		break;
2970 	case 14:
2971 		if (nl80211_send_pmsr_capa(rdev, msg))
2972 			goto nla_put_failure;
2973 
2974 		state->split_start++;
2975 		break;
2976 	case 15:
2977 		if (rdev->wiphy.akm_suites &&
2978 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2979 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2980 			    rdev->wiphy.akm_suites))
2981 			goto nla_put_failure;
2982 
2983 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2984 			goto nla_put_failure;
2985 
2986 		if (nl80211_put_tid_config_support(rdev, msg))
2987 			goto nla_put_failure;
2988 		state->split_start++;
2989 		break;
2990 	case 16:
2991 		if (nl80211_put_sar_specs(rdev, msg))
2992 			goto nla_put_failure;
2993 
2994 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2995 			goto nla_put_failure;
2996 
2997 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2998 				rdev->wiphy.max_num_akm_suites))
2999 			goto nla_put_failure;
3000 
3001 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3002 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3003 
3004 		if (rdev->wiphy.hw_timestamp_max_peers &&
3005 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3006 				rdev->wiphy.hw_timestamp_max_peers))
3007 			goto nla_put_failure;
3008 
3009 		/* done */
3010 		state->split_start = 0;
3011 		break;
3012 	}
3013  finish:
3014 	genlmsg_end(msg, hdr);
3015 	return 0;
3016 
3017  nla_put_failure:
3018 	genlmsg_cancel(msg, hdr);
3019 	return -EMSGSIZE;
3020 }
3021 
3022 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3023 				    struct netlink_callback *cb,
3024 				    struct nl80211_dump_wiphy_state *state)
3025 {
3026 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3027 	int ret;
3028 
3029 	if (!tb)
3030 		return -ENOMEM;
3031 
3032 	ret = nlmsg_parse_deprecated(cb->nlh,
3033 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3034 				     tb, nl80211_fam.maxattr,
3035 				     nl80211_policy, NULL);
3036 	/* ignore parse errors for backward compatibility */
3037 	if (ret) {
3038 		ret = 0;
3039 		goto out;
3040 	}
3041 
3042 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3043 	if (tb[NL80211_ATTR_WIPHY])
3044 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3045 	if (tb[NL80211_ATTR_WDEV])
3046 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3047 	if (tb[NL80211_ATTR_IFINDEX]) {
3048 		struct net_device *netdev;
3049 		struct cfg80211_registered_device *rdev;
3050 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3051 
3052 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3053 		if (!netdev) {
3054 			ret = -ENODEV;
3055 			goto out;
3056 		}
3057 		if (netdev->ieee80211_ptr) {
3058 			rdev = wiphy_to_rdev(
3059 				netdev->ieee80211_ptr->wiphy);
3060 			state->filter_wiphy = rdev->wiphy_idx;
3061 		}
3062 	}
3063 
3064 	ret = 0;
3065 out:
3066 	kfree(tb);
3067 	return ret;
3068 }
3069 
3070 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3071 {
3072 	int idx = 0, ret;
3073 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3074 	struct cfg80211_registered_device *rdev;
3075 
3076 	rtnl_lock();
3077 	if (!state) {
3078 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3079 		if (!state) {
3080 			rtnl_unlock();
3081 			return -ENOMEM;
3082 		}
3083 		state->filter_wiphy = -1;
3084 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3085 		if (ret) {
3086 			kfree(state);
3087 			rtnl_unlock();
3088 			return ret;
3089 		}
3090 		cb->args[0] = (long)state;
3091 	}
3092 
3093 	for_each_rdev(rdev) {
3094 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3095 			continue;
3096 		if (++idx <= state->start)
3097 			continue;
3098 		if (state->filter_wiphy != -1 &&
3099 		    state->filter_wiphy != rdev->wiphy_idx)
3100 			continue;
3101 		wiphy_lock(&rdev->wiphy);
3102 		/* attempt to fit multiple wiphy data chunks into the skb */
3103 		do {
3104 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3105 						 skb,
3106 						 NETLINK_CB(cb->skb).portid,
3107 						 cb->nlh->nlmsg_seq,
3108 						 NLM_F_MULTI, state);
3109 			if (ret < 0) {
3110 				/*
3111 				 * If sending the wiphy data didn't fit (ENOBUFS
3112 				 * or EMSGSIZE returned), this SKB is still
3113 				 * empty (so it's not too big because another
3114 				 * wiphy dataset is already in the skb) and
3115 				 * we've not tried to adjust the dump allocation
3116 				 * yet ... then adjust the alloc size to be
3117 				 * bigger, and return 1 but with the empty skb.
3118 				 * This results in an empty message being RX'ed
3119 				 * in userspace, but that is ignored.
3120 				 *
3121 				 * We can then retry with the larger buffer.
3122 				 */
3123 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3124 				    !skb->len && !state->split &&
3125 				    cb->min_dump_alloc < 4096) {
3126 					cb->min_dump_alloc = 4096;
3127 					state->split_start = 0;
3128 					wiphy_unlock(&rdev->wiphy);
3129 					rtnl_unlock();
3130 					return 1;
3131 				}
3132 				idx--;
3133 				break;
3134 			}
3135 		} while (state->split_start > 0);
3136 		wiphy_unlock(&rdev->wiphy);
3137 		break;
3138 	}
3139 	rtnl_unlock();
3140 
3141 	state->start = idx;
3142 
3143 	return skb->len;
3144 }
3145 
3146 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3147 {
3148 	kfree((void *)cb->args[0]);
3149 	return 0;
3150 }
3151 
3152 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3153 {
3154 	struct sk_buff *msg;
3155 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3156 	struct nl80211_dump_wiphy_state state = {};
3157 
3158 	msg = nlmsg_new(4096, GFP_KERNEL);
3159 	if (!msg)
3160 		return -ENOMEM;
3161 
3162 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3163 			       info->snd_portid, info->snd_seq, 0,
3164 			       &state) < 0) {
3165 		nlmsg_free(msg);
3166 		return -ENOBUFS;
3167 	}
3168 
3169 	return genlmsg_reply(msg, info);
3170 }
3171 
3172 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3173 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3174 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3175 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3176 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3177 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3178 };
3179 
3180 static int parse_txq_params(struct nlattr *tb[],
3181 			    struct ieee80211_txq_params *txq_params)
3182 {
3183 	u8 ac;
3184 
3185 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3186 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3187 	    !tb[NL80211_TXQ_ATTR_AIFS])
3188 		return -EINVAL;
3189 
3190 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3191 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3192 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3193 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3194 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3195 
3196 	if (ac >= NL80211_NUM_ACS)
3197 		return -EINVAL;
3198 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3199 	return 0;
3200 }
3201 
3202 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3203 {
3204 	/*
3205 	 * You can only set the channel explicitly for some interfaces,
3206 	 * most have their channel managed via their respective
3207 	 * "establish a connection" command (connect, join, ...)
3208 	 *
3209 	 * For AP/GO and mesh mode, the channel can be set with the
3210 	 * channel userspace API, but is only stored and passed to the
3211 	 * low-level driver when the AP starts or the mesh is joined.
3212 	 * This is for backward compatibility, userspace can also give
3213 	 * the channel in the start-ap or join-mesh commands instead.
3214 	 *
3215 	 * Monitors are special as they are normally slaved to
3216 	 * whatever else is going on, so they have their own special
3217 	 * operation to set the monitor channel if possible.
3218 	 */
3219 	return !wdev ||
3220 		wdev->iftype == NL80211_IFTYPE_AP ||
3221 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3222 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3223 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3224 }
3225 
3226 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3227 				  struct genl_info *info, bool monitor,
3228 				  struct cfg80211_chan_def *chandef)
3229 {
3230 	struct netlink_ext_ack *extack = info->extack;
3231 	struct nlattr **attrs = info->attrs;
3232 	u32 control_freq;
3233 
3234 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3235 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3236 				    "Frequency is missing");
3237 		return -EINVAL;
3238 	}
3239 
3240 	control_freq = MHZ_TO_KHZ(
3241 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3242 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3243 		control_freq +=
3244 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3245 
3246 	memset(chandef, 0, sizeof(*chandef));
3247 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3248 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3249 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3250 	chandef->freq1_offset = control_freq % 1000;
3251 	chandef->center_freq2 = 0;
3252 
3253 	if (!chandef->chan) {
3254 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3255 				    "Unknown channel");
3256 		return -EINVAL;
3257 	}
3258 
3259 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3260 		enum nl80211_channel_type chantype;
3261 
3262 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3263 
3264 		switch (chantype) {
3265 		case NL80211_CHAN_NO_HT:
3266 		case NL80211_CHAN_HT20:
3267 		case NL80211_CHAN_HT40PLUS:
3268 		case NL80211_CHAN_HT40MINUS:
3269 			cfg80211_chandef_create(chandef, chandef->chan,
3270 						chantype);
3271 			/* user input for center_freq is incorrect */
3272 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3273 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3274 				NL_SET_ERR_MSG_ATTR(extack,
3275 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3276 						    "bad center frequency 1");
3277 				return -EINVAL;
3278 			}
3279 			/* center_freq2 must be zero */
3280 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3281 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3282 				NL_SET_ERR_MSG_ATTR(extack,
3283 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3284 						    "center frequency 2 can't be used");
3285 				return -EINVAL;
3286 			}
3287 			break;
3288 		default:
3289 			NL_SET_ERR_MSG_ATTR(extack,
3290 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3291 					    "invalid channel type");
3292 			return -EINVAL;
3293 		}
3294 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3295 		chandef->width =
3296 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3297 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3298 			/* User input error for channel width doesn't match channel  */
3299 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3300 				NL_SET_ERR_MSG_ATTR(extack,
3301 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3302 						    "bad channel width");
3303 				return -EINVAL;
3304 			}
3305 		}
3306 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3307 			chandef->center_freq1 =
3308 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3309 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3310 				chandef->freq1_offset = nla_get_u32(
3311 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3312 			else
3313 				chandef->freq1_offset = 0;
3314 		}
3315 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3316 			chandef->center_freq2 =
3317 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3318 	}
3319 
3320 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3321 		chandef->edmg.channels =
3322 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3323 
3324 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3325 			chandef->edmg.bw_config =
3326 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3327 	} else {
3328 		chandef->edmg.bw_config = 0;
3329 		chandef->edmg.channels = 0;
3330 	}
3331 
3332 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3333 		chandef->punctured =
3334 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3335 
3336 		if (chandef->punctured &&
3337 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3338 					     NL80211_EXT_FEATURE_PUNCT)) {
3339 			NL_SET_ERR_MSG(extack,
3340 				       "driver doesn't support puncturing");
3341 			return -EINVAL;
3342 		}
3343 	}
3344 
3345 	if (!cfg80211_chandef_valid(chandef)) {
3346 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3347 		return -EINVAL;
3348 	}
3349 
3350 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3351 				      IEEE80211_CHAN_DISABLED,
3352 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3353 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3354 		return -EINVAL;
3355 	}
3356 
3357 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3358 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3359 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3360 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3361 		return -EINVAL;
3362 	}
3363 
3364 	return 0;
3365 }
3366 
3367 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3368 			  struct genl_info *info,
3369 			  struct cfg80211_chan_def *chandef)
3370 {
3371 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3372 }
3373 
3374 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3375 				 struct net_device *dev,
3376 				 struct genl_info *info,
3377 				 int _link_id)
3378 {
3379 	struct cfg80211_chan_def chandef;
3380 	int result;
3381 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3382 	struct wireless_dev *wdev = NULL;
3383 	int link_id = _link_id;
3384 
3385 	if (dev)
3386 		wdev = dev->ieee80211_ptr;
3387 	if (!nl80211_can_set_dev_channel(wdev))
3388 		return -EOPNOTSUPP;
3389 	if (wdev)
3390 		iftype = wdev->iftype;
3391 
3392 	if (link_id < 0) {
3393 		if (wdev && wdev->valid_links)
3394 			return -EINVAL;
3395 		link_id = 0;
3396 	}
3397 
3398 	result = _nl80211_parse_chandef(rdev, info,
3399 					iftype == NL80211_IFTYPE_MONITOR,
3400 					&chandef);
3401 	if (result)
3402 		return result;
3403 
3404 	switch (iftype) {
3405 	case NL80211_IFTYPE_AP:
3406 	case NL80211_IFTYPE_P2P_GO:
3407 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3408 						   iftype))
3409 			return -EINVAL;
3410 		if (wdev->links[link_id].ap.beacon_interval) {
3411 			struct ieee80211_channel *cur_chan;
3412 
3413 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3414 			    !(rdev->wiphy.features &
3415 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3416 				return -EBUSY;
3417 
3418 			/* Only allow dynamic channel width changes */
3419 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3420 			if (chandef.chan != cur_chan)
3421 				return -EBUSY;
3422 
3423 			/* only allow this for regular channel widths */
3424 			switch (wdev->links[link_id].ap.chandef.width) {
3425 			case NL80211_CHAN_WIDTH_20_NOHT:
3426 			case NL80211_CHAN_WIDTH_20:
3427 			case NL80211_CHAN_WIDTH_40:
3428 			case NL80211_CHAN_WIDTH_80:
3429 			case NL80211_CHAN_WIDTH_80P80:
3430 			case NL80211_CHAN_WIDTH_160:
3431 			case NL80211_CHAN_WIDTH_320:
3432 				break;
3433 			default:
3434 				return -EINVAL;
3435 			}
3436 
3437 			switch (chandef.width) {
3438 			case NL80211_CHAN_WIDTH_20_NOHT:
3439 			case NL80211_CHAN_WIDTH_20:
3440 			case NL80211_CHAN_WIDTH_40:
3441 			case NL80211_CHAN_WIDTH_80:
3442 			case NL80211_CHAN_WIDTH_80P80:
3443 			case NL80211_CHAN_WIDTH_160:
3444 			case NL80211_CHAN_WIDTH_320:
3445 				break;
3446 			default:
3447 				return -EINVAL;
3448 			}
3449 
3450 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3451 						       &chandef);
3452 			if (result)
3453 				return result;
3454 			wdev->links[link_id].ap.chandef = chandef;
3455 		} else {
3456 			wdev->u.ap.preset_chandef = chandef;
3457 		}
3458 		return 0;
3459 	case NL80211_IFTYPE_MESH_POINT:
3460 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3461 	case NL80211_IFTYPE_MONITOR:
3462 		return cfg80211_set_monitor_channel(rdev, &chandef);
3463 	default:
3464 		break;
3465 	}
3466 
3467 	return -EINVAL;
3468 }
3469 
3470 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3471 {
3472 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3473 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3474 	struct net_device *netdev = info->user_ptr[1];
3475 
3476 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3477 }
3478 
3479 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3480 {
3481 	struct cfg80211_registered_device *rdev = NULL;
3482 	struct net_device *netdev = NULL;
3483 	struct wireless_dev *wdev;
3484 	int result = 0, rem_txq_params = 0;
3485 	struct nlattr *nl_txq_params;
3486 	u32 changed;
3487 	u8 retry_short = 0, retry_long = 0;
3488 	u32 frag_threshold = 0, rts_threshold = 0;
3489 	u8 coverage_class = 0;
3490 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3491 
3492 	rtnl_lock();
3493 	/*
3494 	 * Try to find the wiphy and netdev. Normally this
3495 	 * function shouldn't need the netdev, but this is
3496 	 * done for backward compatibility -- previously
3497 	 * setting the channel was done per wiphy, but now
3498 	 * it is per netdev. Previous userland like hostapd
3499 	 * also passed a netdev to set_wiphy, so that it is
3500 	 * possible to let that go to the right netdev!
3501 	 */
3502 
3503 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3504 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3505 
3506 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3507 		if (netdev && netdev->ieee80211_ptr)
3508 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3509 		else
3510 			netdev = NULL;
3511 	}
3512 
3513 	if (!netdev) {
3514 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3515 						  info->attrs);
3516 		if (IS_ERR(rdev)) {
3517 			rtnl_unlock();
3518 			return PTR_ERR(rdev);
3519 		}
3520 		wdev = NULL;
3521 		netdev = NULL;
3522 		result = 0;
3523 	} else
3524 		wdev = netdev->ieee80211_ptr;
3525 
3526 	wiphy_lock(&rdev->wiphy);
3527 
3528 	/*
3529 	 * end workaround code, by now the rdev is available
3530 	 * and locked, and wdev may or may not be NULL.
3531 	 */
3532 
3533 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3534 		result = cfg80211_dev_rename(
3535 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3536 	rtnl_unlock();
3537 
3538 	if (result)
3539 		goto out;
3540 
3541 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3542 		struct ieee80211_txq_params txq_params;
3543 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3544 
3545 		if (!rdev->ops->set_txq_params) {
3546 			result = -EOPNOTSUPP;
3547 			goto out;
3548 		}
3549 
3550 		if (!netdev) {
3551 			result = -EINVAL;
3552 			goto out;
3553 		}
3554 
3555 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3556 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3557 			result = -EINVAL;
3558 			goto out;
3559 		}
3560 
3561 		if (!netif_running(netdev)) {
3562 			result = -ENETDOWN;
3563 			goto out;
3564 		}
3565 
3566 		nla_for_each_nested(nl_txq_params,
3567 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3568 				    rem_txq_params) {
3569 			result = nla_parse_nested_deprecated(tb,
3570 							     NL80211_TXQ_ATTR_MAX,
3571 							     nl_txq_params,
3572 							     txq_params_policy,
3573 							     info->extack);
3574 			if (result)
3575 				goto out;
3576 			result = parse_txq_params(tb, &txq_params);
3577 			if (result)
3578 				goto out;
3579 
3580 			txq_params.link_id =
3581 				nl80211_link_id_or_invalid(info->attrs);
3582 
3583 			if (txq_params.link_id >= 0 &&
3584 			    !(netdev->ieee80211_ptr->valid_links &
3585 			      BIT(txq_params.link_id)))
3586 				result = -ENOLINK;
3587 			else if (txq_params.link_id >= 0 &&
3588 				 !netdev->ieee80211_ptr->valid_links)
3589 				result = -EINVAL;
3590 			else
3591 				result = rdev_set_txq_params(rdev, netdev,
3592 							     &txq_params);
3593 			if (result)
3594 				goto out;
3595 		}
3596 	}
3597 
3598 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3599 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3600 
3601 		if (wdev) {
3602 			result = __nl80211_set_channel(
3603 				rdev,
3604 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3605 				info, link_id);
3606 		} else {
3607 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3608 		}
3609 
3610 		if (result)
3611 			goto out;
3612 	}
3613 
3614 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3615 		struct wireless_dev *txp_wdev = wdev;
3616 		enum nl80211_tx_power_setting type;
3617 		int idx, mbm = 0;
3618 
3619 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3620 			txp_wdev = NULL;
3621 
3622 		if (!rdev->ops->set_tx_power) {
3623 			result = -EOPNOTSUPP;
3624 			goto out;
3625 		}
3626 
3627 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3628 		type = nla_get_u32(info->attrs[idx]);
3629 
3630 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3631 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3632 			result = -EINVAL;
3633 			goto out;
3634 		}
3635 
3636 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3637 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3638 			mbm = nla_get_u32(info->attrs[idx]);
3639 		}
3640 
3641 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3642 		if (result)
3643 			goto out;
3644 	}
3645 
3646 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3647 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3648 		u32 tx_ant, rx_ant;
3649 
3650 		if ((!rdev->wiphy.available_antennas_tx &&
3651 		     !rdev->wiphy.available_antennas_rx) ||
3652 		    !rdev->ops->set_antenna) {
3653 			result = -EOPNOTSUPP;
3654 			goto out;
3655 		}
3656 
3657 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3658 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3659 
3660 		/* reject antenna configurations which don't match the
3661 		 * available antenna masks, except for the "all" mask */
3662 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3663 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3664 			result = -EINVAL;
3665 			goto out;
3666 		}
3667 
3668 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3669 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3670 
3671 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3672 		if (result)
3673 			goto out;
3674 	}
3675 
3676 	changed = 0;
3677 
3678 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3679 		retry_short = nla_get_u8(
3680 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3681 
3682 		changed |= WIPHY_PARAM_RETRY_SHORT;
3683 	}
3684 
3685 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3686 		retry_long = nla_get_u8(
3687 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3688 
3689 		changed |= WIPHY_PARAM_RETRY_LONG;
3690 	}
3691 
3692 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3693 		frag_threshold = nla_get_u32(
3694 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3695 		if (frag_threshold < 256) {
3696 			result = -EINVAL;
3697 			goto out;
3698 		}
3699 
3700 		if (frag_threshold != (u32) -1) {
3701 			/*
3702 			 * Fragments (apart from the last one) are required to
3703 			 * have even length. Make the fragmentation code
3704 			 * simpler by stripping LSB should someone try to use
3705 			 * odd threshold value.
3706 			 */
3707 			frag_threshold &= ~0x1;
3708 		}
3709 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3710 	}
3711 
3712 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3713 		rts_threshold = nla_get_u32(
3714 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3715 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3716 	}
3717 
3718 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3719 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3720 			result = -EINVAL;
3721 			goto out;
3722 		}
3723 
3724 		coverage_class = nla_get_u8(
3725 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3726 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3727 	}
3728 
3729 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3730 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3731 			result = -EOPNOTSUPP;
3732 			goto out;
3733 		}
3734 
3735 		changed |= WIPHY_PARAM_DYN_ACK;
3736 	}
3737 
3738 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3739 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3740 					     NL80211_EXT_FEATURE_TXQS)) {
3741 			result = -EOPNOTSUPP;
3742 			goto out;
3743 		}
3744 		txq_limit = nla_get_u32(
3745 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3746 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3747 	}
3748 
3749 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3750 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3751 					     NL80211_EXT_FEATURE_TXQS)) {
3752 			result = -EOPNOTSUPP;
3753 			goto out;
3754 		}
3755 		txq_memory_limit = nla_get_u32(
3756 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3757 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3758 	}
3759 
3760 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3761 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3762 					     NL80211_EXT_FEATURE_TXQS)) {
3763 			result = -EOPNOTSUPP;
3764 			goto out;
3765 		}
3766 		txq_quantum = nla_get_u32(
3767 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3768 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3769 	}
3770 
3771 	if (changed) {
3772 		u8 old_retry_short, old_retry_long;
3773 		u32 old_frag_threshold, old_rts_threshold;
3774 		u8 old_coverage_class;
3775 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3776 
3777 		if (!rdev->ops->set_wiphy_params) {
3778 			result = -EOPNOTSUPP;
3779 			goto out;
3780 		}
3781 
3782 		old_retry_short = rdev->wiphy.retry_short;
3783 		old_retry_long = rdev->wiphy.retry_long;
3784 		old_frag_threshold = rdev->wiphy.frag_threshold;
3785 		old_rts_threshold = rdev->wiphy.rts_threshold;
3786 		old_coverage_class = rdev->wiphy.coverage_class;
3787 		old_txq_limit = rdev->wiphy.txq_limit;
3788 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3789 		old_txq_quantum = rdev->wiphy.txq_quantum;
3790 
3791 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3792 			rdev->wiphy.retry_short = retry_short;
3793 		if (changed & WIPHY_PARAM_RETRY_LONG)
3794 			rdev->wiphy.retry_long = retry_long;
3795 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3796 			rdev->wiphy.frag_threshold = frag_threshold;
3797 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3798 			rdev->wiphy.rts_threshold = rts_threshold;
3799 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3800 			rdev->wiphy.coverage_class = coverage_class;
3801 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3802 			rdev->wiphy.txq_limit = txq_limit;
3803 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3804 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3805 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3806 			rdev->wiphy.txq_quantum = txq_quantum;
3807 
3808 		result = rdev_set_wiphy_params(rdev, changed);
3809 		if (result) {
3810 			rdev->wiphy.retry_short = old_retry_short;
3811 			rdev->wiphy.retry_long = old_retry_long;
3812 			rdev->wiphy.frag_threshold = old_frag_threshold;
3813 			rdev->wiphy.rts_threshold = old_rts_threshold;
3814 			rdev->wiphy.coverage_class = old_coverage_class;
3815 			rdev->wiphy.txq_limit = old_txq_limit;
3816 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3817 			rdev->wiphy.txq_quantum = old_txq_quantum;
3818 			goto out;
3819 		}
3820 	}
3821 
3822 	result = 0;
3823 
3824 out:
3825 	wiphy_unlock(&rdev->wiphy);
3826 	return result;
3827 }
3828 
3829 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3830 {
3831 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3832 		return -EINVAL;
3833 
3834 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3835 			chandef->chan->center_freq))
3836 		return -ENOBUFS;
3837 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3838 			chandef->chan->freq_offset))
3839 		return -ENOBUFS;
3840 	switch (chandef->width) {
3841 	case NL80211_CHAN_WIDTH_20_NOHT:
3842 	case NL80211_CHAN_WIDTH_20:
3843 	case NL80211_CHAN_WIDTH_40:
3844 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3845 				cfg80211_get_chandef_type(chandef)))
3846 			return -ENOBUFS;
3847 		break;
3848 	default:
3849 		break;
3850 	}
3851 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3852 		return -ENOBUFS;
3853 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3854 		return -ENOBUFS;
3855 	if (chandef->center_freq2 &&
3856 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3857 		return -ENOBUFS;
3858 	if (chandef->punctured &&
3859 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3860 		return -ENOBUFS;
3861 
3862 	return 0;
3863 }
3864 EXPORT_SYMBOL(nl80211_send_chandef);
3865 
3866 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3867 			      struct cfg80211_registered_device *rdev,
3868 			      struct wireless_dev *wdev,
3869 			      enum nl80211_commands cmd)
3870 {
3871 	struct net_device *dev = wdev->netdev;
3872 	void *hdr;
3873 
3874 	lockdep_assert_wiphy(&rdev->wiphy);
3875 
3876 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3877 		cmd != NL80211_CMD_DEL_INTERFACE &&
3878 		cmd != NL80211_CMD_SET_INTERFACE);
3879 
3880 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3881 	if (!hdr)
3882 		return -1;
3883 
3884 	if (dev &&
3885 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3886 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3887 		goto nla_put_failure;
3888 
3889 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3890 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3891 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3892 			      NL80211_ATTR_PAD) ||
3893 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3894 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3895 			rdev->devlist_generation ^
3896 			(cfg80211_rdev_list_generation << 2)) ||
3897 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3898 		goto nla_put_failure;
3899 
3900 	if (rdev->ops->get_channel && !wdev->valid_links) {
3901 		struct cfg80211_chan_def chandef = {};
3902 		int ret;
3903 
3904 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3905 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3906 			goto nla_put_failure;
3907 	}
3908 
3909 	if (rdev->ops->get_tx_power) {
3910 		int dbm, ret;
3911 
3912 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3913 		if (ret == 0 &&
3914 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3915 				DBM_TO_MBM(dbm)))
3916 			goto nla_put_failure;
3917 	}
3918 
3919 	switch (wdev->iftype) {
3920 	case NL80211_IFTYPE_AP:
3921 	case NL80211_IFTYPE_P2P_GO:
3922 		if (wdev->u.ap.ssid_len &&
3923 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3924 			    wdev->u.ap.ssid))
3925 			goto nla_put_failure;
3926 		break;
3927 	case NL80211_IFTYPE_STATION:
3928 	case NL80211_IFTYPE_P2P_CLIENT:
3929 		if (wdev->u.client.ssid_len &&
3930 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3931 			    wdev->u.client.ssid))
3932 			goto nla_put_failure;
3933 		break;
3934 	case NL80211_IFTYPE_ADHOC:
3935 		if (wdev->u.ibss.ssid_len &&
3936 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3937 			    wdev->u.ibss.ssid))
3938 			goto nla_put_failure;
3939 		break;
3940 	default:
3941 		/* nothing */
3942 		break;
3943 	}
3944 
3945 	if (rdev->ops->get_txq_stats) {
3946 		struct cfg80211_txq_stats txqstats = {};
3947 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3948 
3949 		if (ret == 0 &&
3950 		    !nl80211_put_txq_stats(msg, &txqstats,
3951 					   NL80211_ATTR_TXQ_STATS))
3952 			goto nla_put_failure;
3953 	}
3954 
3955 	if (wdev->valid_links) {
3956 		unsigned int link_id;
3957 		struct nlattr *links = nla_nest_start(msg,
3958 						      NL80211_ATTR_MLO_LINKS);
3959 
3960 		if (!links)
3961 			goto nla_put_failure;
3962 
3963 		for_each_valid_link(wdev, link_id) {
3964 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3965 			struct cfg80211_chan_def chandef = {};
3966 			int ret;
3967 
3968 			if (!link)
3969 				goto nla_put_failure;
3970 
3971 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3972 				goto nla_put_failure;
3973 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3974 				    wdev->links[link_id].addr))
3975 				goto nla_put_failure;
3976 
3977 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3978 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3979 				goto nla_put_failure;
3980 
3981 			nla_nest_end(msg, link);
3982 		}
3983 
3984 		nla_nest_end(msg, links);
3985 	}
3986 
3987 	genlmsg_end(msg, hdr);
3988 	return 0;
3989 
3990  nla_put_failure:
3991 	genlmsg_cancel(msg, hdr);
3992 	return -EMSGSIZE;
3993 }
3994 
3995 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3996 {
3997 	int wp_idx = 0;
3998 	int if_idx = 0;
3999 	int wp_start = cb->args[0];
4000 	int if_start = cb->args[1];
4001 	int filter_wiphy = -1;
4002 	struct cfg80211_registered_device *rdev;
4003 	struct wireless_dev *wdev;
4004 	int ret;
4005 
4006 	rtnl_lock();
4007 	if (!cb->args[2]) {
4008 		struct nl80211_dump_wiphy_state state = {
4009 			.filter_wiphy = -1,
4010 		};
4011 
4012 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4013 		if (ret)
4014 			goto out_unlock;
4015 
4016 		filter_wiphy = state.filter_wiphy;
4017 
4018 		/*
4019 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4020 		 * value needed to determine that parsing is necessary.
4021 		 */
4022 		if (filter_wiphy >= 0)
4023 			cb->args[2] = filter_wiphy + 1;
4024 		else
4025 			cb->args[2] = -1;
4026 	} else if (cb->args[2] > 0) {
4027 		filter_wiphy = cb->args[2] - 1;
4028 	}
4029 
4030 	for_each_rdev(rdev) {
4031 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4032 			continue;
4033 		if (wp_idx < wp_start) {
4034 			wp_idx++;
4035 			continue;
4036 		}
4037 
4038 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4039 			continue;
4040 
4041 		if_idx = 0;
4042 
4043 		wiphy_lock(&rdev->wiphy);
4044 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4045 			if (if_idx < if_start) {
4046 				if_idx++;
4047 				continue;
4048 			}
4049 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4050 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4051 					       rdev, wdev,
4052 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4053 				wiphy_unlock(&rdev->wiphy);
4054 				goto out;
4055 			}
4056 			if_idx++;
4057 		}
4058 		wiphy_unlock(&rdev->wiphy);
4059 
4060 		if_start = 0;
4061 		wp_idx++;
4062 	}
4063  out:
4064 	cb->args[0] = wp_idx;
4065 	cb->args[1] = if_idx;
4066 
4067 	ret = skb->len;
4068  out_unlock:
4069 	rtnl_unlock();
4070 
4071 	return ret;
4072 }
4073 
4074 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4075 {
4076 	struct sk_buff *msg;
4077 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4078 	struct wireless_dev *wdev = info->user_ptr[1];
4079 
4080 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4081 	if (!msg)
4082 		return -ENOMEM;
4083 
4084 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4085 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4086 		nlmsg_free(msg);
4087 		return -ENOBUFS;
4088 	}
4089 
4090 	return genlmsg_reply(msg, info);
4091 }
4092 
4093 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4094 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4095 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4096 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4097 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4098 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4099 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4100 };
4101 
4102 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4103 {
4104 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4105 	int flag;
4106 
4107 	*mntrflags = 0;
4108 
4109 	if (!nla)
4110 		return -EINVAL;
4111 
4112 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4113 		return -EINVAL;
4114 
4115 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4116 		if (flags[flag])
4117 			*mntrflags |= (1<<flag);
4118 
4119 	*mntrflags |= MONITOR_FLAG_CHANGED;
4120 
4121 	return 0;
4122 }
4123 
4124 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4125 				     enum nl80211_iftype type,
4126 				     struct genl_info *info,
4127 				     struct vif_params *params)
4128 {
4129 	bool change = false;
4130 	int err;
4131 
4132 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4133 		if (type != NL80211_IFTYPE_MONITOR)
4134 			return -EINVAL;
4135 
4136 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4137 					  &params->flags);
4138 		if (err)
4139 			return err;
4140 
4141 		change = true;
4142 	}
4143 
4144 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4145 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4146 		return -EOPNOTSUPP;
4147 
4148 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4149 		const u8 *mumimo_groups;
4150 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4151 
4152 		if (type != NL80211_IFTYPE_MONITOR)
4153 			return -EINVAL;
4154 
4155 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4156 			return -EOPNOTSUPP;
4157 
4158 		mumimo_groups =
4159 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4160 
4161 		/* bits 0 and 63 are reserved and must be zero */
4162 		if ((mumimo_groups[0] & BIT(0)) ||
4163 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4164 			return -EINVAL;
4165 
4166 		params->vht_mumimo_groups = mumimo_groups;
4167 		change = true;
4168 	}
4169 
4170 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4171 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4172 
4173 		if (type != NL80211_IFTYPE_MONITOR)
4174 			return -EINVAL;
4175 
4176 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4177 			return -EOPNOTSUPP;
4178 
4179 		params->vht_mumimo_follow_addr =
4180 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4181 		change = true;
4182 	}
4183 
4184 	return change ? 1 : 0;
4185 }
4186 
4187 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4188 			       struct net_device *netdev, u8 use_4addr,
4189 			       enum nl80211_iftype iftype)
4190 {
4191 	if (!use_4addr) {
4192 		if (netdev && netif_is_bridge_port(netdev))
4193 			return -EBUSY;
4194 		return 0;
4195 	}
4196 
4197 	switch (iftype) {
4198 	case NL80211_IFTYPE_AP_VLAN:
4199 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4200 			return 0;
4201 		break;
4202 	case NL80211_IFTYPE_STATION:
4203 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4204 			return 0;
4205 		break;
4206 	default:
4207 		break;
4208 	}
4209 
4210 	return -EOPNOTSUPP;
4211 }
4212 
4213 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4214 {
4215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4216 	struct vif_params params;
4217 	int err;
4218 	enum nl80211_iftype otype, ntype;
4219 	struct net_device *dev = info->user_ptr[1];
4220 	bool change = false;
4221 
4222 	memset(&params, 0, sizeof(params));
4223 
4224 	otype = ntype = dev->ieee80211_ptr->iftype;
4225 
4226 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4227 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4228 		if (otype != ntype)
4229 			change = true;
4230 	}
4231 
4232 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4233 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4234 
4235 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4236 			return -EINVAL;
4237 		if (otype != NL80211_IFTYPE_MESH_POINT)
4238 			return -EINVAL;
4239 		if (netif_running(dev))
4240 			return -EBUSY;
4241 
4242 		wdev->u.mesh.id_up_len =
4243 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4244 		memcpy(wdev->u.mesh.id,
4245 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4246 		       wdev->u.mesh.id_up_len);
4247 	}
4248 
4249 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4250 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4251 		change = true;
4252 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4253 		if (err)
4254 			return err;
4255 	} else {
4256 		params.use_4addr = -1;
4257 	}
4258 
4259 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4260 	if (err < 0)
4261 		return err;
4262 	if (err > 0)
4263 		change = true;
4264 
4265 	if (change)
4266 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4267 	else
4268 		err = 0;
4269 
4270 	if (!err && params.use_4addr != -1)
4271 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4272 
4273 	if (change && !err) {
4274 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4275 
4276 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4277 	}
4278 
4279 	return err;
4280 }
4281 
4282 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4283 {
4284 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4285 	struct vif_params params;
4286 	struct wireless_dev *wdev;
4287 	struct sk_buff *msg;
4288 	int err;
4289 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4290 
4291 	memset(&params, 0, sizeof(params));
4292 
4293 	if (!info->attrs[NL80211_ATTR_IFNAME])
4294 		return -EINVAL;
4295 
4296 	if (info->attrs[NL80211_ATTR_IFTYPE])
4297 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4298 
4299 	if (!rdev->ops->add_virtual_intf)
4300 		return -EOPNOTSUPP;
4301 
4302 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4303 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4304 	    info->attrs[NL80211_ATTR_MAC]) {
4305 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4306 			   ETH_ALEN);
4307 		if (!is_valid_ether_addr(params.macaddr))
4308 			return -EADDRNOTAVAIL;
4309 	}
4310 
4311 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4312 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4313 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4314 		if (err)
4315 			return err;
4316 	}
4317 
4318 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4319 		return -EOPNOTSUPP;
4320 
4321 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4322 	if (err < 0)
4323 		return err;
4324 
4325 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4326 	if (!msg)
4327 		return -ENOMEM;
4328 
4329 	wdev = rdev_add_virtual_intf(rdev,
4330 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4331 				NET_NAME_USER, type, &params);
4332 	if (WARN_ON(!wdev)) {
4333 		nlmsg_free(msg);
4334 		return -EPROTO;
4335 	} else if (IS_ERR(wdev)) {
4336 		nlmsg_free(msg);
4337 		return PTR_ERR(wdev);
4338 	}
4339 
4340 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4341 		wdev->owner_nlportid = info->snd_portid;
4342 
4343 	switch (type) {
4344 	case NL80211_IFTYPE_MESH_POINT:
4345 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4346 			break;
4347 		wdev->u.mesh.id_up_len =
4348 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4349 		memcpy(wdev->u.mesh.id,
4350 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4351 		       wdev->u.mesh.id_up_len);
4352 		break;
4353 	case NL80211_IFTYPE_NAN:
4354 	case NL80211_IFTYPE_P2P_DEVICE:
4355 		/*
4356 		 * P2P Device and NAN do not have a netdev, so don't go
4357 		 * through the netdev notifier and must be added here
4358 		 */
4359 		cfg80211_init_wdev(wdev);
4360 		cfg80211_register_wdev(rdev, wdev);
4361 		break;
4362 	default:
4363 		break;
4364 	}
4365 
4366 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4367 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4368 		nlmsg_free(msg);
4369 		return -ENOBUFS;
4370 	}
4371 
4372 	return genlmsg_reply(msg, info);
4373 }
4374 
4375 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4376 {
4377 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4378 	int ret;
4379 
4380 	/* to avoid failing a new interface creation due to pending removal */
4381 	cfg80211_destroy_ifaces(rdev);
4382 
4383 	wiphy_lock(&rdev->wiphy);
4384 	ret = _nl80211_new_interface(skb, info);
4385 	wiphy_unlock(&rdev->wiphy);
4386 
4387 	return ret;
4388 }
4389 
4390 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4391 {
4392 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4393 	struct wireless_dev *wdev = info->user_ptr[1];
4394 
4395 	if (!rdev->ops->del_virtual_intf)
4396 		return -EOPNOTSUPP;
4397 
4398 	/*
4399 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4400 	 * reach 0, and thus the rdev cannot be deleted.
4401 	 *
4402 	 * We need to do it for the dev_close(), since that will call
4403 	 * the netdev notifiers, and we need to acquire the mutex there
4404 	 * but don't know if we get there from here or from some other
4405 	 * place (e.g. "ip link set ... down").
4406 	 */
4407 	mutex_unlock(&rdev->wiphy.mtx);
4408 
4409 	/*
4410 	 * If we remove a wireless device without a netdev then clear
4411 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4412 	 * to check if it needs to do dev_put(). Otherwise it crashes
4413 	 * since the wdev has been freed, unlike with a netdev where
4414 	 * we need the dev_put() for the netdev to really be freed.
4415 	 */
4416 	if (!wdev->netdev)
4417 		info->user_ptr[1] = NULL;
4418 	else
4419 		dev_close(wdev->netdev);
4420 
4421 	mutex_lock(&rdev->wiphy.mtx);
4422 
4423 	return cfg80211_remove_virtual_intf(rdev, wdev);
4424 }
4425 
4426 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4427 {
4428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4429 	struct net_device *dev = info->user_ptr[1];
4430 	u16 noack_map;
4431 
4432 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4433 		return -EINVAL;
4434 
4435 	if (!rdev->ops->set_noack_map)
4436 		return -EOPNOTSUPP;
4437 
4438 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4439 
4440 	return rdev_set_noack_map(rdev, dev, noack_map);
4441 }
4442 
4443 static int nl80211_validate_key_link_id(struct genl_info *info,
4444 					struct wireless_dev *wdev,
4445 					int link_id, bool pairwise)
4446 {
4447 	if (pairwise) {
4448 		if (link_id != -1) {
4449 			GENL_SET_ERR_MSG(info,
4450 					 "link ID not allowed for pairwise key");
4451 			return -EINVAL;
4452 		}
4453 
4454 		return 0;
4455 	}
4456 
4457 	if (wdev->valid_links) {
4458 		if (link_id == -1) {
4459 			GENL_SET_ERR_MSG(info,
4460 					 "link ID must for MLO group key");
4461 			return -EINVAL;
4462 		}
4463 		if (!(wdev->valid_links & BIT(link_id))) {
4464 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4465 			return -EINVAL;
4466 		}
4467 	} else if (link_id != -1) {
4468 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4469 		return -EINVAL;
4470 	}
4471 
4472 	return 0;
4473 }
4474 
4475 struct get_key_cookie {
4476 	struct sk_buff *msg;
4477 	int error;
4478 	int idx;
4479 };
4480 
4481 static void get_key_callback(void *c, struct key_params *params)
4482 {
4483 	struct nlattr *key;
4484 	struct get_key_cookie *cookie = c;
4485 
4486 	if ((params->key &&
4487 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4488 		     params->key_len, params->key)) ||
4489 	    (params->seq &&
4490 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4491 		     params->seq_len, params->seq)) ||
4492 	    (params->cipher &&
4493 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4494 			 params->cipher)))
4495 		goto nla_put_failure;
4496 
4497 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4498 	if (!key)
4499 		goto nla_put_failure;
4500 
4501 	if ((params->key &&
4502 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4503 		     params->key_len, params->key)) ||
4504 	    (params->seq &&
4505 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4506 		     params->seq_len, params->seq)) ||
4507 	    (params->cipher &&
4508 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4509 			 params->cipher)))
4510 		goto nla_put_failure;
4511 
4512 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4513 		goto nla_put_failure;
4514 
4515 	nla_nest_end(cookie->msg, key);
4516 
4517 	return;
4518  nla_put_failure:
4519 	cookie->error = 1;
4520 }
4521 
4522 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4523 {
4524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4525 	int err;
4526 	struct net_device *dev = info->user_ptr[1];
4527 	u8 key_idx = 0;
4528 	const u8 *mac_addr = NULL;
4529 	bool pairwise;
4530 	struct get_key_cookie cookie = {
4531 		.error = 0,
4532 	};
4533 	void *hdr;
4534 	struct sk_buff *msg;
4535 	bool bigtk_support = false;
4536 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4537 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4538 
4539 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4540 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4541 		bigtk_support = true;
4542 
4543 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4544 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4545 	    wiphy_ext_feature_isset(&rdev->wiphy,
4546 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4547 		bigtk_support = true;
4548 
4549 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4550 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4551 
4552 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4553 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4554 			return -EINVAL;
4555 		}
4556 	}
4557 
4558 	if (info->attrs[NL80211_ATTR_MAC])
4559 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4560 
4561 	pairwise = !!mac_addr;
4562 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4563 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4564 
4565 		if (kt != NL80211_KEYTYPE_GROUP &&
4566 		    kt != NL80211_KEYTYPE_PAIRWISE)
4567 			return -EINVAL;
4568 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4569 	}
4570 
4571 	if (!rdev->ops->get_key)
4572 		return -EOPNOTSUPP;
4573 
4574 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4575 		return -ENOENT;
4576 
4577 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4578 	if (!msg)
4579 		return -ENOMEM;
4580 
4581 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4582 			     NL80211_CMD_NEW_KEY);
4583 	if (!hdr)
4584 		goto nla_put_failure;
4585 
4586 	cookie.msg = msg;
4587 	cookie.idx = key_idx;
4588 
4589 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4590 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4591 		goto nla_put_failure;
4592 	if (mac_addr &&
4593 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4594 		goto nla_put_failure;
4595 
4596 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4597 	if (err)
4598 		goto free_msg;
4599 
4600 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4601 			   &cookie, get_key_callback);
4602 
4603 	if (err)
4604 		goto free_msg;
4605 
4606 	if (cookie.error)
4607 		goto nla_put_failure;
4608 
4609 	genlmsg_end(msg, hdr);
4610 	return genlmsg_reply(msg, info);
4611 
4612  nla_put_failure:
4613 	err = -ENOBUFS;
4614  free_msg:
4615 	nlmsg_free(msg);
4616 	return err;
4617 }
4618 
4619 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4620 {
4621 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4622 	struct key_parse key;
4623 	int err;
4624 	struct net_device *dev = info->user_ptr[1];
4625 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4626 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4627 
4628 	err = nl80211_parse_key(info, &key);
4629 	if (err)
4630 		return err;
4631 
4632 	if (key.idx < 0)
4633 		return -EINVAL;
4634 
4635 	/* Only support setting default key and
4636 	 * Extended Key ID action NL80211_KEY_SET_TX.
4637 	 */
4638 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4639 	    !(key.p.mode == NL80211_KEY_SET_TX))
4640 		return -EINVAL;
4641 
4642 	if (key.def) {
4643 		if (!rdev->ops->set_default_key)
4644 			return -EOPNOTSUPP;
4645 
4646 		err = nl80211_key_allowed(wdev);
4647 		if (err)
4648 			return err;
4649 
4650 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4651 		if (err)
4652 			return err;
4653 
4654 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4655 					   key.def_uni, key.def_multi);
4656 
4657 		if (err)
4658 			return err;
4659 
4660 #ifdef CONFIG_CFG80211_WEXT
4661 		wdev->wext.default_key = key.idx;
4662 #endif
4663 		return 0;
4664 	} else if (key.defmgmt) {
4665 		if (key.def_uni || !key.def_multi)
4666 			return -EINVAL;
4667 
4668 		if (!rdev->ops->set_default_mgmt_key)
4669 			return -EOPNOTSUPP;
4670 
4671 		err = nl80211_key_allowed(wdev);
4672 		if (err)
4673 			return err;
4674 
4675 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4676 		if (err)
4677 			return err;
4678 
4679 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4680 		if (err)
4681 			return err;
4682 
4683 #ifdef CONFIG_CFG80211_WEXT
4684 		wdev->wext.default_mgmt_key = key.idx;
4685 #endif
4686 		return 0;
4687 	} else if (key.defbeacon) {
4688 		if (key.def_uni || !key.def_multi)
4689 			return -EINVAL;
4690 
4691 		if (!rdev->ops->set_default_beacon_key)
4692 			return -EOPNOTSUPP;
4693 
4694 		err = nl80211_key_allowed(wdev);
4695 		if (err)
4696 			return err;
4697 
4698 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4699 		if (err)
4700 			return err;
4701 
4702 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4703 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4704 		   wiphy_ext_feature_isset(&rdev->wiphy,
4705 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4706 		u8 *mac_addr = NULL;
4707 
4708 		if (info->attrs[NL80211_ATTR_MAC])
4709 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4710 
4711 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4712 			return -EINVAL;
4713 
4714 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4715 		if (err)
4716 			return err;
4717 
4718 		return rdev_add_key(rdev, dev, link_id, key.idx,
4719 				    NL80211_KEYTYPE_PAIRWISE,
4720 				    mac_addr, &key.p);
4721 	}
4722 
4723 	return -EINVAL;
4724 }
4725 
4726 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4727 {
4728 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4729 	int err;
4730 	struct net_device *dev = info->user_ptr[1];
4731 	struct key_parse key;
4732 	const u8 *mac_addr = NULL;
4733 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4734 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4735 
4736 	err = nl80211_parse_key(info, &key);
4737 	if (err)
4738 		return err;
4739 
4740 	if (!key.p.key) {
4741 		GENL_SET_ERR_MSG(info, "no key");
4742 		return -EINVAL;
4743 	}
4744 
4745 	if (info->attrs[NL80211_ATTR_MAC])
4746 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4747 
4748 	if (key.type == -1) {
4749 		if (mac_addr)
4750 			key.type = NL80211_KEYTYPE_PAIRWISE;
4751 		else
4752 			key.type = NL80211_KEYTYPE_GROUP;
4753 	}
4754 
4755 	/* for now */
4756 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4757 	    key.type != NL80211_KEYTYPE_GROUP) {
4758 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4759 		return -EINVAL;
4760 	}
4761 
4762 	if (key.type == NL80211_KEYTYPE_GROUP &&
4763 	    info->attrs[NL80211_ATTR_VLAN_ID])
4764 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4765 
4766 	if (!rdev->ops->add_key)
4767 		return -EOPNOTSUPP;
4768 
4769 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4770 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4771 					   mac_addr)) {
4772 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4773 		return -EINVAL;
4774 	}
4775 
4776 	err = nl80211_key_allowed(wdev);
4777 	if (err)
4778 		GENL_SET_ERR_MSG(info, "key not allowed");
4779 
4780 	if (!err)
4781 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4782 				key.type == NL80211_KEYTYPE_PAIRWISE);
4783 
4784 	if (!err) {
4785 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4786 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4787 				    mac_addr, &key.p);
4788 		if (err)
4789 			GENL_SET_ERR_MSG(info, "key addition failed");
4790 	}
4791 
4792 	return err;
4793 }
4794 
4795 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4796 {
4797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4798 	int err;
4799 	struct net_device *dev = info->user_ptr[1];
4800 	u8 *mac_addr = NULL;
4801 	struct key_parse key;
4802 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4803 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4804 
4805 	err = nl80211_parse_key(info, &key);
4806 	if (err)
4807 		return err;
4808 
4809 	if (info->attrs[NL80211_ATTR_MAC])
4810 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4811 
4812 	if (key.type == -1) {
4813 		if (mac_addr)
4814 			key.type = NL80211_KEYTYPE_PAIRWISE;
4815 		else
4816 			key.type = NL80211_KEYTYPE_GROUP;
4817 	}
4818 
4819 	/* for now */
4820 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4821 	    key.type != NL80211_KEYTYPE_GROUP)
4822 		return -EINVAL;
4823 
4824 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4825 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4826 		return -EINVAL;
4827 
4828 	if (!rdev->ops->del_key)
4829 		return -EOPNOTSUPP;
4830 
4831 	err = nl80211_key_allowed(wdev);
4832 
4833 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4834 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4835 		err = -ENOENT;
4836 
4837 	if (!err)
4838 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4839 				key.type == NL80211_KEYTYPE_PAIRWISE);
4840 
4841 	if (!err)
4842 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4843 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4844 				   mac_addr);
4845 
4846 #ifdef CONFIG_CFG80211_WEXT
4847 	if (!err) {
4848 		if (key.idx == wdev->wext.default_key)
4849 			wdev->wext.default_key = -1;
4850 		else if (key.idx == wdev->wext.default_mgmt_key)
4851 			wdev->wext.default_mgmt_key = -1;
4852 	}
4853 #endif
4854 
4855 	return err;
4856 }
4857 
4858 /* This function returns an error or the number of nested attributes */
4859 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4860 {
4861 	struct nlattr *attr;
4862 	int n_entries = 0, tmp;
4863 
4864 	nla_for_each_nested(attr, nl_attr, tmp) {
4865 		if (nla_len(attr) != ETH_ALEN)
4866 			return -EINVAL;
4867 
4868 		n_entries++;
4869 	}
4870 
4871 	return n_entries;
4872 }
4873 
4874 /*
4875  * This function parses ACL information and allocates memory for ACL data.
4876  * On successful return, the calling function is responsible to free the
4877  * ACL buffer returned by this function.
4878  */
4879 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4880 						struct genl_info *info)
4881 {
4882 	enum nl80211_acl_policy acl_policy;
4883 	struct nlattr *attr;
4884 	struct cfg80211_acl_data *acl;
4885 	int i = 0, n_entries, tmp;
4886 
4887 	if (!wiphy->max_acl_mac_addrs)
4888 		return ERR_PTR(-EOPNOTSUPP);
4889 
4890 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4891 		return ERR_PTR(-EINVAL);
4892 
4893 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4894 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4895 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4896 		return ERR_PTR(-EINVAL);
4897 
4898 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4899 		return ERR_PTR(-EINVAL);
4900 
4901 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4902 	if (n_entries < 0)
4903 		return ERR_PTR(n_entries);
4904 
4905 	if (n_entries > wiphy->max_acl_mac_addrs)
4906 		return ERR_PTR(-EOPNOTSUPP);
4907 
4908 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4909 	if (!acl)
4910 		return ERR_PTR(-ENOMEM);
4911 	acl->n_acl_entries = n_entries;
4912 
4913 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4914 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4915 		i++;
4916 	}
4917 	acl->acl_policy = acl_policy;
4918 
4919 	return acl;
4920 }
4921 
4922 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4923 {
4924 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4925 	struct net_device *dev = info->user_ptr[1];
4926 	struct cfg80211_acl_data *acl;
4927 	int err;
4928 
4929 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4930 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4931 		return -EOPNOTSUPP;
4932 
4933 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4934 		return -EINVAL;
4935 
4936 	acl = parse_acl_data(&rdev->wiphy, info);
4937 	if (IS_ERR(acl))
4938 		return PTR_ERR(acl);
4939 
4940 	err = rdev_set_mac_acl(rdev, dev, acl);
4941 
4942 	kfree(acl);
4943 
4944 	return err;
4945 }
4946 
4947 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4948 			   u8 *rates, u8 rates_len)
4949 {
4950 	u8 i;
4951 	u32 mask = 0;
4952 
4953 	for (i = 0; i < rates_len; i++) {
4954 		int rate = (rates[i] & 0x7f) * 5;
4955 		int ridx;
4956 
4957 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4958 			struct ieee80211_rate *srate =
4959 				&sband->bitrates[ridx];
4960 			if (rate == srate->bitrate) {
4961 				mask |= 1 << ridx;
4962 				break;
4963 			}
4964 		}
4965 		if (ridx == sband->n_bitrates)
4966 			return 0; /* rate not found */
4967 	}
4968 
4969 	return mask;
4970 }
4971 
4972 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4973 			       u8 *rates, u8 rates_len,
4974 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4975 {
4976 	u8 i;
4977 
4978 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4979 
4980 	for (i = 0; i < rates_len; i++) {
4981 		int ridx, rbit;
4982 
4983 		ridx = rates[i] / 8;
4984 		rbit = BIT(rates[i] % 8);
4985 
4986 		/* check validity */
4987 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4988 			return false;
4989 
4990 		/* check availability */
4991 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4992 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4993 			mcs[ridx] |= rbit;
4994 		else
4995 			return false;
4996 	}
4997 
4998 	return true;
4999 }
5000 
5001 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5002 {
5003 	u16 mcs_mask = 0;
5004 
5005 	switch (vht_mcs_map) {
5006 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5007 		break;
5008 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5009 		mcs_mask = 0x00FF;
5010 		break;
5011 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5012 		mcs_mask = 0x01FF;
5013 		break;
5014 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5015 		mcs_mask = 0x03FF;
5016 		break;
5017 	default:
5018 		break;
5019 	}
5020 
5021 	return mcs_mask;
5022 }
5023 
5024 static void vht_build_mcs_mask(u16 vht_mcs_map,
5025 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5026 {
5027 	u8 nss;
5028 
5029 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5030 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5031 		vht_mcs_map >>= 2;
5032 	}
5033 }
5034 
5035 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5036 			     struct nl80211_txrate_vht *txrate,
5037 			     u16 mcs[NL80211_VHT_NSS_MAX])
5038 {
5039 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5040 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5041 	u8 i;
5042 
5043 	if (!sband->vht_cap.vht_supported)
5044 		return false;
5045 
5046 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5047 
5048 	/* Build vht_mcs_mask from VHT capabilities */
5049 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5050 
5051 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5052 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5053 			mcs[i] = txrate->mcs[i];
5054 		else
5055 			return false;
5056 	}
5057 
5058 	return true;
5059 }
5060 
5061 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5062 {
5063 	switch (he_mcs_map) {
5064 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5065 		return 0;
5066 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5067 		return 0x00FF;
5068 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5069 		return 0x03FF;
5070 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5071 		return 0xFFF;
5072 	default:
5073 		break;
5074 	}
5075 	return 0;
5076 }
5077 
5078 static void he_build_mcs_mask(u16 he_mcs_map,
5079 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5080 {
5081 	u8 nss;
5082 
5083 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5084 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5085 		he_mcs_map >>= 2;
5086 	}
5087 }
5088 
5089 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5090 			   const struct ieee80211_sta_he_cap *he_cap)
5091 {
5092 	struct net_device *dev = info->user_ptr[1];
5093 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5094 	struct cfg80211_chan_def *chandef;
5095 	__le16 tx_mcs;
5096 
5097 	chandef = wdev_chandef(wdev, link_id);
5098 	if (!chandef) {
5099 		/*
5100 		 * This is probably broken, but we never maintained
5101 		 * a chandef in these cases, so it always was.
5102 		 */
5103 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5104 	}
5105 
5106 	switch (chandef->width) {
5107 	case NL80211_CHAN_WIDTH_80P80:
5108 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5109 		break;
5110 	case NL80211_CHAN_WIDTH_160:
5111 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5112 		break;
5113 	default:
5114 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5115 		break;
5116 	}
5117 
5118 	return le16_to_cpu(tx_mcs);
5119 }
5120 
5121 static bool he_set_mcs_mask(struct genl_info *info,
5122 			    struct wireless_dev *wdev,
5123 			    struct ieee80211_supported_band *sband,
5124 			    struct nl80211_txrate_he *txrate,
5125 			    u16 mcs[NL80211_HE_NSS_MAX],
5126 			    unsigned int link_id)
5127 {
5128 	const struct ieee80211_sta_he_cap *he_cap;
5129 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5130 	u16 tx_mcs_map = 0;
5131 	u8 i;
5132 
5133 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5134 	if (!he_cap)
5135 		return false;
5136 
5137 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5138 
5139 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5140 
5141 	/* Build he_mcs_mask from HE capabilities */
5142 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5143 
5144 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5145 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5146 			mcs[i] = txrate->mcs[i];
5147 		else
5148 			return false;
5149 	}
5150 
5151 	return true;
5152 }
5153 
5154 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5155 					 struct nlattr *attrs[],
5156 					 enum nl80211_attrs attr,
5157 					 struct cfg80211_bitrate_mask *mask,
5158 					 struct net_device *dev,
5159 					 bool default_all_enabled,
5160 					 unsigned int link_id)
5161 {
5162 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5163 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5164 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5165 	int rem, i;
5166 	struct nlattr *tx_rates;
5167 	struct ieee80211_supported_band *sband;
5168 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5169 
5170 	memset(mask, 0, sizeof(*mask));
5171 	/* Default to all rates enabled */
5172 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5173 		const struct ieee80211_sta_he_cap *he_cap;
5174 
5175 		if (!default_all_enabled)
5176 			break;
5177 
5178 		sband = rdev->wiphy.bands[i];
5179 
5180 		if (!sband)
5181 			continue;
5182 
5183 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5184 		memcpy(mask->control[i].ht_mcs,
5185 		       sband->ht_cap.mcs.rx_mask,
5186 		       sizeof(mask->control[i].ht_mcs));
5187 
5188 		if (sband->vht_cap.vht_supported) {
5189 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5190 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5191 		}
5192 
5193 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5194 		if (!he_cap)
5195 			continue;
5196 
5197 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5198 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5199 
5200 		mask->control[i].he_gi = 0xFF;
5201 		mask->control[i].he_ltf = 0xFF;
5202 	}
5203 
5204 	/* if no rates are given set it back to the defaults */
5205 	if (!attrs[attr])
5206 		goto out;
5207 
5208 	/* The nested attribute uses enum nl80211_band as the index. This maps
5209 	 * directly to the enum nl80211_band values used in cfg80211.
5210 	 */
5211 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5212 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5213 		enum nl80211_band band = nla_type(tx_rates);
5214 		int err;
5215 
5216 		if (band < 0 || band >= NUM_NL80211_BANDS)
5217 			return -EINVAL;
5218 		sband = rdev->wiphy.bands[band];
5219 		if (sband == NULL)
5220 			return -EINVAL;
5221 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5222 						  tx_rates,
5223 						  nl80211_txattr_policy,
5224 						  info->extack);
5225 		if (err)
5226 			return err;
5227 		if (tb[NL80211_TXRATE_LEGACY]) {
5228 			mask->control[band].legacy = rateset_to_mask(
5229 				sband,
5230 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5231 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5232 			if ((mask->control[band].legacy == 0) &&
5233 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5234 				return -EINVAL;
5235 		}
5236 		if (tb[NL80211_TXRATE_HT]) {
5237 			if (!ht_rateset_to_mask(
5238 					sband,
5239 					nla_data(tb[NL80211_TXRATE_HT]),
5240 					nla_len(tb[NL80211_TXRATE_HT]),
5241 					mask->control[band].ht_mcs))
5242 				return -EINVAL;
5243 		}
5244 
5245 		if (tb[NL80211_TXRATE_VHT]) {
5246 			if (!vht_set_mcs_mask(
5247 					sband,
5248 					nla_data(tb[NL80211_TXRATE_VHT]),
5249 					mask->control[band].vht_mcs))
5250 				return -EINVAL;
5251 		}
5252 
5253 		if (tb[NL80211_TXRATE_GI]) {
5254 			mask->control[band].gi =
5255 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5256 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5257 				return -EINVAL;
5258 		}
5259 		if (tb[NL80211_TXRATE_HE] &&
5260 		    !he_set_mcs_mask(info, wdev, sband,
5261 				     nla_data(tb[NL80211_TXRATE_HE]),
5262 				     mask->control[band].he_mcs,
5263 				     link_id))
5264 			return -EINVAL;
5265 
5266 		if (tb[NL80211_TXRATE_HE_GI])
5267 			mask->control[band].he_gi =
5268 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5269 		if (tb[NL80211_TXRATE_HE_LTF])
5270 			mask->control[band].he_ltf =
5271 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5272 
5273 		if (mask->control[band].legacy == 0) {
5274 			/* don't allow empty legacy rates if HT, VHT or HE
5275 			 * are not even supported.
5276 			 */
5277 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5278 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5279 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5280 				return -EINVAL;
5281 
5282 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5283 				if (mask->control[band].ht_mcs[i])
5284 					goto out;
5285 
5286 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5287 				if (mask->control[band].vht_mcs[i])
5288 					goto out;
5289 
5290 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5291 				if (mask->control[band].he_mcs[i])
5292 					goto out;
5293 
5294 			/* legacy and mcs rates may not be both empty */
5295 			return -EINVAL;
5296 		}
5297 	}
5298 
5299 out:
5300 	return 0;
5301 }
5302 
5303 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5304 				   enum nl80211_band band,
5305 				   struct cfg80211_bitrate_mask *beacon_rate)
5306 {
5307 	u32 count_ht, count_vht, count_he, i;
5308 	u32 rate = beacon_rate->control[band].legacy;
5309 
5310 	/* Allow only one rate */
5311 	if (hweight32(rate) > 1)
5312 		return -EINVAL;
5313 
5314 	count_ht = 0;
5315 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5316 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5317 			return -EINVAL;
5318 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5319 			count_ht++;
5320 			if (count_ht > 1)
5321 				return -EINVAL;
5322 		}
5323 		if (count_ht && rate)
5324 			return -EINVAL;
5325 	}
5326 
5327 	count_vht = 0;
5328 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5329 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5330 			return -EINVAL;
5331 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5332 			count_vht++;
5333 			if (count_vht > 1)
5334 				return -EINVAL;
5335 		}
5336 		if (count_vht && rate)
5337 			return -EINVAL;
5338 	}
5339 
5340 	count_he = 0;
5341 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5342 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5343 			return -EINVAL;
5344 		} else if (beacon_rate->control[band].he_mcs[i]) {
5345 			count_he++;
5346 			if (count_he > 1)
5347 				return -EINVAL;
5348 		}
5349 		if (count_he && rate)
5350 			return -EINVAL;
5351 	}
5352 
5353 	if ((count_ht && count_vht && count_he) ||
5354 	    (!rate && !count_ht && !count_vht && !count_he))
5355 		return -EINVAL;
5356 
5357 	if (rate &&
5358 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5359 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5360 		return -EINVAL;
5361 	if (count_ht &&
5362 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5363 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5364 		return -EINVAL;
5365 	if (count_vht &&
5366 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5367 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5368 		return -EINVAL;
5369 	if (count_he &&
5370 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5371 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5372 		return -EINVAL;
5373 
5374 	return 0;
5375 }
5376 
5377 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5378 				       struct net_device *dev,
5379 				       struct nlattr *attrs,
5380 				       struct cfg80211_mbssid_config *config,
5381 				       u8 num_elems)
5382 {
5383 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5384 
5385 	if (!wiphy->mbssid_max_interfaces)
5386 		return -EOPNOTSUPP;
5387 
5388 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5389 			     NULL) ||
5390 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5391 		return -EINVAL;
5392 
5393 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5394 	if (config->ema) {
5395 		if (!wiphy->ema_max_profile_periodicity)
5396 			return -EOPNOTSUPP;
5397 
5398 		if (num_elems > wiphy->ema_max_profile_periodicity)
5399 			return -EINVAL;
5400 	}
5401 
5402 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5403 	if (config->index >= wiphy->mbssid_max_interfaces ||
5404 	    (!config->index && !num_elems))
5405 		return -EINVAL;
5406 
5407 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5408 		u32 tx_ifindex =
5409 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5410 
5411 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5412 		    (config->index && tx_ifindex == dev->ifindex))
5413 			return -EINVAL;
5414 
5415 		if (tx_ifindex != dev->ifindex) {
5416 			struct net_device *tx_netdev =
5417 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5418 
5419 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5420 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5421 			    tx_netdev->ieee80211_ptr->iftype !=
5422 							NL80211_IFTYPE_AP) {
5423 				dev_put(tx_netdev);
5424 				return -EINVAL;
5425 			}
5426 
5427 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5428 		} else {
5429 			config->tx_wdev = dev->ieee80211_ptr;
5430 		}
5431 	} else if (!config->index) {
5432 		config->tx_wdev = dev->ieee80211_ptr;
5433 	} else {
5434 		return -EINVAL;
5435 	}
5436 
5437 	return 0;
5438 }
5439 
5440 static struct cfg80211_mbssid_elems *
5441 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5442 {
5443 	struct nlattr *nl_elems;
5444 	struct cfg80211_mbssid_elems *elems;
5445 	int rem_elems;
5446 	u8 i = 0, num_elems = 0;
5447 
5448 	if (!wiphy->mbssid_max_interfaces)
5449 		return ERR_PTR(-EINVAL);
5450 
5451 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5452 		if (num_elems >= 255)
5453 			return ERR_PTR(-EINVAL);
5454 		num_elems++;
5455 	}
5456 
5457 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5458 	if (!elems)
5459 		return ERR_PTR(-ENOMEM);
5460 	elems->cnt = num_elems;
5461 
5462 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5463 		elems->elem[i].data = nla_data(nl_elems);
5464 		elems->elem[i].len = nla_len(nl_elems);
5465 		i++;
5466 	}
5467 	return elems;
5468 }
5469 
5470 static struct cfg80211_rnr_elems *
5471 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5472 			struct netlink_ext_ack *extack)
5473 {
5474 	struct nlattr *nl_elems;
5475 	struct cfg80211_rnr_elems *elems;
5476 	int rem_elems;
5477 	u8 i = 0, num_elems = 0;
5478 
5479 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5480 		int ret;
5481 
5482 		ret = validate_ie_attr(nl_elems, extack);
5483 		if (ret)
5484 			return ERR_PTR(ret);
5485 
5486 		num_elems++;
5487 	}
5488 
5489 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5490 	if (!elems)
5491 		return ERR_PTR(-ENOMEM);
5492 	elems->cnt = num_elems;
5493 
5494 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5495 		elems->elem[i].data = nla_data(nl_elems);
5496 		elems->elem[i].len = nla_len(nl_elems);
5497 		i++;
5498 	}
5499 	return elems;
5500 }
5501 
5502 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5503 				      struct cfg80211_he_bss_color *he_bss_color)
5504 {
5505 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5506 	int err;
5507 
5508 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5509 			       he_bss_color_policy, NULL);
5510 	if (err)
5511 		return err;
5512 
5513 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5514 		return -EINVAL;
5515 
5516 	he_bss_color->color =
5517 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5518 	he_bss_color->enabled =
5519 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5520 	he_bss_color->partial =
5521 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5522 
5523 	return 0;
5524 }
5525 
5526 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5527 				struct nlattr *attrs[],
5528 				struct cfg80211_beacon_data *bcn,
5529 				struct netlink_ext_ack *extack)
5530 {
5531 	bool haveinfo = false;
5532 	int err;
5533 
5534 	memset(bcn, 0, sizeof(*bcn));
5535 
5536 	bcn->link_id = nl80211_link_id(attrs);
5537 
5538 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5539 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5540 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5541 		if (!bcn->head_len)
5542 			return -EINVAL;
5543 		haveinfo = true;
5544 	}
5545 
5546 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5547 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5548 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5549 		haveinfo = true;
5550 	}
5551 
5552 	if (!haveinfo)
5553 		return -EINVAL;
5554 
5555 	if (attrs[NL80211_ATTR_IE]) {
5556 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5557 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5558 	}
5559 
5560 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5561 		bcn->proberesp_ies =
5562 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5563 		bcn->proberesp_ies_len =
5564 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5565 	}
5566 
5567 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5568 		bcn->assocresp_ies =
5569 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5570 		bcn->assocresp_ies_len =
5571 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5572 	}
5573 
5574 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5575 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5576 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5577 	}
5578 
5579 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5580 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5581 
5582 		err = nla_parse_nested_deprecated(tb,
5583 						  NL80211_FTM_RESP_ATTR_MAX,
5584 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5585 						  NULL, NULL);
5586 		if (err)
5587 			return err;
5588 
5589 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5590 		    wiphy_ext_feature_isset(&rdev->wiphy,
5591 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5592 			bcn->ftm_responder = 1;
5593 		else
5594 			return -EOPNOTSUPP;
5595 
5596 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5597 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5598 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5599 		}
5600 
5601 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5602 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5603 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5604 		}
5605 	} else {
5606 		bcn->ftm_responder = -1;
5607 	}
5608 
5609 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5610 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5611 						 &bcn->he_bss_color);
5612 		if (err)
5613 			return err;
5614 		bcn->he_bss_color_valid = true;
5615 	}
5616 
5617 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5618 		struct cfg80211_mbssid_elems *mbssid =
5619 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5620 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5621 
5622 		if (IS_ERR(mbssid))
5623 			return PTR_ERR(mbssid);
5624 
5625 		bcn->mbssid_ies = mbssid;
5626 
5627 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5628 			struct cfg80211_rnr_elems *rnr =
5629 				nl80211_parse_rnr_elems(&rdev->wiphy,
5630 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5631 							extack);
5632 
5633 			if (IS_ERR(rnr))
5634 				return PTR_ERR(rnr);
5635 
5636 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5637 				return -EINVAL;
5638 
5639 			bcn->rnr_ies = rnr;
5640 		}
5641 	}
5642 
5643 	return 0;
5644 }
5645 
5646 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5647 				    struct ieee80211_he_obss_pd *he_obss_pd)
5648 {
5649 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5650 	int err;
5651 
5652 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5653 			       he_obss_pd_policy, NULL);
5654 	if (err)
5655 		return err;
5656 
5657 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5658 		return -EINVAL;
5659 
5660 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5661 
5662 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5663 		he_obss_pd->min_offset =
5664 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5665 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5666 		he_obss_pd->max_offset =
5667 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5668 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5669 		he_obss_pd->non_srg_max_offset =
5670 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5671 
5672 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5673 		return -EINVAL;
5674 
5675 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5676 		memcpy(he_obss_pd->bss_color_bitmap,
5677 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5678 		       sizeof(he_obss_pd->bss_color_bitmap));
5679 
5680 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5681 		memcpy(he_obss_pd->partial_bssid_bitmap,
5682 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5683 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5684 
5685 	he_obss_pd->enable = true;
5686 
5687 	return 0;
5688 }
5689 
5690 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5691 					struct nlattr *attrs,
5692 					struct cfg80211_fils_discovery *fd)
5693 {
5694 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5695 	int ret;
5696 
5697 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5698 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5699 		return -EINVAL;
5700 
5701 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5702 			       NULL, NULL);
5703 	if (ret)
5704 		return ret;
5705 
5706 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5707 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5708 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5709 		fd->update = true;
5710 		return 0;
5711 	}
5712 
5713 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5714 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5715 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5716 		return -EINVAL;
5717 
5718 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5719 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5720 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5721 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5722 	fd->update = true;
5723 	return 0;
5724 }
5725 
5726 static int
5727 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5728 				     struct nlattr *attrs,
5729 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5730 {
5731 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5732 	int ret;
5733 
5734 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5735 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5736 		return -EINVAL;
5737 
5738 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5739 			       attrs, NULL, NULL);
5740 	if (ret)
5741 		return ret;
5742 
5743 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5744 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5745 		presp->update = true;
5746 		return 0;
5747 	}
5748 
5749 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5750 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5751 		return -EINVAL;
5752 
5753 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5754 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5755 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5756 	presp->update = true;
5757 	return 0;
5758 }
5759 
5760 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5761 					    const struct element *rates)
5762 {
5763 	int i;
5764 
5765 	if (!rates)
5766 		return;
5767 
5768 	for (i = 0; i < rates->datalen; i++) {
5769 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5770 			params->ht_required = true;
5771 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5772 			params->vht_required = true;
5773 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5774 			params->he_required = true;
5775 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5776 			params->sae_h2e_required = true;
5777 	}
5778 }
5779 
5780 /*
5781  * Since the nl80211 API didn't include, from the beginning, attributes about
5782  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5783  * benefit of drivers that rebuild IEs in the firmware.
5784  */
5785 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5786 {
5787 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5788 	size_t ies_len = bcn->tail_len;
5789 	const u8 *ies = bcn->tail;
5790 	const struct element *rates;
5791 	const struct element *cap;
5792 
5793 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5794 	nl80211_check_ap_rate_selectors(params, rates);
5795 
5796 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5797 	nl80211_check_ap_rate_selectors(params, rates);
5798 
5799 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5800 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5801 		params->ht_cap = (void *)cap->data;
5802 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5803 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5804 		params->vht_cap = (void *)cap->data;
5805 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5806 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5807 		params->he_cap = (void *)(cap->data + 1);
5808 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5809 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5810 		params->he_oper = (void *)(cap->data + 1);
5811 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5812 	if (cap) {
5813 		if (!cap->datalen)
5814 			return -EINVAL;
5815 		params->eht_cap = (void *)(cap->data + 1);
5816 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5817 						(const u8 *)params->eht_cap,
5818 						cap->datalen - 1, true))
5819 			return -EINVAL;
5820 	}
5821 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5822 	if (cap) {
5823 		if (!cap->datalen)
5824 			return -EINVAL;
5825 		params->eht_oper = (void *)(cap->data + 1);
5826 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5827 						cap->datalen - 1))
5828 			return -EINVAL;
5829 	}
5830 	return 0;
5831 }
5832 
5833 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5834 				   struct cfg80211_ap_settings *params)
5835 {
5836 	struct wireless_dev *wdev;
5837 
5838 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5839 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5840 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5841 			continue;
5842 
5843 		if (!wdev->u.ap.preset_chandef.chan)
5844 			continue;
5845 
5846 		params->chandef = wdev->u.ap.preset_chandef;
5847 		return true;
5848 	}
5849 
5850 	return false;
5851 }
5852 
5853 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5854 				    enum nl80211_auth_type auth_type,
5855 				    enum nl80211_commands cmd)
5856 {
5857 	if (auth_type > NL80211_AUTHTYPE_MAX)
5858 		return false;
5859 
5860 	switch (cmd) {
5861 	case NL80211_CMD_AUTHENTICATE:
5862 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5863 		    auth_type == NL80211_AUTHTYPE_SAE)
5864 			return false;
5865 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5866 					     NL80211_EXT_FEATURE_FILS_STA) &&
5867 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5868 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5869 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5870 			return false;
5871 		return true;
5872 	case NL80211_CMD_CONNECT:
5873 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5874 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5875 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5876 		    auth_type == NL80211_AUTHTYPE_SAE)
5877 			return false;
5878 
5879 		/* FILS with SK PFS or PK not supported yet */
5880 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5881 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5882 			return false;
5883 		if (!wiphy_ext_feature_isset(
5884 			    &rdev->wiphy,
5885 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5886 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5887 			return false;
5888 		return true;
5889 	case NL80211_CMD_START_AP:
5890 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5891 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5892 		    auth_type == NL80211_AUTHTYPE_SAE)
5893 			return false;
5894 		/* FILS not supported yet */
5895 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5896 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5897 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5898 			return false;
5899 		return true;
5900 	default:
5901 		return false;
5902 	}
5903 }
5904 
5905 static void nl80211_send_ap_started(struct wireless_dev *wdev,
5906 				    unsigned int link_id)
5907 {
5908 	struct wiphy *wiphy = wdev->wiphy;
5909 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
5910 	struct sk_buff *msg;
5911 	void *hdr;
5912 
5913 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5914 	if (!msg)
5915 		return;
5916 
5917 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
5918 	if (!hdr)
5919 		goto out;
5920 
5921 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
5922 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
5923 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5924 			      NL80211_ATTR_PAD) ||
5925 	    (wdev->u.ap.ssid_len &&
5926 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
5927 		     wdev->u.ap.ssid)) ||
5928 	    (wdev->valid_links &&
5929 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
5930 		goto out;
5931 
5932 	genlmsg_end(msg, hdr);
5933 
5934 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
5935 				NL80211_MCGRP_MLME, GFP_KERNEL);
5936 	return;
5937 out:
5938 	nlmsg_free(msg);
5939 }
5940 
5941 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
5942 {
5943 	struct ieee80211_channel *channel = params->chandef.chan;
5944 
5945 	if ((params->he_cap ||  params->he_oper) &&
5946 	    (channel->flags & IEEE80211_CHAN_NO_HE))
5947 		return -EOPNOTSUPP;
5948 
5949 	if ((params->eht_cap || params->eht_oper) &&
5950 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
5951 		return -EOPNOTSUPP;
5952 
5953 	return 0;
5954 }
5955 
5956 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5957 {
5958 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5959 	struct cfg80211_beaconing_check_config beacon_check = {};
5960 	unsigned int link_id = nl80211_link_id(info->attrs);
5961 	struct net_device *dev = info->user_ptr[1];
5962 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5963 	struct cfg80211_ap_settings *params;
5964 	int err;
5965 
5966 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5967 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5968 		return -EOPNOTSUPP;
5969 
5970 	if (!rdev->ops->start_ap)
5971 		return -EOPNOTSUPP;
5972 
5973 	if (wdev->cac_started)
5974 		return -EBUSY;
5975 
5976 	if (wdev->links[link_id].ap.beacon_interval)
5977 		return -EALREADY;
5978 
5979 	/* these are required for START_AP */
5980 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5981 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5982 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5983 		return -EINVAL;
5984 
5985 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5986 	if (!params)
5987 		return -ENOMEM;
5988 
5989 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
5990 				   info->extack);
5991 	if (err)
5992 		goto out;
5993 
5994 	params->beacon_interval =
5995 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5996 	params->dtim_period =
5997 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5998 
5999 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6000 					   params->beacon_interval);
6001 	if (err)
6002 		goto out;
6003 
6004 	/*
6005 	 * In theory, some of these attributes should be required here
6006 	 * but since they were not used when the command was originally
6007 	 * added, keep them optional for old user space programs to let
6008 	 * them continue to work with drivers that do not need the
6009 	 * additional information -- drivers must check!
6010 	 */
6011 	if (info->attrs[NL80211_ATTR_SSID]) {
6012 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6013 		params->ssid_len =
6014 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6015 		if (params->ssid_len == 0) {
6016 			err = -EINVAL;
6017 			goto out;
6018 		}
6019 
6020 		if (wdev->u.ap.ssid_len &&
6021 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6022 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6023 			/* require identical SSID for MLO */
6024 			err = -EINVAL;
6025 			goto out;
6026 		}
6027 	} else if (wdev->valid_links) {
6028 		/* require SSID for MLO */
6029 		err = -EINVAL;
6030 		goto out;
6031 	}
6032 
6033 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6034 		params->hidden_ssid = nla_get_u32(
6035 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6036 
6037 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6038 
6039 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6040 		params->auth_type = nla_get_u32(
6041 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6042 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6043 					     NL80211_CMD_START_AP)) {
6044 			err = -EINVAL;
6045 			goto out;
6046 		}
6047 	} else
6048 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6049 
6050 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6051 				      NL80211_MAX_NR_CIPHER_SUITES);
6052 	if (err)
6053 		goto out;
6054 
6055 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6056 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6057 			err = -EOPNOTSUPP;
6058 			goto out;
6059 		}
6060 		params->inactivity_timeout = nla_get_u16(
6061 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6062 	}
6063 
6064 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6065 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6066 			err = -EINVAL;
6067 			goto out;
6068 		}
6069 		params->p2p_ctwindow =
6070 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6071 		if (params->p2p_ctwindow != 0 &&
6072 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6073 			err = -EINVAL;
6074 			goto out;
6075 		}
6076 	}
6077 
6078 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6079 		u8 tmp;
6080 
6081 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6082 			err = -EINVAL;
6083 			goto out;
6084 		}
6085 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6086 		params->p2p_opp_ps = tmp;
6087 		if (params->p2p_opp_ps != 0 &&
6088 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6089 			err = -EINVAL;
6090 			goto out;
6091 		}
6092 	}
6093 
6094 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6095 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6096 		if (err)
6097 			goto out;
6098 	} else if (wdev->valid_links) {
6099 		/* with MLD need to specify the channel configuration */
6100 		err = -EINVAL;
6101 		goto out;
6102 	} else if (wdev->u.ap.preset_chandef.chan) {
6103 		params->chandef = wdev->u.ap.preset_chandef;
6104 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6105 		err = -EINVAL;
6106 		goto out;
6107 	}
6108 
6109 	beacon_check.iftype = wdev->iftype;
6110 	beacon_check.relax = true;
6111 	beacon_check.reg_power =
6112 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6113 					     params->beacon.tail_len);
6114 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6115 					  &beacon_check)) {
6116 		err = -EINVAL;
6117 		goto out;
6118 	}
6119 
6120 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6121 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6122 						    NL80211_ATTR_TX_RATES,
6123 						    &params->beacon_rate,
6124 						    dev, false, link_id);
6125 		if (err)
6126 			goto out;
6127 
6128 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6129 					      &params->beacon_rate);
6130 		if (err)
6131 			goto out;
6132 	}
6133 
6134 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6135 		params->smps_mode =
6136 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6137 		switch (params->smps_mode) {
6138 		case NL80211_SMPS_OFF:
6139 			break;
6140 		case NL80211_SMPS_STATIC:
6141 			if (!(rdev->wiphy.features &
6142 			      NL80211_FEATURE_STATIC_SMPS)) {
6143 				err = -EINVAL;
6144 				goto out;
6145 			}
6146 			break;
6147 		case NL80211_SMPS_DYNAMIC:
6148 			if (!(rdev->wiphy.features &
6149 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6150 				err = -EINVAL;
6151 				goto out;
6152 			}
6153 			break;
6154 		default:
6155 			err = -EINVAL;
6156 			goto out;
6157 		}
6158 	} else {
6159 		params->smps_mode = NL80211_SMPS_OFF;
6160 	}
6161 
6162 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6163 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6164 		err = -EOPNOTSUPP;
6165 		goto out;
6166 	}
6167 
6168 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6169 		params->acl = parse_acl_data(&rdev->wiphy, info);
6170 		if (IS_ERR(params->acl)) {
6171 			err = PTR_ERR(params->acl);
6172 			params->acl = NULL;
6173 			goto out;
6174 		}
6175 	}
6176 
6177 	params->twt_responder =
6178 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6179 
6180 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6181 		err = nl80211_parse_he_obss_pd(
6182 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6183 					&params->he_obss_pd);
6184 		if (err)
6185 			goto out;
6186 	}
6187 
6188 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6189 		err = nl80211_parse_fils_discovery(rdev,
6190 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6191 						   &params->fils_discovery);
6192 		if (err)
6193 			goto out;
6194 	}
6195 
6196 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6197 		err = nl80211_parse_unsol_bcast_probe_resp(
6198 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6199 			&params->unsol_bcast_probe_resp);
6200 		if (err)
6201 			goto out;
6202 	}
6203 
6204 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6205 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6206 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6207 						  &params->mbssid_config,
6208 						  params->beacon.mbssid_ies ?
6209 							params->beacon.mbssid_ies->cnt :
6210 							0);
6211 		if (err)
6212 			goto out;
6213 	}
6214 
6215 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6216 		err = -EINVAL;
6217 		goto out;
6218 	}
6219 
6220 	err = nl80211_calculate_ap_params(params);
6221 	if (err)
6222 		goto out;
6223 
6224 	err = nl80211_validate_ap_phy_operation(params);
6225 	if (err)
6226 		goto out;
6227 
6228 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6229 		params->flags = nla_get_u32(
6230 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6231 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6232 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6233 
6234 	if (wdev->conn_owner_nlportid &&
6235 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6236 	    wdev->conn_owner_nlportid != info->snd_portid) {
6237 		err = -EINVAL;
6238 		goto out;
6239 	}
6240 
6241 	/* FIXME: validate MLO/link-id against driver capabilities */
6242 
6243 	err = rdev_start_ap(rdev, dev, params);
6244 	if (!err) {
6245 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6246 		wdev->links[link_id].ap.chandef = params->chandef;
6247 		wdev->u.ap.ssid_len = params->ssid_len;
6248 		memcpy(wdev->u.ap.ssid, params->ssid,
6249 		       params->ssid_len);
6250 
6251 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6252 			wdev->conn_owner_nlportid = info->snd_portid;
6253 
6254 		nl80211_send_ap_started(wdev, link_id);
6255 	}
6256 out:
6257 	kfree(params->acl);
6258 	kfree(params->beacon.mbssid_ies);
6259 	if (params->mbssid_config.tx_wdev &&
6260 	    params->mbssid_config.tx_wdev->netdev &&
6261 	    params->mbssid_config.tx_wdev->netdev != dev)
6262 		dev_put(params->mbssid_config.tx_wdev->netdev);
6263 	kfree(params->beacon.rnr_ies);
6264 	kfree(params);
6265 
6266 	return err;
6267 }
6268 
6269 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6270 {
6271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6272 	struct cfg80211_beaconing_check_config beacon_check = {};
6273 	unsigned int link_id = nl80211_link_id(info->attrs);
6274 	struct net_device *dev = info->user_ptr[1];
6275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6276 	struct cfg80211_ap_update *params;
6277 	struct nlattr *attr;
6278 	int err;
6279 
6280 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6281 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6282 		return -EOPNOTSUPP;
6283 
6284 	if (!rdev->ops->change_beacon)
6285 		return -EOPNOTSUPP;
6286 
6287 	if (!wdev->links[link_id].ap.beacon_interval)
6288 		return -EINVAL;
6289 
6290 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6291 	if (!params)
6292 		return -ENOMEM;
6293 
6294 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6295 				   info->extack);
6296 	if (err)
6297 		goto out;
6298 
6299 	/* recheck beaconing is permitted with possibly changed power type */
6300 	beacon_check.iftype = wdev->iftype;
6301 	beacon_check.relax = true;
6302 	beacon_check.reg_power =
6303 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6304 					     params->beacon.tail_len);
6305 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6306 					  &wdev->links[link_id].ap.chandef,
6307 					  &beacon_check)) {
6308 		err = -EINVAL;
6309 		goto out;
6310 	}
6311 
6312 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6313 	if (attr) {
6314 		err = nl80211_parse_fils_discovery(rdev, attr,
6315 						   &params->fils_discovery);
6316 		if (err)
6317 			goto out;
6318 	}
6319 
6320 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6321 	if (attr) {
6322 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6323 							   &params->unsol_bcast_probe_resp);
6324 		if (err)
6325 			goto out;
6326 	}
6327 
6328 	err = rdev_change_beacon(rdev, dev, params);
6329 
6330 out:
6331 	kfree(params->beacon.mbssid_ies);
6332 	kfree(params->beacon.rnr_ies);
6333 	kfree(params);
6334 	return err;
6335 }
6336 
6337 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6338 {
6339 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6340 	unsigned int link_id = nl80211_link_id(info->attrs);
6341 	struct net_device *dev = info->user_ptr[1];
6342 
6343 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6344 }
6345 
6346 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6347 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6348 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6349 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6350 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6351 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6352 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6353 };
6354 
6355 static int parse_station_flags(struct genl_info *info,
6356 			       enum nl80211_iftype iftype,
6357 			       struct station_parameters *params)
6358 {
6359 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6360 	struct nlattr *nla;
6361 	int flag;
6362 
6363 	/*
6364 	 * Try parsing the new attribute first so userspace
6365 	 * can specify both for older kernels.
6366 	 */
6367 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6368 	if (nla) {
6369 		struct nl80211_sta_flag_update *sta_flags;
6370 
6371 		sta_flags = nla_data(nla);
6372 		params->sta_flags_mask = sta_flags->mask;
6373 		params->sta_flags_set = sta_flags->set;
6374 		params->sta_flags_set &= params->sta_flags_mask;
6375 		if ((params->sta_flags_mask |
6376 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6377 			return -EINVAL;
6378 		return 0;
6379 	}
6380 
6381 	/* if present, parse the old attribute */
6382 
6383 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6384 	if (!nla)
6385 		return 0;
6386 
6387 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6388 		return -EINVAL;
6389 
6390 	/*
6391 	 * Only allow certain flags for interface types so that
6392 	 * other attributes are silently ignored. Remember that
6393 	 * this is backward compatibility code with old userspace
6394 	 * and shouldn't be hit in other cases anyway.
6395 	 */
6396 	switch (iftype) {
6397 	case NL80211_IFTYPE_AP:
6398 	case NL80211_IFTYPE_AP_VLAN:
6399 	case NL80211_IFTYPE_P2P_GO:
6400 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6401 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6402 					 BIT(NL80211_STA_FLAG_WME) |
6403 					 BIT(NL80211_STA_FLAG_MFP);
6404 		break;
6405 	case NL80211_IFTYPE_P2P_CLIENT:
6406 	case NL80211_IFTYPE_STATION:
6407 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6408 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6409 		break;
6410 	case NL80211_IFTYPE_MESH_POINT:
6411 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6412 					 BIT(NL80211_STA_FLAG_MFP) |
6413 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6414 		break;
6415 	default:
6416 		return -EINVAL;
6417 	}
6418 
6419 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6420 		if (flags[flag]) {
6421 			params->sta_flags_set |= (1<<flag);
6422 
6423 			/* no longer support new API additions in old API */
6424 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6425 				return -EINVAL;
6426 		}
6427 	}
6428 
6429 	return 0;
6430 }
6431 
6432 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6433 {
6434 	struct nlattr *rate;
6435 	u32 bitrate;
6436 	u16 bitrate_compat;
6437 	enum nl80211_rate_info rate_flg;
6438 
6439 	rate = nla_nest_start_noflag(msg, attr);
6440 	if (!rate)
6441 		return false;
6442 
6443 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6444 	bitrate = cfg80211_calculate_bitrate(info);
6445 	/* report 16-bit bitrate only if we can */
6446 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6447 	if (bitrate > 0 &&
6448 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6449 		return false;
6450 	if (bitrate_compat > 0 &&
6451 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6452 		return false;
6453 
6454 	switch (info->bw) {
6455 	case RATE_INFO_BW_1:
6456 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6457 		break;
6458 	case RATE_INFO_BW_2:
6459 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6460 		break;
6461 	case RATE_INFO_BW_4:
6462 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6463 		break;
6464 	case RATE_INFO_BW_5:
6465 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6466 		break;
6467 	case RATE_INFO_BW_8:
6468 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6469 		break;
6470 	case RATE_INFO_BW_10:
6471 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6472 		break;
6473 	case RATE_INFO_BW_16:
6474 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6475 		break;
6476 	default:
6477 		WARN_ON(1);
6478 		fallthrough;
6479 	case RATE_INFO_BW_20:
6480 		rate_flg = 0;
6481 		break;
6482 	case RATE_INFO_BW_40:
6483 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6484 		break;
6485 	case RATE_INFO_BW_80:
6486 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6487 		break;
6488 	case RATE_INFO_BW_160:
6489 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6490 		break;
6491 	case RATE_INFO_BW_HE_RU:
6492 		rate_flg = 0;
6493 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6494 		break;
6495 	case RATE_INFO_BW_320:
6496 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6497 		break;
6498 	case RATE_INFO_BW_EHT_RU:
6499 		rate_flg = 0;
6500 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6501 		break;
6502 	}
6503 
6504 	if (rate_flg && nla_put_flag(msg, rate_flg))
6505 		return false;
6506 
6507 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6508 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6509 			return false;
6510 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6511 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6512 			return false;
6513 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6514 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6515 			return false;
6516 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6517 			return false;
6518 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6519 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6520 			return false;
6521 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6522 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6523 			return false;
6524 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6525 			return false;
6526 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6527 			return false;
6528 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6529 			return false;
6530 		if (info->bw == RATE_INFO_BW_HE_RU &&
6531 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6532 			       info->he_ru_alloc))
6533 			return false;
6534 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6535 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6536 			return false;
6537 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6538 			return false;
6539 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6540 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6541 			return false;
6542 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6543 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6544 			return false;
6545 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6546 			return false;
6547 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6548 			return false;
6549 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6550 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6551 			       info->eht_ru_alloc))
6552 			return false;
6553 	}
6554 
6555 	nla_nest_end(msg, rate);
6556 	return true;
6557 }
6558 
6559 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6560 			       int id)
6561 {
6562 	void *attr;
6563 	int i = 0;
6564 
6565 	if (!mask)
6566 		return true;
6567 
6568 	attr = nla_nest_start_noflag(msg, id);
6569 	if (!attr)
6570 		return false;
6571 
6572 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6573 		if (!(mask & BIT(i)))
6574 			continue;
6575 
6576 		if (nla_put_u8(msg, i, signal[i]))
6577 			return false;
6578 	}
6579 
6580 	nla_nest_end(msg, attr);
6581 
6582 	return true;
6583 }
6584 
6585 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6586 				u32 seq, int flags,
6587 				struct cfg80211_registered_device *rdev,
6588 				struct net_device *dev,
6589 				const u8 *mac_addr, struct station_info *sinfo)
6590 {
6591 	void *hdr;
6592 	struct nlattr *sinfoattr, *bss_param;
6593 
6594 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6595 	if (!hdr) {
6596 		cfg80211_sinfo_release_content(sinfo);
6597 		return -1;
6598 	}
6599 
6600 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6601 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6602 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6603 		goto nla_put_failure;
6604 
6605 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6606 	if (!sinfoattr)
6607 		goto nla_put_failure;
6608 
6609 #define PUT_SINFO(attr, memb, type) do {				\
6610 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6611 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6612 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6613 			     sinfo->memb))				\
6614 		goto nla_put_failure;					\
6615 	} while (0)
6616 #define PUT_SINFO_U64(attr, memb) do {					\
6617 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6618 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6619 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6620 		goto nla_put_failure;					\
6621 	} while (0)
6622 
6623 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6624 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6625 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6626 
6627 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6628 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6629 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6630 			(u32)sinfo->rx_bytes))
6631 		goto nla_put_failure;
6632 
6633 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6634 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6635 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6636 			(u32)sinfo->tx_bytes))
6637 		goto nla_put_failure;
6638 
6639 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6640 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6641 	PUT_SINFO(LLID, llid, u16);
6642 	PUT_SINFO(PLID, plid, u16);
6643 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6644 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6645 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6646 
6647 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6648 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6649 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6650 
6651 	switch (rdev->wiphy.signal_type) {
6652 	case CFG80211_SIGNAL_TYPE_MBM:
6653 		PUT_SINFO(SIGNAL, signal, u8);
6654 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6655 		break;
6656 	default:
6657 		break;
6658 	}
6659 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6660 		if (!nl80211_put_signal(msg, sinfo->chains,
6661 					sinfo->chain_signal,
6662 					NL80211_STA_INFO_CHAIN_SIGNAL))
6663 			goto nla_put_failure;
6664 	}
6665 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6666 		if (!nl80211_put_signal(msg, sinfo->chains,
6667 					sinfo->chain_signal_avg,
6668 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6669 			goto nla_put_failure;
6670 	}
6671 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6672 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6673 					  NL80211_STA_INFO_TX_BITRATE))
6674 			goto nla_put_failure;
6675 	}
6676 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6677 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6678 					  NL80211_STA_INFO_RX_BITRATE))
6679 			goto nla_put_failure;
6680 	}
6681 
6682 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6683 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6684 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6685 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6686 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6687 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6688 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6689 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6690 	PUT_SINFO(PEER_PM, peer_pm, u32);
6691 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6692 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6693 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6694 
6695 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6696 		bss_param = nla_nest_start_noflag(msg,
6697 						  NL80211_STA_INFO_BSS_PARAM);
6698 		if (!bss_param)
6699 			goto nla_put_failure;
6700 
6701 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6702 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6703 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6704 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6705 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6706 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6707 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6708 			       sinfo->bss_param.dtim_period) ||
6709 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6710 				sinfo->bss_param.beacon_interval))
6711 			goto nla_put_failure;
6712 
6713 		nla_nest_end(msg, bss_param);
6714 	}
6715 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6716 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6717 		    sizeof(struct nl80211_sta_flag_update),
6718 		    &sinfo->sta_flags))
6719 		goto nla_put_failure;
6720 
6721 	PUT_SINFO_U64(T_OFFSET, t_offset);
6722 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6723 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6724 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6725 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6726 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6727 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6728 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6729 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6730 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6731 	}
6732 
6733 #undef PUT_SINFO
6734 #undef PUT_SINFO_U64
6735 
6736 	if (sinfo->pertid) {
6737 		struct nlattr *tidsattr;
6738 		int tid;
6739 
6740 		tidsattr = nla_nest_start_noflag(msg,
6741 						 NL80211_STA_INFO_TID_STATS);
6742 		if (!tidsattr)
6743 			goto nla_put_failure;
6744 
6745 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6746 			struct cfg80211_tid_stats *tidstats;
6747 			struct nlattr *tidattr;
6748 
6749 			tidstats = &sinfo->pertid[tid];
6750 
6751 			if (!tidstats->filled)
6752 				continue;
6753 
6754 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6755 			if (!tidattr)
6756 				goto nla_put_failure;
6757 
6758 #define PUT_TIDVAL_U64(attr, memb) do {					\
6759 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6760 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6761 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6762 		goto nla_put_failure;					\
6763 	} while (0)
6764 
6765 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6766 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6767 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6768 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6769 
6770 #undef PUT_TIDVAL_U64
6771 			if ((tidstats->filled &
6772 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6773 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6774 						   NL80211_TID_STATS_TXQ_STATS))
6775 				goto nla_put_failure;
6776 
6777 			nla_nest_end(msg, tidattr);
6778 		}
6779 
6780 		nla_nest_end(msg, tidsattr);
6781 	}
6782 
6783 	nla_nest_end(msg, sinfoattr);
6784 
6785 	if (sinfo->assoc_req_ies_len &&
6786 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6787 		    sinfo->assoc_req_ies))
6788 		goto nla_put_failure;
6789 
6790 	if (sinfo->assoc_resp_ies_len &&
6791 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6792 		    sinfo->assoc_resp_ies))
6793 		goto nla_put_failure;
6794 
6795 	if (sinfo->mlo_params_valid) {
6796 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6797 			       sinfo->assoc_link_id))
6798 			goto nla_put_failure;
6799 
6800 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6801 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6802 			    sinfo->mld_addr))
6803 			goto nla_put_failure;
6804 	}
6805 
6806 	cfg80211_sinfo_release_content(sinfo);
6807 	genlmsg_end(msg, hdr);
6808 	return 0;
6809 
6810  nla_put_failure:
6811 	cfg80211_sinfo_release_content(sinfo);
6812 	genlmsg_cancel(msg, hdr);
6813 	return -EMSGSIZE;
6814 }
6815 
6816 static int nl80211_dump_station(struct sk_buff *skb,
6817 				struct netlink_callback *cb)
6818 {
6819 	struct station_info sinfo;
6820 	struct cfg80211_registered_device *rdev;
6821 	struct wireless_dev *wdev;
6822 	u8 mac_addr[ETH_ALEN];
6823 	int sta_idx = cb->args[2];
6824 	int err;
6825 
6826 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6827 	if (err)
6828 		return err;
6829 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6830 	__acquire(&rdev->wiphy.mtx);
6831 
6832 	if (!wdev->netdev) {
6833 		err = -EINVAL;
6834 		goto out_err;
6835 	}
6836 
6837 	if (!rdev->ops->dump_station) {
6838 		err = -EOPNOTSUPP;
6839 		goto out_err;
6840 	}
6841 
6842 	while (1) {
6843 		memset(&sinfo, 0, sizeof(sinfo));
6844 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6845 					mac_addr, &sinfo);
6846 		if (err == -ENOENT)
6847 			break;
6848 		if (err)
6849 			goto out_err;
6850 
6851 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6852 				NETLINK_CB(cb->skb).portid,
6853 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6854 				rdev, wdev->netdev, mac_addr,
6855 				&sinfo) < 0)
6856 			goto out;
6857 
6858 		sta_idx++;
6859 	}
6860 
6861  out:
6862 	cb->args[2] = sta_idx;
6863 	err = skb->len;
6864  out_err:
6865 	wiphy_unlock(&rdev->wiphy);
6866 
6867 	return err;
6868 }
6869 
6870 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6871 {
6872 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6873 	struct net_device *dev = info->user_ptr[1];
6874 	struct station_info sinfo;
6875 	struct sk_buff *msg;
6876 	u8 *mac_addr = NULL;
6877 	int err;
6878 
6879 	memset(&sinfo, 0, sizeof(sinfo));
6880 
6881 	if (!info->attrs[NL80211_ATTR_MAC])
6882 		return -EINVAL;
6883 
6884 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6885 
6886 	if (!rdev->ops->get_station)
6887 		return -EOPNOTSUPP;
6888 
6889 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6890 	if (err)
6891 		return err;
6892 
6893 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6894 	if (!msg) {
6895 		cfg80211_sinfo_release_content(&sinfo);
6896 		return -ENOMEM;
6897 	}
6898 
6899 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6900 				 info->snd_portid, info->snd_seq, 0,
6901 				 rdev, dev, mac_addr, &sinfo) < 0) {
6902 		nlmsg_free(msg);
6903 		return -ENOBUFS;
6904 	}
6905 
6906 	return genlmsg_reply(msg, info);
6907 }
6908 
6909 int cfg80211_check_station_change(struct wiphy *wiphy,
6910 				  struct station_parameters *params,
6911 				  enum cfg80211_station_type statype)
6912 {
6913 	if (params->listen_interval != -1 &&
6914 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6915 		return -EINVAL;
6916 
6917 	if (params->support_p2p_ps != -1 &&
6918 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6919 		return -EINVAL;
6920 
6921 	if (params->aid &&
6922 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6923 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6924 		return -EINVAL;
6925 
6926 	/* When you run into this, adjust the code below for the new flag */
6927 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
6928 
6929 	switch (statype) {
6930 	case CFG80211_STA_MESH_PEER_KERNEL:
6931 	case CFG80211_STA_MESH_PEER_USER:
6932 		/*
6933 		 * No ignoring the TDLS flag here -- the userspace mesh
6934 		 * code doesn't have the bug of including TDLS in the
6935 		 * mask everywhere.
6936 		 */
6937 		if (params->sta_flags_mask &
6938 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6939 				  BIT(NL80211_STA_FLAG_MFP) |
6940 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6941 			return -EINVAL;
6942 		break;
6943 	case CFG80211_STA_TDLS_PEER_SETUP:
6944 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6945 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6946 			return -EINVAL;
6947 		/* ignore since it can't change */
6948 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6949 		break;
6950 	default:
6951 		/* disallow mesh-specific things */
6952 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6953 			return -EINVAL;
6954 		if (params->local_pm)
6955 			return -EINVAL;
6956 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6957 			return -EINVAL;
6958 	}
6959 
6960 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6961 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6962 		/* TDLS can't be set, ... */
6963 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6964 			return -EINVAL;
6965 		/*
6966 		 * ... but don't bother the driver with it. This works around
6967 		 * a hostapd/wpa_supplicant issue -- it always includes the
6968 		 * TLDS_PEER flag in the mask even for AP mode.
6969 		 */
6970 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6971 	}
6972 
6973 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6974 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6975 		/* reject other things that can't change */
6976 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6977 			return -EINVAL;
6978 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6979 			return -EINVAL;
6980 		if (params->link_sta_params.supported_rates)
6981 			return -EINVAL;
6982 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6983 		    params->link_sta_params.vht_capa ||
6984 		    params->link_sta_params.he_capa ||
6985 		    params->link_sta_params.eht_capa)
6986 			return -EINVAL;
6987 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
6988 			return -EINVAL;
6989 	}
6990 
6991 	if (statype != CFG80211_STA_AP_CLIENT &&
6992 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6993 		if (params->vlan)
6994 			return -EINVAL;
6995 	}
6996 
6997 	switch (statype) {
6998 	case CFG80211_STA_AP_MLME_CLIENT:
6999 		/* Use this only for authorizing/unauthorizing a station */
7000 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7001 			return -EOPNOTSUPP;
7002 		break;
7003 	case CFG80211_STA_AP_CLIENT:
7004 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7005 		/* accept only the listed bits */
7006 		if (params->sta_flags_mask &
7007 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7008 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7009 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7010 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7011 				  BIT(NL80211_STA_FLAG_WME) |
7012 				  BIT(NL80211_STA_FLAG_MFP) |
7013 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7014 			return -EINVAL;
7015 
7016 		/* but authenticated/associated only if driver handles it */
7017 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7018 		    params->sta_flags_mask &
7019 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7020 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7021 			return -EINVAL;
7022 		break;
7023 	case CFG80211_STA_IBSS:
7024 	case CFG80211_STA_AP_STA:
7025 		/* reject any changes other than AUTHORIZED */
7026 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7027 			return -EINVAL;
7028 		break;
7029 	case CFG80211_STA_TDLS_PEER_SETUP:
7030 		/* reject any changes other than AUTHORIZED or WME */
7031 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7032 					       BIT(NL80211_STA_FLAG_WME)))
7033 			return -EINVAL;
7034 		/* force (at least) rates when authorizing */
7035 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7036 		    !params->link_sta_params.supported_rates)
7037 			return -EINVAL;
7038 		break;
7039 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7040 		/* reject any changes */
7041 		return -EINVAL;
7042 	case CFG80211_STA_MESH_PEER_KERNEL:
7043 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7044 			return -EINVAL;
7045 		break;
7046 	case CFG80211_STA_MESH_PEER_USER:
7047 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7048 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7049 			return -EINVAL;
7050 		break;
7051 	}
7052 
7053 	/*
7054 	 * Older kernel versions ignored this attribute entirely, so don't
7055 	 * reject attempts to update it but mark it as unused instead so the
7056 	 * driver won't look at the data.
7057 	 */
7058 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7059 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7060 		params->link_sta_params.opmode_notif_used = false;
7061 
7062 	return 0;
7063 }
7064 EXPORT_SYMBOL(cfg80211_check_station_change);
7065 
7066 /*
7067  * Get vlan interface making sure it is running and on the right wiphy.
7068  */
7069 static struct net_device *get_vlan(struct genl_info *info,
7070 				   struct cfg80211_registered_device *rdev)
7071 {
7072 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7073 	struct net_device *v;
7074 	int ret;
7075 
7076 	if (!vlanattr)
7077 		return NULL;
7078 
7079 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7080 	if (!v)
7081 		return ERR_PTR(-ENODEV);
7082 
7083 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7084 		ret = -EINVAL;
7085 		goto error;
7086 	}
7087 
7088 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7089 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7090 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7091 		ret = -EINVAL;
7092 		goto error;
7093 	}
7094 
7095 	if (!netif_running(v)) {
7096 		ret = -ENETDOWN;
7097 		goto error;
7098 	}
7099 
7100 	return v;
7101  error:
7102 	dev_put(v);
7103 	return ERR_PTR(ret);
7104 }
7105 
7106 static int nl80211_parse_sta_wme(struct genl_info *info,
7107 				 struct station_parameters *params)
7108 {
7109 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7110 	struct nlattr *nla;
7111 	int err;
7112 
7113 	/* parse WME attributes if present */
7114 	if (!info->attrs[NL80211_ATTR_STA_WME])
7115 		return 0;
7116 
7117 	nla = info->attrs[NL80211_ATTR_STA_WME];
7118 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7119 					  nl80211_sta_wme_policy,
7120 					  info->extack);
7121 	if (err)
7122 		return err;
7123 
7124 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7125 		params->uapsd_queues = nla_get_u8(
7126 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7127 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7128 		return -EINVAL;
7129 
7130 	if (tb[NL80211_STA_WME_MAX_SP])
7131 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7132 
7133 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7134 		return -EINVAL;
7135 
7136 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7137 
7138 	return 0;
7139 }
7140 
7141 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7142 				      struct station_parameters *params)
7143 {
7144 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7145 		params->supported_channels =
7146 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7147 		params->supported_channels_len =
7148 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7149 		/*
7150 		 * Need to include at least one (first channel, number of
7151 		 * channels) tuple for each subband (checked in policy),
7152 		 * and must have proper tuples for the rest of the data as well.
7153 		 */
7154 		if (params->supported_channels_len % 2)
7155 			return -EINVAL;
7156 	}
7157 
7158 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7159 		params->supported_oper_classes =
7160 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7161 		params->supported_oper_classes_len =
7162 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7163 	}
7164 	return 0;
7165 }
7166 
7167 static int nl80211_set_station_tdls(struct genl_info *info,
7168 				    struct station_parameters *params)
7169 {
7170 	int err;
7171 	/* Dummy STA entry gets updated once the peer capabilities are known */
7172 	if (info->attrs[NL80211_ATTR_PEER_AID])
7173 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7174 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7175 		params->link_sta_params.ht_capa =
7176 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7177 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7178 		params->link_sta_params.vht_capa =
7179 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7180 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7181 		params->link_sta_params.he_capa =
7182 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7183 		params->link_sta_params.he_capa_len =
7184 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7185 
7186 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7187 			params->link_sta_params.eht_capa =
7188 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7189 			params->link_sta_params.eht_capa_len =
7190 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7191 
7192 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7193 							(const u8 *)params->link_sta_params.eht_capa,
7194 							params->link_sta_params.eht_capa_len,
7195 							false))
7196 				return -EINVAL;
7197 		}
7198 	}
7199 
7200 	err = nl80211_parse_sta_channel_info(info, params);
7201 	if (err)
7202 		return err;
7203 
7204 	return nl80211_parse_sta_wme(info, params);
7205 }
7206 
7207 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7208 					     struct sta_txpwr *txpwr,
7209 					     bool *txpwr_set)
7210 {
7211 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7212 	int idx;
7213 
7214 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7215 		if (!rdev->ops->set_tx_power ||
7216 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7217 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7218 			return -EOPNOTSUPP;
7219 
7220 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7221 		txpwr->type = nla_get_u8(info->attrs[idx]);
7222 
7223 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7224 			idx = NL80211_ATTR_STA_TX_POWER;
7225 
7226 			if (info->attrs[idx])
7227 				txpwr->power = nla_get_s16(info->attrs[idx]);
7228 			else
7229 				return -EINVAL;
7230 		}
7231 
7232 		*txpwr_set = true;
7233 	} else {
7234 		*txpwr_set = false;
7235 	}
7236 
7237 	return 0;
7238 }
7239 
7240 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7241 {
7242 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7243 	struct net_device *dev = info->user_ptr[1];
7244 	struct station_parameters params;
7245 	u8 *mac_addr;
7246 	int err;
7247 
7248 	memset(&params, 0, sizeof(params));
7249 
7250 	if (!rdev->ops->change_station)
7251 		return -EOPNOTSUPP;
7252 
7253 	/*
7254 	 * AID and listen_interval properties can be set only for unassociated
7255 	 * station. Include these parameters here and will check them in
7256 	 * cfg80211_check_station_change().
7257 	 */
7258 	if (info->attrs[NL80211_ATTR_STA_AID])
7259 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7260 
7261 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7262 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7263 
7264 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7265 		params.listen_interval =
7266 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7267 	else
7268 		params.listen_interval = -1;
7269 
7270 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7271 		params.support_p2p_ps =
7272 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7273 	else
7274 		params.support_p2p_ps = -1;
7275 
7276 	if (!info->attrs[NL80211_ATTR_MAC])
7277 		return -EINVAL;
7278 
7279 	params.link_sta_params.link_id =
7280 		nl80211_link_id_or_invalid(info->attrs);
7281 
7282 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7283 		/* If MLD_ADDR attribute is set then this is an MLD station
7284 		 * and the MLD_ADDR attribute holds the MLD address and the
7285 		 * MAC attribute holds for the LINK address.
7286 		 * In that case, the link_id is also expected to be valid.
7287 		 */
7288 		if (params.link_sta_params.link_id < 0)
7289 			return -EINVAL;
7290 
7291 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7292 		params.link_sta_params.mld_mac = mac_addr;
7293 		params.link_sta_params.link_mac =
7294 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7295 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7296 			return -EINVAL;
7297 	} else {
7298 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7299 	}
7300 
7301 
7302 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7303 		params.link_sta_params.supported_rates =
7304 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7305 		params.link_sta_params.supported_rates_len =
7306 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7307 	}
7308 
7309 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7310 		params.capability =
7311 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7312 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7313 	}
7314 
7315 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7316 		params.ext_capab =
7317 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7318 		params.ext_capab_len =
7319 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7320 	}
7321 
7322 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7323 		return -EINVAL;
7324 
7325 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7326 		params.plink_action =
7327 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7328 
7329 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7330 		params.plink_state =
7331 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7332 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7333 			params.peer_aid = nla_get_u16(
7334 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7335 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7336 	}
7337 
7338 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7339 		params.local_pm = nla_get_u32(
7340 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7341 
7342 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7343 		params.link_sta_params.opmode_notif_used = true;
7344 		params.link_sta_params.opmode_notif =
7345 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7346 	}
7347 
7348 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7349 		params.link_sta_params.he_6ghz_capa =
7350 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7351 
7352 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7353 		params.airtime_weight =
7354 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7355 
7356 	if (params.airtime_weight &&
7357 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7358 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7359 		return -EOPNOTSUPP;
7360 
7361 	err = nl80211_parse_sta_txpower_setting(info,
7362 						&params.link_sta_params.txpwr,
7363 						&params.link_sta_params.txpwr_set);
7364 	if (err)
7365 		return err;
7366 
7367 	/* Include parameters for TDLS peer (will check later) */
7368 	err = nl80211_set_station_tdls(info, &params);
7369 	if (err)
7370 		return err;
7371 
7372 	params.vlan = get_vlan(info, rdev);
7373 	if (IS_ERR(params.vlan))
7374 		return PTR_ERR(params.vlan);
7375 
7376 	switch (dev->ieee80211_ptr->iftype) {
7377 	case NL80211_IFTYPE_AP:
7378 	case NL80211_IFTYPE_AP_VLAN:
7379 	case NL80211_IFTYPE_P2P_GO:
7380 	case NL80211_IFTYPE_P2P_CLIENT:
7381 	case NL80211_IFTYPE_STATION:
7382 	case NL80211_IFTYPE_ADHOC:
7383 	case NL80211_IFTYPE_MESH_POINT:
7384 		break;
7385 	default:
7386 		err = -EOPNOTSUPP;
7387 		goto out_put_vlan;
7388 	}
7389 
7390 	/* driver will call cfg80211_check_station_change() */
7391 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7392 
7393  out_put_vlan:
7394 	dev_put(params.vlan);
7395 
7396 	return err;
7397 }
7398 
7399 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7400 {
7401 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7402 	int err;
7403 	struct net_device *dev = info->user_ptr[1];
7404 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7405 	struct station_parameters params;
7406 	u8 *mac_addr = NULL;
7407 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7408 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7409 
7410 	memset(&params, 0, sizeof(params));
7411 
7412 	if (!rdev->ops->add_station)
7413 		return -EOPNOTSUPP;
7414 
7415 	if (!info->attrs[NL80211_ATTR_MAC])
7416 		return -EINVAL;
7417 
7418 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7419 		return -EINVAL;
7420 
7421 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7422 		return -EINVAL;
7423 
7424 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7425 	    !info->attrs[NL80211_ATTR_PEER_AID])
7426 		return -EINVAL;
7427 
7428 	params.link_sta_params.link_id =
7429 		nl80211_link_id_or_invalid(info->attrs);
7430 
7431 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7432 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7433 		params.link_sta_params.mld_mac = mac_addr;
7434 		params.link_sta_params.link_mac =
7435 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7436 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7437 			return -EINVAL;
7438 	} else {
7439 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7440 	}
7441 
7442 	params.link_sta_params.supported_rates =
7443 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7444 	params.link_sta_params.supported_rates_len =
7445 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7446 	params.listen_interval =
7447 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7448 
7449 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7450 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7451 
7452 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7453 		params.support_p2p_ps =
7454 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7455 	} else {
7456 		/*
7457 		 * if not specified, assume it's supported for P2P GO interface,
7458 		 * and is NOT supported for AP interface
7459 		 */
7460 		params.support_p2p_ps =
7461 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7462 	}
7463 
7464 	if (info->attrs[NL80211_ATTR_PEER_AID])
7465 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7466 	else
7467 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7468 
7469 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7470 		params.capability =
7471 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7472 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7473 	}
7474 
7475 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7476 		params.ext_capab =
7477 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7478 		params.ext_capab_len =
7479 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7480 	}
7481 
7482 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7483 		params.link_sta_params.ht_capa =
7484 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7485 
7486 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7487 		params.link_sta_params.vht_capa =
7488 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7489 
7490 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7491 		params.link_sta_params.he_capa =
7492 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7493 		params.link_sta_params.he_capa_len =
7494 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7495 
7496 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7497 			params.link_sta_params.eht_capa =
7498 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7499 			params.link_sta_params.eht_capa_len =
7500 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7501 
7502 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7503 							(const u8 *)params.link_sta_params.eht_capa,
7504 							params.link_sta_params.eht_capa_len,
7505 							false))
7506 				return -EINVAL;
7507 		}
7508 	}
7509 
7510 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7511 		params.link_sta_params.he_6ghz_capa =
7512 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7513 
7514 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7515 		params.link_sta_params.opmode_notif_used = true;
7516 		params.link_sta_params.opmode_notif =
7517 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7518 	}
7519 
7520 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7521 		params.plink_action =
7522 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7523 
7524 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7525 		params.airtime_weight =
7526 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7527 
7528 	if (params.airtime_weight &&
7529 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7530 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7531 		return -EOPNOTSUPP;
7532 
7533 	err = nl80211_parse_sta_txpower_setting(info,
7534 						&params.link_sta_params.txpwr,
7535 						&params.link_sta_params.txpwr_set);
7536 	if (err)
7537 		return err;
7538 
7539 	err = nl80211_parse_sta_channel_info(info, &params);
7540 	if (err)
7541 		return err;
7542 
7543 	err = nl80211_parse_sta_wme(info, &params);
7544 	if (err)
7545 		return err;
7546 
7547 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7548 		return -EINVAL;
7549 
7550 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7551 	 * as userspace might just pass through the capabilities from the IEs
7552 	 * directly, rather than enforcing this restriction and returning an
7553 	 * error in this case.
7554 	 */
7555 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7556 		params.link_sta_params.ht_capa = NULL;
7557 		params.link_sta_params.vht_capa = NULL;
7558 
7559 		/* HE and EHT require WME */
7560 		if (params.link_sta_params.he_capa_len ||
7561 		    params.link_sta_params.he_6ghz_capa ||
7562 		    params.link_sta_params.eht_capa_len)
7563 			return -EINVAL;
7564 	}
7565 
7566 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7567 	if (params.link_sta_params.he_6ghz_capa &&
7568 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7569 		return -EINVAL;
7570 
7571 	/* When you run into this, adjust the code below for the new flag */
7572 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7573 
7574 	switch (dev->ieee80211_ptr->iftype) {
7575 	case NL80211_IFTYPE_AP:
7576 	case NL80211_IFTYPE_AP_VLAN:
7577 	case NL80211_IFTYPE_P2P_GO:
7578 		/* ignore WME attributes if iface/sta is not capable */
7579 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7580 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7581 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7582 
7583 		/* TDLS peers cannot be added */
7584 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7585 		    info->attrs[NL80211_ATTR_PEER_AID])
7586 			return -EINVAL;
7587 		/* but don't bother the driver with it */
7588 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7589 
7590 		/* allow authenticated/associated only if driver handles it */
7591 		if (!(rdev->wiphy.features &
7592 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7593 		    params.sta_flags_mask & auth_assoc)
7594 			return -EINVAL;
7595 
7596 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7597 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7598 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7599 			return -EINVAL;
7600 
7601 		/* Older userspace, or userspace wanting to be compatible with
7602 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7603 		 * and assoc flags in the mask, but assumes the station will be
7604 		 * added as associated anyway since this was the required driver
7605 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7606 		 * introduced.
7607 		 * In order to not bother drivers with this quirk in the API
7608 		 * set the flags in both the mask and set for new stations in
7609 		 * this case.
7610 		 */
7611 		if (!(params.sta_flags_mask & auth_assoc)) {
7612 			params.sta_flags_mask |= auth_assoc;
7613 			params.sta_flags_set |= auth_assoc;
7614 		}
7615 
7616 		/* must be last in here for error handling */
7617 		params.vlan = get_vlan(info, rdev);
7618 		if (IS_ERR(params.vlan))
7619 			return PTR_ERR(params.vlan);
7620 		break;
7621 	case NL80211_IFTYPE_MESH_POINT:
7622 		/* ignore uAPSD data */
7623 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7624 
7625 		/* associated is disallowed */
7626 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7627 			return -EINVAL;
7628 		/* TDLS peers cannot be added */
7629 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7630 		    info->attrs[NL80211_ATTR_PEER_AID])
7631 			return -EINVAL;
7632 		break;
7633 	case NL80211_IFTYPE_STATION:
7634 	case NL80211_IFTYPE_P2P_CLIENT:
7635 		/* ignore uAPSD data */
7636 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7637 
7638 		/* these are disallowed */
7639 		if (params.sta_flags_mask &
7640 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7641 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7642 			return -EINVAL;
7643 		/* Only TDLS peers can be added */
7644 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7645 			return -EINVAL;
7646 		/* Can only add if TDLS ... */
7647 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7648 			return -EOPNOTSUPP;
7649 		/* ... with external setup is supported */
7650 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7651 			return -EOPNOTSUPP;
7652 		/*
7653 		 * Older wpa_supplicant versions always mark the TDLS peer
7654 		 * as authorized, but it shouldn't yet be.
7655 		 */
7656 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7657 		break;
7658 	default:
7659 		return -EOPNOTSUPP;
7660 	}
7661 
7662 	/* be aware of params.vlan when changing code here */
7663 
7664 	if (wdev->valid_links) {
7665 		if (params.link_sta_params.link_id < 0) {
7666 			err = -EINVAL;
7667 			goto out;
7668 		}
7669 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7670 			err = -ENOLINK;
7671 			goto out;
7672 		}
7673 	} else {
7674 		if (params.link_sta_params.link_id >= 0) {
7675 			err = -EINVAL;
7676 			goto out;
7677 		}
7678 	}
7679 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7680 out:
7681 	dev_put(params.vlan);
7682 	return err;
7683 }
7684 
7685 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7686 {
7687 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7688 	struct net_device *dev = info->user_ptr[1];
7689 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7690 	struct station_del_parameters params;
7691 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7692 
7693 	memset(&params, 0, sizeof(params));
7694 
7695 	if (info->attrs[NL80211_ATTR_MAC])
7696 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7697 
7698 	switch (wdev->iftype) {
7699 	case NL80211_IFTYPE_AP:
7700 	case NL80211_IFTYPE_AP_VLAN:
7701 	case NL80211_IFTYPE_MESH_POINT:
7702 	case NL80211_IFTYPE_P2P_GO:
7703 		/* always accept these */
7704 		break;
7705 	case NL80211_IFTYPE_ADHOC:
7706 		/* conditionally accept */
7707 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7708 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7709 			break;
7710 		return -EINVAL;
7711 	default:
7712 		return -EINVAL;
7713 	}
7714 
7715 	if (!rdev->ops->del_station)
7716 		return -EOPNOTSUPP;
7717 
7718 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7719 		params.subtype =
7720 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7721 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7722 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7723 			return -EINVAL;
7724 	} else {
7725 		/* Default to Deauthentication frame */
7726 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7727 	}
7728 
7729 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7730 		params.reason_code =
7731 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7732 		if (params.reason_code == 0)
7733 			return -EINVAL; /* 0 is reserved */
7734 	} else {
7735 		/* Default to reason code 2 */
7736 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7737 	}
7738 
7739 	/* Link ID not expected in case of non-ML operation */
7740 	if (!wdev->valid_links && link_id != -1)
7741 		return -EINVAL;
7742 
7743 	/* If given, a valid link ID should be passed during MLO */
7744 	if (wdev->valid_links && link_id >= 0 &&
7745 	    !(wdev->valid_links & BIT(link_id)))
7746 		return -EINVAL;
7747 
7748 	params.link_id = link_id;
7749 
7750 	return rdev_del_station(rdev, dev, &params);
7751 }
7752 
7753 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7754 				int flags, struct net_device *dev,
7755 				u8 *dst, u8 *next_hop,
7756 				struct mpath_info *pinfo)
7757 {
7758 	void *hdr;
7759 	struct nlattr *pinfoattr;
7760 
7761 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7762 	if (!hdr)
7763 		return -1;
7764 
7765 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7766 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7767 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7768 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7769 		goto nla_put_failure;
7770 
7771 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7772 	if (!pinfoattr)
7773 		goto nla_put_failure;
7774 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7775 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7776 			pinfo->frame_qlen))
7777 		goto nla_put_failure;
7778 	if (((pinfo->filled & MPATH_INFO_SN) &&
7779 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7780 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7781 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7782 			 pinfo->metric)) ||
7783 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7784 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7785 			 pinfo->exptime)) ||
7786 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7787 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7788 			pinfo->flags)) ||
7789 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7790 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7791 			 pinfo->discovery_timeout)) ||
7792 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7793 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7794 			pinfo->discovery_retries)) ||
7795 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7796 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7797 			pinfo->hop_count)) ||
7798 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7799 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7800 			 pinfo->path_change_count)))
7801 		goto nla_put_failure;
7802 
7803 	nla_nest_end(msg, pinfoattr);
7804 
7805 	genlmsg_end(msg, hdr);
7806 	return 0;
7807 
7808  nla_put_failure:
7809 	genlmsg_cancel(msg, hdr);
7810 	return -EMSGSIZE;
7811 }
7812 
7813 static int nl80211_dump_mpath(struct sk_buff *skb,
7814 			      struct netlink_callback *cb)
7815 {
7816 	struct mpath_info pinfo;
7817 	struct cfg80211_registered_device *rdev;
7818 	struct wireless_dev *wdev;
7819 	u8 dst[ETH_ALEN];
7820 	u8 next_hop[ETH_ALEN];
7821 	int path_idx = cb->args[2];
7822 	int err;
7823 
7824 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7825 	if (err)
7826 		return err;
7827 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7828 	__acquire(&rdev->wiphy.mtx);
7829 
7830 	if (!rdev->ops->dump_mpath) {
7831 		err = -EOPNOTSUPP;
7832 		goto out_err;
7833 	}
7834 
7835 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7836 		err = -EOPNOTSUPP;
7837 		goto out_err;
7838 	}
7839 
7840 	while (1) {
7841 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7842 				      next_hop, &pinfo);
7843 		if (err == -ENOENT)
7844 			break;
7845 		if (err)
7846 			goto out_err;
7847 
7848 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7849 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7850 				       wdev->netdev, dst, next_hop,
7851 				       &pinfo) < 0)
7852 			goto out;
7853 
7854 		path_idx++;
7855 	}
7856 
7857  out:
7858 	cb->args[2] = path_idx;
7859 	err = skb->len;
7860  out_err:
7861 	wiphy_unlock(&rdev->wiphy);
7862 	return err;
7863 }
7864 
7865 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7866 {
7867 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7868 	int err;
7869 	struct net_device *dev = info->user_ptr[1];
7870 	struct mpath_info pinfo;
7871 	struct sk_buff *msg;
7872 	u8 *dst = NULL;
7873 	u8 next_hop[ETH_ALEN];
7874 
7875 	memset(&pinfo, 0, sizeof(pinfo));
7876 
7877 	if (!info->attrs[NL80211_ATTR_MAC])
7878 		return -EINVAL;
7879 
7880 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7881 
7882 	if (!rdev->ops->get_mpath)
7883 		return -EOPNOTSUPP;
7884 
7885 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7886 		return -EOPNOTSUPP;
7887 
7888 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7889 	if (err)
7890 		return err;
7891 
7892 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7893 	if (!msg)
7894 		return -ENOMEM;
7895 
7896 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7897 				 dev, dst, next_hop, &pinfo) < 0) {
7898 		nlmsg_free(msg);
7899 		return -ENOBUFS;
7900 	}
7901 
7902 	return genlmsg_reply(msg, info);
7903 }
7904 
7905 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7906 {
7907 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7908 	struct net_device *dev = info->user_ptr[1];
7909 	u8 *dst = NULL;
7910 	u8 *next_hop = NULL;
7911 
7912 	if (!info->attrs[NL80211_ATTR_MAC])
7913 		return -EINVAL;
7914 
7915 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7916 		return -EINVAL;
7917 
7918 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7919 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7920 
7921 	if (!rdev->ops->change_mpath)
7922 		return -EOPNOTSUPP;
7923 
7924 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7925 		return -EOPNOTSUPP;
7926 
7927 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7928 }
7929 
7930 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7931 {
7932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7933 	struct net_device *dev = info->user_ptr[1];
7934 	u8 *dst = NULL;
7935 	u8 *next_hop = NULL;
7936 
7937 	if (!info->attrs[NL80211_ATTR_MAC])
7938 		return -EINVAL;
7939 
7940 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7941 		return -EINVAL;
7942 
7943 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7944 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7945 
7946 	if (!rdev->ops->add_mpath)
7947 		return -EOPNOTSUPP;
7948 
7949 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7950 		return -EOPNOTSUPP;
7951 
7952 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7953 }
7954 
7955 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7956 {
7957 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7958 	struct net_device *dev = info->user_ptr[1];
7959 	u8 *dst = NULL;
7960 
7961 	if (info->attrs[NL80211_ATTR_MAC])
7962 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7963 
7964 	if (!rdev->ops->del_mpath)
7965 		return -EOPNOTSUPP;
7966 
7967 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7968 		return -EOPNOTSUPP;
7969 
7970 	return rdev_del_mpath(rdev, dev, dst);
7971 }
7972 
7973 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7974 {
7975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7976 	int err;
7977 	struct net_device *dev = info->user_ptr[1];
7978 	struct mpath_info pinfo;
7979 	struct sk_buff *msg;
7980 	u8 *dst = NULL;
7981 	u8 mpp[ETH_ALEN];
7982 
7983 	memset(&pinfo, 0, sizeof(pinfo));
7984 
7985 	if (!info->attrs[NL80211_ATTR_MAC])
7986 		return -EINVAL;
7987 
7988 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7989 
7990 	if (!rdev->ops->get_mpp)
7991 		return -EOPNOTSUPP;
7992 
7993 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7994 		return -EOPNOTSUPP;
7995 
7996 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7997 	if (err)
7998 		return err;
7999 
8000 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8001 	if (!msg)
8002 		return -ENOMEM;
8003 
8004 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8005 			       dev, dst, mpp, &pinfo) < 0) {
8006 		nlmsg_free(msg);
8007 		return -ENOBUFS;
8008 	}
8009 
8010 	return genlmsg_reply(msg, info);
8011 }
8012 
8013 static int nl80211_dump_mpp(struct sk_buff *skb,
8014 			    struct netlink_callback *cb)
8015 {
8016 	struct mpath_info pinfo;
8017 	struct cfg80211_registered_device *rdev;
8018 	struct wireless_dev *wdev;
8019 	u8 dst[ETH_ALEN];
8020 	u8 mpp[ETH_ALEN];
8021 	int path_idx = cb->args[2];
8022 	int err;
8023 
8024 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8025 	if (err)
8026 		return err;
8027 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8028 	__acquire(&rdev->wiphy.mtx);
8029 
8030 	if (!rdev->ops->dump_mpp) {
8031 		err = -EOPNOTSUPP;
8032 		goto out_err;
8033 	}
8034 
8035 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8036 		err = -EOPNOTSUPP;
8037 		goto out_err;
8038 	}
8039 
8040 	while (1) {
8041 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8042 				    mpp, &pinfo);
8043 		if (err == -ENOENT)
8044 			break;
8045 		if (err)
8046 			goto out_err;
8047 
8048 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8049 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8050 				       wdev->netdev, dst, mpp,
8051 				       &pinfo) < 0)
8052 			goto out;
8053 
8054 		path_idx++;
8055 	}
8056 
8057  out:
8058 	cb->args[2] = path_idx;
8059 	err = skb->len;
8060  out_err:
8061 	wiphy_unlock(&rdev->wiphy);
8062 	return err;
8063 }
8064 
8065 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8066 {
8067 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8068 	struct net_device *dev = info->user_ptr[1];
8069 	struct bss_parameters params;
8070 
8071 	memset(&params, 0, sizeof(params));
8072 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8073 	/* default to not changing parameters */
8074 	params.use_cts_prot = -1;
8075 	params.use_short_preamble = -1;
8076 	params.use_short_slot_time = -1;
8077 	params.ap_isolate = -1;
8078 	params.ht_opmode = -1;
8079 	params.p2p_ctwindow = -1;
8080 	params.p2p_opp_ps = -1;
8081 
8082 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8083 		params.use_cts_prot =
8084 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8085 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8086 		params.use_short_preamble =
8087 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8088 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8089 		params.use_short_slot_time =
8090 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8091 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8092 		params.basic_rates =
8093 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8094 		params.basic_rates_len =
8095 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8096 	}
8097 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8098 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8099 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8100 		params.ht_opmode =
8101 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8102 
8103 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8104 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8105 			return -EINVAL;
8106 		params.p2p_ctwindow =
8107 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8108 		if (params.p2p_ctwindow != 0 &&
8109 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8110 			return -EINVAL;
8111 	}
8112 
8113 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8114 		u8 tmp;
8115 
8116 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8117 			return -EINVAL;
8118 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8119 		params.p2p_opp_ps = tmp;
8120 		if (params.p2p_opp_ps &&
8121 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8122 			return -EINVAL;
8123 	}
8124 
8125 	if (!rdev->ops->change_bss)
8126 		return -EOPNOTSUPP;
8127 
8128 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8129 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8130 		return -EOPNOTSUPP;
8131 
8132 	return rdev_change_bss(rdev, dev, &params);
8133 }
8134 
8135 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8136 {
8137 	char *data = NULL;
8138 	bool is_indoor;
8139 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8140 	u32 owner_nlportid;
8141 
8142 	/*
8143 	 * You should only get this when cfg80211 hasn't yet initialized
8144 	 * completely when built-in to the kernel right between the time
8145 	 * window between nl80211_init() and regulatory_init(), if that is
8146 	 * even possible.
8147 	 */
8148 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8149 		return -EINPROGRESS;
8150 
8151 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8152 		user_reg_hint_type =
8153 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8154 	else
8155 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8156 
8157 	switch (user_reg_hint_type) {
8158 	case NL80211_USER_REG_HINT_USER:
8159 	case NL80211_USER_REG_HINT_CELL_BASE:
8160 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8161 			return -EINVAL;
8162 
8163 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8164 		return regulatory_hint_user(data, user_reg_hint_type);
8165 	case NL80211_USER_REG_HINT_INDOOR:
8166 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8167 			owner_nlportid = info->snd_portid;
8168 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8169 		} else {
8170 			owner_nlportid = 0;
8171 			is_indoor = true;
8172 		}
8173 
8174 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8175 		return 0;
8176 	default:
8177 		return -EINVAL;
8178 	}
8179 }
8180 
8181 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8182 {
8183 	return reg_reload_regdb();
8184 }
8185 
8186 static int nl80211_get_mesh_config(struct sk_buff *skb,
8187 				   struct genl_info *info)
8188 {
8189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8190 	struct net_device *dev = info->user_ptr[1];
8191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8192 	struct mesh_config cur_params;
8193 	int err = 0;
8194 	void *hdr;
8195 	struct nlattr *pinfoattr;
8196 	struct sk_buff *msg;
8197 
8198 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8199 		return -EOPNOTSUPP;
8200 
8201 	if (!rdev->ops->get_mesh_config)
8202 		return -EOPNOTSUPP;
8203 
8204 	/* If not connected, get default parameters */
8205 	if (!wdev->u.mesh.id_len)
8206 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8207 	else
8208 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8209 
8210 	if (err)
8211 		return err;
8212 
8213 	/* Draw up a netlink message to send back */
8214 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8215 	if (!msg)
8216 		return -ENOMEM;
8217 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8218 			     NL80211_CMD_GET_MESH_CONFIG);
8219 	if (!hdr)
8220 		goto out;
8221 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8222 	if (!pinfoattr)
8223 		goto nla_put_failure;
8224 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8225 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8226 			cur_params.dot11MeshRetryTimeout) ||
8227 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8228 			cur_params.dot11MeshConfirmTimeout) ||
8229 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8230 			cur_params.dot11MeshHoldingTimeout) ||
8231 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8232 			cur_params.dot11MeshMaxPeerLinks) ||
8233 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8234 		       cur_params.dot11MeshMaxRetries) ||
8235 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8236 		       cur_params.dot11MeshTTL) ||
8237 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8238 		       cur_params.element_ttl) ||
8239 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8240 		       cur_params.auto_open_plinks) ||
8241 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8242 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8243 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8244 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8245 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8246 			cur_params.path_refresh_time) ||
8247 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8248 			cur_params.min_discovery_timeout) ||
8249 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8250 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8251 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8252 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8253 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8254 			cur_params.dot11MeshHWMPperrMinInterval) ||
8255 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8256 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8257 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8258 		       cur_params.dot11MeshHWMPRootMode) ||
8259 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8260 			cur_params.dot11MeshHWMPRannInterval) ||
8261 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8262 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8263 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8264 		       cur_params.dot11MeshForwarding) ||
8265 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8266 			cur_params.rssi_threshold) ||
8267 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8268 			cur_params.ht_opmode) ||
8269 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8270 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8271 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8272 			cur_params.dot11MeshHWMProotInterval) ||
8273 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8274 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8275 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8276 			cur_params.power_mode) ||
8277 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8278 			cur_params.dot11MeshAwakeWindowDuration) ||
8279 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8280 			cur_params.plink_timeout) ||
8281 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8282 		       cur_params.dot11MeshConnectedToMeshGate) ||
8283 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8284 		       cur_params.dot11MeshNolearn) ||
8285 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8286 		       cur_params.dot11MeshConnectedToAuthServer))
8287 		goto nla_put_failure;
8288 	nla_nest_end(msg, pinfoattr);
8289 	genlmsg_end(msg, hdr);
8290 	return genlmsg_reply(msg, info);
8291 
8292  nla_put_failure:
8293  out:
8294 	nlmsg_free(msg);
8295 	return -ENOBUFS;
8296 }
8297 
8298 static const struct nla_policy
8299 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8300 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8301 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8302 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8303 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8304 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8305 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8306 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8307 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8308 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8309 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8310 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8311 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8312 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8313 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8314 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8315 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8316 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8317 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8318 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8319 		NLA_POLICY_MIN(NLA_U16, 1),
8320 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8321 		NLA_POLICY_MIN(NLA_U16, 1),
8322 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8323 		NLA_POLICY_MIN(NLA_U16, 1),
8324 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8325 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8326 		NLA_POLICY_MIN(NLA_U16, 1),
8327 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8328 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8329 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8330 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8331 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8332 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8333 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8334 		NLA_POLICY_MIN(NLA_U16, 1),
8335 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8336 		NLA_POLICY_MIN(NLA_U16, 1),
8337 	[NL80211_MESHCONF_POWER_MODE] =
8338 		NLA_POLICY_RANGE(NLA_U32,
8339 				 NL80211_MESH_POWER_ACTIVE,
8340 				 NL80211_MESH_POWER_MAX),
8341 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8342 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8343 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8344 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8345 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8346 };
8347 
8348 static const struct nla_policy
8349 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8350 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8351 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8352 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8353 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8354 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8355 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8356 	[NL80211_MESH_SETUP_IE] =
8357 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8358 				       IEEE80211_MAX_DATA_LEN),
8359 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8360 };
8361 
8362 static int nl80211_parse_mesh_config(struct genl_info *info,
8363 				     struct mesh_config *cfg,
8364 				     u32 *mask_out)
8365 {
8366 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8367 	u32 mask = 0;
8368 	u16 ht_opmode;
8369 
8370 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8371 do {									\
8372 	if (tb[attr]) {							\
8373 		cfg->param = fn(tb[attr]);				\
8374 		mask |= BIT((attr) - 1);				\
8375 	}								\
8376 } while (0)
8377 
8378 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8379 		return -EINVAL;
8380 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8381 		return -EINVAL;
8382 
8383 	/* This makes sure that there aren't more than 32 mesh config
8384 	 * parameters (otherwise our bitfield scheme would not work.) */
8385 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8386 
8387 	/* Fill in the params struct */
8388 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8389 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8390 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8391 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8392 				  nla_get_u16);
8393 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8394 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8395 				  nla_get_u16);
8396 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8397 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8398 				  nla_get_u16);
8399 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8400 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8401 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8402 				  NL80211_MESHCONF_TTL, nla_get_u8);
8403 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8404 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8405 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8406 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8407 				  nla_get_u8);
8408 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8409 				  mask,
8410 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8411 				  nla_get_u32);
8412 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8413 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8414 				  nla_get_u8);
8415 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8416 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8417 				  nla_get_u32);
8418 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8419 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8420 		return -EINVAL;
8421 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8422 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8423 				  nla_get_u16);
8424 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8425 				  mask,
8426 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8427 				  nla_get_u32);
8428 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8429 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8430 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8431 		return -EINVAL;
8432 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8433 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8434 				  nla_get_u16);
8435 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8436 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8437 				  nla_get_u16);
8438 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8439 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8440 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8441 				  nla_get_u16);
8442 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8443 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8444 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8445 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8446 				  nla_get_u16);
8447 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8448 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8449 				  nla_get_u8);
8450 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8451 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8452 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8453 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8454 				  nla_get_s32);
8455 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8456 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8457 				  nla_get_u8);
8458 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8459 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8460 				  nla_get_u8);
8461 	/*
8462 	 * Check HT operation mode based on
8463 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8464 	 */
8465 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8466 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8467 
8468 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8469 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8470 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8471 			return -EINVAL;
8472 
8473 		/* NON_HT_STA bit is reserved, but some programs set it */
8474 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8475 
8476 		cfg->ht_opmode = ht_opmode;
8477 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8478 	}
8479 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8480 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8481 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8482 				  nla_get_u32);
8483 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8484 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8485 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8486 		return -EINVAL;
8487 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8488 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8489 				  nla_get_u16);
8490 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8491 				  mask,
8492 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8493 				  nla_get_u16);
8494 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8495 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8496 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8497 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8498 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8499 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8500 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8501 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8502 	if (mask_out)
8503 		*mask_out = mask;
8504 
8505 	return 0;
8506 
8507 #undef FILL_IN_MESH_PARAM_IF_SET
8508 }
8509 
8510 static int nl80211_parse_mesh_setup(struct genl_info *info,
8511 				     struct mesh_setup *setup)
8512 {
8513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8514 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8515 
8516 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8517 		return -EINVAL;
8518 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8519 		return -EINVAL;
8520 
8521 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8522 		setup->sync_method =
8523 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8524 		 IEEE80211_SYNC_METHOD_VENDOR :
8525 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8526 
8527 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8528 		setup->path_sel_proto =
8529 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8530 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8531 		 IEEE80211_PATH_PROTOCOL_HWMP;
8532 
8533 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8534 		setup->path_metric =
8535 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8536 		 IEEE80211_PATH_METRIC_VENDOR :
8537 		 IEEE80211_PATH_METRIC_AIRTIME;
8538 
8539 	if (tb[NL80211_MESH_SETUP_IE]) {
8540 		struct nlattr *ieattr =
8541 			tb[NL80211_MESH_SETUP_IE];
8542 		setup->ie = nla_data(ieattr);
8543 		setup->ie_len = nla_len(ieattr);
8544 	}
8545 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8546 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8547 		return -EINVAL;
8548 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8549 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8550 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8551 	if (setup->is_secure)
8552 		setup->user_mpm = true;
8553 
8554 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8555 		if (!setup->user_mpm)
8556 			return -EINVAL;
8557 		setup->auth_id =
8558 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8559 	}
8560 
8561 	return 0;
8562 }
8563 
8564 static int nl80211_update_mesh_config(struct sk_buff *skb,
8565 				      struct genl_info *info)
8566 {
8567 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8568 	struct net_device *dev = info->user_ptr[1];
8569 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8570 	struct mesh_config cfg = {};
8571 	u32 mask;
8572 	int err;
8573 
8574 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8575 		return -EOPNOTSUPP;
8576 
8577 	if (!rdev->ops->update_mesh_config)
8578 		return -EOPNOTSUPP;
8579 
8580 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8581 	if (err)
8582 		return err;
8583 
8584 	if (!wdev->u.mesh.id_len)
8585 		err = -ENOLINK;
8586 
8587 	if (!err)
8588 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8589 
8590 	return err;
8591 }
8592 
8593 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8594 			      struct sk_buff *msg)
8595 {
8596 	struct nlattr *nl_reg_rules;
8597 	unsigned int i;
8598 
8599 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8600 	    (regdom->dfs_region &&
8601 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8602 		goto nla_put_failure;
8603 
8604 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8605 	if (!nl_reg_rules)
8606 		goto nla_put_failure;
8607 
8608 	for (i = 0; i < regdom->n_reg_rules; i++) {
8609 		struct nlattr *nl_reg_rule;
8610 		const struct ieee80211_reg_rule *reg_rule;
8611 		const struct ieee80211_freq_range *freq_range;
8612 		const struct ieee80211_power_rule *power_rule;
8613 		unsigned int max_bandwidth_khz;
8614 
8615 		reg_rule = &regdom->reg_rules[i];
8616 		freq_range = &reg_rule->freq_range;
8617 		power_rule = &reg_rule->power_rule;
8618 
8619 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8620 		if (!nl_reg_rule)
8621 			goto nla_put_failure;
8622 
8623 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8624 		if (!max_bandwidth_khz)
8625 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8626 								  reg_rule);
8627 
8628 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8629 				reg_rule->flags) ||
8630 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8631 				freq_range->start_freq_khz) ||
8632 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8633 				freq_range->end_freq_khz) ||
8634 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8635 				max_bandwidth_khz) ||
8636 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8637 				power_rule->max_antenna_gain) ||
8638 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8639 				power_rule->max_eirp) ||
8640 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8641 				reg_rule->dfs_cac_ms))
8642 			goto nla_put_failure;
8643 
8644 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8645 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8646 			       reg_rule->psd))
8647 			goto nla_put_failure;
8648 
8649 		nla_nest_end(msg, nl_reg_rule);
8650 	}
8651 
8652 	nla_nest_end(msg, nl_reg_rules);
8653 	return 0;
8654 
8655 nla_put_failure:
8656 	return -EMSGSIZE;
8657 }
8658 
8659 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8660 {
8661 	const struct ieee80211_regdomain *regdom = NULL;
8662 	struct cfg80211_registered_device *rdev;
8663 	struct wiphy *wiphy = NULL;
8664 	struct sk_buff *msg;
8665 	int err = -EMSGSIZE;
8666 	void *hdr;
8667 
8668 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8669 	if (!msg)
8670 		return -ENOBUFS;
8671 
8672 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8673 			     NL80211_CMD_GET_REG);
8674 	if (!hdr)
8675 		goto put_failure;
8676 
8677 	rtnl_lock();
8678 
8679 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8680 		bool self_managed;
8681 
8682 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8683 		if (IS_ERR(rdev)) {
8684 			err = PTR_ERR(rdev);
8685 			goto nla_put_failure;
8686 		}
8687 
8688 		wiphy = &rdev->wiphy;
8689 		self_managed = wiphy->regulatory_flags &
8690 			       REGULATORY_WIPHY_SELF_MANAGED;
8691 
8692 		rcu_read_lock();
8693 
8694 		regdom = get_wiphy_regdom(wiphy);
8695 
8696 		/* a self-managed-reg device must have a private regdom */
8697 		if (WARN_ON(!regdom && self_managed)) {
8698 			err = -EINVAL;
8699 			goto nla_put_failure_rcu;
8700 		}
8701 
8702 		if (regdom &&
8703 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8704 			goto nla_put_failure_rcu;
8705 	} else {
8706 		rcu_read_lock();
8707 	}
8708 
8709 	if (!wiphy && reg_last_request_cell_base() &&
8710 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8711 			NL80211_USER_REG_HINT_CELL_BASE))
8712 		goto nla_put_failure_rcu;
8713 
8714 	if (!regdom)
8715 		regdom = rcu_dereference(cfg80211_regdomain);
8716 
8717 	if (nl80211_put_regdom(regdom, msg))
8718 		goto nla_put_failure_rcu;
8719 
8720 	rcu_read_unlock();
8721 
8722 	genlmsg_end(msg, hdr);
8723 	rtnl_unlock();
8724 	return genlmsg_reply(msg, info);
8725 
8726 nla_put_failure_rcu:
8727 	rcu_read_unlock();
8728 nla_put_failure:
8729 	rtnl_unlock();
8730 put_failure:
8731 	nlmsg_free(msg);
8732 	return err;
8733 }
8734 
8735 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8736 			       u32 seq, int flags, struct wiphy *wiphy,
8737 			       const struct ieee80211_regdomain *regdom)
8738 {
8739 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8740 				   NL80211_CMD_GET_REG);
8741 
8742 	if (!hdr)
8743 		return -1;
8744 
8745 	genl_dump_check_consistent(cb, hdr);
8746 
8747 	if (nl80211_put_regdom(regdom, msg))
8748 		goto nla_put_failure;
8749 
8750 	if (!wiphy && reg_last_request_cell_base() &&
8751 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8752 			NL80211_USER_REG_HINT_CELL_BASE))
8753 		goto nla_put_failure;
8754 
8755 	if (wiphy &&
8756 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8757 		goto nla_put_failure;
8758 
8759 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8760 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8761 		goto nla_put_failure;
8762 
8763 	genlmsg_end(msg, hdr);
8764 	return 0;
8765 
8766 nla_put_failure:
8767 	genlmsg_cancel(msg, hdr);
8768 	return -EMSGSIZE;
8769 }
8770 
8771 static int nl80211_get_reg_dump(struct sk_buff *skb,
8772 				struct netlink_callback *cb)
8773 {
8774 	const struct ieee80211_regdomain *regdom = NULL;
8775 	struct cfg80211_registered_device *rdev;
8776 	int err, reg_idx, start = cb->args[2];
8777 
8778 	rcu_read_lock();
8779 
8780 	if (cfg80211_regdomain && start == 0) {
8781 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8782 					  NLM_F_MULTI, NULL,
8783 					  rcu_dereference(cfg80211_regdomain));
8784 		if (err < 0)
8785 			goto out_err;
8786 	}
8787 
8788 	/* the global regdom is idx 0 */
8789 	reg_idx = 1;
8790 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8791 		regdom = get_wiphy_regdom(&rdev->wiphy);
8792 		if (!regdom)
8793 			continue;
8794 
8795 		if (++reg_idx <= start)
8796 			continue;
8797 
8798 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8799 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8800 		if (err < 0) {
8801 			reg_idx--;
8802 			break;
8803 		}
8804 	}
8805 
8806 	cb->args[2] = reg_idx;
8807 	err = skb->len;
8808 out_err:
8809 	rcu_read_unlock();
8810 	return err;
8811 }
8812 
8813 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8814 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8815 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8816 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8817 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8818 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8819 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8820 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8821 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8822 };
8823 
8824 static int parse_reg_rule(struct nlattr *tb[],
8825 	struct ieee80211_reg_rule *reg_rule)
8826 {
8827 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8828 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8829 
8830 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8831 		return -EINVAL;
8832 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8833 		return -EINVAL;
8834 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8835 		return -EINVAL;
8836 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8837 		return -EINVAL;
8838 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8839 		return -EINVAL;
8840 
8841 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8842 
8843 	freq_range->start_freq_khz =
8844 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8845 	freq_range->end_freq_khz =
8846 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8847 	freq_range->max_bandwidth_khz =
8848 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8849 
8850 	power_rule->max_eirp =
8851 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8852 
8853 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8854 		power_rule->max_antenna_gain =
8855 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8856 
8857 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8858 		reg_rule->dfs_cac_ms =
8859 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8860 
8861 	return 0;
8862 }
8863 
8864 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8865 {
8866 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8867 	struct nlattr *nl_reg_rule;
8868 	char *alpha2;
8869 	int rem_reg_rules, r;
8870 	u32 num_rules = 0, rule_idx = 0;
8871 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8872 	struct ieee80211_regdomain *rd;
8873 
8874 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8875 		return -EINVAL;
8876 
8877 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8878 		return -EINVAL;
8879 
8880 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8881 
8882 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8883 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8884 
8885 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8886 			    rem_reg_rules) {
8887 		num_rules++;
8888 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8889 			return -EINVAL;
8890 	}
8891 
8892 	rtnl_lock();
8893 	if (!reg_is_valid_request(alpha2)) {
8894 		r = -EINVAL;
8895 		goto out;
8896 	}
8897 
8898 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8899 	if (!rd) {
8900 		r = -ENOMEM;
8901 		goto out;
8902 	}
8903 
8904 	rd->n_reg_rules = num_rules;
8905 	rd->alpha2[0] = alpha2[0];
8906 	rd->alpha2[1] = alpha2[1];
8907 
8908 	/*
8909 	 * Disable DFS master mode if the DFS region was
8910 	 * not supported or known on this kernel.
8911 	 */
8912 	if (reg_supported_dfs_region(dfs_region))
8913 		rd->dfs_region = dfs_region;
8914 
8915 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8916 			    rem_reg_rules) {
8917 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8918 						nl_reg_rule, reg_rule_policy,
8919 						info->extack);
8920 		if (r)
8921 			goto bad_reg;
8922 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8923 		if (r)
8924 			goto bad_reg;
8925 
8926 		rule_idx++;
8927 
8928 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8929 			r = -EINVAL;
8930 			goto bad_reg;
8931 		}
8932 	}
8933 
8934 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8935 	/* set_regdom takes ownership of rd */
8936 	rd = NULL;
8937  bad_reg:
8938 	kfree(rd);
8939  out:
8940 	rtnl_unlock();
8941 	return r;
8942 }
8943 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8944 
8945 static int validate_scan_freqs(struct nlattr *freqs)
8946 {
8947 	struct nlattr *attr1, *attr2;
8948 	int n_channels = 0, tmp1, tmp2;
8949 
8950 	nla_for_each_nested(attr1, freqs, tmp1)
8951 		if (nla_len(attr1) != sizeof(u32))
8952 			return 0;
8953 
8954 	nla_for_each_nested(attr1, freqs, tmp1) {
8955 		n_channels++;
8956 		/*
8957 		 * Some hardware has a limited channel list for
8958 		 * scanning, and it is pretty much nonsensical
8959 		 * to scan for a channel twice, so disallow that
8960 		 * and don't require drivers to check that the
8961 		 * channel list they get isn't longer than what
8962 		 * they can scan, as long as they can scan all
8963 		 * the channels they registered at once.
8964 		 */
8965 		nla_for_each_nested(attr2, freqs, tmp2)
8966 			if (attr1 != attr2 &&
8967 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8968 				return 0;
8969 	}
8970 
8971 	return n_channels;
8972 }
8973 
8974 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8975 {
8976 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8977 }
8978 
8979 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8980 			    struct cfg80211_bss_selection *bss_select)
8981 {
8982 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8983 	struct nlattr *nest;
8984 	int err;
8985 	bool found = false;
8986 	int i;
8987 
8988 	/* only process one nested attribute */
8989 	nest = nla_data(nla);
8990 	if (!nla_ok(nest, nla_len(nest)))
8991 		return -EINVAL;
8992 
8993 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8994 					  nest, nl80211_bss_select_policy,
8995 					  NULL);
8996 	if (err)
8997 		return err;
8998 
8999 	/* only one attribute may be given */
9000 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9001 		if (attr[i]) {
9002 			if (found)
9003 				return -EINVAL;
9004 			found = true;
9005 		}
9006 	}
9007 
9008 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9009 
9010 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9011 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9012 
9013 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9014 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9015 		bss_select->param.band_pref =
9016 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9017 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9018 			return -EINVAL;
9019 	}
9020 
9021 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9022 		struct nl80211_bss_select_rssi_adjust *adj_param;
9023 
9024 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9025 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9026 		bss_select->param.adjust.band = adj_param->band;
9027 		bss_select->param.adjust.delta = adj_param->delta;
9028 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9029 			return -EINVAL;
9030 	}
9031 
9032 	/* user-space did not provide behaviour attribute */
9033 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9034 		return -EINVAL;
9035 
9036 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9037 		return -EINVAL;
9038 
9039 	return 0;
9040 }
9041 
9042 int nl80211_parse_random_mac(struct nlattr **attrs,
9043 			     u8 *mac_addr, u8 *mac_addr_mask)
9044 {
9045 	int i;
9046 
9047 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9048 		eth_zero_addr(mac_addr);
9049 		eth_zero_addr(mac_addr_mask);
9050 		mac_addr[0] = 0x2;
9051 		mac_addr_mask[0] = 0x3;
9052 
9053 		return 0;
9054 	}
9055 
9056 	/* need both or none */
9057 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9058 		return -EINVAL;
9059 
9060 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9061 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9062 
9063 	/* don't allow or configure an mcast address */
9064 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9065 	    is_multicast_ether_addr(mac_addr))
9066 		return -EINVAL;
9067 
9068 	/*
9069 	 * allow users to pass a MAC address that has bits set outside
9070 	 * of the mask, but don't bother drivers with having to deal
9071 	 * with such bits
9072 	 */
9073 	for (i = 0; i < ETH_ALEN; i++)
9074 		mac_addr[i] &= mac_addr_mask[i];
9075 
9076 	return 0;
9077 }
9078 
9079 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9080 					      struct ieee80211_channel *chan)
9081 {
9082 	unsigned int link_id;
9083 	bool all_ok = true;
9084 
9085 	lockdep_assert_wiphy(wdev->wiphy);
9086 
9087 	if (!cfg80211_beaconing_iface_active(wdev))
9088 		return true;
9089 
9090 	/*
9091 	 * FIXME: check if we have a free HW resource/link for chan
9092 	 *
9093 	 * This, as well as the FIXME below, requires knowing the link
9094 	 * capabilities of the hardware.
9095 	 */
9096 
9097 	/* we cannot leave radar channels */
9098 	for_each_valid_link(wdev, link_id) {
9099 		struct cfg80211_chan_def *chandef;
9100 
9101 		chandef = wdev_chandef(wdev, link_id);
9102 		if (!chandef || !chandef->chan)
9103 			continue;
9104 
9105 		/*
9106 		 * FIXME: don't require all_ok, but rather check only the
9107 		 *	  correct HW resource/link onto which 'chan' falls,
9108 		 *	  as only that link leaves the channel for doing
9109 		 *	  the off-channel operation.
9110 		 */
9111 
9112 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9113 			all_ok = false;
9114 	}
9115 
9116 	if (all_ok)
9117 		return true;
9118 
9119 	return regulatory_pre_cac_allowed(wdev->wiphy);
9120 }
9121 
9122 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9123 				    enum nl80211_ext_feature_index feat)
9124 {
9125 	if (!(flags & flag))
9126 		return true;
9127 	if (wiphy_ext_feature_isset(wiphy, feat))
9128 		return true;
9129 	return false;
9130 }
9131 
9132 static int
9133 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9134 			 void *request, struct nlattr **attrs,
9135 			 bool is_sched_scan)
9136 {
9137 	u8 *mac_addr, *mac_addr_mask;
9138 	u32 *flags;
9139 	enum nl80211_feature_flags randomness_flag;
9140 
9141 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9142 		return 0;
9143 
9144 	if (is_sched_scan) {
9145 		struct cfg80211_sched_scan_request *req = request;
9146 
9147 		randomness_flag = wdev ?
9148 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9149 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9150 		flags = &req->flags;
9151 		mac_addr = req->mac_addr;
9152 		mac_addr_mask = req->mac_addr_mask;
9153 	} else {
9154 		struct cfg80211_scan_request *req = request;
9155 
9156 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9157 		flags = &req->flags;
9158 		mac_addr = req->mac_addr;
9159 		mac_addr_mask = req->mac_addr_mask;
9160 	}
9161 
9162 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9163 
9164 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9165 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9166 	    !nl80211_check_scan_feat(wiphy, *flags,
9167 				     NL80211_SCAN_FLAG_LOW_SPAN,
9168 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9169 	    !nl80211_check_scan_feat(wiphy, *flags,
9170 				     NL80211_SCAN_FLAG_LOW_POWER,
9171 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9172 	    !nl80211_check_scan_feat(wiphy, *flags,
9173 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9174 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9175 	    !nl80211_check_scan_feat(wiphy, *flags,
9176 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9177 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9178 	    !nl80211_check_scan_feat(wiphy, *flags,
9179 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9180 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9181 	    !nl80211_check_scan_feat(wiphy, *flags,
9182 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9183 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9184 	    !nl80211_check_scan_feat(wiphy, *flags,
9185 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9186 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9187 	    !nl80211_check_scan_feat(wiphy, *flags,
9188 				     NL80211_SCAN_FLAG_RANDOM_SN,
9189 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9190 	    !nl80211_check_scan_feat(wiphy, *flags,
9191 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9192 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9193 		return -EOPNOTSUPP;
9194 
9195 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9196 		int err;
9197 
9198 		if (!(wiphy->features & randomness_flag) ||
9199 		    (wdev && wdev->connected))
9200 			return -EOPNOTSUPP;
9201 
9202 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9203 		if (err)
9204 			return err;
9205 	}
9206 
9207 	return 0;
9208 }
9209 
9210 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9211 {
9212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9213 	struct wireless_dev *wdev = info->user_ptr[1];
9214 	struct cfg80211_scan_request *request;
9215 	struct nlattr *scan_freqs = NULL;
9216 	bool scan_freqs_khz = false;
9217 	struct nlattr *attr;
9218 	struct wiphy *wiphy;
9219 	int err, tmp, n_ssids = 0, n_channels, i;
9220 	size_t ie_len, size;
9221 	size_t ssids_offset, ie_offset;
9222 
9223 	wiphy = &rdev->wiphy;
9224 
9225 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9226 		return -EOPNOTSUPP;
9227 
9228 	if (!rdev->ops->scan)
9229 		return -EOPNOTSUPP;
9230 
9231 	if (rdev->scan_req || rdev->scan_msg)
9232 		return -EBUSY;
9233 
9234 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9235 		if (!wiphy_ext_feature_isset(wiphy,
9236 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9237 			return -EOPNOTSUPP;
9238 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9239 		scan_freqs_khz = true;
9240 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9241 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9242 
9243 	if (scan_freqs) {
9244 		n_channels = validate_scan_freqs(scan_freqs);
9245 		if (!n_channels)
9246 			return -EINVAL;
9247 	} else {
9248 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9249 	}
9250 
9251 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9252 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9253 			n_ssids++;
9254 
9255 	if (n_ssids > wiphy->max_scan_ssids)
9256 		return -EINVAL;
9257 
9258 	if (info->attrs[NL80211_ATTR_IE])
9259 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9260 	else
9261 		ie_len = 0;
9262 
9263 	if (ie_len > wiphy->max_scan_ie_len)
9264 		return -EINVAL;
9265 
9266 	size = struct_size(request, channels, n_channels);
9267 	ssids_offset = size;
9268 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9269 	ie_offset = size;
9270 	size = size_add(size, ie_len);
9271 	request = kzalloc(size, GFP_KERNEL);
9272 	if (!request)
9273 		return -ENOMEM;
9274 	request->n_channels = n_channels;
9275 
9276 	if (n_ssids)
9277 		request->ssids = (void *)request + ssids_offset;
9278 	request->n_ssids = n_ssids;
9279 	if (ie_len)
9280 		request->ie = (void *)request + ie_offset;
9281 
9282 	i = 0;
9283 	if (scan_freqs) {
9284 		/* user specified, bail out if channel not found */
9285 		nla_for_each_nested(attr, scan_freqs, tmp) {
9286 			struct ieee80211_channel *chan;
9287 			int freq = nla_get_u32(attr);
9288 
9289 			if (!scan_freqs_khz)
9290 				freq = MHZ_TO_KHZ(freq);
9291 
9292 			chan = ieee80211_get_channel_khz(wiphy, freq);
9293 			if (!chan) {
9294 				err = -EINVAL;
9295 				goto out_free;
9296 			}
9297 
9298 			/* ignore disabled channels */
9299 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9300 				continue;
9301 
9302 			request->channels[i] = chan;
9303 			i++;
9304 		}
9305 	} else {
9306 		enum nl80211_band band;
9307 
9308 		/* all channels */
9309 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9310 			int j;
9311 
9312 			if (!wiphy->bands[band])
9313 				continue;
9314 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9315 				struct ieee80211_channel *chan;
9316 
9317 				chan = &wiphy->bands[band]->channels[j];
9318 
9319 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9320 					continue;
9321 
9322 				request->channels[i] = chan;
9323 				i++;
9324 			}
9325 		}
9326 	}
9327 
9328 	if (!i) {
9329 		err = -EINVAL;
9330 		goto out_free;
9331 	}
9332 
9333 	request->n_channels = i;
9334 
9335 	for (i = 0; i < request->n_channels; i++) {
9336 		struct ieee80211_channel *chan = request->channels[i];
9337 
9338 		/* if we can go off-channel to the target channel we're good */
9339 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9340 			continue;
9341 
9342 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9343 			err = -EBUSY;
9344 			goto out_free;
9345 		}
9346 	}
9347 
9348 	i = 0;
9349 	if (n_ssids) {
9350 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9351 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9352 				err = -EINVAL;
9353 				goto out_free;
9354 			}
9355 			request->ssids[i].ssid_len = nla_len(attr);
9356 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9357 			i++;
9358 		}
9359 	}
9360 
9361 	if (info->attrs[NL80211_ATTR_IE]) {
9362 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9363 		memcpy((void *)request->ie,
9364 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9365 		       request->ie_len);
9366 	}
9367 
9368 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9369 		if (wiphy->bands[i])
9370 			request->rates[i] =
9371 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9372 
9373 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9374 		nla_for_each_nested(attr,
9375 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9376 				    tmp) {
9377 			enum nl80211_band band = nla_type(attr);
9378 
9379 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9380 				err = -EINVAL;
9381 				goto out_free;
9382 			}
9383 
9384 			if (!wiphy->bands[band])
9385 				continue;
9386 
9387 			err = ieee80211_get_ratemask(wiphy->bands[band],
9388 						     nla_data(attr),
9389 						     nla_len(attr),
9390 						     &request->rates[band]);
9391 			if (err)
9392 				goto out_free;
9393 		}
9394 	}
9395 
9396 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9397 		request->duration =
9398 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9399 		request->duration_mandatory =
9400 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9401 	}
9402 
9403 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9404 				       false);
9405 	if (err)
9406 		goto out_free;
9407 
9408 	request->no_cck =
9409 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9410 
9411 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9412 	 * BSSID to scan for. This was problematic because that same attribute
9413 	 * was already used for another purpose (local random MAC address). The
9414 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9415 	 * compatibility with older userspace components, also use the
9416 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9417 	 * the specific BSSID use case instead of the random MAC address
9418 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9419 	 */
9420 	if (info->attrs[NL80211_ATTR_BSSID])
9421 		memcpy(request->bssid,
9422 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9423 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9424 		 info->attrs[NL80211_ATTR_MAC])
9425 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9426 		       ETH_ALEN);
9427 	else
9428 		eth_broadcast_addr(request->bssid);
9429 
9430 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9431 	request->wdev = wdev;
9432 	request->wiphy = &rdev->wiphy;
9433 	request->scan_start = jiffies;
9434 
9435 	rdev->scan_req = request;
9436 	err = cfg80211_scan(rdev);
9437 
9438 	if (err)
9439 		goto out_free;
9440 
9441 	nl80211_send_scan_start(rdev, wdev);
9442 	dev_hold(wdev->netdev);
9443 
9444 	return 0;
9445 
9446  out_free:
9447 	rdev->scan_req = NULL;
9448 	kfree(request);
9449 
9450 	return err;
9451 }
9452 
9453 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9454 {
9455 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9456 	struct wireless_dev *wdev = info->user_ptr[1];
9457 
9458 	if (!rdev->ops->abort_scan)
9459 		return -EOPNOTSUPP;
9460 
9461 	if (rdev->scan_msg)
9462 		return 0;
9463 
9464 	if (!rdev->scan_req)
9465 		return -ENOENT;
9466 
9467 	rdev_abort_scan(rdev, wdev);
9468 	return 0;
9469 }
9470 
9471 static int
9472 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9473 			       struct cfg80211_sched_scan_request *request,
9474 			       struct nlattr **attrs)
9475 {
9476 	int tmp, err, i = 0;
9477 	struct nlattr *attr;
9478 
9479 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9480 		u32 interval;
9481 
9482 		/*
9483 		 * If scan plans are not specified,
9484 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9485 		 * case one scan plan will be set with the specified scan
9486 		 * interval and infinite number of iterations.
9487 		 */
9488 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9489 		if (!interval)
9490 			return -EINVAL;
9491 
9492 		request->scan_plans[0].interval =
9493 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9494 		if (!request->scan_plans[0].interval)
9495 			return -EINVAL;
9496 
9497 		if (request->scan_plans[0].interval >
9498 		    wiphy->max_sched_scan_plan_interval)
9499 			request->scan_plans[0].interval =
9500 				wiphy->max_sched_scan_plan_interval;
9501 
9502 		return 0;
9503 	}
9504 
9505 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9506 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9507 
9508 		if (WARN_ON(i >= n_plans))
9509 			return -EINVAL;
9510 
9511 		err = nla_parse_nested_deprecated(plan,
9512 						  NL80211_SCHED_SCAN_PLAN_MAX,
9513 						  attr, nl80211_plan_policy,
9514 						  NULL);
9515 		if (err)
9516 			return err;
9517 
9518 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9519 			return -EINVAL;
9520 
9521 		request->scan_plans[i].interval =
9522 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9523 		if (!request->scan_plans[i].interval ||
9524 		    request->scan_plans[i].interval >
9525 		    wiphy->max_sched_scan_plan_interval)
9526 			return -EINVAL;
9527 
9528 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9529 			request->scan_plans[i].iterations =
9530 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9531 			if (!request->scan_plans[i].iterations ||
9532 			    (request->scan_plans[i].iterations >
9533 			     wiphy->max_sched_scan_plan_iterations))
9534 				return -EINVAL;
9535 		} else if (i < n_plans - 1) {
9536 			/*
9537 			 * All scan plans but the last one must specify
9538 			 * a finite number of iterations
9539 			 */
9540 			return -EINVAL;
9541 		}
9542 
9543 		i++;
9544 	}
9545 
9546 	/*
9547 	 * The last scan plan must not specify the number of
9548 	 * iterations, it is supposed to run infinitely
9549 	 */
9550 	if (request->scan_plans[n_plans - 1].iterations)
9551 		return  -EINVAL;
9552 
9553 	return 0;
9554 }
9555 
9556 static struct cfg80211_sched_scan_request *
9557 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9558 			 struct nlattr **attrs, int max_match_sets)
9559 {
9560 	struct cfg80211_sched_scan_request *request;
9561 	struct nlattr *attr;
9562 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9563 	enum nl80211_band band;
9564 	size_t ie_len, size;
9565 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9566 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9567 
9568 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9569 		n_channels = validate_scan_freqs(
9570 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9571 		if (!n_channels)
9572 			return ERR_PTR(-EINVAL);
9573 	} else {
9574 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9575 	}
9576 
9577 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9578 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9579 				    tmp)
9580 			n_ssids++;
9581 
9582 	if (n_ssids > wiphy->max_sched_scan_ssids)
9583 		return ERR_PTR(-EINVAL);
9584 
9585 	/*
9586 	 * First, count the number of 'real' matchsets. Due to an issue with
9587 	 * the old implementation, matchsets containing only the RSSI attribute
9588 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9589 	 * RSSI for all matchsets, rather than their own matchset for reporting
9590 	 * all APs with a strong RSSI. This is needed to be compatible with
9591 	 * older userspace that treated a matchset with only the RSSI as the
9592 	 * global RSSI for all other matchsets - if there are other matchsets.
9593 	 */
9594 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9595 		nla_for_each_nested(attr,
9596 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9597 				    tmp) {
9598 			struct nlattr *rssi;
9599 
9600 			err = nla_parse_nested_deprecated(tb,
9601 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9602 							  attr,
9603 							  nl80211_match_policy,
9604 							  NULL);
9605 			if (err)
9606 				return ERR_PTR(err);
9607 
9608 			/* SSID and BSSID are mutually exclusive */
9609 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9610 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9611 				return ERR_PTR(-EINVAL);
9612 
9613 			/* add other standalone attributes here */
9614 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9615 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9616 				n_match_sets++;
9617 				continue;
9618 			}
9619 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9620 			if (rssi)
9621 				default_match_rssi = nla_get_s32(rssi);
9622 		}
9623 	}
9624 
9625 	/* However, if there's no other matchset, add the RSSI one */
9626 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9627 		n_match_sets = 1;
9628 
9629 	if (n_match_sets > max_match_sets)
9630 		return ERR_PTR(-EINVAL);
9631 
9632 	if (attrs[NL80211_ATTR_IE])
9633 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9634 	else
9635 		ie_len = 0;
9636 
9637 	if (ie_len > wiphy->max_sched_scan_ie_len)
9638 		return ERR_PTR(-EINVAL);
9639 
9640 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9641 		/*
9642 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9643 		 * each scan plan already specifies its own interval
9644 		 */
9645 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9646 			return ERR_PTR(-EINVAL);
9647 
9648 		nla_for_each_nested(attr,
9649 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9650 			n_plans++;
9651 	} else {
9652 		/*
9653 		 * The scan interval attribute is kept for backward
9654 		 * compatibility. If no scan plans are specified and sched scan
9655 		 * interval is specified, one scan plan will be set with this
9656 		 * scan interval and infinite number of iterations.
9657 		 */
9658 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9659 			return ERR_PTR(-EINVAL);
9660 
9661 		n_plans = 1;
9662 	}
9663 
9664 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9665 		return ERR_PTR(-EINVAL);
9666 
9667 	if (!wiphy_ext_feature_isset(
9668 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9669 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9670 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9671 		return ERR_PTR(-EINVAL);
9672 
9673 	size = struct_size(request, channels, n_channels);
9674 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9675 	size = size_add(size, array_size(sizeof(*request->match_sets),
9676 					 n_match_sets));
9677 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9678 					 n_plans));
9679 	size = size_add(size, ie_len);
9680 	request = kzalloc(size, GFP_KERNEL);
9681 	if (!request)
9682 		return ERR_PTR(-ENOMEM);
9683 
9684 	if (n_ssids)
9685 		request->ssids = (void *)&request->channels[n_channels];
9686 	request->n_ssids = n_ssids;
9687 	if (ie_len) {
9688 		if (n_ssids)
9689 			request->ie = (void *)(request->ssids + n_ssids);
9690 		else
9691 			request->ie = (void *)(request->channels + n_channels);
9692 	}
9693 
9694 	if (n_match_sets) {
9695 		if (request->ie)
9696 			request->match_sets = (void *)(request->ie + ie_len);
9697 		else if (n_ssids)
9698 			request->match_sets =
9699 				(void *)(request->ssids + n_ssids);
9700 		else
9701 			request->match_sets =
9702 				(void *)(request->channels + n_channels);
9703 	}
9704 	request->n_match_sets = n_match_sets;
9705 
9706 	if (n_match_sets)
9707 		request->scan_plans = (void *)(request->match_sets +
9708 					       n_match_sets);
9709 	else if (request->ie)
9710 		request->scan_plans = (void *)(request->ie + ie_len);
9711 	else if (n_ssids)
9712 		request->scan_plans = (void *)(request->ssids + n_ssids);
9713 	else
9714 		request->scan_plans = (void *)(request->channels + n_channels);
9715 
9716 	request->n_scan_plans = n_plans;
9717 
9718 	i = 0;
9719 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9720 		/* user specified, bail out if channel not found */
9721 		nla_for_each_nested(attr,
9722 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9723 				    tmp) {
9724 			struct ieee80211_channel *chan;
9725 
9726 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9727 
9728 			if (!chan) {
9729 				err = -EINVAL;
9730 				goto out_free;
9731 			}
9732 
9733 			/* ignore disabled channels */
9734 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9735 				continue;
9736 
9737 			request->channels[i] = chan;
9738 			i++;
9739 		}
9740 	} else {
9741 		/* all channels */
9742 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9743 			int j;
9744 
9745 			if (!wiphy->bands[band])
9746 				continue;
9747 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9748 				struct ieee80211_channel *chan;
9749 
9750 				chan = &wiphy->bands[band]->channels[j];
9751 
9752 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9753 					continue;
9754 
9755 				request->channels[i] = chan;
9756 				i++;
9757 			}
9758 		}
9759 	}
9760 
9761 	if (!i) {
9762 		err = -EINVAL;
9763 		goto out_free;
9764 	}
9765 
9766 	request->n_channels = i;
9767 
9768 	i = 0;
9769 	if (n_ssids) {
9770 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9771 				    tmp) {
9772 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9773 				err = -EINVAL;
9774 				goto out_free;
9775 			}
9776 			request->ssids[i].ssid_len = nla_len(attr);
9777 			memcpy(request->ssids[i].ssid, nla_data(attr),
9778 			       nla_len(attr));
9779 			i++;
9780 		}
9781 	}
9782 
9783 	i = 0;
9784 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9785 		nla_for_each_nested(attr,
9786 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9787 				    tmp) {
9788 			struct nlattr *ssid, *bssid, *rssi;
9789 
9790 			err = nla_parse_nested_deprecated(tb,
9791 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9792 							  attr,
9793 							  nl80211_match_policy,
9794 							  NULL);
9795 			if (err)
9796 				goto out_free;
9797 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9798 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9799 
9800 			if (!ssid && !bssid) {
9801 				i++;
9802 				continue;
9803 			}
9804 
9805 			if (WARN_ON(i >= n_match_sets)) {
9806 				/* this indicates a programming error,
9807 				 * the loop above should have verified
9808 				 * things properly
9809 				 */
9810 				err = -EINVAL;
9811 				goto out_free;
9812 			}
9813 
9814 			if (ssid) {
9815 				memcpy(request->match_sets[i].ssid.ssid,
9816 				       nla_data(ssid), nla_len(ssid));
9817 				request->match_sets[i].ssid.ssid_len =
9818 					nla_len(ssid);
9819 			}
9820 			if (bssid)
9821 				memcpy(request->match_sets[i].bssid,
9822 				       nla_data(bssid), ETH_ALEN);
9823 
9824 			/* special attribute - old implementation w/a */
9825 			request->match_sets[i].rssi_thold = default_match_rssi;
9826 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9827 			if (rssi)
9828 				request->match_sets[i].rssi_thold =
9829 					nla_get_s32(rssi);
9830 			i++;
9831 		}
9832 
9833 		/* there was no other matchset, so the RSSI one is alone */
9834 		if (i == 0 && n_match_sets)
9835 			request->match_sets[0].rssi_thold = default_match_rssi;
9836 
9837 		request->min_rssi_thold = INT_MAX;
9838 		for (i = 0; i < n_match_sets; i++)
9839 			request->min_rssi_thold =
9840 				min(request->match_sets[i].rssi_thold,
9841 				    request->min_rssi_thold);
9842 	} else {
9843 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9844 	}
9845 
9846 	if (ie_len) {
9847 		request->ie_len = ie_len;
9848 		memcpy((void *)request->ie,
9849 		       nla_data(attrs[NL80211_ATTR_IE]),
9850 		       request->ie_len);
9851 	}
9852 
9853 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9854 	if (err)
9855 		goto out_free;
9856 
9857 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9858 		request->delay =
9859 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9860 
9861 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9862 		request->relative_rssi = nla_get_s8(
9863 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9864 		request->relative_rssi_set = true;
9865 	}
9866 
9867 	if (request->relative_rssi_set &&
9868 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9869 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9870 
9871 		rssi_adjust = nla_data(
9872 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9873 		request->rssi_adjust.band = rssi_adjust->band;
9874 		request->rssi_adjust.delta = rssi_adjust->delta;
9875 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9876 			err = -EINVAL;
9877 			goto out_free;
9878 		}
9879 	}
9880 
9881 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9882 	if (err)
9883 		goto out_free;
9884 
9885 	request->scan_start = jiffies;
9886 
9887 	return request;
9888 
9889 out_free:
9890 	kfree(request);
9891 	return ERR_PTR(err);
9892 }
9893 
9894 static int nl80211_start_sched_scan(struct sk_buff *skb,
9895 				    struct genl_info *info)
9896 {
9897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9898 	struct net_device *dev = info->user_ptr[1];
9899 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9900 	struct cfg80211_sched_scan_request *sched_scan_req;
9901 	bool want_multi;
9902 	int err;
9903 
9904 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9905 		return -EOPNOTSUPP;
9906 
9907 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9908 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9909 	if (err)
9910 		return err;
9911 
9912 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9913 						  info->attrs,
9914 						  rdev->wiphy.max_match_sets);
9915 
9916 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9917 	if (err)
9918 		goto out_err;
9919 
9920 	/* leave request id zero for legacy request
9921 	 * or if driver does not support multi-scheduled scan
9922 	 */
9923 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9924 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9925 
9926 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9927 	if (err)
9928 		goto out_free;
9929 
9930 	sched_scan_req->dev = dev;
9931 	sched_scan_req->wiphy = &rdev->wiphy;
9932 
9933 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9934 		sched_scan_req->owner_nlportid = info->snd_portid;
9935 
9936 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9937 
9938 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9939 	return 0;
9940 
9941 out_free:
9942 	kfree(sched_scan_req);
9943 out_err:
9944 	return err;
9945 }
9946 
9947 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9948 				   struct genl_info *info)
9949 {
9950 	struct cfg80211_sched_scan_request *req;
9951 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9952 	u64 cookie;
9953 
9954 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9955 		return -EOPNOTSUPP;
9956 
9957 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9958 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9959 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9960 	}
9961 
9962 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9963 				     struct cfg80211_sched_scan_request,
9964 				     list);
9965 	if (!req || req->reqid ||
9966 	    (req->owner_nlportid &&
9967 	     req->owner_nlportid != info->snd_portid))
9968 		return -ENOENT;
9969 
9970 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9971 }
9972 
9973 static int nl80211_start_radar_detection(struct sk_buff *skb,
9974 					 struct genl_info *info)
9975 {
9976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9977 	struct net_device *dev = info->user_ptr[1];
9978 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9979 	struct wiphy *wiphy = wdev->wiphy;
9980 	struct cfg80211_chan_def chandef;
9981 	enum nl80211_dfs_regions dfs_region;
9982 	unsigned int cac_time_ms;
9983 	int err = -EINVAL;
9984 
9985 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9986 
9987 	switch (wdev->iftype) {
9988 	case NL80211_IFTYPE_AP:
9989 	case NL80211_IFTYPE_P2P_GO:
9990 	case NL80211_IFTYPE_MESH_POINT:
9991 	case NL80211_IFTYPE_ADHOC:
9992 		break;
9993 	default:
9994 		/* caution - see cfg80211_beaconing_iface_active() below */
9995 		return -EINVAL;
9996 	}
9997 
9998 	wiphy_lock(wiphy);
9999 
10000 	dfs_region = reg_get_dfs_region(wiphy);
10001 	if (dfs_region == NL80211_DFS_UNSET)
10002 		goto unlock;
10003 
10004 	err = nl80211_parse_chandef(rdev, info, &chandef);
10005 	if (err)
10006 		goto unlock;
10007 
10008 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10009 	if (err < 0)
10010 		goto unlock;
10011 
10012 	if (err == 0) {
10013 		err = -EINVAL;
10014 		goto unlock;
10015 	}
10016 
10017 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
10018 		err = -EINVAL;
10019 		goto unlock;
10020 	}
10021 
10022 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
10023 		err = cfg80211_start_background_radar_detection(rdev, wdev,
10024 								&chandef);
10025 		goto unlock;
10026 	}
10027 
10028 	if (cfg80211_beaconing_iface_active(wdev) || wdev->cac_started) {
10029 		err = -EBUSY;
10030 		goto unlock;
10031 	}
10032 
10033 	/* CAC start is offloaded to HW and can't be started manually */
10034 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10035 		err = -EOPNOTSUPP;
10036 		goto unlock;
10037 	}
10038 
10039 	if (!rdev->ops->start_radar_detection) {
10040 		err = -EOPNOTSUPP;
10041 		goto unlock;
10042 	}
10043 
10044 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10045 	if (WARN_ON(!cac_time_ms))
10046 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10047 
10048 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
10049 	if (!err) {
10050 		wdev->links[0].ap.chandef = chandef;
10051 		wdev->cac_started = true;
10052 		wdev->cac_start_time = jiffies;
10053 		wdev->cac_time_ms = cac_time_ms;
10054 	}
10055 unlock:
10056 	wiphy_unlock(wiphy);
10057 
10058 	return err;
10059 }
10060 
10061 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10062 					  struct genl_info *info)
10063 {
10064 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10065 	struct net_device *dev = info->user_ptr[1];
10066 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10067 	struct wiphy *wiphy = wdev->wiphy;
10068 	struct cfg80211_chan_def chandef;
10069 	enum nl80211_dfs_regions dfs_region;
10070 	int err;
10071 
10072 	dfs_region = reg_get_dfs_region(wiphy);
10073 	if (dfs_region == NL80211_DFS_UNSET) {
10074 		GENL_SET_ERR_MSG(info,
10075 				 "DFS Region is not set. Unexpected Radar indication");
10076 		return -EINVAL;
10077 	}
10078 
10079 	err = nl80211_parse_chandef(rdev, info, &chandef);
10080 	if (err) {
10081 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10082 		return err;
10083 	}
10084 
10085 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10086 	if (err < 0) {
10087 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10088 		return err;
10089 	}
10090 
10091 	if (err == 0) {
10092 		GENL_SET_ERR_MSG(info,
10093 				 "Unexpected Radar indication for chandef/iftype");
10094 		return -EINVAL;
10095 	}
10096 
10097 	/* Do not process this notification if radar is already detected
10098 	 * by kernel on this channel, and return success.
10099 	 */
10100 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10101 		return 0;
10102 
10103 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10104 
10105 	cfg80211_sched_dfs_chan_update(rdev);
10106 
10107 	rdev->radar_chandef = chandef;
10108 
10109 	/* Propagate this notification to other radios as well */
10110 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10111 
10112 	return 0;
10113 }
10114 
10115 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10116 					 const u8 *data, size_t datalen,
10117 					 int first_count, struct nlattr *attr,
10118 					 const u16 **offsets, unsigned int *n_offsets)
10119 {
10120 	int i;
10121 
10122 	*n_offsets = 0;
10123 
10124 	if (!attr)
10125 		return 0;
10126 
10127 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10128 		return -EINVAL;
10129 
10130 	*n_offsets = nla_len(attr) / sizeof(u16);
10131 	if (rdev->wiphy.max_num_csa_counters &&
10132 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10133 		return -EINVAL;
10134 
10135 	*offsets = nla_data(attr);
10136 
10137 	/* sanity checks - counters should fit and be the same */
10138 	for (i = 0; i < *n_offsets; i++) {
10139 		u16 offset = (*offsets)[i];
10140 
10141 		if (offset >= datalen)
10142 			return -EINVAL;
10143 
10144 		if (first_count != -1 && data[offset] != first_count)
10145 			return -EINVAL;
10146 	}
10147 
10148 	return 0;
10149 }
10150 
10151 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10152 {
10153 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10154 	unsigned int link_id = nl80211_link_id(info->attrs);
10155 	struct net_device *dev = info->user_ptr[1];
10156 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10157 	struct cfg80211_csa_settings params;
10158 	struct nlattr **csa_attrs = NULL;
10159 	int err;
10160 	bool need_new_beacon = false;
10161 	bool need_handle_dfs_flag = true;
10162 	u32 cs_count;
10163 
10164 	if (!rdev->ops->channel_switch ||
10165 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10166 		return -EOPNOTSUPP;
10167 
10168 	switch (dev->ieee80211_ptr->iftype) {
10169 	case NL80211_IFTYPE_AP:
10170 	case NL80211_IFTYPE_P2P_GO:
10171 		need_new_beacon = true;
10172 		/* For all modes except AP the handle_dfs flag needs to be
10173 		 * supplied to tell the kernel that userspace will handle radar
10174 		 * events when they happen. Otherwise a switch to a channel
10175 		 * requiring DFS will be rejected.
10176 		 */
10177 		need_handle_dfs_flag = false;
10178 
10179 		/* useless if AP is not running */
10180 		if (!wdev->links[link_id].ap.beacon_interval)
10181 			return -ENOTCONN;
10182 		break;
10183 	case NL80211_IFTYPE_ADHOC:
10184 		if (!wdev->u.ibss.ssid_len)
10185 			return -ENOTCONN;
10186 		break;
10187 	case NL80211_IFTYPE_MESH_POINT:
10188 		if (!wdev->u.mesh.id_len)
10189 			return -ENOTCONN;
10190 		break;
10191 	default:
10192 		return -EOPNOTSUPP;
10193 	}
10194 
10195 	memset(&params, 0, sizeof(params));
10196 	params.beacon_csa.ftm_responder = -1;
10197 
10198 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10199 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10200 		return -EINVAL;
10201 
10202 	/* only important for AP, IBSS and mesh create IEs internally */
10203 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10204 		return -EINVAL;
10205 
10206 	/* Even though the attribute is u32, the specification says
10207 	 * u8, so let's make sure we don't overflow.
10208 	 */
10209 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10210 	if (cs_count > 255)
10211 		return -EINVAL;
10212 
10213 	params.count = cs_count;
10214 
10215 	if (!need_new_beacon)
10216 		goto skip_beacons;
10217 
10218 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10219 				   info->extack);
10220 	if (err)
10221 		goto free;
10222 
10223 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10224 			    GFP_KERNEL);
10225 	if (!csa_attrs) {
10226 		err = -ENOMEM;
10227 		goto free;
10228 	}
10229 
10230 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10231 					  info->attrs[NL80211_ATTR_CSA_IES],
10232 					  nl80211_policy, info->extack);
10233 	if (err)
10234 		goto free;
10235 
10236 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10237 				   info->extack);
10238 	if (err)
10239 		goto free;
10240 
10241 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10242 		err = -EINVAL;
10243 		goto free;
10244 	}
10245 
10246 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10247 					    params.beacon_csa.tail_len,
10248 					    params.count,
10249 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10250 					    &params.counter_offsets_beacon,
10251 					    &params.n_counter_offsets_beacon);
10252 	if (err)
10253 		goto free;
10254 
10255 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10256 					    params.beacon_csa.probe_resp_len,
10257 					    params.count,
10258 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10259 					    &params.counter_offsets_presp,
10260 					    &params.n_counter_offsets_presp);
10261 	if (err)
10262 		goto free;
10263 
10264 skip_beacons:
10265 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10266 	if (err)
10267 		goto free;
10268 
10269 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10270 					   wdev->iftype)) {
10271 		err = -EINVAL;
10272 		goto free;
10273 	}
10274 
10275 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10276 					    &params.chandef,
10277 					    wdev->iftype);
10278 	if (err < 0)
10279 		goto free;
10280 
10281 	if (err > 0) {
10282 		params.radar_required = true;
10283 		if (need_handle_dfs_flag &&
10284 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10285 			err = -EINVAL;
10286 			goto free;
10287 		}
10288 	}
10289 
10290 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10291 		params.block_tx = true;
10292 
10293 	params.link_id = link_id;
10294 	err = rdev_channel_switch(rdev, dev, &params);
10295 
10296 free:
10297 	kfree(params.beacon_after.mbssid_ies);
10298 	kfree(params.beacon_csa.mbssid_ies);
10299 	kfree(params.beacon_after.rnr_ies);
10300 	kfree(params.beacon_csa.rnr_ies);
10301 	kfree(csa_attrs);
10302 	return err;
10303 }
10304 
10305 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10306 			    u32 seq, int flags,
10307 			    struct cfg80211_registered_device *rdev,
10308 			    struct wireless_dev *wdev,
10309 			    struct cfg80211_internal_bss *intbss)
10310 {
10311 	struct cfg80211_bss *res = &intbss->pub;
10312 	const struct cfg80211_bss_ies *ies;
10313 	unsigned int link_id;
10314 	void *hdr;
10315 	struct nlattr *bss;
10316 
10317 	lockdep_assert_wiphy(wdev->wiphy);
10318 
10319 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10320 			     NL80211_CMD_NEW_SCAN_RESULTS);
10321 	if (!hdr)
10322 		return -1;
10323 
10324 	genl_dump_check_consistent(cb, hdr);
10325 
10326 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10327 		goto nla_put_failure;
10328 	if (wdev->netdev &&
10329 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10330 		goto nla_put_failure;
10331 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10332 			      NL80211_ATTR_PAD))
10333 		goto nla_put_failure;
10334 
10335 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10336 	if (!bss)
10337 		goto nla_put_failure;
10338 	if ((!is_zero_ether_addr(res->bssid) &&
10339 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10340 		goto nla_put_failure;
10341 
10342 	rcu_read_lock();
10343 	/* indicate whether we have probe response data or not */
10344 	if (rcu_access_pointer(res->proberesp_ies) &&
10345 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10346 		goto fail_unlock_rcu;
10347 
10348 	/* this pointer prefers to be pointed to probe response data
10349 	 * but is always valid
10350 	 */
10351 	ies = rcu_dereference(res->ies);
10352 	if (ies) {
10353 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10354 				      NL80211_BSS_PAD))
10355 			goto fail_unlock_rcu;
10356 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10357 					ies->len, ies->data))
10358 			goto fail_unlock_rcu;
10359 	}
10360 
10361 	/* and this pointer is always (unless driver didn't know) beacon data */
10362 	ies = rcu_dereference(res->beacon_ies);
10363 	if (ies && ies->from_beacon) {
10364 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10365 				      NL80211_BSS_PAD))
10366 			goto fail_unlock_rcu;
10367 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10368 					ies->len, ies->data))
10369 			goto fail_unlock_rcu;
10370 	}
10371 	rcu_read_unlock();
10372 
10373 	if (res->beacon_interval &&
10374 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10375 		goto nla_put_failure;
10376 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10377 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10378 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10379 			res->channel->freq_offset) ||
10380 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10381 			jiffies_to_msecs(jiffies - intbss->ts)))
10382 		goto nla_put_failure;
10383 
10384 	if (intbss->parent_tsf &&
10385 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10386 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10387 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10388 		     intbss->parent_bssid)))
10389 		goto nla_put_failure;
10390 
10391 	if (intbss->ts_boottime &&
10392 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10393 			      intbss->ts_boottime, NL80211_BSS_PAD))
10394 		goto nla_put_failure;
10395 
10396 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10397 				intbss->pub.chain_signal,
10398 				NL80211_BSS_CHAIN_SIGNAL))
10399 		goto nla_put_failure;
10400 
10401 	switch (rdev->wiphy.signal_type) {
10402 	case CFG80211_SIGNAL_TYPE_MBM:
10403 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10404 			goto nla_put_failure;
10405 		break;
10406 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10407 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10408 			goto nla_put_failure;
10409 		break;
10410 	default:
10411 		break;
10412 	}
10413 
10414 	switch (wdev->iftype) {
10415 	case NL80211_IFTYPE_P2P_CLIENT:
10416 	case NL80211_IFTYPE_STATION:
10417 		for_each_valid_link(wdev, link_id) {
10418 			if (intbss == wdev->links[link_id].client.current_bss &&
10419 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10420 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10421 			     (wdev->valid_links &&
10422 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10423 					  link_id) ||
10424 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10425 				       wdev->u.client.connected_addr)))))
10426 				goto nla_put_failure;
10427 		}
10428 		break;
10429 	case NL80211_IFTYPE_ADHOC:
10430 		if (intbss == wdev->u.ibss.current_bss &&
10431 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10432 				NL80211_BSS_STATUS_IBSS_JOINED))
10433 			goto nla_put_failure;
10434 		break;
10435 	default:
10436 		break;
10437 	}
10438 
10439 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10440 		goto nla_put_failure;
10441 
10442 	if (res->cannot_use_reasons &&
10443 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10444 			      res->cannot_use_reasons,
10445 			      NL80211_BSS_PAD))
10446 		goto nla_put_failure;
10447 
10448 	nla_nest_end(msg, bss);
10449 
10450 	genlmsg_end(msg, hdr);
10451 	return 0;
10452 
10453  fail_unlock_rcu:
10454 	rcu_read_unlock();
10455  nla_put_failure:
10456 	genlmsg_cancel(msg, hdr);
10457 	return -EMSGSIZE;
10458 }
10459 
10460 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10461 {
10462 	struct cfg80211_registered_device *rdev;
10463 	struct cfg80211_internal_bss *scan;
10464 	struct wireless_dev *wdev;
10465 	struct nlattr **attrbuf;
10466 	int start = cb->args[2], idx = 0;
10467 	bool dump_include_use_data;
10468 	int err;
10469 
10470 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10471 	if (!attrbuf)
10472 		return -ENOMEM;
10473 
10474 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10475 	if (err) {
10476 		kfree(attrbuf);
10477 		return err;
10478 	}
10479 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10480 	__acquire(&rdev->wiphy.mtx);
10481 
10482 	dump_include_use_data =
10483 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10484 	kfree(attrbuf);
10485 
10486 	spin_lock_bh(&rdev->bss_lock);
10487 
10488 	/*
10489 	 * dump_scan will be called multiple times to break up the scan results
10490 	 * into multiple messages.  It is unlikely that any more bss-es will be
10491 	 * expired after the first call, so only call only call this on the
10492 	 * first dump_scan invocation.
10493 	 */
10494 	if (start == 0)
10495 		cfg80211_bss_expire(rdev);
10496 
10497 	cb->seq = rdev->bss_generation;
10498 
10499 	list_for_each_entry(scan, &rdev->bss_list, list) {
10500 		if (++idx <= start)
10501 			continue;
10502 		if (!dump_include_use_data &&
10503 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10504 			continue;
10505 		if (nl80211_send_bss(skb, cb,
10506 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10507 				rdev, wdev, scan) < 0) {
10508 			idx--;
10509 			break;
10510 		}
10511 	}
10512 
10513 	spin_unlock_bh(&rdev->bss_lock);
10514 
10515 	cb->args[2] = idx;
10516 	wiphy_unlock(&rdev->wiphy);
10517 
10518 	return skb->len;
10519 }
10520 
10521 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10522 			       int flags, struct net_device *dev,
10523 			       bool allow_radio_stats,
10524 			       struct survey_info *survey)
10525 {
10526 	void *hdr;
10527 	struct nlattr *infoattr;
10528 
10529 	/* skip radio stats if userspace didn't request them */
10530 	if (!survey->channel && !allow_radio_stats)
10531 		return 0;
10532 
10533 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10534 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10535 	if (!hdr)
10536 		return -ENOMEM;
10537 
10538 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10539 		goto nla_put_failure;
10540 
10541 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10542 	if (!infoattr)
10543 		goto nla_put_failure;
10544 
10545 	if (survey->channel &&
10546 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10547 			survey->channel->center_freq))
10548 		goto nla_put_failure;
10549 
10550 	if (survey->channel && survey->channel->freq_offset &&
10551 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10552 			survey->channel->freq_offset))
10553 		goto nla_put_failure;
10554 
10555 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10556 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10557 		goto nla_put_failure;
10558 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10559 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10560 		goto nla_put_failure;
10561 	if ((survey->filled & SURVEY_INFO_TIME) &&
10562 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10563 			survey->time, NL80211_SURVEY_INFO_PAD))
10564 		goto nla_put_failure;
10565 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10566 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10567 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10568 		goto nla_put_failure;
10569 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10570 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10571 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10572 		goto nla_put_failure;
10573 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10574 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10575 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10576 		goto nla_put_failure;
10577 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10578 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10579 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10580 		goto nla_put_failure;
10581 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10582 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10583 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10584 		goto nla_put_failure;
10585 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10586 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10587 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10588 		goto nla_put_failure;
10589 
10590 	nla_nest_end(msg, infoattr);
10591 
10592 	genlmsg_end(msg, hdr);
10593 	return 0;
10594 
10595  nla_put_failure:
10596 	genlmsg_cancel(msg, hdr);
10597 	return -EMSGSIZE;
10598 }
10599 
10600 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10601 {
10602 	struct nlattr **attrbuf;
10603 	struct survey_info survey;
10604 	struct cfg80211_registered_device *rdev;
10605 	struct wireless_dev *wdev;
10606 	int survey_idx = cb->args[2];
10607 	int res;
10608 	bool radio_stats;
10609 
10610 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10611 	if (!attrbuf)
10612 		return -ENOMEM;
10613 
10614 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10615 	if (res) {
10616 		kfree(attrbuf);
10617 		return res;
10618 	}
10619 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10620 	__acquire(&rdev->wiphy.mtx);
10621 
10622 	/* prepare_wdev_dump parsed the attributes */
10623 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10624 
10625 	if (!wdev->netdev) {
10626 		res = -EINVAL;
10627 		goto out_err;
10628 	}
10629 
10630 	if (!rdev->ops->dump_survey) {
10631 		res = -EOPNOTSUPP;
10632 		goto out_err;
10633 	}
10634 
10635 	while (1) {
10636 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10637 		if (res == -ENOENT)
10638 			break;
10639 		if (res)
10640 			goto out_err;
10641 
10642 		/* don't send disabled channels, but do send non-channel data */
10643 		if (survey.channel &&
10644 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10645 			survey_idx++;
10646 			continue;
10647 		}
10648 
10649 		if (nl80211_send_survey(skb,
10650 				NETLINK_CB(cb->skb).portid,
10651 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10652 				wdev->netdev, radio_stats, &survey) < 0)
10653 			goto out;
10654 		survey_idx++;
10655 	}
10656 
10657  out:
10658 	cb->args[2] = survey_idx;
10659 	res = skb->len;
10660  out_err:
10661 	kfree(attrbuf);
10662 	wiphy_unlock(&rdev->wiphy);
10663 	return res;
10664 }
10665 
10666 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10667 {
10668 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10669 	struct net_device *dev = info->user_ptr[1];
10670 	struct ieee80211_channel *chan;
10671 	const u8 *bssid, *ssid;
10672 	int err, ssid_len;
10673 	enum nl80211_auth_type auth_type;
10674 	struct key_parse key;
10675 	bool local_state_change;
10676 	struct cfg80211_auth_request req = {};
10677 	u32 freq;
10678 
10679 	if (!info->attrs[NL80211_ATTR_MAC])
10680 		return -EINVAL;
10681 
10682 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10683 		return -EINVAL;
10684 
10685 	if (!info->attrs[NL80211_ATTR_SSID])
10686 		return -EINVAL;
10687 
10688 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10689 		return -EINVAL;
10690 
10691 	err = nl80211_parse_key(info, &key);
10692 	if (err)
10693 		return err;
10694 
10695 	if (key.idx >= 0) {
10696 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10697 			return -EINVAL;
10698 		if (!key.p.key || !key.p.key_len)
10699 			return -EINVAL;
10700 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10701 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10702 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10703 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10704 			return -EINVAL;
10705 		if (key.idx > 3)
10706 			return -EINVAL;
10707 	} else {
10708 		key.p.key_len = 0;
10709 		key.p.key = NULL;
10710 	}
10711 
10712 	if (key.idx >= 0) {
10713 		int i;
10714 		bool ok = false;
10715 
10716 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10717 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10718 				ok = true;
10719 				break;
10720 			}
10721 		}
10722 		if (!ok)
10723 			return -EINVAL;
10724 	}
10725 
10726 	if (!rdev->ops->auth)
10727 		return -EOPNOTSUPP;
10728 
10729 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10730 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10731 		return -EOPNOTSUPP;
10732 
10733 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10734 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10735 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10736 		freq +=
10737 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10738 
10739 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10740 	if (!chan)
10741 		return -EINVAL;
10742 
10743 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10744 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10745 
10746 	if (info->attrs[NL80211_ATTR_IE]) {
10747 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10748 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10749 	}
10750 
10751 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10752 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10753 		return -EINVAL;
10754 
10755 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10756 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10757 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10758 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10759 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10760 		return -EINVAL;
10761 
10762 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10763 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10764 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10765 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10766 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10767 			return -EINVAL;
10768 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10769 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10770 	}
10771 
10772 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10773 
10774 	/*
10775 	 * Since we no longer track auth state, ignore
10776 	 * requests to only change local state.
10777 	 */
10778 	if (local_state_change)
10779 		return 0;
10780 
10781 	req.auth_type = auth_type;
10782 	req.key = key.p.key;
10783 	req.key_len = key.p.key_len;
10784 	req.key_idx = key.idx;
10785 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10786 	if (req.link_id >= 0) {
10787 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10788 			return -EINVAL;
10789 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10790 			return -EINVAL;
10791 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10792 		if (!is_valid_ether_addr(req.ap_mld_addr))
10793 			return -EINVAL;
10794 	}
10795 
10796 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10797 				   IEEE80211_BSS_TYPE_ESS,
10798 				   IEEE80211_PRIVACY_ANY);
10799 	if (!req.bss)
10800 		return -ENOENT;
10801 
10802 	err = cfg80211_mlme_auth(rdev, dev, &req);
10803 
10804 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10805 
10806 	return err;
10807 }
10808 
10809 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10810 				     struct genl_info *info)
10811 {
10812 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10813 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10814 		return -EINVAL;
10815 	}
10816 
10817 	if (!rdev->ops->tx_control_port ||
10818 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10819 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10820 		return -EOPNOTSUPP;
10821 
10822 	return 0;
10823 }
10824 
10825 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10826 				   struct genl_info *info,
10827 				   struct cfg80211_crypto_settings *settings,
10828 				   int cipher_limit)
10829 {
10830 	memset(settings, 0, sizeof(*settings));
10831 
10832 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10833 
10834 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10835 		u16 proto;
10836 
10837 		proto = nla_get_u16(
10838 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10839 		settings->control_port_ethertype = cpu_to_be16(proto);
10840 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10841 		    proto != ETH_P_PAE)
10842 			return -EINVAL;
10843 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10844 			settings->control_port_no_encrypt = true;
10845 	} else
10846 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10847 
10848 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10849 		int r = validate_pae_over_nl80211(rdev, info);
10850 
10851 		if (r < 0)
10852 			return r;
10853 
10854 		settings->control_port_over_nl80211 = true;
10855 
10856 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10857 			settings->control_port_no_preauth = true;
10858 	}
10859 
10860 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10861 		void *data;
10862 		int len, i;
10863 
10864 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10865 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10866 		settings->n_ciphers_pairwise = len / sizeof(u32);
10867 
10868 		if (len % sizeof(u32))
10869 			return -EINVAL;
10870 
10871 		if (settings->n_ciphers_pairwise > cipher_limit)
10872 			return -EINVAL;
10873 
10874 		memcpy(settings->ciphers_pairwise, data, len);
10875 
10876 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10877 			if (!cfg80211_supported_cipher_suite(
10878 					&rdev->wiphy,
10879 					settings->ciphers_pairwise[i]))
10880 				return -EINVAL;
10881 	}
10882 
10883 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10884 		settings->cipher_group =
10885 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10886 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10887 						     settings->cipher_group))
10888 			return -EINVAL;
10889 	}
10890 
10891 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
10892 		settings->wpa_versions =
10893 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10894 
10895 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10896 		void *data;
10897 		int len;
10898 
10899 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10900 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10901 		settings->n_akm_suites = len / sizeof(u32);
10902 
10903 		if (len % sizeof(u32))
10904 			return -EINVAL;
10905 
10906 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10907 			return -EINVAL;
10908 
10909 		memcpy(settings->akm_suites, data, len);
10910 	}
10911 
10912 	if (info->attrs[NL80211_ATTR_PMK]) {
10913 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10914 			return -EINVAL;
10915 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10916 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10917 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10918 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10919 			return -EINVAL;
10920 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10921 	}
10922 
10923 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10924 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10925 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10926 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10927 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10928 			return -EINVAL;
10929 		settings->sae_pwd =
10930 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10931 		settings->sae_pwd_len =
10932 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10933 	}
10934 
10935 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10936 		settings->sae_pwe =
10937 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10938 	else
10939 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10940 
10941 	return 0;
10942 }
10943 
10944 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10945 					      const u8 *ssid, int ssid_len,
10946 					      struct nlattr **attrs,
10947 					      int assoc_link_id, int link_id)
10948 {
10949 	struct ieee80211_channel *chan;
10950 	struct cfg80211_bss *bss;
10951 	const u8 *bssid;
10952 	u32 freq, use_for = 0;
10953 
10954 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10955 		return ERR_PTR(-EINVAL);
10956 
10957 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10958 
10959 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10960 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10961 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10962 
10963 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10964 	if (!chan)
10965 		return ERR_PTR(-EINVAL);
10966 
10967 	if (assoc_link_id >= 0)
10968 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
10969 	if (assoc_link_id == link_id)
10970 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
10971 
10972 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10973 				 ssid, ssid_len,
10974 				 IEEE80211_BSS_TYPE_ESS,
10975 				 IEEE80211_PRIVACY_ANY,
10976 				 use_for);
10977 	if (!bss)
10978 		return ERR_PTR(-ENOENT);
10979 
10980 	return bss;
10981 }
10982 
10983 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10984 {
10985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10986 	struct net_device *dev = info->user_ptr[1];
10987 	struct cfg80211_assoc_request req = {};
10988 	struct nlattr **attrs = NULL;
10989 	const u8 *ap_addr, *ssid;
10990 	unsigned int link_id;
10991 	int err, ssid_len;
10992 
10993 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10994 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10995 		return -EPERM;
10996 
10997 	if (!info->attrs[NL80211_ATTR_SSID])
10998 		return -EINVAL;
10999 
11000 	if (!rdev->ops->assoc)
11001 		return -EOPNOTSUPP;
11002 
11003 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11004 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11005 		return -EOPNOTSUPP;
11006 
11007 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11008 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11009 
11010 	if (info->attrs[NL80211_ATTR_IE]) {
11011 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11012 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11013 
11014 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11015 					   req.ie, req.ie_len)) {
11016 			NL_SET_ERR_MSG_ATTR(info->extack,
11017 					    info->attrs[NL80211_ATTR_IE],
11018 					    "non-inheritance makes no sense");
11019 			return -EINVAL;
11020 		}
11021 	}
11022 
11023 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11024 		enum nl80211_mfp mfp =
11025 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11026 		if (mfp == NL80211_MFP_REQUIRED)
11027 			req.use_mfp = true;
11028 		else if (mfp != NL80211_MFP_NO)
11029 			return -EINVAL;
11030 	}
11031 
11032 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11033 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11034 
11035 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11036 		req.flags |= ASSOC_REQ_DISABLE_HT;
11037 
11038 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11039 		memcpy(&req.ht_capa_mask,
11040 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11041 		       sizeof(req.ht_capa_mask));
11042 
11043 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11044 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11045 			return -EINVAL;
11046 		memcpy(&req.ht_capa,
11047 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11048 		       sizeof(req.ht_capa));
11049 	}
11050 
11051 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11052 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11053 
11054 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11055 		req.flags |= ASSOC_REQ_DISABLE_HE;
11056 
11057 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11058 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11059 
11060 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11061 		memcpy(&req.vht_capa_mask,
11062 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11063 		       sizeof(req.vht_capa_mask));
11064 
11065 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11066 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11067 			return -EINVAL;
11068 		memcpy(&req.vht_capa,
11069 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11070 		       sizeof(req.vht_capa));
11071 	}
11072 
11073 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11074 		if (!((rdev->wiphy.features &
11075 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11076 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11077 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11078 					     NL80211_EXT_FEATURE_RRM))
11079 			return -EINVAL;
11080 		req.flags |= ASSOC_REQ_USE_RRM;
11081 	}
11082 
11083 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11084 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11085 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11086 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11087 			return -EINVAL;
11088 		req.fils_nonces =
11089 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11090 	}
11091 
11092 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11093 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11094 			return -EINVAL;
11095 		memcpy(&req.s1g_capa_mask,
11096 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11097 		       sizeof(req.s1g_capa_mask));
11098 	}
11099 
11100 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11101 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11102 			return -EINVAL;
11103 		memcpy(&req.s1g_capa,
11104 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11105 		       sizeof(req.s1g_capa));
11106 	}
11107 
11108 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11109 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11110 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11111 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11112 			return -EINVAL;
11113 		}
11114 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11115 	}
11116 
11117 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11118 
11119 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11120 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11121 		struct nlattr *link;
11122 		int rem = 0;
11123 
11124 		if (req.link_id < 0)
11125 			return -EINVAL;
11126 
11127 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11128 			return -EINVAL;
11129 
11130 		if (info->attrs[NL80211_ATTR_MAC] ||
11131 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11132 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11133 			return -EINVAL;
11134 
11135 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11136 		ap_addr = req.ap_mld_addr;
11137 
11138 		attrs = kzalloc(attrsize, GFP_KERNEL);
11139 		if (!attrs)
11140 			return -ENOMEM;
11141 
11142 		nla_for_each_nested(link,
11143 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11144 				    rem) {
11145 			memset(attrs, 0, attrsize);
11146 
11147 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11148 					 link, NULL, NULL);
11149 
11150 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11151 				err = -EINVAL;
11152 				NL_SET_BAD_ATTR(info->extack, link);
11153 				goto free;
11154 			}
11155 
11156 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11157 			/* cannot use the same link ID again */
11158 			if (req.links[link_id].bss) {
11159 				err = -EINVAL;
11160 				NL_SET_BAD_ATTR(info->extack, link);
11161 				goto free;
11162 			}
11163 			req.links[link_id].bss =
11164 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11165 						  req.link_id, link_id);
11166 			if (IS_ERR(req.links[link_id].bss)) {
11167 				err = PTR_ERR(req.links[link_id].bss);
11168 				req.links[link_id].bss = NULL;
11169 				NL_SET_ERR_MSG_ATTR(info->extack,
11170 						    link, "Error fetching BSS for link");
11171 				goto free;
11172 			}
11173 
11174 			if (attrs[NL80211_ATTR_IE]) {
11175 				req.links[link_id].elems =
11176 					nla_data(attrs[NL80211_ATTR_IE]);
11177 				req.links[link_id].elems_len =
11178 					nla_len(attrs[NL80211_ATTR_IE]);
11179 
11180 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11181 						       req.links[link_id].elems,
11182 						       req.links[link_id].elems_len)) {
11183 					NL_SET_ERR_MSG_ATTR(info->extack,
11184 							    attrs[NL80211_ATTR_IE],
11185 							    "cannot deal with fragmentation");
11186 					err = -EINVAL;
11187 					goto free;
11188 				}
11189 
11190 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11191 							   req.links[link_id].elems,
11192 							   req.links[link_id].elems_len)) {
11193 					NL_SET_ERR_MSG_ATTR(info->extack,
11194 							    attrs[NL80211_ATTR_IE],
11195 							    "cannot deal with non-inheritance");
11196 					err = -EINVAL;
11197 					goto free;
11198 				}
11199 			}
11200 
11201 			req.links[link_id].disabled =
11202 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11203 		}
11204 
11205 		if (!req.links[req.link_id].bss) {
11206 			err = -EINVAL;
11207 			goto free;
11208 		}
11209 
11210 		if (req.links[req.link_id].elems_len) {
11211 			GENL_SET_ERR_MSG(info,
11212 					 "cannot have per-link elems on assoc link");
11213 			err = -EINVAL;
11214 			goto free;
11215 		}
11216 
11217 		if (req.links[req.link_id].disabled) {
11218 			GENL_SET_ERR_MSG(info,
11219 					 "cannot have assoc link disabled");
11220 			err = -EINVAL;
11221 			goto free;
11222 		}
11223 
11224 		kfree(attrs);
11225 		attrs = NULL;
11226 	} else {
11227 		if (req.link_id >= 0)
11228 			return -EINVAL;
11229 
11230 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11231 					    -1, -1);
11232 		if (IS_ERR(req.bss))
11233 			return PTR_ERR(req.bss);
11234 		ap_addr = req.bss->bssid;
11235 	}
11236 
11237 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11238 	if (!err) {
11239 		struct nlattr *link;
11240 		int rem = 0;
11241 
11242 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11243 					  info->extack);
11244 
11245 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11246 			dev->ieee80211_ptr->conn_owner_nlportid =
11247 				info->snd_portid;
11248 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11249 			       ap_addr, ETH_ALEN);
11250 		}
11251 
11252 		/* Report error from first problematic link */
11253 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11254 			nla_for_each_nested(link,
11255 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11256 					    rem) {
11257 				struct nlattr *link_id_attr =
11258 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11259 
11260 				if (!link_id_attr)
11261 					continue;
11262 
11263 				link_id = nla_get_u8(link_id_attr);
11264 
11265 				if (link_id == req.link_id)
11266 					continue;
11267 
11268 				if (!req.links[link_id].error ||
11269 				    WARN_ON(req.links[link_id].error > 0))
11270 					continue;
11271 
11272 				WARN_ON(err >= 0);
11273 
11274 				NL_SET_BAD_ATTR(info->extack, link);
11275 				err = req.links[link_id].error;
11276 				break;
11277 			}
11278 		}
11279 	}
11280 
11281 free:
11282 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11283 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11284 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11285 	kfree(attrs);
11286 
11287 	return err;
11288 }
11289 
11290 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11291 {
11292 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11293 	struct net_device *dev = info->user_ptr[1];
11294 	const u8 *ie = NULL, *bssid;
11295 	int ie_len = 0;
11296 	u16 reason_code;
11297 	bool local_state_change;
11298 
11299 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11300 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11301 		return -EPERM;
11302 
11303 	if (!info->attrs[NL80211_ATTR_MAC])
11304 		return -EINVAL;
11305 
11306 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11307 		return -EINVAL;
11308 
11309 	if (!rdev->ops->deauth)
11310 		return -EOPNOTSUPP;
11311 
11312 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11313 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11314 		return -EOPNOTSUPP;
11315 
11316 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11317 
11318 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11319 	if (reason_code == 0) {
11320 		/* Reason Code 0 is reserved */
11321 		return -EINVAL;
11322 	}
11323 
11324 	if (info->attrs[NL80211_ATTR_IE]) {
11325 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11326 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11327 	}
11328 
11329 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11330 
11331 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11332 				    local_state_change);
11333 }
11334 
11335 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11336 {
11337 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11338 	struct net_device *dev = info->user_ptr[1];
11339 	const u8 *ie = NULL, *bssid;
11340 	int ie_len = 0;
11341 	u16 reason_code;
11342 	bool local_state_change;
11343 
11344 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11345 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11346 		return -EPERM;
11347 
11348 	if (!info->attrs[NL80211_ATTR_MAC])
11349 		return -EINVAL;
11350 
11351 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11352 		return -EINVAL;
11353 
11354 	if (!rdev->ops->disassoc)
11355 		return -EOPNOTSUPP;
11356 
11357 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11358 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11359 		return -EOPNOTSUPP;
11360 
11361 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11362 
11363 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11364 	if (reason_code == 0) {
11365 		/* Reason Code 0 is reserved */
11366 		return -EINVAL;
11367 	}
11368 
11369 	if (info->attrs[NL80211_ATTR_IE]) {
11370 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11371 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11372 	}
11373 
11374 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11375 
11376 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11377 				      local_state_change);
11378 }
11379 
11380 static bool
11381 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11382 			 int mcast_rate[NUM_NL80211_BANDS],
11383 			 int rateval)
11384 {
11385 	struct wiphy *wiphy = &rdev->wiphy;
11386 	bool found = false;
11387 	int band, i;
11388 
11389 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11390 		struct ieee80211_supported_band *sband;
11391 
11392 		sband = wiphy->bands[band];
11393 		if (!sband)
11394 			continue;
11395 
11396 		for (i = 0; i < sband->n_bitrates; i++) {
11397 			if (sband->bitrates[i].bitrate == rateval) {
11398 				mcast_rate[band] = i + 1;
11399 				found = true;
11400 				break;
11401 			}
11402 		}
11403 	}
11404 
11405 	return found;
11406 }
11407 
11408 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11409 {
11410 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11411 	struct net_device *dev = info->user_ptr[1];
11412 	struct cfg80211_ibss_params ibss;
11413 	struct wiphy *wiphy;
11414 	struct cfg80211_cached_keys *connkeys = NULL;
11415 	int err;
11416 
11417 	memset(&ibss, 0, sizeof(ibss));
11418 
11419 	if (!info->attrs[NL80211_ATTR_SSID] ||
11420 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11421 		return -EINVAL;
11422 
11423 	ibss.beacon_interval = 100;
11424 
11425 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11426 		ibss.beacon_interval =
11427 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11428 
11429 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11430 					   ibss.beacon_interval);
11431 	if (err)
11432 		return err;
11433 
11434 	if (!rdev->ops->join_ibss)
11435 		return -EOPNOTSUPP;
11436 
11437 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11438 		return -EOPNOTSUPP;
11439 
11440 	wiphy = &rdev->wiphy;
11441 
11442 	if (info->attrs[NL80211_ATTR_MAC]) {
11443 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11444 
11445 		if (!is_valid_ether_addr(ibss.bssid))
11446 			return -EINVAL;
11447 	}
11448 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11449 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11450 
11451 	if (info->attrs[NL80211_ATTR_IE]) {
11452 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11453 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11454 	}
11455 
11456 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11457 	if (err)
11458 		return err;
11459 
11460 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11461 				     NL80211_IFTYPE_ADHOC))
11462 		return -EINVAL;
11463 
11464 	switch (ibss.chandef.width) {
11465 	case NL80211_CHAN_WIDTH_5:
11466 	case NL80211_CHAN_WIDTH_10:
11467 	case NL80211_CHAN_WIDTH_20_NOHT:
11468 		break;
11469 	case NL80211_CHAN_WIDTH_20:
11470 	case NL80211_CHAN_WIDTH_40:
11471 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11472 			return -EINVAL;
11473 		break;
11474 	case NL80211_CHAN_WIDTH_80:
11475 	case NL80211_CHAN_WIDTH_80P80:
11476 	case NL80211_CHAN_WIDTH_160:
11477 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11478 			return -EINVAL;
11479 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11480 					     NL80211_EXT_FEATURE_VHT_IBSS))
11481 			return -EINVAL;
11482 		break;
11483 	case NL80211_CHAN_WIDTH_320:
11484 		return -EINVAL;
11485 	default:
11486 		return -EINVAL;
11487 	}
11488 
11489 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11490 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11491 
11492 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11493 		u8 *rates =
11494 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11495 		int n_rates =
11496 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11497 		struct ieee80211_supported_band *sband =
11498 			wiphy->bands[ibss.chandef.chan->band];
11499 
11500 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11501 					     &ibss.basic_rates);
11502 		if (err)
11503 			return err;
11504 	}
11505 
11506 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11507 		memcpy(&ibss.ht_capa_mask,
11508 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11509 		       sizeof(ibss.ht_capa_mask));
11510 
11511 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11512 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11513 			return -EINVAL;
11514 		memcpy(&ibss.ht_capa,
11515 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11516 		       sizeof(ibss.ht_capa));
11517 	}
11518 
11519 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11520 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11521 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11522 		return -EINVAL;
11523 
11524 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11525 		bool no_ht = false;
11526 
11527 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11528 		if (IS_ERR(connkeys))
11529 			return PTR_ERR(connkeys);
11530 
11531 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11532 		    no_ht) {
11533 			kfree_sensitive(connkeys);
11534 			return -EINVAL;
11535 		}
11536 	}
11537 
11538 	ibss.control_port =
11539 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11540 
11541 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11542 		int r = validate_pae_over_nl80211(rdev, info);
11543 
11544 		if (r < 0) {
11545 			kfree_sensitive(connkeys);
11546 			return r;
11547 		}
11548 
11549 		ibss.control_port_over_nl80211 = true;
11550 	}
11551 
11552 	ibss.userspace_handles_dfs =
11553 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11554 
11555 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11556 	if (err)
11557 		kfree_sensitive(connkeys);
11558 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11559 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11560 
11561 	return err;
11562 }
11563 
11564 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11565 {
11566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11567 	struct net_device *dev = info->user_ptr[1];
11568 
11569 	if (!rdev->ops->leave_ibss)
11570 		return -EOPNOTSUPP;
11571 
11572 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11573 		return -EOPNOTSUPP;
11574 
11575 	return cfg80211_leave_ibss(rdev, dev, false);
11576 }
11577 
11578 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11579 {
11580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11581 	struct net_device *dev = info->user_ptr[1];
11582 	int mcast_rate[NUM_NL80211_BANDS];
11583 	u32 nla_rate;
11584 
11585 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11586 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11587 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11588 		return -EOPNOTSUPP;
11589 
11590 	if (!rdev->ops->set_mcast_rate)
11591 		return -EOPNOTSUPP;
11592 
11593 	memset(mcast_rate, 0, sizeof(mcast_rate));
11594 
11595 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11596 		return -EINVAL;
11597 
11598 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11599 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11600 		return -EINVAL;
11601 
11602 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11603 }
11604 
11605 static struct sk_buff *
11606 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11607 			    struct wireless_dev *wdev, int approxlen,
11608 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11609 			    enum nl80211_attrs attr,
11610 			    const struct nl80211_vendor_cmd_info *info,
11611 			    gfp_t gfp)
11612 {
11613 	struct sk_buff *skb;
11614 	void *hdr;
11615 	struct nlattr *data;
11616 
11617 	skb = nlmsg_new(approxlen + 100, gfp);
11618 	if (!skb)
11619 		return NULL;
11620 
11621 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11622 	if (!hdr) {
11623 		kfree_skb(skb);
11624 		return NULL;
11625 	}
11626 
11627 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11628 		goto nla_put_failure;
11629 
11630 	if (info) {
11631 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11632 				info->vendor_id))
11633 			goto nla_put_failure;
11634 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11635 				info->subcmd))
11636 			goto nla_put_failure;
11637 	}
11638 
11639 	if (wdev) {
11640 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11641 				      wdev_id(wdev), NL80211_ATTR_PAD))
11642 			goto nla_put_failure;
11643 		if (wdev->netdev &&
11644 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11645 				wdev->netdev->ifindex))
11646 			goto nla_put_failure;
11647 	}
11648 
11649 	data = nla_nest_start_noflag(skb, attr);
11650 	if (!data)
11651 		goto nla_put_failure;
11652 
11653 	((void **)skb->cb)[0] = rdev;
11654 	((void **)skb->cb)[1] = hdr;
11655 	((void **)skb->cb)[2] = data;
11656 
11657 	return skb;
11658 
11659  nla_put_failure:
11660 	kfree_skb(skb);
11661 	return NULL;
11662 }
11663 
11664 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11665 					   struct wireless_dev *wdev,
11666 					   enum nl80211_commands cmd,
11667 					   enum nl80211_attrs attr,
11668 					   unsigned int portid,
11669 					   int vendor_event_idx,
11670 					   int approxlen, gfp_t gfp)
11671 {
11672 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11673 	const struct nl80211_vendor_cmd_info *info;
11674 
11675 	switch (cmd) {
11676 	case NL80211_CMD_TESTMODE:
11677 		if (WARN_ON(vendor_event_idx != -1))
11678 			return NULL;
11679 		info = NULL;
11680 		break;
11681 	case NL80211_CMD_VENDOR:
11682 		if (WARN_ON(vendor_event_idx < 0 ||
11683 			    vendor_event_idx >= wiphy->n_vendor_events))
11684 			return NULL;
11685 		info = &wiphy->vendor_events[vendor_event_idx];
11686 		break;
11687 	default:
11688 		WARN_ON(1);
11689 		return NULL;
11690 	}
11691 
11692 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11693 					   cmd, attr, info, gfp);
11694 }
11695 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11696 
11697 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11698 {
11699 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11700 	void *hdr = ((void **)skb->cb)[1];
11701 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11702 	struct nlattr *data = ((void **)skb->cb)[2];
11703 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11704 
11705 	/* clear CB data for netlink core to own from now on */
11706 	memset(skb->cb, 0, sizeof(skb->cb));
11707 
11708 	nla_nest_end(skb, data);
11709 	genlmsg_end(skb, hdr);
11710 
11711 	if (nlhdr->nlmsg_pid) {
11712 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11713 				nlhdr->nlmsg_pid);
11714 	} else {
11715 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11716 			mcgrp = NL80211_MCGRP_VENDOR;
11717 
11718 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11719 					skb, 0, mcgrp, gfp);
11720 	}
11721 }
11722 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11723 
11724 #ifdef CONFIG_NL80211_TESTMODE
11725 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11726 {
11727 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11728 	struct wireless_dev *wdev;
11729 	int err;
11730 
11731 	lockdep_assert_held(&rdev->wiphy.mtx);
11732 
11733 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11734 					  info->attrs);
11735 
11736 	if (!rdev->ops->testmode_cmd)
11737 		return -EOPNOTSUPP;
11738 
11739 	if (IS_ERR(wdev)) {
11740 		err = PTR_ERR(wdev);
11741 		if (err != -EINVAL)
11742 			return err;
11743 		wdev = NULL;
11744 	} else if (wdev->wiphy != &rdev->wiphy) {
11745 		return -EINVAL;
11746 	}
11747 
11748 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11749 		return -EINVAL;
11750 
11751 	rdev->cur_cmd_info = info;
11752 	err = rdev_testmode_cmd(rdev, wdev,
11753 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11754 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11755 	rdev->cur_cmd_info = NULL;
11756 
11757 	return err;
11758 }
11759 
11760 static int nl80211_testmode_dump(struct sk_buff *skb,
11761 				 struct netlink_callback *cb)
11762 {
11763 	struct cfg80211_registered_device *rdev;
11764 	struct nlattr **attrbuf = NULL;
11765 	int err;
11766 	long phy_idx;
11767 	void *data = NULL;
11768 	int data_len = 0;
11769 
11770 	rtnl_lock();
11771 
11772 	if (cb->args[0]) {
11773 		/*
11774 		 * 0 is a valid index, but not valid for args[0],
11775 		 * so we need to offset by 1.
11776 		 */
11777 		phy_idx = cb->args[0] - 1;
11778 
11779 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11780 		if (!rdev) {
11781 			err = -ENOENT;
11782 			goto out_err;
11783 		}
11784 	} else {
11785 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11786 				  GFP_KERNEL);
11787 		if (!attrbuf) {
11788 			err = -ENOMEM;
11789 			goto out_err;
11790 		}
11791 
11792 		err = nlmsg_parse_deprecated(cb->nlh,
11793 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11794 					     attrbuf, nl80211_fam.maxattr,
11795 					     nl80211_policy, NULL);
11796 		if (err)
11797 			goto out_err;
11798 
11799 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11800 		if (IS_ERR(rdev)) {
11801 			err = PTR_ERR(rdev);
11802 			goto out_err;
11803 		}
11804 		phy_idx = rdev->wiphy_idx;
11805 
11806 		if (attrbuf[NL80211_ATTR_TESTDATA])
11807 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11808 	}
11809 
11810 	if (cb->args[1]) {
11811 		data = nla_data((void *)cb->args[1]);
11812 		data_len = nla_len((void *)cb->args[1]);
11813 	}
11814 
11815 	if (!rdev->ops->testmode_dump) {
11816 		err = -EOPNOTSUPP;
11817 		goto out_err;
11818 	}
11819 
11820 	while (1) {
11821 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11822 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11823 					   NL80211_CMD_TESTMODE);
11824 		struct nlattr *tmdata;
11825 
11826 		if (!hdr)
11827 			break;
11828 
11829 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11830 			genlmsg_cancel(skb, hdr);
11831 			break;
11832 		}
11833 
11834 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11835 		if (!tmdata) {
11836 			genlmsg_cancel(skb, hdr);
11837 			break;
11838 		}
11839 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11840 		nla_nest_end(skb, tmdata);
11841 
11842 		if (err == -ENOBUFS || err == -ENOENT) {
11843 			genlmsg_cancel(skb, hdr);
11844 			break;
11845 		} else if (err) {
11846 			genlmsg_cancel(skb, hdr);
11847 			goto out_err;
11848 		}
11849 
11850 		genlmsg_end(skb, hdr);
11851 	}
11852 
11853 	err = skb->len;
11854 	/* see above */
11855 	cb->args[0] = phy_idx + 1;
11856  out_err:
11857 	kfree(attrbuf);
11858 	rtnl_unlock();
11859 	return err;
11860 }
11861 #endif
11862 
11863 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11864 {
11865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11866 	struct net_device *dev = info->user_ptr[1];
11867 	struct cfg80211_connect_params connect;
11868 	struct wiphy *wiphy;
11869 	struct cfg80211_cached_keys *connkeys = NULL;
11870 	u32 freq = 0;
11871 	int err;
11872 
11873 	memset(&connect, 0, sizeof(connect));
11874 
11875 	if (!info->attrs[NL80211_ATTR_SSID] ||
11876 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11877 		return -EINVAL;
11878 
11879 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11880 		connect.auth_type =
11881 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11882 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11883 					     NL80211_CMD_CONNECT))
11884 			return -EINVAL;
11885 	} else
11886 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11887 
11888 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11889 
11890 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11891 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11892 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11893 		return -EINVAL;
11894 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11895 
11896 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11897 				      NL80211_MAX_NR_CIPHER_SUITES);
11898 	if (err)
11899 		return err;
11900 
11901 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11902 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11903 		return -EOPNOTSUPP;
11904 
11905 	wiphy = &rdev->wiphy;
11906 
11907 	connect.bg_scan_period = -1;
11908 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11909 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11910 		connect.bg_scan_period =
11911 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11912 	}
11913 
11914 	if (info->attrs[NL80211_ATTR_MAC])
11915 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11916 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11917 		connect.bssid_hint =
11918 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11919 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11920 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11921 
11922 	if (info->attrs[NL80211_ATTR_IE]) {
11923 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11924 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11925 	}
11926 
11927 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11928 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11929 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11930 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11931 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11932 			return -EOPNOTSUPP;
11933 	} else {
11934 		connect.mfp = NL80211_MFP_NO;
11935 	}
11936 
11937 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11938 		connect.prev_bssid =
11939 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11940 
11941 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11942 		freq = MHZ_TO_KHZ(nla_get_u32(
11943 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11944 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11945 		freq +=
11946 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11947 
11948 	if (freq) {
11949 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11950 		if (!connect.channel)
11951 			return -EINVAL;
11952 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11953 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11954 		freq = MHZ_TO_KHZ(freq);
11955 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11956 		if (!connect.channel_hint)
11957 			return -EINVAL;
11958 	}
11959 
11960 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11961 		connect.edmg.channels =
11962 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11963 
11964 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11965 			connect.edmg.bw_config =
11966 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11967 	}
11968 
11969 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11970 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11971 		if (IS_ERR(connkeys))
11972 			return PTR_ERR(connkeys);
11973 	}
11974 
11975 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11976 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11977 
11978 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11979 		memcpy(&connect.ht_capa_mask,
11980 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11981 		       sizeof(connect.ht_capa_mask));
11982 
11983 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11984 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11985 			kfree_sensitive(connkeys);
11986 			return -EINVAL;
11987 		}
11988 		memcpy(&connect.ht_capa,
11989 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11990 		       sizeof(connect.ht_capa));
11991 	}
11992 
11993 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11994 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11995 
11996 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11997 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11998 
11999 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12000 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12001 
12002 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12003 		memcpy(&connect.vht_capa_mask,
12004 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12005 		       sizeof(connect.vht_capa_mask));
12006 
12007 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12008 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12009 			kfree_sensitive(connkeys);
12010 			return -EINVAL;
12011 		}
12012 		memcpy(&connect.vht_capa,
12013 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12014 		       sizeof(connect.vht_capa));
12015 	}
12016 
12017 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12018 		if (!((rdev->wiphy.features &
12019 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12020 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12021 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12022 					     NL80211_EXT_FEATURE_RRM)) {
12023 			kfree_sensitive(connkeys);
12024 			return -EINVAL;
12025 		}
12026 		connect.flags |= ASSOC_REQ_USE_RRM;
12027 	}
12028 
12029 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12030 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12031 		kfree_sensitive(connkeys);
12032 		return -EOPNOTSUPP;
12033 	}
12034 
12035 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12036 		/* bss selection makes no sense if bssid is set */
12037 		if (connect.bssid) {
12038 			kfree_sensitive(connkeys);
12039 			return -EINVAL;
12040 		}
12041 
12042 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12043 				       wiphy, &connect.bss_select);
12044 		if (err) {
12045 			kfree_sensitive(connkeys);
12046 			return err;
12047 		}
12048 	}
12049 
12050 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12051 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12052 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12053 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12054 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12055 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12056 		connect.fils_erp_username =
12057 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12058 		connect.fils_erp_username_len =
12059 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12060 		connect.fils_erp_realm =
12061 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12062 		connect.fils_erp_realm_len =
12063 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12064 		connect.fils_erp_next_seq_num =
12065 			nla_get_u16(
12066 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12067 		connect.fils_erp_rrk =
12068 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12069 		connect.fils_erp_rrk_len =
12070 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12071 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12072 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12073 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12074 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12075 		kfree_sensitive(connkeys);
12076 		return -EINVAL;
12077 	}
12078 
12079 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12080 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12081 			kfree_sensitive(connkeys);
12082 			GENL_SET_ERR_MSG(info,
12083 					 "external auth requires connection ownership");
12084 			return -EINVAL;
12085 		}
12086 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12087 	}
12088 
12089 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12090 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12091 
12092 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12093 			       connect.prev_bssid);
12094 	if (err)
12095 		kfree_sensitive(connkeys);
12096 
12097 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12098 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12099 		if (connect.bssid)
12100 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12101 			       connect.bssid, ETH_ALEN);
12102 		else
12103 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12104 	}
12105 
12106 	return err;
12107 }
12108 
12109 static int nl80211_update_connect_params(struct sk_buff *skb,
12110 					 struct genl_info *info)
12111 {
12112 	struct cfg80211_connect_params connect = {};
12113 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12114 	struct net_device *dev = info->user_ptr[1];
12115 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12116 	bool fils_sk_offload;
12117 	u32 auth_type;
12118 	u32 changed = 0;
12119 
12120 	if (!rdev->ops->update_connect_params)
12121 		return -EOPNOTSUPP;
12122 
12123 	if (info->attrs[NL80211_ATTR_IE]) {
12124 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12125 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12126 		changed |= UPDATE_ASSOC_IES;
12127 	}
12128 
12129 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12130 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12131 
12132 	/*
12133 	 * when driver supports fils-sk offload all attributes must be
12134 	 * provided. So the else covers "fils-sk-not-all" and
12135 	 * "no-fils-sk-any".
12136 	 */
12137 	if (fils_sk_offload &&
12138 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12139 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12140 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12141 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12142 		connect.fils_erp_username =
12143 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12144 		connect.fils_erp_username_len =
12145 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12146 		connect.fils_erp_realm =
12147 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12148 		connect.fils_erp_realm_len =
12149 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12150 		connect.fils_erp_next_seq_num =
12151 			nla_get_u16(
12152 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12153 		connect.fils_erp_rrk =
12154 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12155 		connect.fils_erp_rrk_len =
12156 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12157 		changed |= UPDATE_FILS_ERP_INFO;
12158 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12159 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12160 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12161 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12162 		return -EINVAL;
12163 	}
12164 
12165 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12166 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12167 		if (!nl80211_valid_auth_type(rdev, auth_type,
12168 					     NL80211_CMD_CONNECT))
12169 			return -EINVAL;
12170 
12171 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12172 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12173 			return -EINVAL;
12174 
12175 		connect.auth_type = auth_type;
12176 		changed |= UPDATE_AUTH_TYPE;
12177 	}
12178 
12179 	if (!wdev->connected)
12180 		return -ENOLINK;
12181 
12182 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12183 }
12184 
12185 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12186 {
12187 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12188 	struct net_device *dev = info->user_ptr[1];
12189 	u16 reason;
12190 
12191 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12192 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12193 		return -EPERM;
12194 
12195 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12196 		reason = WLAN_REASON_DEAUTH_LEAVING;
12197 	else
12198 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12199 
12200 	if (reason == 0)
12201 		return -EINVAL;
12202 
12203 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12204 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12205 		return -EOPNOTSUPP;
12206 
12207 	return cfg80211_disconnect(rdev, dev, reason, true);
12208 }
12209 
12210 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12211 {
12212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12213 	struct net *net;
12214 	int err;
12215 
12216 	if (info->attrs[NL80211_ATTR_PID]) {
12217 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12218 
12219 		net = get_net_ns_by_pid(pid);
12220 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12221 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12222 
12223 		net = get_net_ns_by_fd(fd);
12224 	} else {
12225 		return -EINVAL;
12226 	}
12227 
12228 	if (IS_ERR(net))
12229 		return PTR_ERR(net);
12230 
12231 	err = 0;
12232 
12233 	/* check if anything to do */
12234 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12235 		err = cfg80211_switch_netns(rdev, net);
12236 
12237 	put_net(net);
12238 	return err;
12239 }
12240 
12241 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12242 {
12243 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12244 	struct net_device *dev = info->user_ptr[1];
12245 	struct cfg80211_pmksa pmksa;
12246 	bool ap_pmksa_caching_support = false;
12247 
12248 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12249 
12250 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12251 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12252 
12253 	if (!info->attrs[NL80211_ATTR_PMKID])
12254 		return -EINVAL;
12255 
12256 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12257 
12258 	if (info->attrs[NL80211_ATTR_MAC]) {
12259 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12260 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12261 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12262 	           info->attrs[NL80211_ATTR_PMK]) {
12263 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12264 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12265 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12266 	} else {
12267 		return -EINVAL;
12268 	}
12269 
12270 	if (info->attrs[NL80211_ATTR_PMK]) {
12271 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12272 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12273 	}
12274 
12275 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12276 		pmksa.pmk_lifetime =
12277 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12278 
12279 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12280 		pmksa.pmk_reauth_threshold =
12281 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12282 
12283 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12284 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12285 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12286 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12287 	       ap_pmksa_caching_support))
12288 		return -EOPNOTSUPP;
12289 
12290 	if (!rdev->ops->set_pmksa)
12291 		return -EOPNOTSUPP;
12292 
12293 	return rdev_set_pmksa(rdev, dev, &pmksa);
12294 }
12295 
12296 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12297 {
12298 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12299 	struct net_device *dev = info->user_ptr[1];
12300 	struct cfg80211_pmksa pmksa;
12301 	bool sae_offload_support = false;
12302 	bool owe_offload_support = false;
12303 	bool ap_pmksa_caching_support = false;
12304 
12305 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12306 
12307 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12308 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12309 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12310 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12311 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12312 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12313 
12314 	if (info->attrs[NL80211_ATTR_PMKID])
12315 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12316 
12317 	if (info->attrs[NL80211_ATTR_MAC]) {
12318 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12319 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12320 		/* SSID based pmksa flush suppported only for FILS,
12321 		 * OWE/SAE OFFLOAD cases
12322 		 */
12323 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12324 		    info->attrs[NL80211_ATTR_PMK]) {
12325 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12326 		} else if (!sae_offload_support && !owe_offload_support) {
12327 			return -EINVAL;
12328 		}
12329 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12330 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12331 	} else {
12332 		return -EINVAL;
12333 	}
12334 
12335 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12336 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12337 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12338 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12339 	       ap_pmksa_caching_support))
12340 		return -EOPNOTSUPP;
12341 
12342 	if (!rdev->ops->del_pmksa)
12343 		return -EOPNOTSUPP;
12344 
12345 	return rdev_del_pmksa(rdev, dev, &pmksa);
12346 }
12347 
12348 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12349 {
12350 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12351 	struct net_device *dev = info->user_ptr[1];
12352 
12353 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12354 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12355 		return -EOPNOTSUPP;
12356 
12357 	if (!rdev->ops->flush_pmksa)
12358 		return -EOPNOTSUPP;
12359 
12360 	return rdev_flush_pmksa(rdev, dev);
12361 }
12362 
12363 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12364 {
12365 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12366 	struct net_device *dev = info->user_ptr[1];
12367 	u8 action_code, dialog_token;
12368 	u32 peer_capability = 0;
12369 	u16 status_code;
12370 	u8 *peer;
12371 	int link_id;
12372 	bool initiator;
12373 
12374 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12375 	    !rdev->ops->tdls_mgmt)
12376 		return -EOPNOTSUPP;
12377 
12378 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12379 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12380 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12381 	    !info->attrs[NL80211_ATTR_IE] ||
12382 	    !info->attrs[NL80211_ATTR_MAC])
12383 		return -EINVAL;
12384 
12385 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12386 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12387 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12388 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12389 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12390 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12391 		peer_capability =
12392 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12393 	link_id = nl80211_link_id_or_invalid(info->attrs);
12394 
12395 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12396 			      dialog_token, status_code, peer_capability,
12397 			      initiator,
12398 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12399 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12400 }
12401 
12402 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12403 {
12404 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12405 	struct net_device *dev = info->user_ptr[1];
12406 	enum nl80211_tdls_operation operation;
12407 	u8 *peer;
12408 
12409 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12410 	    !rdev->ops->tdls_oper)
12411 		return -EOPNOTSUPP;
12412 
12413 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12414 	    !info->attrs[NL80211_ATTR_MAC])
12415 		return -EINVAL;
12416 
12417 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12418 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12419 
12420 	return rdev_tdls_oper(rdev, dev, peer, operation);
12421 }
12422 
12423 static int nl80211_remain_on_channel(struct sk_buff *skb,
12424 				     struct genl_info *info)
12425 {
12426 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12427 	unsigned int link_id = nl80211_link_id(info->attrs);
12428 	struct wireless_dev *wdev = info->user_ptr[1];
12429 	struct cfg80211_chan_def chandef;
12430 	struct sk_buff *msg;
12431 	void *hdr;
12432 	u64 cookie;
12433 	u32 duration;
12434 	int err;
12435 
12436 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12437 	    !info->attrs[NL80211_ATTR_DURATION])
12438 		return -EINVAL;
12439 
12440 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12441 
12442 	if (!rdev->ops->remain_on_channel ||
12443 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12444 		return -EOPNOTSUPP;
12445 
12446 	/*
12447 	 * We should be on that channel for at least a minimum amount of
12448 	 * time (10ms) but no longer than the driver supports.
12449 	 */
12450 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12451 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12452 		return -EINVAL;
12453 
12454 	err = nl80211_parse_chandef(rdev, info, &chandef);
12455 	if (err)
12456 		return err;
12457 
12458 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12459 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12460 
12461 		oper_chandef = wdev_chandef(wdev, link_id);
12462 
12463 		if (WARN_ON(!oper_chandef)) {
12464 			/* cannot happen since we must beacon to get here */
12465 			WARN_ON(1);
12466 			return -EBUSY;
12467 		}
12468 
12469 		/* note: returns first one if identical chandefs */
12470 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12471 							     oper_chandef);
12472 
12473 		if (compat_chandef != &chandef)
12474 			return -EBUSY;
12475 	}
12476 
12477 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12478 	if (!msg)
12479 		return -ENOMEM;
12480 
12481 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12482 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12483 	if (!hdr) {
12484 		err = -ENOBUFS;
12485 		goto free_msg;
12486 	}
12487 
12488 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12489 				     duration, &cookie);
12490 
12491 	if (err)
12492 		goto free_msg;
12493 
12494 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12495 			      NL80211_ATTR_PAD))
12496 		goto nla_put_failure;
12497 
12498 	genlmsg_end(msg, hdr);
12499 
12500 	return genlmsg_reply(msg, info);
12501 
12502  nla_put_failure:
12503 	err = -ENOBUFS;
12504  free_msg:
12505 	nlmsg_free(msg);
12506 	return err;
12507 }
12508 
12509 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12510 					    struct genl_info *info)
12511 {
12512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12513 	struct wireless_dev *wdev = info->user_ptr[1];
12514 	u64 cookie;
12515 
12516 	if (!info->attrs[NL80211_ATTR_COOKIE])
12517 		return -EINVAL;
12518 
12519 	if (!rdev->ops->cancel_remain_on_channel)
12520 		return -EOPNOTSUPP;
12521 
12522 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12523 
12524 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12525 }
12526 
12527 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12528 				       struct genl_info *info)
12529 {
12530 	struct cfg80211_bitrate_mask mask;
12531 	unsigned int link_id = nl80211_link_id(info->attrs);
12532 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12533 	struct net_device *dev = info->user_ptr[1];
12534 	int err;
12535 
12536 	if (!rdev->ops->set_bitrate_mask)
12537 		return -EOPNOTSUPP;
12538 
12539 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12540 					    NL80211_ATTR_TX_RATES, &mask,
12541 					    dev, true, link_id);
12542 	if (err)
12543 		return err;
12544 
12545 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12546 }
12547 
12548 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12549 {
12550 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12551 	struct wireless_dev *wdev = info->user_ptr[1];
12552 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12553 
12554 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12555 		return -EINVAL;
12556 
12557 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12558 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12559 
12560 	switch (wdev->iftype) {
12561 	case NL80211_IFTYPE_STATION:
12562 	case NL80211_IFTYPE_ADHOC:
12563 	case NL80211_IFTYPE_P2P_CLIENT:
12564 	case NL80211_IFTYPE_AP:
12565 	case NL80211_IFTYPE_AP_VLAN:
12566 	case NL80211_IFTYPE_MESH_POINT:
12567 	case NL80211_IFTYPE_P2P_GO:
12568 	case NL80211_IFTYPE_P2P_DEVICE:
12569 		break;
12570 	case NL80211_IFTYPE_NAN:
12571 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12572 					     NL80211_EXT_FEATURE_SECURE_NAN))
12573 			return -EOPNOTSUPP;
12574 		break;
12575 	default:
12576 		return -EOPNOTSUPP;
12577 	}
12578 
12579 	/* not much point in registering if we can't reply */
12580 	if (!rdev->ops->mgmt_tx)
12581 		return -EOPNOTSUPP;
12582 
12583 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12584 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12585 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12586 		GENL_SET_ERR_MSG(info,
12587 				 "multicast RX registrations are not supported");
12588 		return -EOPNOTSUPP;
12589 	}
12590 
12591 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12592 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12593 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12594 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12595 					   info->extack);
12596 }
12597 
12598 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12599 {
12600 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12601 	struct wireless_dev *wdev = info->user_ptr[1];
12602 	struct cfg80211_chan_def chandef;
12603 	int err;
12604 	void *hdr = NULL;
12605 	u64 cookie;
12606 	struct sk_buff *msg = NULL;
12607 	struct cfg80211_mgmt_tx_params params = {
12608 		.dont_wait_for_ack =
12609 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12610 	};
12611 
12612 	if (!info->attrs[NL80211_ATTR_FRAME])
12613 		return -EINVAL;
12614 
12615 	if (!rdev->ops->mgmt_tx)
12616 		return -EOPNOTSUPP;
12617 
12618 	switch (wdev->iftype) {
12619 	case NL80211_IFTYPE_P2P_DEVICE:
12620 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12621 			return -EINVAL;
12622 		break;
12623 	case NL80211_IFTYPE_STATION:
12624 	case NL80211_IFTYPE_ADHOC:
12625 	case NL80211_IFTYPE_P2P_CLIENT:
12626 	case NL80211_IFTYPE_AP:
12627 	case NL80211_IFTYPE_AP_VLAN:
12628 	case NL80211_IFTYPE_MESH_POINT:
12629 	case NL80211_IFTYPE_P2P_GO:
12630 		break;
12631 	case NL80211_IFTYPE_NAN:
12632 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12633 					     NL80211_EXT_FEATURE_SECURE_NAN))
12634 			return -EOPNOTSUPP;
12635 		break;
12636 	default:
12637 		return -EOPNOTSUPP;
12638 	}
12639 
12640 	if (info->attrs[NL80211_ATTR_DURATION]) {
12641 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12642 			return -EINVAL;
12643 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12644 
12645 		/*
12646 		 * We should wait on the channel for at least a minimum amount
12647 		 * of time (10ms) but no longer than the driver supports.
12648 		 */
12649 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12650 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12651 			return -EINVAL;
12652 	}
12653 
12654 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12655 
12656 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12657 		return -EINVAL;
12658 
12659 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12660 
12661 	/* get the channel if any has been specified, otherwise pass NULL to
12662 	 * the driver. The latter will use the current one
12663 	 */
12664 	chandef.chan = NULL;
12665 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12666 		err = nl80211_parse_chandef(rdev, info, &chandef);
12667 		if (err)
12668 			return err;
12669 	}
12670 
12671 	if (!chandef.chan && params.offchan)
12672 		return -EINVAL;
12673 
12674 	if (params.offchan &&
12675 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12676 		return -EBUSY;
12677 
12678 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12679 	/*
12680 	 * This now races due to the unlock, but we cannot check
12681 	 * the valid links for the _station_ anyway, so that's up
12682 	 * to the driver.
12683 	 */
12684 	if (params.link_id >= 0 &&
12685 	    !(wdev->valid_links & BIT(params.link_id)))
12686 		return -EINVAL;
12687 
12688 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12689 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12690 
12691 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12692 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12693 					    &params.csa_offsets,
12694 					    &params.n_csa_offsets);
12695 	if (err)
12696 		return err;
12697 
12698 	if (!params.dont_wait_for_ack) {
12699 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12700 		if (!msg)
12701 			return -ENOMEM;
12702 
12703 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12704 				     NL80211_CMD_FRAME);
12705 		if (!hdr) {
12706 			err = -ENOBUFS;
12707 			goto free_msg;
12708 		}
12709 	}
12710 
12711 	params.chan = chandef.chan;
12712 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12713 	if (err)
12714 		goto free_msg;
12715 
12716 	if (msg) {
12717 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12718 				      NL80211_ATTR_PAD))
12719 			goto nla_put_failure;
12720 
12721 		genlmsg_end(msg, hdr);
12722 		return genlmsg_reply(msg, info);
12723 	}
12724 
12725 	return 0;
12726 
12727  nla_put_failure:
12728 	err = -ENOBUFS;
12729  free_msg:
12730 	nlmsg_free(msg);
12731 	return err;
12732 }
12733 
12734 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12735 {
12736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12737 	struct wireless_dev *wdev = info->user_ptr[1];
12738 	u64 cookie;
12739 
12740 	if (!info->attrs[NL80211_ATTR_COOKIE])
12741 		return -EINVAL;
12742 
12743 	if (!rdev->ops->mgmt_tx_cancel_wait)
12744 		return -EOPNOTSUPP;
12745 
12746 	switch (wdev->iftype) {
12747 	case NL80211_IFTYPE_STATION:
12748 	case NL80211_IFTYPE_ADHOC:
12749 	case NL80211_IFTYPE_P2P_CLIENT:
12750 	case NL80211_IFTYPE_AP:
12751 	case NL80211_IFTYPE_AP_VLAN:
12752 	case NL80211_IFTYPE_P2P_GO:
12753 	case NL80211_IFTYPE_P2P_DEVICE:
12754 		break;
12755 	case NL80211_IFTYPE_NAN:
12756 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12757 					     NL80211_EXT_FEATURE_SECURE_NAN))
12758 			return -EOPNOTSUPP;
12759 		break;
12760 	default:
12761 		return -EOPNOTSUPP;
12762 	}
12763 
12764 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12765 
12766 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12767 }
12768 
12769 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12770 {
12771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12772 	struct wireless_dev *wdev;
12773 	struct net_device *dev = info->user_ptr[1];
12774 	u8 ps_state;
12775 	bool state;
12776 	int err;
12777 
12778 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12779 		return -EINVAL;
12780 
12781 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12782 
12783 	wdev = dev->ieee80211_ptr;
12784 
12785 	if (!rdev->ops->set_power_mgmt)
12786 		return -EOPNOTSUPP;
12787 
12788 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12789 
12790 	if (state == wdev->ps)
12791 		return 0;
12792 
12793 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12794 	if (!err)
12795 		wdev->ps = state;
12796 	return err;
12797 }
12798 
12799 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12800 {
12801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12802 	enum nl80211_ps_state ps_state;
12803 	struct wireless_dev *wdev;
12804 	struct net_device *dev = info->user_ptr[1];
12805 	struct sk_buff *msg;
12806 	void *hdr;
12807 	int err;
12808 
12809 	wdev = dev->ieee80211_ptr;
12810 
12811 	if (!rdev->ops->set_power_mgmt)
12812 		return -EOPNOTSUPP;
12813 
12814 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12815 	if (!msg)
12816 		return -ENOMEM;
12817 
12818 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12819 			     NL80211_CMD_GET_POWER_SAVE);
12820 	if (!hdr) {
12821 		err = -ENOBUFS;
12822 		goto free_msg;
12823 	}
12824 
12825 	if (wdev->ps)
12826 		ps_state = NL80211_PS_ENABLED;
12827 	else
12828 		ps_state = NL80211_PS_DISABLED;
12829 
12830 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12831 		goto nla_put_failure;
12832 
12833 	genlmsg_end(msg, hdr);
12834 	return genlmsg_reply(msg, info);
12835 
12836  nla_put_failure:
12837 	err = -ENOBUFS;
12838  free_msg:
12839 	nlmsg_free(msg);
12840 	return err;
12841 }
12842 
12843 static const struct nla_policy
12844 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12845 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12846 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12847 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12848 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12849 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12850 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12851 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12852 };
12853 
12854 static int nl80211_set_cqm_txe(struct genl_info *info,
12855 			       u32 rate, u32 pkts, u32 intvl)
12856 {
12857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12858 	struct net_device *dev = info->user_ptr[1];
12859 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12860 
12861 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12862 		return -EINVAL;
12863 
12864 	if (!rdev->ops->set_cqm_txe_config)
12865 		return -EOPNOTSUPP;
12866 
12867 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12868 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12869 		return -EOPNOTSUPP;
12870 
12871 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12872 }
12873 
12874 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12875 				    struct net_device *dev,
12876 				    struct cfg80211_cqm_config *cqm_config)
12877 {
12878 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12879 	s32 last, low, high;
12880 	u32 hyst;
12881 	int i, n, low_index;
12882 	int err;
12883 
12884 	/*
12885 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12886 	 * event has been received yet, we should receive an event after a
12887 	 * connection is established and enough beacons received to calculate
12888 	 * the average.
12889 	 */
12890 	if (!cqm_config->last_rssi_event_value &&
12891 	    wdev->links[0].client.current_bss &&
12892 	    rdev->ops->get_station) {
12893 		struct station_info sinfo = {};
12894 		u8 *mac_addr;
12895 
12896 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12897 
12898 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12899 		if (err)
12900 			return err;
12901 
12902 		cfg80211_sinfo_release_content(&sinfo);
12903 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12904 			cqm_config->last_rssi_event_value =
12905 				(s8) sinfo.rx_beacon_signal_avg;
12906 	}
12907 
12908 	last = cqm_config->last_rssi_event_value;
12909 	hyst = cqm_config->rssi_hyst;
12910 	n = cqm_config->n_rssi_thresholds;
12911 
12912 	for (i = 0; i < n; i++) {
12913 		i = array_index_nospec(i, n);
12914 		if (last < cqm_config->rssi_thresholds[i])
12915 			break;
12916 	}
12917 
12918 	low_index = i - 1;
12919 	if (low_index >= 0) {
12920 		low_index = array_index_nospec(low_index, n);
12921 		low = cqm_config->rssi_thresholds[low_index] - hyst;
12922 	} else {
12923 		low = S32_MIN;
12924 	}
12925 	if (i < n) {
12926 		i = array_index_nospec(i, n);
12927 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
12928 	} else {
12929 		high = S32_MAX;
12930 	}
12931 
12932 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12933 }
12934 
12935 static int nl80211_set_cqm_rssi(struct genl_info *info,
12936 				const s32 *thresholds, int n_thresholds,
12937 				u32 hysteresis)
12938 {
12939 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12940 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
12941 	struct net_device *dev = info->user_ptr[1];
12942 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12943 	s32 prev = S32_MIN;
12944 	int i, err;
12945 
12946 	/* Check all values negative and sorted */
12947 	for (i = 0; i < n_thresholds; i++) {
12948 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12949 			return -EINVAL;
12950 
12951 		prev = thresholds[i];
12952 	}
12953 
12954 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12955 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12956 		return -EOPNOTSUPP;
12957 
12958 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12959 		n_thresholds = 0;
12960 
12961 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
12962 
12963 	/* if already disabled just succeed */
12964 	if (!n_thresholds && !old)
12965 		return 0;
12966 
12967 	if (n_thresholds > 1) {
12968 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12969 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
12970 		    !rdev->ops->set_cqm_rssi_range_config)
12971 			return -EOPNOTSUPP;
12972 	} else {
12973 		if (!rdev->ops->set_cqm_rssi_config)
12974 			return -EOPNOTSUPP;
12975 	}
12976 
12977 	if (n_thresholds) {
12978 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12979 						 n_thresholds),
12980 				     GFP_KERNEL);
12981 		if (!cqm_config)
12982 			return -ENOMEM;
12983 
12984 		cqm_config->rssi_hyst = hysteresis;
12985 		cqm_config->n_rssi_thresholds = n_thresholds;
12986 		memcpy(cqm_config->rssi_thresholds, thresholds,
12987 		       flex_array_size(cqm_config, rssi_thresholds,
12988 				       n_thresholds));
12989 		cqm_config->use_range_api = n_thresholds > 1 ||
12990 					    !rdev->ops->set_cqm_rssi_config;
12991 
12992 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
12993 
12994 		if (cqm_config->use_range_api)
12995 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
12996 		else
12997 			err = rdev_set_cqm_rssi_config(rdev, dev,
12998 						       thresholds[0],
12999 						       hysteresis);
13000 	} else {
13001 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13002 		/* if enabled as range also disable via range */
13003 		if (old->use_range_api)
13004 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13005 		else
13006 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13007 	}
13008 
13009 	if (err) {
13010 		rcu_assign_pointer(wdev->cqm_config, old);
13011 		kfree_rcu(cqm_config, rcu_head);
13012 	} else {
13013 		kfree_rcu(old, rcu_head);
13014 	}
13015 
13016 	return err;
13017 }
13018 
13019 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13020 {
13021 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13022 	struct nlattr *cqm;
13023 	int err;
13024 
13025 	cqm = info->attrs[NL80211_ATTR_CQM];
13026 	if (!cqm)
13027 		return -EINVAL;
13028 
13029 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13030 					  nl80211_attr_cqm_policy,
13031 					  info->extack);
13032 	if (err)
13033 		return err;
13034 
13035 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13036 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13037 		const s32 *thresholds =
13038 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13039 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13040 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13041 
13042 		if (len % 4)
13043 			return -EINVAL;
13044 
13045 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13046 					    hysteresis);
13047 	}
13048 
13049 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13050 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13051 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13052 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13053 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13054 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13055 
13056 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13057 	}
13058 
13059 	return -EINVAL;
13060 }
13061 
13062 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13063 {
13064 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13065 	struct net_device *dev = info->user_ptr[1];
13066 	struct ocb_setup setup = {};
13067 	int err;
13068 
13069 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13070 	if (err)
13071 		return err;
13072 
13073 	return cfg80211_join_ocb(rdev, dev, &setup);
13074 }
13075 
13076 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13077 {
13078 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13079 	struct net_device *dev = info->user_ptr[1];
13080 
13081 	return cfg80211_leave_ocb(rdev, dev);
13082 }
13083 
13084 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13085 {
13086 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13087 	struct net_device *dev = info->user_ptr[1];
13088 	struct mesh_config cfg;
13089 	struct mesh_setup setup;
13090 	int err;
13091 
13092 	/* start with default */
13093 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13094 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13095 
13096 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13097 		/* and parse parameters if given */
13098 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13099 		if (err)
13100 			return err;
13101 	}
13102 
13103 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13104 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13105 		return -EINVAL;
13106 
13107 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13108 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13109 
13110 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13111 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13112 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13113 			return -EINVAL;
13114 
13115 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13116 		setup.beacon_interval =
13117 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13118 
13119 		err = cfg80211_validate_beacon_int(rdev,
13120 						   NL80211_IFTYPE_MESH_POINT,
13121 						   setup.beacon_interval);
13122 		if (err)
13123 			return err;
13124 	}
13125 
13126 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13127 		setup.dtim_period =
13128 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13129 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13130 			return -EINVAL;
13131 	}
13132 
13133 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13134 		/* parse additional setup parameters if given */
13135 		err = nl80211_parse_mesh_setup(info, &setup);
13136 		if (err)
13137 			return err;
13138 	}
13139 
13140 	if (setup.user_mpm)
13141 		cfg.auto_open_plinks = false;
13142 
13143 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13144 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13145 		if (err)
13146 			return err;
13147 	} else {
13148 		/* __cfg80211_join_mesh() will sort it out */
13149 		setup.chandef.chan = NULL;
13150 	}
13151 
13152 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13153 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13154 		int n_rates =
13155 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13156 		struct ieee80211_supported_band *sband;
13157 
13158 		if (!setup.chandef.chan)
13159 			return -EINVAL;
13160 
13161 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13162 
13163 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13164 					     &setup.basic_rates);
13165 		if (err)
13166 			return err;
13167 	}
13168 
13169 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13170 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13171 						    NL80211_ATTR_TX_RATES,
13172 						    &setup.beacon_rate,
13173 						    dev, false, 0);
13174 		if (err)
13175 			return err;
13176 
13177 		if (!setup.chandef.chan)
13178 			return -EINVAL;
13179 
13180 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13181 					      &setup.beacon_rate);
13182 		if (err)
13183 			return err;
13184 	}
13185 
13186 	setup.userspace_handles_dfs =
13187 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13188 
13189 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13190 		int r = validate_pae_over_nl80211(rdev, info);
13191 
13192 		if (r < 0)
13193 			return r;
13194 
13195 		setup.control_port_over_nl80211 = true;
13196 	}
13197 
13198 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13199 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13200 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13201 
13202 	return err;
13203 }
13204 
13205 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13206 {
13207 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13208 	struct net_device *dev = info->user_ptr[1];
13209 
13210 	return cfg80211_leave_mesh(rdev, dev);
13211 }
13212 
13213 #ifdef CONFIG_PM
13214 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13215 					struct cfg80211_registered_device *rdev)
13216 {
13217 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13218 	struct nlattr *nl_pats, *nl_pat;
13219 	int i, pat_len;
13220 
13221 	if (!wowlan->n_patterns)
13222 		return 0;
13223 
13224 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13225 	if (!nl_pats)
13226 		return -ENOBUFS;
13227 
13228 	for (i = 0; i < wowlan->n_patterns; i++) {
13229 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13230 		if (!nl_pat)
13231 			return -ENOBUFS;
13232 		pat_len = wowlan->patterns[i].pattern_len;
13233 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13234 			    wowlan->patterns[i].mask) ||
13235 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13236 			    wowlan->patterns[i].pattern) ||
13237 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13238 				wowlan->patterns[i].pkt_offset))
13239 			return -ENOBUFS;
13240 		nla_nest_end(msg, nl_pat);
13241 	}
13242 	nla_nest_end(msg, nl_pats);
13243 
13244 	return 0;
13245 }
13246 
13247 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13248 				   struct cfg80211_wowlan_tcp *tcp)
13249 {
13250 	struct nlattr *nl_tcp;
13251 
13252 	if (!tcp)
13253 		return 0;
13254 
13255 	nl_tcp = nla_nest_start_noflag(msg,
13256 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13257 	if (!nl_tcp)
13258 		return -ENOBUFS;
13259 
13260 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13261 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13262 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13263 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13264 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13265 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13266 		    tcp->payload_len, tcp->payload) ||
13267 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13268 			tcp->data_interval) ||
13269 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13270 		    tcp->wake_len, tcp->wake_data) ||
13271 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13272 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13273 		return -ENOBUFS;
13274 
13275 	if (tcp->payload_seq.len &&
13276 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13277 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13278 		return -ENOBUFS;
13279 
13280 	if (tcp->payload_tok.len &&
13281 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13282 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13283 		    &tcp->payload_tok))
13284 		return -ENOBUFS;
13285 
13286 	nla_nest_end(msg, nl_tcp);
13287 
13288 	return 0;
13289 }
13290 
13291 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13292 				  struct cfg80211_sched_scan_request *req)
13293 {
13294 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13295 	int i;
13296 
13297 	if (!req)
13298 		return 0;
13299 
13300 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13301 	if (!nd)
13302 		return -ENOBUFS;
13303 
13304 	if (req->n_scan_plans == 1 &&
13305 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13306 			req->scan_plans[0].interval * 1000))
13307 		return -ENOBUFS;
13308 
13309 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13310 		return -ENOBUFS;
13311 
13312 	if (req->relative_rssi_set) {
13313 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13314 
13315 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13316 			       req->relative_rssi))
13317 			return -ENOBUFS;
13318 
13319 		rssi_adjust.band = req->rssi_adjust.band;
13320 		rssi_adjust.delta = req->rssi_adjust.delta;
13321 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13322 			    sizeof(rssi_adjust), &rssi_adjust))
13323 			return -ENOBUFS;
13324 	}
13325 
13326 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13327 	if (!freqs)
13328 		return -ENOBUFS;
13329 
13330 	for (i = 0; i < req->n_channels; i++) {
13331 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13332 			return -ENOBUFS;
13333 	}
13334 
13335 	nla_nest_end(msg, freqs);
13336 
13337 	if (req->n_match_sets) {
13338 		matches = nla_nest_start_noflag(msg,
13339 						NL80211_ATTR_SCHED_SCAN_MATCH);
13340 		if (!matches)
13341 			return -ENOBUFS;
13342 
13343 		for (i = 0; i < req->n_match_sets; i++) {
13344 			match = nla_nest_start_noflag(msg, i);
13345 			if (!match)
13346 				return -ENOBUFS;
13347 
13348 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13349 				    req->match_sets[i].ssid.ssid_len,
13350 				    req->match_sets[i].ssid.ssid))
13351 				return -ENOBUFS;
13352 			nla_nest_end(msg, match);
13353 		}
13354 		nla_nest_end(msg, matches);
13355 	}
13356 
13357 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13358 	if (!scan_plans)
13359 		return -ENOBUFS;
13360 
13361 	for (i = 0; i < req->n_scan_plans; i++) {
13362 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13363 		if (!scan_plan)
13364 			return -ENOBUFS;
13365 
13366 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13367 				req->scan_plans[i].interval) ||
13368 		    (req->scan_plans[i].iterations &&
13369 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13370 				 req->scan_plans[i].iterations)))
13371 			return -ENOBUFS;
13372 		nla_nest_end(msg, scan_plan);
13373 	}
13374 	nla_nest_end(msg, scan_plans);
13375 
13376 	nla_nest_end(msg, nd);
13377 
13378 	return 0;
13379 }
13380 
13381 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13382 {
13383 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13384 	struct sk_buff *msg;
13385 	void *hdr;
13386 	u32 size = NLMSG_DEFAULT_SIZE;
13387 
13388 	if (!rdev->wiphy.wowlan)
13389 		return -EOPNOTSUPP;
13390 
13391 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13392 		/* adjust size to have room for all the data */
13393 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13394 			rdev->wiphy.wowlan_config->tcp->payload_len +
13395 			rdev->wiphy.wowlan_config->tcp->wake_len +
13396 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13397 	}
13398 
13399 	msg = nlmsg_new(size, GFP_KERNEL);
13400 	if (!msg)
13401 		return -ENOMEM;
13402 
13403 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13404 			     NL80211_CMD_GET_WOWLAN);
13405 	if (!hdr)
13406 		goto nla_put_failure;
13407 
13408 	if (rdev->wiphy.wowlan_config) {
13409 		struct nlattr *nl_wowlan;
13410 
13411 		nl_wowlan = nla_nest_start_noflag(msg,
13412 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13413 		if (!nl_wowlan)
13414 			goto nla_put_failure;
13415 
13416 		if ((rdev->wiphy.wowlan_config->any &&
13417 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13418 		    (rdev->wiphy.wowlan_config->disconnect &&
13419 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13420 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13421 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13422 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13423 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13424 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13425 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13426 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13427 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13428 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13429 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13430 			goto nla_put_failure;
13431 
13432 		if (nl80211_send_wowlan_patterns(msg, rdev))
13433 			goto nla_put_failure;
13434 
13435 		if (nl80211_send_wowlan_tcp(msg,
13436 					    rdev->wiphy.wowlan_config->tcp))
13437 			goto nla_put_failure;
13438 
13439 		if (nl80211_send_wowlan_nd(
13440 			    msg,
13441 			    rdev->wiphy.wowlan_config->nd_config))
13442 			goto nla_put_failure;
13443 
13444 		nla_nest_end(msg, nl_wowlan);
13445 	}
13446 
13447 	genlmsg_end(msg, hdr);
13448 	return genlmsg_reply(msg, info);
13449 
13450 nla_put_failure:
13451 	nlmsg_free(msg);
13452 	return -ENOBUFS;
13453 }
13454 
13455 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13456 				    struct nlattr *attr,
13457 				    struct cfg80211_wowlan *trig)
13458 {
13459 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13460 	struct cfg80211_wowlan_tcp *cfg;
13461 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13462 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13463 	u32 size;
13464 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13465 	int err, port;
13466 
13467 	if (!rdev->wiphy.wowlan->tcp)
13468 		return -EINVAL;
13469 
13470 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13471 					  nl80211_wowlan_tcp_policy, NULL);
13472 	if (err)
13473 		return err;
13474 
13475 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13476 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13477 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13478 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13479 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13480 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13481 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13482 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13483 		return -EINVAL;
13484 
13485 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13486 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13487 		return -EINVAL;
13488 
13489 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13490 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13491 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13492 		return -EINVAL;
13493 
13494 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13495 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13496 		return -EINVAL;
13497 
13498 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13499 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13500 		return -EINVAL;
13501 
13502 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13503 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13504 
13505 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13506 		tokens_size = tokln - sizeof(*tok);
13507 
13508 		if (!tok->len || tokens_size % tok->len)
13509 			return -EINVAL;
13510 		if (!rdev->wiphy.wowlan->tcp->tok)
13511 			return -EINVAL;
13512 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13513 			return -EINVAL;
13514 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13515 			return -EINVAL;
13516 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13517 			return -EINVAL;
13518 		if (tok->offset + tok->len > data_size)
13519 			return -EINVAL;
13520 	}
13521 
13522 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13523 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13524 		if (!rdev->wiphy.wowlan->tcp->seq)
13525 			return -EINVAL;
13526 		if (seq->len == 0 || seq->len > 4)
13527 			return -EINVAL;
13528 		if (seq->len + seq->offset > data_size)
13529 			return -EINVAL;
13530 	}
13531 
13532 	size = sizeof(*cfg);
13533 	size += data_size;
13534 	size += wake_size + wake_mask_size;
13535 	size += tokens_size;
13536 
13537 	cfg = kzalloc(size, GFP_KERNEL);
13538 	if (!cfg)
13539 		return -ENOMEM;
13540 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13541 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13542 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13543 	       ETH_ALEN);
13544 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13545 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13546 	else
13547 		port = 0;
13548 #ifdef CONFIG_INET
13549 	/* allocate a socket and port for it and use it */
13550 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13551 			    IPPROTO_TCP, &cfg->sock, 1);
13552 	if (err) {
13553 		kfree(cfg);
13554 		return err;
13555 	}
13556 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13557 		sock_release(cfg->sock);
13558 		kfree(cfg);
13559 		return -EADDRINUSE;
13560 	}
13561 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13562 #else
13563 	if (!port) {
13564 		kfree(cfg);
13565 		return -EINVAL;
13566 	}
13567 	cfg->src_port = port;
13568 #endif
13569 
13570 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13571 	cfg->payload_len = data_size;
13572 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13573 	memcpy((void *)cfg->payload,
13574 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13575 	       data_size);
13576 	if (seq)
13577 		cfg->payload_seq = *seq;
13578 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13579 	cfg->wake_len = wake_size;
13580 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13581 	memcpy((void *)cfg->wake_data,
13582 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13583 	       wake_size);
13584 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13585 			 data_size + wake_size;
13586 	memcpy((void *)cfg->wake_mask,
13587 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13588 	       wake_mask_size);
13589 	if (tok) {
13590 		cfg->tokens_size = tokens_size;
13591 		cfg->payload_tok = *tok;
13592 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13593 		       tokens_size);
13594 	}
13595 
13596 	trig->tcp = cfg;
13597 
13598 	return 0;
13599 }
13600 
13601 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13602 				   const struct wiphy_wowlan_support *wowlan,
13603 				   struct nlattr *attr,
13604 				   struct cfg80211_wowlan *trig)
13605 {
13606 	struct nlattr **tb;
13607 	int err;
13608 
13609 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13610 	if (!tb)
13611 		return -ENOMEM;
13612 
13613 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13614 		err = -EOPNOTSUPP;
13615 		goto out;
13616 	}
13617 
13618 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13619 					  nl80211_policy, NULL);
13620 	if (err)
13621 		goto out;
13622 
13623 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13624 						   wowlan->max_nd_match_sets);
13625 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13626 	if (err)
13627 		trig->nd_config = NULL;
13628 
13629 out:
13630 	kfree(tb);
13631 	return err;
13632 }
13633 
13634 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13635 {
13636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13637 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13638 	struct cfg80211_wowlan new_triggers = {};
13639 	struct cfg80211_wowlan *ntrig;
13640 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13641 	int err, i;
13642 	bool prev_enabled = rdev->wiphy.wowlan_config;
13643 	bool regular = false;
13644 
13645 	if (!wowlan)
13646 		return -EOPNOTSUPP;
13647 
13648 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13649 		cfg80211_rdev_free_wowlan(rdev);
13650 		rdev->wiphy.wowlan_config = NULL;
13651 		goto set_wakeup;
13652 	}
13653 
13654 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13655 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13656 					  nl80211_wowlan_policy, info->extack);
13657 	if (err)
13658 		return err;
13659 
13660 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13661 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13662 			return -EINVAL;
13663 		new_triggers.any = true;
13664 	}
13665 
13666 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13667 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13668 			return -EINVAL;
13669 		new_triggers.disconnect = true;
13670 		regular = true;
13671 	}
13672 
13673 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13674 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13675 			return -EINVAL;
13676 		new_triggers.magic_pkt = true;
13677 		regular = true;
13678 	}
13679 
13680 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13681 		return -EINVAL;
13682 
13683 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13684 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13685 			return -EINVAL;
13686 		new_triggers.gtk_rekey_failure = true;
13687 		regular = true;
13688 	}
13689 
13690 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13691 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13692 			return -EINVAL;
13693 		new_triggers.eap_identity_req = true;
13694 		regular = true;
13695 	}
13696 
13697 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13698 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13699 			return -EINVAL;
13700 		new_triggers.four_way_handshake = true;
13701 		regular = true;
13702 	}
13703 
13704 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13705 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13706 			return -EINVAL;
13707 		new_triggers.rfkill_release = true;
13708 		regular = true;
13709 	}
13710 
13711 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13712 		struct nlattr *pat;
13713 		int n_patterns = 0;
13714 		int rem, pat_len, mask_len, pkt_offset;
13715 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13716 
13717 		regular = true;
13718 
13719 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13720 				    rem)
13721 			n_patterns++;
13722 		if (n_patterns > wowlan->n_patterns)
13723 			return -EINVAL;
13724 
13725 		new_triggers.patterns = kcalloc(n_patterns,
13726 						sizeof(new_triggers.patterns[0]),
13727 						GFP_KERNEL);
13728 		if (!new_triggers.patterns)
13729 			return -ENOMEM;
13730 
13731 		new_triggers.n_patterns = n_patterns;
13732 		i = 0;
13733 
13734 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13735 				    rem) {
13736 			u8 *mask_pat;
13737 
13738 			err = nla_parse_nested_deprecated(pat_tb,
13739 							  MAX_NL80211_PKTPAT,
13740 							  pat,
13741 							  nl80211_packet_pattern_policy,
13742 							  info->extack);
13743 			if (err)
13744 				goto error;
13745 
13746 			err = -EINVAL;
13747 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13748 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13749 				goto error;
13750 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13751 			mask_len = DIV_ROUND_UP(pat_len, 8);
13752 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13753 				goto error;
13754 			if (pat_len > wowlan->pattern_max_len ||
13755 			    pat_len < wowlan->pattern_min_len)
13756 				goto error;
13757 
13758 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13759 				pkt_offset = 0;
13760 			else
13761 				pkt_offset = nla_get_u32(
13762 					pat_tb[NL80211_PKTPAT_OFFSET]);
13763 			if (pkt_offset > wowlan->max_pkt_offset)
13764 				goto error;
13765 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13766 
13767 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13768 			if (!mask_pat) {
13769 				err = -ENOMEM;
13770 				goto error;
13771 			}
13772 			new_triggers.patterns[i].mask = mask_pat;
13773 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13774 			       mask_len);
13775 			mask_pat += mask_len;
13776 			new_triggers.patterns[i].pattern = mask_pat;
13777 			new_triggers.patterns[i].pattern_len = pat_len;
13778 			memcpy(mask_pat,
13779 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13780 			       pat_len);
13781 			i++;
13782 		}
13783 	}
13784 
13785 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13786 		regular = true;
13787 		err = nl80211_parse_wowlan_tcp(
13788 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13789 			&new_triggers);
13790 		if (err)
13791 			goto error;
13792 	}
13793 
13794 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13795 		regular = true;
13796 		err = nl80211_parse_wowlan_nd(
13797 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13798 			&new_triggers);
13799 		if (err)
13800 			goto error;
13801 	}
13802 
13803 	/* The 'any' trigger means the device continues operating more or less
13804 	 * as in its normal operation mode and wakes up the host on most of the
13805 	 * normal interrupts (like packet RX, ...)
13806 	 * It therefore makes little sense to combine with the more constrained
13807 	 * wakeup trigger modes.
13808 	 */
13809 	if (new_triggers.any && regular) {
13810 		err = -EINVAL;
13811 		goto error;
13812 	}
13813 
13814 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13815 	if (!ntrig) {
13816 		err = -ENOMEM;
13817 		goto error;
13818 	}
13819 	cfg80211_rdev_free_wowlan(rdev);
13820 	rdev->wiphy.wowlan_config = ntrig;
13821 
13822  set_wakeup:
13823 	if (rdev->ops->set_wakeup &&
13824 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13825 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13826 
13827 	return 0;
13828  error:
13829 	for (i = 0; i < new_triggers.n_patterns; i++)
13830 		kfree(new_triggers.patterns[i].mask);
13831 	kfree(new_triggers.patterns);
13832 	if (new_triggers.tcp && new_triggers.tcp->sock)
13833 		sock_release(new_triggers.tcp->sock);
13834 	kfree(new_triggers.tcp);
13835 	kfree(new_triggers.nd_config);
13836 	return err;
13837 }
13838 #endif
13839 
13840 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13841 				       struct cfg80211_registered_device *rdev)
13842 {
13843 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13844 	int i, j, pat_len;
13845 	struct cfg80211_coalesce_rules *rule;
13846 
13847 	if (!rdev->coalesce->n_rules)
13848 		return 0;
13849 
13850 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13851 	if (!nl_rules)
13852 		return -ENOBUFS;
13853 
13854 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13855 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13856 		if (!nl_rule)
13857 			return -ENOBUFS;
13858 
13859 		rule = &rdev->coalesce->rules[i];
13860 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13861 				rule->delay))
13862 			return -ENOBUFS;
13863 
13864 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13865 				rule->condition))
13866 			return -ENOBUFS;
13867 
13868 		nl_pats = nla_nest_start_noflag(msg,
13869 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13870 		if (!nl_pats)
13871 			return -ENOBUFS;
13872 
13873 		for (j = 0; j < rule->n_patterns; j++) {
13874 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13875 			if (!nl_pat)
13876 				return -ENOBUFS;
13877 			pat_len = rule->patterns[j].pattern_len;
13878 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13879 				    DIV_ROUND_UP(pat_len, 8),
13880 				    rule->patterns[j].mask) ||
13881 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13882 				    rule->patterns[j].pattern) ||
13883 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13884 					rule->patterns[j].pkt_offset))
13885 				return -ENOBUFS;
13886 			nla_nest_end(msg, nl_pat);
13887 		}
13888 		nla_nest_end(msg, nl_pats);
13889 		nla_nest_end(msg, nl_rule);
13890 	}
13891 	nla_nest_end(msg, nl_rules);
13892 
13893 	return 0;
13894 }
13895 
13896 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13897 {
13898 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13899 	struct sk_buff *msg;
13900 	void *hdr;
13901 
13902 	if (!rdev->wiphy.coalesce)
13903 		return -EOPNOTSUPP;
13904 
13905 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13906 	if (!msg)
13907 		return -ENOMEM;
13908 
13909 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13910 			     NL80211_CMD_GET_COALESCE);
13911 	if (!hdr)
13912 		goto nla_put_failure;
13913 
13914 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13915 		goto nla_put_failure;
13916 
13917 	genlmsg_end(msg, hdr);
13918 	return genlmsg_reply(msg, info);
13919 
13920 nla_put_failure:
13921 	nlmsg_free(msg);
13922 	return -ENOBUFS;
13923 }
13924 
13925 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
13926 {
13927 	int i, j;
13928 	struct cfg80211_coalesce_rules *rule;
13929 
13930 	if (!coalesce)
13931 		return;
13932 
13933 	for (i = 0; i < coalesce->n_rules; i++) {
13934 		rule = &coalesce->rules[i];
13935 		if (!rule)
13936 			continue;
13937 		for (j = 0; j < rule->n_patterns; j++)
13938 			kfree(rule->patterns[j].mask);
13939 		kfree(rule->patterns);
13940 	}
13941 	kfree(coalesce);
13942 }
13943 
13944 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13945 				       struct nlattr *rule,
13946 				       struct cfg80211_coalesce_rules *new_rule)
13947 {
13948 	int err, i;
13949 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13950 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13951 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13952 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13953 
13954 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13955 					  rule, nl80211_coalesce_policy, NULL);
13956 	if (err)
13957 		return err;
13958 
13959 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13960 		new_rule->delay =
13961 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13962 	if (new_rule->delay > coalesce->max_delay)
13963 		return -EINVAL;
13964 
13965 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13966 		new_rule->condition =
13967 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13968 
13969 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13970 		return -EINVAL;
13971 
13972 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13973 			    rem)
13974 		n_patterns++;
13975 	if (n_patterns > coalesce->n_patterns)
13976 		return -EINVAL;
13977 
13978 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13979 				     GFP_KERNEL);
13980 	if (!new_rule->patterns)
13981 		return -ENOMEM;
13982 
13983 	new_rule->n_patterns = n_patterns;
13984 	i = 0;
13985 
13986 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13987 			    rem) {
13988 		u8 *mask_pat;
13989 
13990 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13991 						  pat,
13992 						  nl80211_packet_pattern_policy,
13993 						  NULL);
13994 		if (err)
13995 			return err;
13996 
13997 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13998 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13999 			return -EINVAL;
14000 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14001 		mask_len = DIV_ROUND_UP(pat_len, 8);
14002 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14003 			return -EINVAL;
14004 		if (pat_len > coalesce->pattern_max_len ||
14005 		    pat_len < coalesce->pattern_min_len)
14006 			return -EINVAL;
14007 
14008 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
14009 			pkt_offset = 0;
14010 		else
14011 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
14012 		if (pkt_offset > coalesce->max_pkt_offset)
14013 			return -EINVAL;
14014 		new_rule->patterns[i].pkt_offset = pkt_offset;
14015 
14016 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14017 		if (!mask_pat)
14018 			return -ENOMEM;
14019 
14020 		new_rule->patterns[i].mask = mask_pat;
14021 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14022 		       mask_len);
14023 
14024 		mask_pat += mask_len;
14025 		new_rule->patterns[i].pattern = mask_pat;
14026 		new_rule->patterns[i].pattern_len = pat_len;
14027 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14028 		       pat_len);
14029 		i++;
14030 	}
14031 
14032 	return 0;
14033 }
14034 
14035 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14036 {
14037 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14038 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14039 	struct cfg80211_coalesce *new_coalesce;
14040 	int err, rem_rule, n_rules = 0, i;
14041 	struct nlattr *rule;
14042 
14043 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14044 		return -EOPNOTSUPP;
14045 
14046 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14047 		cfg80211_free_coalesce(rdev->coalesce);
14048 		rdev->coalesce = NULL;
14049 		rdev_set_coalesce(rdev, NULL);
14050 		return 0;
14051 	}
14052 
14053 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14054 			    rem_rule)
14055 		n_rules++;
14056 	if (n_rules > coalesce->n_rules)
14057 		return -EINVAL;
14058 
14059 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14060 			       GFP_KERNEL);
14061 	if (!new_coalesce)
14062 		return -ENOMEM;
14063 
14064 	new_coalesce->n_rules = n_rules;
14065 	i = 0;
14066 
14067 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14068 			    rem_rule) {
14069 		err = nl80211_parse_coalesce_rule(rdev, rule,
14070 						  &new_coalesce->rules[i]);
14071 		if (err)
14072 			goto error;
14073 
14074 		i++;
14075 	}
14076 
14077 	err = rdev_set_coalesce(rdev, new_coalesce);
14078 	if (err)
14079 		goto error;
14080 
14081 	cfg80211_free_coalesce(rdev->coalesce);
14082 	rdev->coalesce = new_coalesce;
14083 
14084 	return 0;
14085 error:
14086 	cfg80211_free_coalesce(new_coalesce);
14087 
14088 	return err;
14089 }
14090 
14091 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14092 {
14093 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14094 	struct net_device *dev = info->user_ptr[1];
14095 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14096 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14097 	struct cfg80211_gtk_rekey_data rekey_data = {};
14098 	int err;
14099 
14100 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14101 		return -EINVAL;
14102 
14103 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14104 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14105 					  nl80211_rekey_policy, info->extack);
14106 	if (err)
14107 		return err;
14108 
14109 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14110 	    !tb[NL80211_REKEY_DATA_KCK])
14111 		return -EINVAL;
14112 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14113 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14114 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14115 		return -ERANGE;
14116 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14117 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14118 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14119 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14120 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14121 		return -ERANGE;
14122 
14123 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14124 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14125 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14126 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14127 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14128 	if (tb[NL80211_REKEY_DATA_AKM])
14129 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14130 
14131 	if (!wdev->connected)
14132 		return -ENOTCONN;
14133 
14134 	if (!rdev->ops->set_rekey_data)
14135 		return -EOPNOTSUPP;
14136 
14137 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14138 }
14139 
14140 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14141 					     struct genl_info *info)
14142 {
14143 	struct net_device *dev = info->user_ptr[1];
14144 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14145 
14146 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14147 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14148 		return -EINVAL;
14149 
14150 	if (wdev->ap_unexpected_nlportid)
14151 		return -EBUSY;
14152 
14153 	wdev->ap_unexpected_nlportid = info->snd_portid;
14154 	return 0;
14155 }
14156 
14157 static int nl80211_probe_client(struct sk_buff *skb,
14158 				struct genl_info *info)
14159 {
14160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14161 	struct net_device *dev = info->user_ptr[1];
14162 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14163 	struct sk_buff *msg;
14164 	void *hdr;
14165 	const u8 *addr;
14166 	u64 cookie;
14167 	int err;
14168 
14169 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14170 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14171 		return -EOPNOTSUPP;
14172 
14173 	if (!info->attrs[NL80211_ATTR_MAC])
14174 		return -EINVAL;
14175 
14176 	if (!rdev->ops->probe_client)
14177 		return -EOPNOTSUPP;
14178 
14179 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14180 	if (!msg)
14181 		return -ENOMEM;
14182 
14183 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14184 			     NL80211_CMD_PROBE_CLIENT);
14185 	if (!hdr) {
14186 		err = -ENOBUFS;
14187 		goto free_msg;
14188 	}
14189 
14190 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14191 
14192 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14193 	if (err)
14194 		goto free_msg;
14195 
14196 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14197 			      NL80211_ATTR_PAD))
14198 		goto nla_put_failure;
14199 
14200 	genlmsg_end(msg, hdr);
14201 
14202 	return genlmsg_reply(msg, info);
14203 
14204  nla_put_failure:
14205 	err = -ENOBUFS;
14206  free_msg:
14207 	nlmsg_free(msg);
14208 	return err;
14209 }
14210 
14211 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14212 {
14213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14214 	struct cfg80211_beacon_registration *reg, *nreg;
14215 	int rv;
14216 
14217 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14218 		return -EOPNOTSUPP;
14219 
14220 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14221 	if (!nreg)
14222 		return -ENOMEM;
14223 
14224 	/* First, check if already registered. */
14225 	spin_lock_bh(&rdev->beacon_registrations_lock);
14226 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14227 		if (reg->nlportid == info->snd_portid) {
14228 			rv = -EALREADY;
14229 			goto out_err;
14230 		}
14231 	}
14232 	/* Add it to the list */
14233 	nreg->nlportid = info->snd_portid;
14234 	list_add(&nreg->list, &rdev->beacon_registrations);
14235 
14236 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14237 
14238 	return 0;
14239 out_err:
14240 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14241 	kfree(nreg);
14242 	return rv;
14243 }
14244 
14245 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14246 {
14247 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14248 	struct wireless_dev *wdev = info->user_ptr[1];
14249 	int err;
14250 
14251 	if (!rdev->ops->start_p2p_device)
14252 		return -EOPNOTSUPP;
14253 
14254 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14255 		return -EOPNOTSUPP;
14256 
14257 	if (wdev_running(wdev))
14258 		return 0;
14259 
14260 	if (rfkill_blocked(rdev->wiphy.rfkill))
14261 		return -ERFKILL;
14262 
14263 	err = rdev_start_p2p_device(rdev, wdev);
14264 	if (err)
14265 		return err;
14266 
14267 	wdev->is_running = true;
14268 	rdev->opencount++;
14269 
14270 	return 0;
14271 }
14272 
14273 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14274 {
14275 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14276 	struct wireless_dev *wdev = info->user_ptr[1];
14277 
14278 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14279 		return -EOPNOTSUPP;
14280 
14281 	if (!rdev->ops->stop_p2p_device)
14282 		return -EOPNOTSUPP;
14283 
14284 	cfg80211_stop_p2p_device(rdev, wdev);
14285 
14286 	return 0;
14287 }
14288 
14289 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14290 {
14291 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14292 	struct wireless_dev *wdev = info->user_ptr[1];
14293 	struct cfg80211_nan_conf conf = {};
14294 	int err;
14295 
14296 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14297 		return -EOPNOTSUPP;
14298 
14299 	if (wdev_running(wdev))
14300 		return -EEXIST;
14301 
14302 	if (rfkill_blocked(rdev->wiphy.rfkill))
14303 		return -ERFKILL;
14304 
14305 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14306 		return -EINVAL;
14307 
14308 	conf.master_pref =
14309 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14310 
14311 	if (info->attrs[NL80211_ATTR_BANDS]) {
14312 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14313 
14314 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14315 			return -EOPNOTSUPP;
14316 
14317 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14318 			return -EINVAL;
14319 
14320 		conf.bands = bands;
14321 	}
14322 
14323 	err = rdev_start_nan(rdev, wdev, &conf);
14324 	if (err)
14325 		return err;
14326 
14327 	wdev->is_running = true;
14328 	rdev->opencount++;
14329 
14330 	return 0;
14331 }
14332 
14333 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14334 {
14335 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14336 	struct wireless_dev *wdev = info->user_ptr[1];
14337 
14338 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14339 		return -EOPNOTSUPP;
14340 
14341 	cfg80211_stop_nan(rdev, wdev);
14342 
14343 	return 0;
14344 }
14345 
14346 static int validate_nan_filter(struct nlattr *filter_attr)
14347 {
14348 	struct nlattr *attr;
14349 	int len = 0, n_entries = 0, rem;
14350 
14351 	nla_for_each_nested(attr, filter_attr, rem) {
14352 		len += nla_len(attr);
14353 		n_entries++;
14354 	}
14355 
14356 	if (len >= U8_MAX)
14357 		return -EINVAL;
14358 
14359 	return n_entries;
14360 }
14361 
14362 static int handle_nan_filter(struct nlattr *attr_filter,
14363 			     struct cfg80211_nan_func *func,
14364 			     bool tx)
14365 {
14366 	struct nlattr *attr;
14367 	int n_entries, rem, i;
14368 	struct cfg80211_nan_func_filter *filter;
14369 
14370 	n_entries = validate_nan_filter(attr_filter);
14371 	if (n_entries < 0)
14372 		return n_entries;
14373 
14374 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14375 
14376 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14377 	if (!filter)
14378 		return -ENOMEM;
14379 
14380 	i = 0;
14381 	nla_for_each_nested(attr, attr_filter, rem) {
14382 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14383 		if (!filter[i].filter)
14384 			goto err;
14385 
14386 		filter[i].len = nla_len(attr);
14387 		i++;
14388 	}
14389 	if (tx) {
14390 		func->num_tx_filters = n_entries;
14391 		func->tx_filters = filter;
14392 	} else {
14393 		func->num_rx_filters = n_entries;
14394 		func->rx_filters = filter;
14395 	}
14396 
14397 	return 0;
14398 
14399 err:
14400 	i = 0;
14401 	nla_for_each_nested(attr, attr_filter, rem) {
14402 		kfree(filter[i].filter);
14403 		i++;
14404 	}
14405 	kfree(filter);
14406 	return -ENOMEM;
14407 }
14408 
14409 static int nl80211_nan_add_func(struct sk_buff *skb,
14410 				struct genl_info *info)
14411 {
14412 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14413 	struct wireless_dev *wdev = info->user_ptr[1];
14414 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14415 	struct cfg80211_nan_func *func;
14416 	struct sk_buff *msg = NULL;
14417 	void *hdr = NULL;
14418 	int err = 0;
14419 
14420 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14421 		return -EOPNOTSUPP;
14422 
14423 	if (!wdev_running(wdev))
14424 		return -ENOTCONN;
14425 
14426 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14427 		return -EINVAL;
14428 
14429 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14430 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14431 					  nl80211_nan_func_policy,
14432 					  info->extack);
14433 	if (err)
14434 		return err;
14435 
14436 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14437 	if (!func)
14438 		return -ENOMEM;
14439 
14440 	func->cookie = cfg80211_assign_cookie(rdev);
14441 
14442 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14443 		err = -EINVAL;
14444 		goto out;
14445 	}
14446 
14447 
14448 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14449 
14450 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14451 		err = -EINVAL;
14452 		goto out;
14453 	}
14454 
14455 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14456 	       sizeof(func->service_id));
14457 
14458 	func->close_range =
14459 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14460 
14461 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14462 		func->serv_spec_info_len =
14463 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14464 		func->serv_spec_info =
14465 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14466 				func->serv_spec_info_len,
14467 				GFP_KERNEL);
14468 		if (!func->serv_spec_info) {
14469 			err = -ENOMEM;
14470 			goto out;
14471 		}
14472 	}
14473 
14474 	if (tb[NL80211_NAN_FUNC_TTL])
14475 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14476 
14477 	switch (func->type) {
14478 	case NL80211_NAN_FUNC_PUBLISH:
14479 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14480 			err = -EINVAL;
14481 			goto out;
14482 		}
14483 
14484 		func->publish_type =
14485 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14486 		func->publish_bcast =
14487 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14488 
14489 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14490 			func->publish_bcast) {
14491 			err = -EINVAL;
14492 			goto out;
14493 		}
14494 		break;
14495 	case NL80211_NAN_FUNC_SUBSCRIBE:
14496 		func->subscribe_active =
14497 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14498 		break;
14499 	case NL80211_NAN_FUNC_FOLLOW_UP:
14500 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14501 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14502 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14503 			err = -EINVAL;
14504 			goto out;
14505 		}
14506 
14507 		func->followup_id =
14508 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14509 		func->followup_reqid =
14510 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14511 		memcpy(func->followup_dest.addr,
14512 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14513 		       sizeof(func->followup_dest.addr));
14514 		if (func->ttl) {
14515 			err = -EINVAL;
14516 			goto out;
14517 		}
14518 		break;
14519 	default:
14520 		err = -EINVAL;
14521 		goto out;
14522 	}
14523 
14524 	if (tb[NL80211_NAN_FUNC_SRF]) {
14525 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14526 
14527 		err = nla_parse_nested_deprecated(srf_tb,
14528 						  NL80211_NAN_SRF_ATTR_MAX,
14529 						  tb[NL80211_NAN_FUNC_SRF],
14530 						  nl80211_nan_srf_policy,
14531 						  info->extack);
14532 		if (err)
14533 			goto out;
14534 
14535 		func->srf_include =
14536 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14537 
14538 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14539 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14540 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14541 				err = -EINVAL;
14542 				goto out;
14543 			}
14544 
14545 			func->srf_bf_len =
14546 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14547 			func->srf_bf =
14548 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14549 					func->srf_bf_len, GFP_KERNEL);
14550 			if (!func->srf_bf) {
14551 				err = -ENOMEM;
14552 				goto out;
14553 			}
14554 
14555 			func->srf_bf_idx =
14556 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14557 		} else {
14558 			struct nlattr *attr, *mac_attr =
14559 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14560 			int n_entries, rem, i = 0;
14561 
14562 			if (!mac_attr) {
14563 				err = -EINVAL;
14564 				goto out;
14565 			}
14566 
14567 			n_entries = validate_acl_mac_addrs(mac_attr);
14568 			if (n_entries <= 0) {
14569 				err = -EINVAL;
14570 				goto out;
14571 			}
14572 
14573 			func->srf_num_macs = n_entries;
14574 			func->srf_macs =
14575 				kcalloc(n_entries, sizeof(*func->srf_macs),
14576 					GFP_KERNEL);
14577 			if (!func->srf_macs) {
14578 				err = -ENOMEM;
14579 				goto out;
14580 			}
14581 
14582 			nla_for_each_nested(attr, mac_attr, rem)
14583 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14584 				       sizeof(*func->srf_macs));
14585 		}
14586 	}
14587 
14588 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14589 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14590 					func, true);
14591 		if (err)
14592 			goto out;
14593 	}
14594 
14595 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14596 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14597 					func, false);
14598 		if (err)
14599 			goto out;
14600 	}
14601 
14602 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14603 	if (!msg) {
14604 		err = -ENOMEM;
14605 		goto out;
14606 	}
14607 
14608 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14609 			     NL80211_CMD_ADD_NAN_FUNCTION);
14610 	/* This can't really happen - we just allocated 4KB */
14611 	if (WARN_ON(!hdr)) {
14612 		err = -ENOMEM;
14613 		goto out;
14614 	}
14615 
14616 	err = rdev_add_nan_func(rdev, wdev, func);
14617 out:
14618 	if (err < 0) {
14619 		cfg80211_free_nan_func(func);
14620 		nlmsg_free(msg);
14621 		return err;
14622 	}
14623 
14624 	/* propagate the instance id and cookie to userspace  */
14625 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14626 			      NL80211_ATTR_PAD))
14627 		goto nla_put_failure;
14628 
14629 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14630 	if (!func_attr)
14631 		goto nla_put_failure;
14632 
14633 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14634 		       func->instance_id))
14635 		goto nla_put_failure;
14636 
14637 	nla_nest_end(msg, func_attr);
14638 
14639 	genlmsg_end(msg, hdr);
14640 	return genlmsg_reply(msg, info);
14641 
14642 nla_put_failure:
14643 	nlmsg_free(msg);
14644 	return -ENOBUFS;
14645 }
14646 
14647 static int nl80211_nan_del_func(struct sk_buff *skb,
14648 			       struct genl_info *info)
14649 {
14650 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14651 	struct wireless_dev *wdev = info->user_ptr[1];
14652 	u64 cookie;
14653 
14654 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14655 		return -EOPNOTSUPP;
14656 
14657 	if (!wdev_running(wdev))
14658 		return -ENOTCONN;
14659 
14660 	if (!info->attrs[NL80211_ATTR_COOKIE])
14661 		return -EINVAL;
14662 
14663 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14664 
14665 	rdev_del_nan_func(rdev, wdev, cookie);
14666 
14667 	return 0;
14668 }
14669 
14670 static int nl80211_nan_change_config(struct sk_buff *skb,
14671 				     struct genl_info *info)
14672 {
14673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14674 	struct wireless_dev *wdev = info->user_ptr[1];
14675 	struct cfg80211_nan_conf conf = {};
14676 	u32 changed = 0;
14677 
14678 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14679 		return -EOPNOTSUPP;
14680 
14681 	if (!wdev_running(wdev))
14682 		return -ENOTCONN;
14683 
14684 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14685 		conf.master_pref =
14686 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14687 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14688 			return -EINVAL;
14689 
14690 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14691 	}
14692 
14693 	if (info->attrs[NL80211_ATTR_BANDS]) {
14694 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14695 
14696 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14697 			return -EOPNOTSUPP;
14698 
14699 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14700 			return -EINVAL;
14701 
14702 		conf.bands = bands;
14703 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14704 	}
14705 
14706 	if (!changed)
14707 		return -EINVAL;
14708 
14709 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14710 }
14711 
14712 void cfg80211_nan_match(struct wireless_dev *wdev,
14713 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14714 {
14715 	struct wiphy *wiphy = wdev->wiphy;
14716 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14717 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14718 	struct sk_buff *msg;
14719 	void *hdr;
14720 
14721 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14722 		return;
14723 
14724 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14725 	if (!msg)
14726 		return;
14727 
14728 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14729 	if (!hdr) {
14730 		nlmsg_free(msg);
14731 		return;
14732 	}
14733 
14734 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14735 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14736 					 wdev->netdev->ifindex)) ||
14737 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14738 			      NL80211_ATTR_PAD))
14739 		goto nla_put_failure;
14740 
14741 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14742 			      NL80211_ATTR_PAD) ||
14743 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14744 		goto nla_put_failure;
14745 
14746 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14747 	if (!match_attr)
14748 		goto nla_put_failure;
14749 
14750 	local_func_attr = nla_nest_start_noflag(msg,
14751 						NL80211_NAN_MATCH_FUNC_LOCAL);
14752 	if (!local_func_attr)
14753 		goto nla_put_failure;
14754 
14755 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14756 		goto nla_put_failure;
14757 
14758 	nla_nest_end(msg, local_func_attr);
14759 
14760 	peer_func_attr = nla_nest_start_noflag(msg,
14761 					       NL80211_NAN_MATCH_FUNC_PEER);
14762 	if (!peer_func_attr)
14763 		goto nla_put_failure;
14764 
14765 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14766 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14767 		goto nla_put_failure;
14768 
14769 	if (match->info && match->info_len &&
14770 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14771 		    match->info))
14772 		goto nla_put_failure;
14773 
14774 	nla_nest_end(msg, peer_func_attr);
14775 	nla_nest_end(msg, match_attr);
14776 	genlmsg_end(msg, hdr);
14777 
14778 	if (!wdev->owner_nlportid)
14779 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14780 					msg, 0, NL80211_MCGRP_NAN, gfp);
14781 	else
14782 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14783 				wdev->owner_nlportid);
14784 
14785 	return;
14786 
14787 nla_put_failure:
14788 	nlmsg_free(msg);
14789 }
14790 EXPORT_SYMBOL(cfg80211_nan_match);
14791 
14792 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14793 				  u8 inst_id,
14794 				  enum nl80211_nan_func_term_reason reason,
14795 				  u64 cookie, gfp_t gfp)
14796 {
14797 	struct wiphy *wiphy = wdev->wiphy;
14798 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14799 	struct sk_buff *msg;
14800 	struct nlattr *func_attr;
14801 	void *hdr;
14802 
14803 	if (WARN_ON(!inst_id))
14804 		return;
14805 
14806 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14807 	if (!msg)
14808 		return;
14809 
14810 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14811 	if (!hdr) {
14812 		nlmsg_free(msg);
14813 		return;
14814 	}
14815 
14816 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14817 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14818 					 wdev->netdev->ifindex)) ||
14819 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14820 			      NL80211_ATTR_PAD))
14821 		goto nla_put_failure;
14822 
14823 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14824 			      NL80211_ATTR_PAD))
14825 		goto nla_put_failure;
14826 
14827 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14828 	if (!func_attr)
14829 		goto nla_put_failure;
14830 
14831 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14832 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14833 		goto nla_put_failure;
14834 
14835 	nla_nest_end(msg, func_attr);
14836 	genlmsg_end(msg, hdr);
14837 
14838 	if (!wdev->owner_nlportid)
14839 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14840 					msg, 0, NL80211_MCGRP_NAN, gfp);
14841 	else
14842 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14843 				wdev->owner_nlportid);
14844 
14845 	return;
14846 
14847 nla_put_failure:
14848 	nlmsg_free(msg);
14849 }
14850 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14851 
14852 static int nl80211_get_protocol_features(struct sk_buff *skb,
14853 					 struct genl_info *info)
14854 {
14855 	void *hdr;
14856 	struct sk_buff *msg;
14857 
14858 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14859 	if (!msg)
14860 		return -ENOMEM;
14861 
14862 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14863 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14864 	if (!hdr)
14865 		goto nla_put_failure;
14866 
14867 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14868 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14869 		goto nla_put_failure;
14870 
14871 	genlmsg_end(msg, hdr);
14872 	return genlmsg_reply(msg, info);
14873 
14874  nla_put_failure:
14875 	kfree_skb(msg);
14876 	return -ENOBUFS;
14877 }
14878 
14879 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14880 {
14881 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14882 	struct cfg80211_update_ft_ies_params ft_params;
14883 	struct net_device *dev = info->user_ptr[1];
14884 
14885 	if (!rdev->ops->update_ft_ies)
14886 		return -EOPNOTSUPP;
14887 
14888 	if (!info->attrs[NL80211_ATTR_MDID] ||
14889 	    !info->attrs[NL80211_ATTR_IE])
14890 		return -EINVAL;
14891 
14892 	memset(&ft_params, 0, sizeof(ft_params));
14893 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14894 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14895 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14896 
14897 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14898 }
14899 
14900 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14901 				       struct genl_info *info)
14902 {
14903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14904 	struct wireless_dev *wdev = info->user_ptr[1];
14905 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14906 	u16 duration;
14907 	int ret;
14908 
14909 	if (!rdev->ops->crit_proto_start)
14910 		return -EOPNOTSUPP;
14911 
14912 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14913 		return -EINVAL;
14914 
14915 	if (rdev->crit_proto_nlportid)
14916 		return -EBUSY;
14917 
14918 	/* determine protocol if provided */
14919 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14920 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14921 
14922 	if (proto >= NUM_NL80211_CRIT_PROTO)
14923 		return -EINVAL;
14924 
14925 	/* timeout must be provided */
14926 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14927 		return -EINVAL;
14928 
14929 	duration =
14930 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14931 
14932 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14933 	if (!ret)
14934 		rdev->crit_proto_nlportid = info->snd_portid;
14935 
14936 	return ret;
14937 }
14938 
14939 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14940 				      struct genl_info *info)
14941 {
14942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14943 	struct wireless_dev *wdev = info->user_ptr[1];
14944 
14945 	if (!rdev->ops->crit_proto_stop)
14946 		return -EOPNOTSUPP;
14947 
14948 	if (rdev->crit_proto_nlportid) {
14949 		rdev->crit_proto_nlportid = 0;
14950 		rdev_crit_proto_stop(rdev, wdev);
14951 	}
14952 	return 0;
14953 }
14954 
14955 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14956 				       struct nlattr *attr,
14957 				       struct netlink_ext_ack *extack)
14958 {
14959 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14960 		if (attr->nla_type & NLA_F_NESTED) {
14961 			NL_SET_ERR_MSG_ATTR(extack, attr,
14962 					    "unexpected nested data");
14963 			return -EINVAL;
14964 		}
14965 
14966 		return 0;
14967 	}
14968 
14969 	if (!(attr->nla_type & NLA_F_NESTED)) {
14970 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14971 		return -EINVAL;
14972 	}
14973 
14974 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14975 }
14976 
14977 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14978 {
14979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14980 	struct wireless_dev *wdev =
14981 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14982 					   info->attrs);
14983 	int i, err;
14984 	u32 vid, subcmd;
14985 
14986 	if (!rdev->wiphy.vendor_commands)
14987 		return -EOPNOTSUPP;
14988 
14989 	if (IS_ERR(wdev)) {
14990 		err = PTR_ERR(wdev);
14991 		if (err != -EINVAL)
14992 			return err;
14993 		wdev = NULL;
14994 	} else if (wdev->wiphy != &rdev->wiphy) {
14995 		return -EINVAL;
14996 	}
14997 
14998 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14999 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15000 		return -EINVAL;
15001 
15002 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15003 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15004 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15005 		const struct wiphy_vendor_command *vcmd;
15006 		void *data = NULL;
15007 		int len = 0;
15008 
15009 		vcmd = &rdev->wiphy.vendor_commands[i];
15010 
15011 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15012 			continue;
15013 
15014 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15015 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15016 			if (!wdev)
15017 				return -EINVAL;
15018 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15019 			    !wdev->netdev)
15020 				return -EINVAL;
15021 
15022 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15023 				if (!wdev_running(wdev))
15024 					return -ENETDOWN;
15025 			}
15026 		} else {
15027 			wdev = NULL;
15028 		}
15029 
15030 		if (!vcmd->doit)
15031 			return -EOPNOTSUPP;
15032 
15033 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15034 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15035 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15036 
15037 			err = nl80211_vendor_check_policy(vcmd,
15038 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15039 					info->extack);
15040 			if (err)
15041 				return err;
15042 		}
15043 
15044 		rdev->cur_cmd_info = info;
15045 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15046 		rdev->cur_cmd_info = NULL;
15047 		return err;
15048 	}
15049 
15050 	return -EOPNOTSUPP;
15051 }
15052 
15053 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15054 				       struct netlink_callback *cb,
15055 				       struct cfg80211_registered_device **rdev,
15056 				       struct wireless_dev **wdev)
15057 {
15058 	struct nlattr **attrbuf;
15059 	u32 vid, subcmd;
15060 	unsigned int i;
15061 	int vcmd_idx = -1;
15062 	int err;
15063 	void *data = NULL;
15064 	unsigned int data_len = 0;
15065 
15066 	if (cb->args[0]) {
15067 		/* subtract the 1 again here */
15068 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15069 		struct wireless_dev *tmp;
15070 
15071 		if (!wiphy)
15072 			return -ENODEV;
15073 		*rdev = wiphy_to_rdev(wiphy);
15074 		*wdev = NULL;
15075 
15076 		if (cb->args[1]) {
15077 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15078 				if (tmp->identifier == cb->args[1] - 1) {
15079 					*wdev = tmp;
15080 					break;
15081 				}
15082 			}
15083 		}
15084 
15085 		/* keep rtnl locked in successful case */
15086 		return 0;
15087 	}
15088 
15089 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15090 	if (!attrbuf)
15091 		return -ENOMEM;
15092 
15093 	err = nlmsg_parse_deprecated(cb->nlh,
15094 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15095 				     attrbuf, nl80211_fam.maxattr,
15096 				     nl80211_policy, NULL);
15097 	if (err)
15098 		goto out;
15099 
15100 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15101 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15102 		err = -EINVAL;
15103 		goto out;
15104 	}
15105 
15106 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15107 	if (IS_ERR(*wdev))
15108 		*wdev = NULL;
15109 
15110 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15111 	if (IS_ERR(*rdev)) {
15112 		err = PTR_ERR(*rdev);
15113 		goto out;
15114 	}
15115 
15116 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15117 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15118 
15119 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15120 		const struct wiphy_vendor_command *vcmd;
15121 
15122 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15123 
15124 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15125 			continue;
15126 
15127 		if (!vcmd->dumpit) {
15128 			err = -EOPNOTSUPP;
15129 			goto out;
15130 		}
15131 
15132 		vcmd_idx = i;
15133 		break;
15134 	}
15135 
15136 	if (vcmd_idx < 0) {
15137 		err = -EOPNOTSUPP;
15138 		goto out;
15139 	}
15140 
15141 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15142 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15143 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15144 
15145 		err = nl80211_vendor_check_policy(
15146 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15147 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15148 				cb->extack);
15149 		if (err)
15150 			goto out;
15151 	}
15152 
15153 	/* 0 is the first index - add 1 to parse only once */
15154 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15155 	/* add 1 to know if it was NULL */
15156 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15157 	cb->args[2] = vcmd_idx;
15158 	cb->args[3] = (unsigned long)data;
15159 	cb->args[4] = data_len;
15160 
15161 	/* keep rtnl locked in successful case */
15162 	err = 0;
15163 out:
15164 	kfree(attrbuf);
15165 	return err;
15166 }
15167 
15168 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15169 				   struct netlink_callback *cb)
15170 {
15171 	struct cfg80211_registered_device *rdev;
15172 	struct wireless_dev *wdev;
15173 	unsigned int vcmd_idx;
15174 	const struct wiphy_vendor_command *vcmd;
15175 	void *data;
15176 	int data_len;
15177 	int err;
15178 	struct nlattr *vendor_data;
15179 
15180 	rtnl_lock();
15181 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15182 	if (err)
15183 		goto out;
15184 
15185 	vcmd_idx = cb->args[2];
15186 	data = (void *)cb->args[3];
15187 	data_len = cb->args[4];
15188 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15189 
15190 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15191 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15192 		if (!wdev) {
15193 			err = -EINVAL;
15194 			goto out;
15195 		}
15196 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15197 		    !wdev->netdev) {
15198 			err = -EINVAL;
15199 			goto out;
15200 		}
15201 
15202 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15203 			if (!wdev_running(wdev)) {
15204 				err = -ENETDOWN;
15205 				goto out;
15206 			}
15207 		}
15208 	}
15209 
15210 	while (1) {
15211 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15212 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15213 					   NL80211_CMD_VENDOR);
15214 		if (!hdr)
15215 			break;
15216 
15217 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15218 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15219 					       wdev_id(wdev),
15220 					       NL80211_ATTR_PAD))) {
15221 			genlmsg_cancel(skb, hdr);
15222 			break;
15223 		}
15224 
15225 		vendor_data = nla_nest_start_noflag(skb,
15226 						    NL80211_ATTR_VENDOR_DATA);
15227 		if (!vendor_data) {
15228 			genlmsg_cancel(skb, hdr);
15229 			break;
15230 		}
15231 
15232 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15233 				   (unsigned long *)&cb->args[5]);
15234 		nla_nest_end(skb, vendor_data);
15235 
15236 		if (err == -ENOBUFS || err == -ENOENT) {
15237 			genlmsg_cancel(skb, hdr);
15238 			break;
15239 		} else if (err <= 0) {
15240 			genlmsg_cancel(skb, hdr);
15241 			goto out;
15242 		}
15243 
15244 		genlmsg_end(skb, hdr);
15245 	}
15246 
15247 	err = skb->len;
15248  out:
15249 	rtnl_unlock();
15250 	return err;
15251 }
15252 
15253 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15254 					   enum nl80211_commands cmd,
15255 					   enum nl80211_attrs attr,
15256 					   int approxlen)
15257 {
15258 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15259 
15260 	if (WARN_ON(!rdev->cur_cmd_info))
15261 		return NULL;
15262 
15263 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15264 					   rdev->cur_cmd_info->snd_portid,
15265 					   rdev->cur_cmd_info->snd_seq,
15266 					   cmd, attr, NULL, GFP_KERNEL);
15267 }
15268 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15269 
15270 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15271 {
15272 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15273 	void *hdr = ((void **)skb->cb)[1];
15274 	struct nlattr *data = ((void **)skb->cb)[2];
15275 
15276 	/* clear CB data for netlink core to own from now on */
15277 	memset(skb->cb, 0, sizeof(skb->cb));
15278 
15279 	if (WARN_ON(!rdev->cur_cmd_info)) {
15280 		kfree_skb(skb);
15281 		return -EINVAL;
15282 	}
15283 
15284 	nla_nest_end(skb, data);
15285 	genlmsg_end(skb, hdr);
15286 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15287 }
15288 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15289 
15290 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15291 {
15292 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15293 
15294 	if (WARN_ON(!rdev->cur_cmd_info))
15295 		return 0;
15296 
15297 	return rdev->cur_cmd_info->snd_portid;
15298 }
15299 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15300 
15301 static int nl80211_set_qos_map(struct sk_buff *skb,
15302 			       struct genl_info *info)
15303 {
15304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15305 	struct cfg80211_qos_map *qos_map = NULL;
15306 	struct net_device *dev = info->user_ptr[1];
15307 	u8 *pos, len, num_des, des_len, des;
15308 	int ret;
15309 
15310 	if (!rdev->ops->set_qos_map)
15311 		return -EOPNOTSUPP;
15312 
15313 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15314 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15315 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15316 
15317 		if (len % 2)
15318 			return -EINVAL;
15319 
15320 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15321 		if (!qos_map)
15322 			return -ENOMEM;
15323 
15324 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15325 		if (num_des) {
15326 			des_len = num_des *
15327 				sizeof(struct cfg80211_dscp_exception);
15328 			memcpy(qos_map->dscp_exception, pos, des_len);
15329 			qos_map->num_des = num_des;
15330 			for (des = 0; des < num_des; des++) {
15331 				if (qos_map->dscp_exception[des].up > 7) {
15332 					kfree(qos_map);
15333 					return -EINVAL;
15334 				}
15335 			}
15336 			pos += des_len;
15337 		}
15338 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15339 	}
15340 
15341 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15342 	if (!ret)
15343 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15344 
15345 	kfree(qos_map);
15346 	return ret;
15347 }
15348 
15349 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15350 {
15351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15352 	struct net_device *dev = info->user_ptr[1];
15353 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15354 	const u8 *peer;
15355 	u8 tsid, up;
15356 	u16 admitted_time = 0;
15357 
15358 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15359 		return -EOPNOTSUPP;
15360 
15361 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15362 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15363 		return -EINVAL;
15364 
15365 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15366 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15367 
15368 	/* WMM uses TIDs 0-7 even for TSPEC */
15369 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15370 		/* TODO: handle 802.11 TSPEC/admission control
15371 		 * need more attributes for that (e.g. BA session requirement);
15372 		 * change the WMM adminssion test above to allow both then
15373 		 */
15374 		return -EINVAL;
15375 	}
15376 
15377 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15378 
15379 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15380 		admitted_time =
15381 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15382 		if (!admitted_time)
15383 			return -EINVAL;
15384 	}
15385 
15386 	switch (wdev->iftype) {
15387 	case NL80211_IFTYPE_STATION:
15388 	case NL80211_IFTYPE_P2P_CLIENT:
15389 		if (wdev->connected)
15390 			break;
15391 		return -ENOTCONN;
15392 	default:
15393 		return -EOPNOTSUPP;
15394 	}
15395 
15396 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15397 }
15398 
15399 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15400 {
15401 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15402 	struct net_device *dev = info->user_ptr[1];
15403 	const u8 *peer;
15404 	u8 tsid;
15405 
15406 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15407 		return -EINVAL;
15408 
15409 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15410 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15411 
15412 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15413 }
15414 
15415 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15416 				       struct genl_info *info)
15417 {
15418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15419 	struct net_device *dev = info->user_ptr[1];
15420 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15421 	struct cfg80211_chan_def chandef = {};
15422 	const u8 *addr;
15423 	u8 oper_class;
15424 	int err;
15425 
15426 	if (!rdev->ops->tdls_channel_switch ||
15427 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15428 		return -EOPNOTSUPP;
15429 
15430 	switch (dev->ieee80211_ptr->iftype) {
15431 	case NL80211_IFTYPE_STATION:
15432 	case NL80211_IFTYPE_P2P_CLIENT:
15433 		break;
15434 	default:
15435 		return -EOPNOTSUPP;
15436 	}
15437 
15438 	if (!info->attrs[NL80211_ATTR_MAC] ||
15439 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15440 		return -EINVAL;
15441 
15442 	err = nl80211_parse_chandef(rdev, info, &chandef);
15443 	if (err)
15444 		return err;
15445 
15446 	/*
15447 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15448 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15449 	 * specification is not defined for them.
15450 	 */
15451 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15452 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15453 	    chandef.width != NL80211_CHAN_WIDTH_20)
15454 		return -EINVAL;
15455 
15456 	/* we will be active on the TDLS link */
15457 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15458 					   wdev->iftype))
15459 		return -EINVAL;
15460 
15461 	/* don't allow switching to DFS channels */
15462 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15463 		return -EINVAL;
15464 
15465 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15466 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15467 
15468 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15469 }
15470 
15471 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15472 					      struct genl_info *info)
15473 {
15474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15475 	struct net_device *dev = info->user_ptr[1];
15476 	const u8 *addr;
15477 
15478 	if (!rdev->ops->tdls_channel_switch ||
15479 	    !rdev->ops->tdls_cancel_channel_switch ||
15480 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15481 		return -EOPNOTSUPP;
15482 
15483 	switch (dev->ieee80211_ptr->iftype) {
15484 	case NL80211_IFTYPE_STATION:
15485 	case NL80211_IFTYPE_P2P_CLIENT:
15486 		break;
15487 	default:
15488 		return -EOPNOTSUPP;
15489 	}
15490 
15491 	if (!info->attrs[NL80211_ATTR_MAC])
15492 		return -EINVAL;
15493 
15494 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15495 
15496 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15497 
15498 	return 0;
15499 }
15500 
15501 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15502 					    struct genl_info *info)
15503 {
15504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15505 	struct net_device *dev = info->user_ptr[1];
15506 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15507 	const struct nlattr *nla;
15508 	bool enabled;
15509 
15510 	if (!rdev->ops->set_multicast_to_unicast)
15511 		return -EOPNOTSUPP;
15512 
15513 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15514 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15515 		return -EOPNOTSUPP;
15516 
15517 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15518 	enabled = nla_get_flag(nla);
15519 
15520 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15521 }
15522 
15523 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15524 {
15525 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15526 	struct net_device *dev = info->user_ptr[1];
15527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15528 	struct cfg80211_pmk_conf pmk_conf = {};
15529 
15530 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15531 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15532 		return -EOPNOTSUPP;
15533 
15534 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15535 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15536 		return -EOPNOTSUPP;
15537 
15538 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15539 		return -EINVAL;
15540 
15541 	if (!wdev->connected)
15542 		return -ENOTCONN;
15543 
15544 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15545 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15546 		return -EINVAL;
15547 
15548 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15549 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15550 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15551 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15552 		return -EINVAL;
15553 
15554 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15555 		pmk_conf.pmk_r0_name =
15556 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15557 
15558 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15559 }
15560 
15561 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15562 {
15563 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15564 	struct net_device *dev = info->user_ptr[1];
15565 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15566 	const u8 *aa;
15567 
15568 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15569 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15570 		return -EOPNOTSUPP;
15571 
15572 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15573 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15574 		return -EOPNOTSUPP;
15575 
15576 	if (!info->attrs[NL80211_ATTR_MAC])
15577 		return -EINVAL;
15578 
15579 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15580 	return rdev_del_pmk(rdev, dev, aa);
15581 }
15582 
15583 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15584 {
15585 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15586 	struct net_device *dev = info->user_ptr[1];
15587 	struct cfg80211_external_auth_params params;
15588 
15589 	if (!rdev->ops->external_auth)
15590 		return -EOPNOTSUPP;
15591 
15592 	if (!info->attrs[NL80211_ATTR_SSID] &&
15593 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15594 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15595 		return -EINVAL;
15596 
15597 	if (!info->attrs[NL80211_ATTR_BSSID])
15598 		return -EINVAL;
15599 
15600 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15601 		return -EINVAL;
15602 
15603 	memset(&params, 0, sizeof(params));
15604 
15605 	if (info->attrs[NL80211_ATTR_SSID]) {
15606 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15607 		if (params.ssid.ssid_len == 0)
15608 			return -EINVAL;
15609 		memcpy(params.ssid.ssid,
15610 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15611 		       params.ssid.ssid_len);
15612 	}
15613 
15614 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15615 	       ETH_ALEN);
15616 
15617 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15618 
15619 	if (info->attrs[NL80211_ATTR_PMKID])
15620 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15621 
15622 	return rdev_external_auth(rdev, dev, &params);
15623 }
15624 
15625 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15626 {
15627 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15629 	struct net_device *dev = info->user_ptr[1];
15630 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15631 	const u8 *buf;
15632 	size_t len;
15633 	u8 *dest;
15634 	u16 proto;
15635 	bool noencrypt;
15636 	u64 cookie = 0;
15637 	int link_id;
15638 	int err;
15639 
15640 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15641 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15642 		return -EOPNOTSUPP;
15643 
15644 	if (!rdev->ops->tx_control_port)
15645 		return -EOPNOTSUPP;
15646 
15647 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15648 	    !info->attrs[NL80211_ATTR_MAC] ||
15649 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15650 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15651 		return -EINVAL;
15652 	}
15653 
15654 	switch (wdev->iftype) {
15655 	case NL80211_IFTYPE_AP:
15656 	case NL80211_IFTYPE_P2P_GO:
15657 	case NL80211_IFTYPE_MESH_POINT:
15658 		break;
15659 	case NL80211_IFTYPE_ADHOC:
15660 		if (wdev->u.ibss.current_bss)
15661 			break;
15662 		return -ENOTCONN;
15663 	case NL80211_IFTYPE_STATION:
15664 	case NL80211_IFTYPE_P2P_CLIENT:
15665 		if (wdev->connected)
15666 			break;
15667 		return -ENOTCONN;
15668 	default:
15669 		return -EOPNOTSUPP;
15670 	}
15671 
15672 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15673 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15674 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15675 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15676 	noencrypt =
15677 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15678 
15679 	link_id = nl80211_link_id_or_invalid(info->attrs);
15680 
15681 	err = rdev_tx_control_port(rdev, dev, buf, len,
15682 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15683 				   dont_wait_for_ack ? NULL : &cookie);
15684 	if (!err && !dont_wait_for_ack)
15685 		nl_set_extack_cookie_u64(info->extack, cookie);
15686 	return err;
15687 }
15688 
15689 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15690 					   struct genl_info *info)
15691 {
15692 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15693 	struct net_device *dev = info->user_ptr[1];
15694 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15695 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15696 	unsigned int link_id = nl80211_link_id(info->attrs);
15697 	struct sk_buff *msg;
15698 	void *hdr;
15699 	struct nlattr *ftm_stats_attr;
15700 	int err;
15701 
15702 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15703 	    !wdev->links[link_id].ap.beacon_interval)
15704 		return -EOPNOTSUPP;
15705 
15706 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15707 	if (err)
15708 		return err;
15709 
15710 	if (!ftm_stats.filled)
15711 		return -ENODATA;
15712 
15713 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15714 	if (!msg)
15715 		return -ENOMEM;
15716 
15717 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15718 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15719 	if (!hdr)
15720 		goto nla_put_failure;
15721 
15722 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15723 		goto nla_put_failure;
15724 
15725 	ftm_stats_attr = nla_nest_start_noflag(msg,
15726 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15727 	if (!ftm_stats_attr)
15728 		goto nla_put_failure;
15729 
15730 #define SET_FTM(field, name, type)					 \
15731 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15732 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15733 			     ftm_stats.field))				 \
15734 		goto nla_put_failure; } while (0)
15735 #define SET_FTM_U64(field, name)					 \
15736 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15737 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15738 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15739 		goto nla_put_failure; } while (0)
15740 
15741 	SET_FTM(success_num, SUCCESS_NUM, u32);
15742 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15743 	SET_FTM(failed_num, FAILED_NUM, u32);
15744 	SET_FTM(asap_num, ASAP_NUM, u32);
15745 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15746 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15747 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15748 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15749 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15750 #undef SET_FTM
15751 
15752 	nla_nest_end(msg, ftm_stats_attr);
15753 
15754 	genlmsg_end(msg, hdr);
15755 	return genlmsg_reply(msg, info);
15756 
15757 nla_put_failure:
15758 	nlmsg_free(msg);
15759 	return -ENOBUFS;
15760 }
15761 
15762 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15763 {
15764 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15765 	struct cfg80211_update_owe_info owe_info;
15766 	struct net_device *dev = info->user_ptr[1];
15767 
15768 	if (!rdev->ops->update_owe_info)
15769 		return -EOPNOTSUPP;
15770 
15771 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15772 	    !info->attrs[NL80211_ATTR_MAC])
15773 		return -EINVAL;
15774 
15775 	memset(&owe_info, 0, sizeof(owe_info));
15776 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15777 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15778 
15779 	if (info->attrs[NL80211_ATTR_IE]) {
15780 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15781 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15782 	}
15783 
15784 	return rdev_update_owe_info(rdev, dev, &owe_info);
15785 }
15786 
15787 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15788 {
15789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15790 	struct net_device *dev = info->user_ptr[1];
15791 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15792 	struct station_info sinfo = {};
15793 	const u8 *buf;
15794 	size_t len;
15795 	u8 *dest;
15796 	int err;
15797 
15798 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15799 		return -EOPNOTSUPP;
15800 
15801 	if (!info->attrs[NL80211_ATTR_MAC] ||
15802 	    !info->attrs[NL80211_ATTR_FRAME]) {
15803 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15804 		return -EINVAL;
15805 	}
15806 
15807 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15808 		return -EOPNOTSUPP;
15809 
15810 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15811 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15812 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15813 
15814 	if (len < sizeof(struct ethhdr))
15815 		return -EINVAL;
15816 
15817 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15818 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15819 		return -EINVAL;
15820 
15821 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15822 	if (err)
15823 		return err;
15824 
15825 	cfg80211_sinfo_release_content(&sinfo);
15826 
15827 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15828 }
15829 
15830 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15831 			  struct nlattr *attrs[], struct net_device *dev,
15832 			  struct cfg80211_tid_cfg *tid_conf,
15833 			  struct genl_info *info, const u8 *peer,
15834 			  unsigned int link_id)
15835 {
15836 	struct netlink_ext_ack *extack = info->extack;
15837 	u64 mask;
15838 	int err;
15839 
15840 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15841 		return -EINVAL;
15842 
15843 	tid_conf->config_override =
15844 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15845 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15846 
15847 	if (tid_conf->config_override) {
15848 		if (rdev->ops->reset_tid_config) {
15849 			err = rdev_reset_tid_config(rdev, dev, peer,
15850 						    tid_conf->tids);
15851 			if (err)
15852 				return err;
15853 		} else {
15854 			return -EINVAL;
15855 		}
15856 	}
15857 
15858 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15859 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15860 		tid_conf->noack =
15861 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15862 	}
15863 
15864 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15865 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15866 		tid_conf->retry_short =
15867 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15868 
15869 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15870 			return -EINVAL;
15871 	}
15872 
15873 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15874 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15875 		tid_conf->retry_long =
15876 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15877 
15878 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15879 			return -EINVAL;
15880 	}
15881 
15882 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15883 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15884 		tid_conf->ampdu =
15885 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15886 	}
15887 
15888 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15889 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15890 		tid_conf->rtscts =
15891 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15892 	}
15893 
15894 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15895 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15896 		tid_conf->amsdu =
15897 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15898 	}
15899 
15900 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15901 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15902 
15903 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15904 
15905 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15906 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15907 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15908 						    &tid_conf->txrate_mask, dev,
15909 						    true, link_id);
15910 			if (err)
15911 				return err;
15912 
15913 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15914 		}
15915 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15916 	}
15917 
15918 	if (peer)
15919 		mask = rdev->wiphy.tid_config_support.peer;
15920 	else
15921 		mask = rdev->wiphy.tid_config_support.vif;
15922 
15923 	if (tid_conf->mask & ~mask) {
15924 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15925 		return -EOPNOTSUPP;
15926 	}
15927 
15928 	return 0;
15929 }
15930 
15931 static int nl80211_set_tid_config(struct sk_buff *skb,
15932 				  struct genl_info *info)
15933 {
15934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15935 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15936 	unsigned int link_id = nl80211_link_id(info->attrs);
15937 	struct net_device *dev = info->user_ptr[1];
15938 	struct cfg80211_tid_config *tid_config;
15939 	struct nlattr *tid;
15940 	int conf_idx = 0, rem_conf;
15941 	int ret = -EINVAL;
15942 	u32 num_conf = 0;
15943 
15944 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15945 		return -EINVAL;
15946 
15947 	if (!rdev->ops->set_tid_config)
15948 		return -EOPNOTSUPP;
15949 
15950 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15951 			    rem_conf)
15952 		num_conf++;
15953 
15954 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15955 			     GFP_KERNEL);
15956 	if (!tid_config)
15957 		return -ENOMEM;
15958 
15959 	tid_config->n_tid_conf = num_conf;
15960 
15961 	if (info->attrs[NL80211_ATTR_MAC])
15962 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15963 
15964 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15965 			    rem_conf) {
15966 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15967 				       tid, NULL, NULL);
15968 
15969 		if (ret)
15970 			goto bad_tid_conf;
15971 
15972 		ret = parse_tid_conf(rdev, attrs, dev,
15973 				     &tid_config->tid_conf[conf_idx],
15974 				     info, tid_config->peer, link_id);
15975 		if (ret)
15976 			goto bad_tid_conf;
15977 
15978 		conf_idx++;
15979 	}
15980 
15981 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15982 
15983 bad_tid_conf:
15984 	kfree(tid_config);
15985 	return ret;
15986 }
15987 
15988 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15989 {
15990 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15991 	struct cfg80211_color_change_settings params = {};
15992 	struct net_device *dev = info->user_ptr[1];
15993 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15994 	struct nlattr **tb;
15995 	u16 offset;
15996 	int err;
15997 
15998 	if (!rdev->ops->color_change)
15999 		return -EOPNOTSUPP;
16000 
16001 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16002 				     NL80211_EXT_FEATURE_BSS_COLOR))
16003 		return -EOPNOTSUPP;
16004 
16005 	if (wdev->iftype != NL80211_IFTYPE_AP)
16006 		return -EOPNOTSUPP;
16007 
16008 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16009 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16010 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16011 		return -EINVAL;
16012 
16013 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16014 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16015 
16016 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16017 				   info->extack);
16018 	if (err)
16019 		return err;
16020 
16021 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16022 	if (!tb)
16023 		return -ENOMEM;
16024 
16025 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16026 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16027 			       nl80211_policy, info->extack);
16028 	if (err)
16029 		goto out;
16030 
16031 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16032 				   info->extack);
16033 	if (err)
16034 		goto out;
16035 
16036 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16037 		err = -EINVAL;
16038 		goto out;
16039 	}
16040 
16041 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16042 		err = -EINVAL;
16043 		goto out;
16044 	}
16045 
16046 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16047 	if (offset >= params.beacon_color_change.tail_len) {
16048 		err = -EINVAL;
16049 		goto out;
16050 	}
16051 
16052 	if (params.beacon_color_change.tail[offset] != params.count) {
16053 		err = -EINVAL;
16054 		goto out;
16055 	}
16056 
16057 	params.counter_offset_beacon = offset;
16058 
16059 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16060 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16061 		    sizeof(u16)) {
16062 			err = -EINVAL;
16063 			goto out;
16064 		}
16065 
16066 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16067 		if (offset >= params.beacon_color_change.probe_resp_len) {
16068 			err = -EINVAL;
16069 			goto out;
16070 		}
16071 
16072 		if (params.beacon_color_change.probe_resp[offset] !=
16073 		    params.count) {
16074 			err = -EINVAL;
16075 			goto out;
16076 		}
16077 
16078 		params.counter_offset_presp = offset;
16079 	}
16080 
16081 	params.link_id = nl80211_link_id(info->attrs);
16082 	err = rdev_color_change(rdev, dev, &params);
16083 
16084 out:
16085 	kfree(params.beacon_next.mbssid_ies);
16086 	kfree(params.beacon_color_change.mbssid_ies);
16087 	kfree(params.beacon_next.rnr_ies);
16088 	kfree(params.beacon_color_change.rnr_ies);
16089 	kfree(tb);
16090 	return err;
16091 }
16092 
16093 static int nl80211_set_fils_aad(struct sk_buff *skb,
16094 				struct genl_info *info)
16095 {
16096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16097 	struct net_device *dev = info->user_ptr[1];
16098 	struct cfg80211_fils_aad fils_aad = {};
16099 	u8 *nonces;
16100 
16101 	if (!info->attrs[NL80211_ATTR_MAC] ||
16102 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16103 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16104 		return -EINVAL;
16105 
16106 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16107 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16108 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16109 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16110 	fils_aad.snonce = nonces;
16111 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16112 
16113 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16114 }
16115 
16116 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16117 {
16118 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16119 	unsigned int link_id = nl80211_link_id(info->attrs);
16120 	struct net_device *dev = info->user_ptr[1];
16121 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16122 	int ret;
16123 
16124 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16125 		return -EINVAL;
16126 
16127 	switch (wdev->iftype) {
16128 	case NL80211_IFTYPE_AP:
16129 		break;
16130 	default:
16131 		return -EINVAL;
16132 	}
16133 
16134 	if (!info->attrs[NL80211_ATTR_MAC] ||
16135 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16136 		return -EINVAL;
16137 
16138 	wdev->valid_links |= BIT(link_id);
16139 	ether_addr_copy(wdev->links[link_id].addr,
16140 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16141 
16142 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16143 	if (ret) {
16144 		wdev->valid_links &= ~BIT(link_id);
16145 		eth_zero_addr(wdev->links[link_id].addr);
16146 	}
16147 
16148 	return ret;
16149 }
16150 
16151 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16152 {
16153 	unsigned int link_id = nl80211_link_id(info->attrs);
16154 	struct net_device *dev = info->user_ptr[1];
16155 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16156 
16157 	/* cannot remove if there's no link */
16158 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16159 		return -EINVAL;
16160 
16161 	switch (wdev->iftype) {
16162 	case NL80211_IFTYPE_AP:
16163 		break;
16164 	default:
16165 		return -EINVAL;
16166 	}
16167 
16168 	cfg80211_remove_link(wdev, link_id);
16169 
16170 	return 0;
16171 }
16172 
16173 static int
16174 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16175 			     bool add)
16176 {
16177 	struct link_station_parameters params = {};
16178 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16179 	struct net_device *dev = info->user_ptr[1];
16180 	int err;
16181 
16182 	if ((add && !rdev->ops->add_link_station) ||
16183 	    (!add && !rdev->ops->mod_link_station))
16184 		return -EOPNOTSUPP;
16185 
16186 	if (add && !info->attrs[NL80211_ATTR_MAC])
16187 		return -EINVAL;
16188 
16189 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16190 		return -EINVAL;
16191 
16192 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16193 		return -EINVAL;
16194 
16195 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16196 
16197 	if (info->attrs[NL80211_ATTR_MAC]) {
16198 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16199 		if (!is_valid_ether_addr(params.link_mac))
16200 			return -EINVAL;
16201 	}
16202 
16203 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16204 		return -EINVAL;
16205 
16206 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16207 
16208 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16209 		params.supported_rates =
16210 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16211 		params.supported_rates_len =
16212 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16213 	}
16214 
16215 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16216 		params.ht_capa =
16217 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16218 
16219 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16220 		params.vht_capa =
16221 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16222 
16223 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16224 		params.he_capa =
16225 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16226 		params.he_capa_len =
16227 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16228 
16229 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16230 			params.eht_capa =
16231 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16232 			params.eht_capa_len =
16233 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16234 
16235 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16236 							(const u8 *)params.eht_capa,
16237 							params.eht_capa_len,
16238 							false))
16239 				return -EINVAL;
16240 		}
16241 	}
16242 
16243 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16244 		params.he_6ghz_capa =
16245 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16246 
16247 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16248 		params.opmode_notif_used = true;
16249 		params.opmode_notif =
16250 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16251 	}
16252 
16253 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16254 						&params.txpwr_set);
16255 	if (err)
16256 		return err;
16257 
16258 	if (add)
16259 		return rdev_add_link_station(rdev, dev, &params);
16260 
16261 	return rdev_mod_link_station(rdev, dev, &params);
16262 }
16263 
16264 static int
16265 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16266 {
16267 	return nl80211_add_mod_link_station(skb, info, true);
16268 }
16269 
16270 static int
16271 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16272 {
16273 	return nl80211_add_mod_link_station(skb, info, false);
16274 }
16275 
16276 static int
16277 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16278 {
16279 	struct link_station_del_parameters params = {};
16280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16281 	struct net_device *dev = info->user_ptr[1];
16282 
16283 	if (!rdev->ops->del_link_station)
16284 		return -EOPNOTSUPP;
16285 
16286 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16287 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16288 		return -EINVAL;
16289 
16290 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16291 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16292 
16293 	return rdev_del_link_station(rdev, dev, &params);
16294 }
16295 
16296 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16297 				    struct genl_info *info)
16298 {
16299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16300 	struct net_device *dev = info->user_ptr[1];
16301 	struct cfg80211_set_hw_timestamp hwts = {};
16302 
16303 	if (!rdev->wiphy.hw_timestamp_max_peers)
16304 		return -EOPNOTSUPP;
16305 
16306 	if (!info->attrs[NL80211_ATTR_MAC] &&
16307 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16308 		return -EOPNOTSUPP;
16309 
16310 	if (info->attrs[NL80211_ATTR_MAC])
16311 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16312 
16313 	hwts.enable =
16314 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16315 
16316 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16317 }
16318 
16319 static int
16320 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16321 {
16322 	struct cfg80211_ttlm_params params = {};
16323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16324 	struct net_device *dev = info->user_ptr[1];
16325 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16326 
16327 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16328 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16329 		return -EOPNOTSUPP;
16330 
16331 	if (!wdev->connected)
16332 		return -ENOLINK;
16333 
16334 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16335 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16336 		return -EINVAL;
16337 
16338 	nla_memcpy(params.dlink,
16339 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16340 		   sizeof(params.dlink));
16341 	nla_memcpy(params.ulink,
16342 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16343 		   sizeof(params.ulink));
16344 
16345 	return rdev_set_ttlm(rdev, dev, &params);
16346 }
16347 
16348 #define NL80211_FLAG_NEED_WIPHY		0x01
16349 #define NL80211_FLAG_NEED_NETDEV	0x02
16350 #define NL80211_FLAG_NEED_RTNL		0x04
16351 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16352 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16353 					 NL80211_FLAG_CHECK_NETDEV_UP)
16354 #define NL80211_FLAG_NEED_WDEV		0x10
16355 /* If a netdev is associated, it must be UP, P2P must be started */
16356 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16357 					 NL80211_FLAG_CHECK_NETDEV_UP)
16358 #define NL80211_FLAG_CLEAR_SKB		0x20
16359 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16360 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16361 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16362 
16363 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16364 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16365 	SELECTOR(__sel, WIPHY,				\
16366 		 NL80211_FLAG_NEED_WIPHY)		\
16367 	SELECTOR(__sel, WDEV,				\
16368 		 NL80211_FLAG_NEED_WDEV)		\
16369 	SELECTOR(__sel, NETDEV,				\
16370 		 NL80211_FLAG_NEED_NETDEV)		\
16371 	SELECTOR(__sel, NETDEV_LINK,			\
16372 		 NL80211_FLAG_NEED_NETDEV |		\
16373 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16374 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16375 		 NL80211_FLAG_NEED_NETDEV |		\
16376 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16377 	SELECTOR(__sel, WIPHY_RTNL,			\
16378 		 NL80211_FLAG_NEED_WIPHY |		\
16379 		 NL80211_FLAG_NEED_RTNL)		\
16380 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16381 		 NL80211_FLAG_NEED_WIPHY |		\
16382 		 NL80211_FLAG_NEED_RTNL |		\
16383 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16384 	SELECTOR(__sel, WDEV_RTNL,			\
16385 		 NL80211_FLAG_NEED_WDEV |		\
16386 		 NL80211_FLAG_NEED_RTNL)		\
16387 	SELECTOR(__sel, NETDEV_RTNL,			\
16388 		 NL80211_FLAG_NEED_NETDEV |		\
16389 		 NL80211_FLAG_NEED_RTNL)		\
16390 	SELECTOR(__sel, NETDEV_UP,			\
16391 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16392 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16393 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16394 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16395 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16396 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16397 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16398 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16399 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16400 		 NL80211_FLAG_CLEAR_SKB |		\
16401 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16402 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16403 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16404 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16405 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16406 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16407 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16408 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16409 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16410 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16411 		 NL80211_FLAG_CLEAR_SKB)		\
16412 	SELECTOR(__sel, WDEV_UP,			\
16413 		 NL80211_FLAG_NEED_WDEV_UP)		\
16414 	SELECTOR(__sel, WDEV_UP_LINK,			\
16415 		 NL80211_FLAG_NEED_WDEV_UP |		\
16416 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16417 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16418 		 NL80211_FLAG_NEED_WDEV_UP |		\
16419 		 NL80211_FLAG_NEED_RTNL)		\
16420 	SELECTOR(__sel, WIPHY_CLEAR,			\
16421 		 NL80211_FLAG_NEED_WIPHY |		\
16422 		 NL80211_FLAG_CLEAR_SKB)
16423 
16424 enum nl80211_internal_flags_selector {
16425 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16426 	INTERNAL_FLAG_SELECTORS(_)
16427 #undef SELECTOR
16428 };
16429 
16430 static u32 nl80211_internal_flags[] = {
16431 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16432 	INTERNAL_FLAG_SELECTORS(_)
16433 #undef SELECTOR
16434 };
16435 
16436 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16437 			    struct sk_buff *skb,
16438 			    struct genl_info *info)
16439 {
16440 	struct cfg80211_registered_device *rdev = NULL;
16441 	struct wireless_dev *wdev = NULL;
16442 	struct net_device *dev = NULL;
16443 	u32 internal_flags;
16444 	int err;
16445 
16446 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16447 		return -EINVAL;
16448 
16449 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16450 
16451 	rtnl_lock();
16452 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16453 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16454 		if (IS_ERR(rdev)) {
16455 			err = PTR_ERR(rdev);
16456 			goto out_unlock;
16457 		}
16458 		info->user_ptr[0] = rdev;
16459 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16460 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16461 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16462 						  info->attrs);
16463 		if (IS_ERR(wdev)) {
16464 			err = PTR_ERR(wdev);
16465 			goto out_unlock;
16466 		}
16467 
16468 		dev = wdev->netdev;
16469 		dev_hold(dev);
16470 		rdev = wiphy_to_rdev(wdev->wiphy);
16471 
16472 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16473 			if (!dev) {
16474 				err = -EINVAL;
16475 				goto out_unlock;
16476 			}
16477 
16478 			info->user_ptr[1] = dev;
16479 		} else {
16480 			info->user_ptr[1] = wdev;
16481 		}
16482 
16483 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16484 		    !wdev_running(wdev)) {
16485 			err = -ENETDOWN;
16486 			goto out_unlock;
16487 		}
16488 
16489 		info->user_ptr[0] = rdev;
16490 	}
16491 
16492 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16493 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16494 
16495 		if (!wdev) {
16496 			err = -EINVAL;
16497 			goto out_unlock;
16498 		}
16499 
16500 		/* MLO -> require valid link ID */
16501 		if (wdev->valid_links &&
16502 		    (!link_id ||
16503 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16504 			err = -EINVAL;
16505 			goto out_unlock;
16506 		}
16507 
16508 		/* non-MLO -> no link ID attribute accepted */
16509 		if (!wdev->valid_links && link_id) {
16510 			err = -EINVAL;
16511 			goto out_unlock;
16512 		}
16513 	}
16514 
16515 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16516 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16517 		    (wdev && wdev->valid_links)) {
16518 			err = -EINVAL;
16519 			goto out_unlock;
16520 		}
16521 	}
16522 
16523 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16524 		wiphy_lock(&rdev->wiphy);
16525 		/* we keep the mutex locked until post_doit */
16526 		__release(&rdev->wiphy.mtx);
16527 	}
16528 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16529 		rtnl_unlock();
16530 
16531 	return 0;
16532 out_unlock:
16533 	rtnl_unlock();
16534 	dev_put(dev);
16535 	return err;
16536 }
16537 
16538 static void nl80211_post_doit(const struct genl_split_ops *ops,
16539 			      struct sk_buff *skb,
16540 			      struct genl_info *info)
16541 {
16542 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16543 
16544 	if (info->user_ptr[1]) {
16545 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16546 			struct wireless_dev *wdev = info->user_ptr[1];
16547 
16548 			dev_put(wdev->netdev);
16549 		} else {
16550 			dev_put(info->user_ptr[1]);
16551 		}
16552 	}
16553 
16554 	if (info->user_ptr[0] &&
16555 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16556 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16557 
16558 		/* we kept the mutex locked since pre_doit */
16559 		__acquire(&rdev->wiphy.mtx);
16560 		wiphy_unlock(&rdev->wiphy);
16561 	}
16562 
16563 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16564 		rtnl_unlock();
16565 
16566 	/* If needed, clear the netlink message payload from the SKB
16567 	 * as it might contain key data that shouldn't stick around on
16568 	 * the heap after the SKB is freed. The netlink message header
16569 	 * is still needed for further processing, so leave it intact.
16570 	 */
16571 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16572 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16573 
16574 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16575 	}
16576 }
16577 
16578 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16579 				     struct cfg80211_sar_specs *sar_specs,
16580 				     struct nlattr *spec[], int index)
16581 {
16582 	u32 range_index, i;
16583 
16584 	if (!sar_specs || !spec)
16585 		return -EINVAL;
16586 
16587 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16588 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16589 		return -EINVAL;
16590 
16591 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16592 
16593 	/* check if range_index exceeds num_freq_ranges */
16594 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16595 		return -EINVAL;
16596 
16597 	/* check if range_index duplicates */
16598 	for (i = 0; i < index; i++) {
16599 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16600 			return -EINVAL;
16601 	}
16602 
16603 	sar_specs->sub_specs[index].power =
16604 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16605 
16606 	sar_specs->sub_specs[index].freq_range_index = range_index;
16607 
16608 	return 0;
16609 }
16610 
16611 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16612 {
16613 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16614 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16615 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16616 	struct cfg80211_sar_specs *sar_spec;
16617 	enum nl80211_sar_type type;
16618 	struct nlattr *spec_list;
16619 	u32 specs;
16620 	int rem, err;
16621 
16622 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16623 		return -EOPNOTSUPP;
16624 
16625 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16626 		return -EINVAL;
16627 
16628 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16629 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16630 			 NULL, NULL);
16631 
16632 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16633 		return -EINVAL;
16634 
16635 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16636 	if (type != rdev->wiphy.sar_capa->type)
16637 		return -EINVAL;
16638 
16639 	specs = 0;
16640 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16641 		specs++;
16642 
16643 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16644 		return -EINVAL;
16645 
16646 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16647 	if (!sar_spec)
16648 		return -ENOMEM;
16649 
16650 	sar_spec->type = type;
16651 	specs = 0;
16652 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16653 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16654 				 spec_list, NULL, NULL);
16655 
16656 		switch (type) {
16657 		case NL80211_SAR_TYPE_POWER:
16658 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16659 						      spec, specs)) {
16660 				err = -EINVAL;
16661 				goto error;
16662 			}
16663 			break;
16664 		default:
16665 			err = -EINVAL;
16666 			goto error;
16667 		}
16668 		specs++;
16669 	}
16670 
16671 	sar_spec->num_sub_specs = specs;
16672 
16673 	rdev->cur_cmd_info = info;
16674 	err = rdev_set_sar_specs(rdev, sar_spec);
16675 	rdev->cur_cmd_info = NULL;
16676 error:
16677 	kfree(sar_spec);
16678 	return err;
16679 }
16680 
16681 #define SELECTOR(__sel, name, value) \
16682 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16683 int __missing_selector(void);
16684 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16685 
16686 static const struct genl_ops nl80211_ops[] = {
16687 	{
16688 		.cmd = NL80211_CMD_GET_WIPHY,
16689 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16690 		.doit = nl80211_get_wiphy,
16691 		.dumpit = nl80211_dump_wiphy,
16692 		.done = nl80211_dump_wiphy_done,
16693 		/* can be retrieved by unprivileged users */
16694 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16695 	},
16696 };
16697 
16698 static const struct genl_small_ops nl80211_small_ops[] = {
16699 	{
16700 		.cmd = NL80211_CMD_SET_WIPHY,
16701 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16702 		.doit = nl80211_set_wiphy,
16703 		.flags = GENL_UNS_ADMIN_PERM,
16704 	},
16705 	{
16706 		.cmd = NL80211_CMD_GET_INTERFACE,
16707 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16708 		.doit = nl80211_get_interface,
16709 		.dumpit = nl80211_dump_interface,
16710 		/* can be retrieved by unprivileged users */
16711 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16712 	},
16713 	{
16714 		.cmd = NL80211_CMD_SET_INTERFACE,
16715 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16716 		.doit = nl80211_set_interface,
16717 		.flags = GENL_UNS_ADMIN_PERM,
16718 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16719 					 NL80211_FLAG_NEED_RTNL),
16720 	},
16721 	{
16722 		.cmd = NL80211_CMD_NEW_INTERFACE,
16723 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16724 		.doit = nl80211_new_interface,
16725 		.flags = GENL_UNS_ADMIN_PERM,
16726 		.internal_flags =
16727 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16728 			       NL80211_FLAG_NEED_RTNL |
16729 			       /* we take the wiphy mutex later ourselves */
16730 			       NL80211_FLAG_NO_WIPHY_MTX),
16731 	},
16732 	{
16733 		.cmd = NL80211_CMD_DEL_INTERFACE,
16734 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16735 		.doit = nl80211_del_interface,
16736 		.flags = GENL_UNS_ADMIN_PERM,
16737 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16738 					 NL80211_FLAG_NEED_RTNL),
16739 	},
16740 	{
16741 		.cmd = NL80211_CMD_GET_KEY,
16742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16743 		.doit = nl80211_get_key,
16744 		.flags = GENL_UNS_ADMIN_PERM,
16745 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16746 	},
16747 	{
16748 		.cmd = NL80211_CMD_SET_KEY,
16749 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16750 		.doit = nl80211_set_key,
16751 		.flags = GENL_UNS_ADMIN_PERM,
16752 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16753 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16754 					 NL80211_FLAG_CLEAR_SKB),
16755 	},
16756 	{
16757 		.cmd = NL80211_CMD_NEW_KEY,
16758 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16759 		.doit = nl80211_new_key,
16760 		.flags = GENL_UNS_ADMIN_PERM,
16761 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16762 					 NL80211_FLAG_CLEAR_SKB),
16763 	},
16764 	{
16765 		.cmd = NL80211_CMD_DEL_KEY,
16766 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16767 		.doit = nl80211_del_key,
16768 		.flags = GENL_UNS_ADMIN_PERM,
16769 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16770 	},
16771 	{
16772 		.cmd = NL80211_CMD_SET_BEACON,
16773 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16774 		.flags = GENL_UNS_ADMIN_PERM,
16775 		.doit = nl80211_set_beacon,
16776 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16777 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16778 	},
16779 	{
16780 		.cmd = NL80211_CMD_START_AP,
16781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16782 		.flags = GENL_UNS_ADMIN_PERM,
16783 		.doit = nl80211_start_ap,
16784 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16785 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16786 	},
16787 	{
16788 		.cmd = NL80211_CMD_STOP_AP,
16789 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16790 		.flags = GENL_UNS_ADMIN_PERM,
16791 		.doit = nl80211_stop_ap,
16792 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16793 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16794 	},
16795 	{
16796 		.cmd = NL80211_CMD_GET_STATION,
16797 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16798 		.doit = nl80211_get_station,
16799 		.dumpit = nl80211_dump_station,
16800 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16801 	},
16802 	{
16803 		.cmd = NL80211_CMD_SET_STATION,
16804 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16805 		.doit = nl80211_set_station,
16806 		.flags = GENL_UNS_ADMIN_PERM,
16807 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16808 	},
16809 	{
16810 		.cmd = NL80211_CMD_NEW_STATION,
16811 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16812 		.doit = nl80211_new_station,
16813 		.flags = GENL_UNS_ADMIN_PERM,
16814 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16815 	},
16816 	{
16817 		.cmd = NL80211_CMD_DEL_STATION,
16818 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16819 		.doit = nl80211_del_station,
16820 		.flags = GENL_UNS_ADMIN_PERM,
16821 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
16822 		 * whether MAC address is passed or not. If MAC address is
16823 		 * passed, then even during MLO, link ID is not required.
16824 		 */
16825 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16826 	},
16827 	{
16828 		.cmd = NL80211_CMD_GET_MPATH,
16829 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16830 		.doit = nl80211_get_mpath,
16831 		.dumpit = nl80211_dump_mpath,
16832 		.flags = GENL_UNS_ADMIN_PERM,
16833 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16834 	},
16835 	{
16836 		.cmd = NL80211_CMD_GET_MPP,
16837 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16838 		.doit = nl80211_get_mpp,
16839 		.dumpit = nl80211_dump_mpp,
16840 		.flags = GENL_UNS_ADMIN_PERM,
16841 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16842 	},
16843 	{
16844 		.cmd = NL80211_CMD_SET_MPATH,
16845 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16846 		.doit = nl80211_set_mpath,
16847 		.flags = GENL_UNS_ADMIN_PERM,
16848 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16849 	},
16850 	{
16851 		.cmd = NL80211_CMD_NEW_MPATH,
16852 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16853 		.doit = nl80211_new_mpath,
16854 		.flags = GENL_UNS_ADMIN_PERM,
16855 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16856 	},
16857 	{
16858 		.cmd = NL80211_CMD_DEL_MPATH,
16859 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16860 		.doit = nl80211_del_mpath,
16861 		.flags = GENL_UNS_ADMIN_PERM,
16862 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16863 	},
16864 	{
16865 		.cmd = NL80211_CMD_SET_BSS,
16866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16867 		.doit = nl80211_set_bss,
16868 		.flags = GENL_UNS_ADMIN_PERM,
16869 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16870 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16871 	},
16872 	{
16873 		.cmd = NL80211_CMD_GET_REG,
16874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16875 		.doit = nl80211_get_reg_do,
16876 		.dumpit = nl80211_get_reg_dump,
16877 		/* can be retrieved by unprivileged users */
16878 	},
16879 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16880 	{
16881 		.cmd = NL80211_CMD_SET_REG,
16882 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16883 		.doit = nl80211_set_reg,
16884 		.flags = GENL_ADMIN_PERM,
16885 	},
16886 #endif
16887 	{
16888 		.cmd = NL80211_CMD_REQ_SET_REG,
16889 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16890 		.doit = nl80211_req_set_reg,
16891 		.flags = GENL_ADMIN_PERM,
16892 	},
16893 	{
16894 		.cmd = NL80211_CMD_RELOAD_REGDB,
16895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16896 		.doit = nl80211_reload_regdb,
16897 		.flags = GENL_ADMIN_PERM,
16898 	},
16899 	{
16900 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16901 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16902 		.doit = nl80211_get_mesh_config,
16903 		/* can be retrieved by unprivileged users */
16904 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16905 	},
16906 	{
16907 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16908 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16909 		.doit = nl80211_update_mesh_config,
16910 		.flags = GENL_UNS_ADMIN_PERM,
16911 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16912 	},
16913 	{
16914 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16915 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16916 		.doit = nl80211_trigger_scan,
16917 		.flags = GENL_UNS_ADMIN_PERM,
16918 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16919 	},
16920 	{
16921 		.cmd = NL80211_CMD_ABORT_SCAN,
16922 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16923 		.doit = nl80211_abort_scan,
16924 		.flags = GENL_UNS_ADMIN_PERM,
16925 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16926 	},
16927 	{
16928 		.cmd = NL80211_CMD_GET_SCAN,
16929 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16930 		.dumpit = nl80211_dump_scan,
16931 	},
16932 	{
16933 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16934 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16935 		.doit = nl80211_start_sched_scan,
16936 		.flags = GENL_UNS_ADMIN_PERM,
16937 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16938 	},
16939 	{
16940 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16941 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16942 		.doit = nl80211_stop_sched_scan,
16943 		.flags = GENL_UNS_ADMIN_PERM,
16944 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16945 	},
16946 	{
16947 		.cmd = NL80211_CMD_AUTHENTICATE,
16948 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16949 		.doit = nl80211_authenticate,
16950 		.flags = GENL_UNS_ADMIN_PERM,
16951 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16952 					 NL80211_FLAG_CLEAR_SKB),
16953 	},
16954 	{
16955 		.cmd = NL80211_CMD_ASSOCIATE,
16956 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16957 		.doit = nl80211_associate,
16958 		.flags = GENL_UNS_ADMIN_PERM,
16959 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16960 					 NL80211_FLAG_CLEAR_SKB),
16961 	},
16962 	{
16963 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16964 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16965 		.doit = nl80211_deauthenticate,
16966 		.flags = GENL_UNS_ADMIN_PERM,
16967 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16968 	},
16969 	{
16970 		.cmd = NL80211_CMD_DISASSOCIATE,
16971 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16972 		.doit = nl80211_disassociate,
16973 		.flags = GENL_UNS_ADMIN_PERM,
16974 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16975 	},
16976 	{
16977 		.cmd = NL80211_CMD_JOIN_IBSS,
16978 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16979 		.doit = nl80211_join_ibss,
16980 		.flags = GENL_UNS_ADMIN_PERM,
16981 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16982 	},
16983 	{
16984 		.cmd = NL80211_CMD_LEAVE_IBSS,
16985 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16986 		.doit = nl80211_leave_ibss,
16987 		.flags = GENL_UNS_ADMIN_PERM,
16988 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16989 	},
16990 #ifdef CONFIG_NL80211_TESTMODE
16991 	{
16992 		.cmd = NL80211_CMD_TESTMODE,
16993 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16994 		.doit = nl80211_testmode_do,
16995 		.dumpit = nl80211_testmode_dump,
16996 		.flags = GENL_UNS_ADMIN_PERM,
16997 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16998 	},
16999 #endif
17000 	{
17001 		.cmd = NL80211_CMD_CONNECT,
17002 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17003 		.doit = nl80211_connect,
17004 		.flags = GENL_UNS_ADMIN_PERM,
17005 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17006 					 NL80211_FLAG_CLEAR_SKB),
17007 	},
17008 	{
17009 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17010 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17011 		.doit = nl80211_update_connect_params,
17012 		.flags = GENL_ADMIN_PERM,
17013 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17014 					 NL80211_FLAG_CLEAR_SKB),
17015 	},
17016 	{
17017 		.cmd = NL80211_CMD_DISCONNECT,
17018 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17019 		.doit = nl80211_disconnect,
17020 		.flags = GENL_UNS_ADMIN_PERM,
17021 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17022 	},
17023 	{
17024 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17025 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17026 		.doit = nl80211_wiphy_netns,
17027 		.flags = GENL_UNS_ADMIN_PERM,
17028 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17029 					 NL80211_FLAG_NEED_RTNL |
17030 					 NL80211_FLAG_NO_WIPHY_MTX),
17031 	},
17032 	{
17033 		.cmd = NL80211_CMD_GET_SURVEY,
17034 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17035 		.dumpit = nl80211_dump_survey,
17036 	},
17037 	{
17038 		.cmd = NL80211_CMD_SET_PMKSA,
17039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17040 		.doit = nl80211_set_pmksa,
17041 		.flags = GENL_UNS_ADMIN_PERM,
17042 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17043 					 NL80211_FLAG_CLEAR_SKB),
17044 	},
17045 	{
17046 		.cmd = NL80211_CMD_DEL_PMKSA,
17047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17048 		.doit = nl80211_del_pmksa,
17049 		.flags = GENL_UNS_ADMIN_PERM,
17050 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17051 	},
17052 	{
17053 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17054 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17055 		.doit = nl80211_flush_pmksa,
17056 		.flags = GENL_UNS_ADMIN_PERM,
17057 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17058 	},
17059 	{
17060 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17061 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17062 		.doit = nl80211_remain_on_channel,
17063 		.flags = GENL_UNS_ADMIN_PERM,
17064 		/* FIXME: requiring a link ID here is probably not good */
17065 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17066 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17067 	},
17068 	{
17069 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17070 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17071 		.doit = nl80211_cancel_remain_on_channel,
17072 		.flags = GENL_UNS_ADMIN_PERM,
17073 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17074 	},
17075 	{
17076 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17077 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17078 		.doit = nl80211_set_tx_bitrate_mask,
17079 		.flags = GENL_UNS_ADMIN_PERM,
17080 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17081 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17082 	},
17083 	{
17084 		.cmd = NL80211_CMD_REGISTER_FRAME,
17085 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17086 		.doit = nl80211_register_mgmt,
17087 		.flags = GENL_UNS_ADMIN_PERM,
17088 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17089 	},
17090 	{
17091 		.cmd = NL80211_CMD_FRAME,
17092 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17093 		.doit = nl80211_tx_mgmt,
17094 		.flags = GENL_UNS_ADMIN_PERM,
17095 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17096 	},
17097 	{
17098 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17099 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17100 		.doit = nl80211_tx_mgmt_cancel_wait,
17101 		.flags = GENL_UNS_ADMIN_PERM,
17102 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17103 	},
17104 	{
17105 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17106 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17107 		.doit = nl80211_set_power_save,
17108 		.flags = GENL_UNS_ADMIN_PERM,
17109 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17110 	},
17111 	{
17112 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17113 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17114 		.doit = nl80211_get_power_save,
17115 		/* can be retrieved by unprivileged users */
17116 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17117 	},
17118 	{
17119 		.cmd = NL80211_CMD_SET_CQM,
17120 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17121 		.doit = nl80211_set_cqm,
17122 		.flags = GENL_UNS_ADMIN_PERM,
17123 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17124 	},
17125 	{
17126 		.cmd = NL80211_CMD_SET_CHANNEL,
17127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17128 		.doit = nl80211_set_channel,
17129 		.flags = GENL_UNS_ADMIN_PERM,
17130 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17131 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17132 	},
17133 	{
17134 		.cmd = NL80211_CMD_JOIN_MESH,
17135 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17136 		.doit = nl80211_join_mesh,
17137 		.flags = GENL_UNS_ADMIN_PERM,
17138 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17139 	},
17140 	{
17141 		.cmd = NL80211_CMD_LEAVE_MESH,
17142 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17143 		.doit = nl80211_leave_mesh,
17144 		.flags = GENL_UNS_ADMIN_PERM,
17145 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17146 	},
17147 	{
17148 		.cmd = NL80211_CMD_JOIN_OCB,
17149 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17150 		.doit = nl80211_join_ocb,
17151 		.flags = GENL_UNS_ADMIN_PERM,
17152 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17153 	},
17154 	{
17155 		.cmd = NL80211_CMD_LEAVE_OCB,
17156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17157 		.doit = nl80211_leave_ocb,
17158 		.flags = GENL_UNS_ADMIN_PERM,
17159 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17160 	},
17161 #ifdef CONFIG_PM
17162 	{
17163 		.cmd = NL80211_CMD_GET_WOWLAN,
17164 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17165 		.doit = nl80211_get_wowlan,
17166 		/* can be retrieved by unprivileged users */
17167 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17168 	},
17169 	{
17170 		.cmd = NL80211_CMD_SET_WOWLAN,
17171 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17172 		.doit = nl80211_set_wowlan,
17173 		.flags = GENL_UNS_ADMIN_PERM,
17174 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17175 	},
17176 #endif
17177 	{
17178 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17179 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17180 		.doit = nl80211_set_rekey_data,
17181 		.flags = GENL_UNS_ADMIN_PERM,
17182 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17183 					 NL80211_FLAG_CLEAR_SKB),
17184 	},
17185 	{
17186 		.cmd = NL80211_CMD_TDLS_MGMT,
17187 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17188 		.doit = nl80211_tdls_mgmt,
17189 		.flags = GENL_UNS_ADMIN_PERM,
17190 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17191 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17192 	},
17193 	{
17194 		.cmd = NL80211_CMD_TDLS_OPER,
17195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17196 		.doit = nl80211_tdls_oper,
17197 		.flags = GENL_UNS_ADMIN_PERM,
17198 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17199 	},
17200 	{
17201 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17202 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17203 		.doit = nl80211_register_unexpected_frame,
17204 		.flags = GENL_UNS_ADMIN_PERM,
17205 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17206 	},
17207 	{
17208 		.cmd = NL80211_CMD_PROBE_CLIENT,
17209 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17210 		.doit = nl80211_probe_client,
17211 		.flags = GENL_UNS_ADMIN_PERM,
17212 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17213 	},
17214 	{
17215 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17216 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17217 		.doit = nl80211_register_beacons,
17218 		.flags = GENL_UNS_ADMIN_PERM,
17219 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17220 	},
17221 	{
17222 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17223 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17224 		.doit = nl80211_set_noack_map,
17225 		.flags = GENL_UNS_ADMIN_PERM,
17226 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17227 	},
17228 	{
17229 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17230 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17231 		.doit = nl80211_start_p2p_device,
17232 		.flags = GENL_UNS_ADMIN_PERM,
17233 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17234 					 NL80211_FLAG_NEED_RTNL),
17235 	},
17236 	{
17237 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17238 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17239 		.doit = nl80211_stop_p2p_device,
17240 		.flags = GENL_UNS_ADMIN_PERM,
17241 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17242 					 NL80211_FLAG_NEED_RTNL),
17243 	},
17244 	{
17245 		.cmd = NL80211_CMD_START_NAN,
17246 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17247 		.doit = nl80211_start_nan,
17248 		.flags = GENL_ADMIN_PERM,
17249 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17250 					 NL80211_FLAG_NEED_RTNL),
17251 	},
17252 	{
17253 		.cmd = NL80211_CMD_STOP_NAN,
17254 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17255 		.doit = nl80211_stop_nan,
17256 		.flags = GENL_ADMIN_PERM,
17257 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17258 					 NL80211_FLAG_NEED_RTNL),
17259 	},
17260 	{
17261 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17262 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17263 		.doit = nl80211_nan_add_func,
17264 		.flags = GENL_ADMIN_PERM,
17265 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17266 	},
17267 	{
17268 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17269 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17270 		.doit = nl80211_nan_del_func,
17271 		.flags = GENL_ADMIN_PERM,
17272 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17273 	},
17274 	{
17275 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17276 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17277 		.doit = nl80211_nan_change_config,
17278 		.flags = GENL_ADMIN_PERM,
17279 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17280 	},
17281 	{
17282 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17284 		.doit = nl80211_set_mcast_rate,
17285 		.flags = GENL_UNS_ADMIN_PERM,
17286 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17287 	},
17288 	{
17289 		.cmd = NL80211_CMD_SET_MAC_ACL,
17290 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17291 		.doit = nl80211_set_mac_acl,
17292 		.flags = GENL_UNS_ADMIN_PERM,
17293 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17294 					 NL80211_FLAG_MLO_UNSUPPORTED),
17295 	},
17296 	{
17297 		.cmd = NL80211_CMD_RADAR_DETECT,
17298 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17299 		.doit = nl80211_start_radar_detection,
17300 		.flags = GENL_UNS_ADMIN_PERM,
17301 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17302 					 NL80211_FLAG_NO_WIPHY_MTX |
17303 					 NL80211_FLAG_MLO_UNSUPPORTED),
17304 	},
17305 	{
17306 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17307 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17308 		.doit = nl80211_get_protocol_features,
17309 	},
17310 	{
17311 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17312 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17313 		.doit = nl80211_update_ft_ies,
17314 		.flags = GENL_UNS_ADMIN_PERM,
17315 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17316 	},
17317 	{
17318 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17319 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17320 		.doit = nl80211_crit_protocol_start,
17321 		.flags = GENL_UNS_ADMIN_PERM,
17322 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17323 	},
17324 	{
17325 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17326 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17327 		.doit = nl80211_crit_protocol_stop,
17328 		.flags = GENL_UNS_ADMIN_PERM,
17329 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17330 	},
17331 	{
17332 		.cmd = NL80211_CMD_GET_COALESCE,
17333 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17334 		.doit = nl80211_get_coalesce,
17335 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17336 	},
17337 	{
17338 		.cmd = NL80211_CMD_SET_COALESCE,
17339 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17340 		.doit = nl80211_set_coalesce,
17341 		.flags = GENL_UNS_ADMIN_PERM,
17342 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17343 	},
17344 	{
17345 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17346 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17347 		.doit = nl80211_channel_switch,
17348 		.flags = GENL_UNS_ADMIN_PERM,
17349 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17350 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17351 	},
17352 	{
17353 		.cmd = NL80211_CMD_VENDOR,
17354 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17355 		.doit = nl80211_vendor_cmd,
17356 		.dumpit = nl80211_vendor_cmd_dump,
17357 		.flags = GENL_UNS_ADMIN_PERM,
17358 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17359 					 NL80211_FLAG_CLEAR_SKB),
17360 	},
17361 	{
17362 		.cmd = NL80211_CMD_SET_QOS_MAP,
17363 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17364 		.doit = nl80211_set_qos_map,
17365 		.flags = GENL_UNS_ADMIN_PERM,
17366 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17367 	},
17368 	{
17369 		.cmd = NL80211_CMD_ADD_TX_TS,
17370 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17371 		.doit = nl80211_add_tx_ts,
17372 		.flags = GENL_UNS_ADMIN_PERM,
17373 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17374 					 NL80211_FLAG_MLO_UNSUPPORTED),
17375 	},
17376 	{
17377 		.cmd = NL80211_CMD_DEL_TX_TS,
17378 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17379 		.doit = nl80211_del_tx_ts,
17380 		.flags = GENL_UNS_ADMIN_PERM,
17381 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17382 	},
17383 	{
17384 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17385 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17386 		.doit = nl80211_tdls_channel_switch,
17387 		.flags = GENL_UNS_ADMIN_PERM,
17388 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17389 	},
17390 	{
17391 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17393 		.doit = nl80211_tdls_cancel_channel_switch,
17394 		.flags = GENL_UNS_ADMIN_PERM,
17395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17396 	},
17397 	{
17398 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17400 		.doit = nl80211_set_multicast_to_unicast,
17401 		.flags = GENL_UNS_ADMIN_PERM,
17402 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17403 	},
17404 	{
17405 		.cmd = NL80211_CMD_SET_PMK,
17406 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17407 		.doit = nl80211_set_pmk,
17408 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17409 					 NL80211_FLAG_CLEAR_SKB),
17410 	},
17411 	{
17412 		.cmd = NL80211_CMD_DEL_PMK,
17413 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17414 		.doit = nl80211_del_pmk,
17415 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17416 	},
17417 	{
17418 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17419 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17420 		.doit = nl80211_external_auth,
17421 		.flags = GENL_ADMIN_PERM,
17422 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17423 	},
17424 	{
17425 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17426 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17427 		.doit = nl80211_tx_control_port,
17428 		.flags = GENL_UNS_ADMIN_PERM,
17429 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17430 	},
17431 	{
17432 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17433 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17434 		.doit = nl80211_get_ftm_responder_stats,
17435 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17436 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17437 	},
17438 	{
17439 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17441 		.doit = nl80211_pmsr_start,
17442 		.flags = GENL_UNS_ADMIN_PERM,
17443 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17444 	},
17445 	{
17446 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17447 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17448 		.doit = nl80211_notify_radar_detection,
17449 		.flags = GENL_UNS_ADMIN_PERM,
17450 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17451 	},
17452 	{
17453 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17454 		.doit = nl80211_update_owe_info,
17455 		.flags = GENL_ADMIN_PERM,
17456 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17457 	},
17458 	{
17459 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17460 		.doit = nl80211_probe_mesh_link,
17461 		.flags = GENL_UNS_ADMIN_PERM,
17462 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17463 	},
17464 	{
17465 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17466 		.doit = nl80211_set_tid_config,
17467 		.flags = GENL_UNS_ADMIN_PERM,
17468 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17469 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17470 	},
17471 	{
17472 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17473 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17474 		.doit = nl80211_set_sar_specs,
17475 		.flags = GENL_UNS_ADMIN_PERM,
17476 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17477 					 NL80211_FLAG_NEED_RTNL),
17478 	},
17479 	{
17480 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17481 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17482 		.doit = nl80211_color_change,
17483 		.flags = GENL_UNS_ADMIN_PERM,
17484 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17485 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17486 	},
17487 	{
17488 		.cmd = NL80211_CMD_SET_FILS_AAD,
17489 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17490 		.doit = nl80211_set_fils_aad,
17491 		.flags = GENL_UNS_ADMIN_PERM,
17492 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17493 	},
17494 	{
17495 		.cmd = NL80211_CMD_ADD_LINK,
17496 		.doit = nl80211_add_link,
17497 		.flags = GENL_UNS_ADMIN_PERM,
17498 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17499 	},
17500 	{
17501 		.cmd = NL80211_CMD_REMOVE_LINK,
17502 		.doit = nl80211_remove_link,
17503 		.flags = GENL_UNS_ADMIN_PERM,
17504 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17505 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17506 	},
17507 	{
17508 		.cmd = NL80211_CMD_ADD_LINK_STA,
17509 		.doit = nl80211_add_link_station,
17510 		.flags = GENL_UNS_ADMIN_PERM,
17511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17512 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17513 	},
17514 	{
17515 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17516 		.doit = nl80211_modify_link_station,
17517 		.flags = GENL_UNS_ADMIN_PERM,
17518 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17519 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17520 	},
17521 	{
17522 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17523 		.doit = nl80211_remove_link_station,
17524 		.flags = GENL_UNS_ADMIN_PERM,
17525 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17526 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17527 	},
17528 	{
17529 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17530 		.doit = nl80211_set_hw_timestamp,
17531 		.flags = GENL_UNS_ADMIN_PERM,
17532 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17533 	},
17534 	{
17535 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17536 		.doit = nl80211_set_ttlm,
17537 		.flags = GENL_UNS_ADMIN_PERM,
17538 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17539 	},
17540 };
17541 
17542 static struct genl_family nl80211_fam __ro_after_init = {
17543 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17544 	.hdrsize = 0,			/* no private header */
17545 	.version = 1,			/* no particular meaning now */
17546 	.maxattr = NL80211_ATTR_MAX,
17547 	.policy = nl80211_policy,
17548 	.netnsok = true,
17549 	.pre_doit = nl80211_pre_doit,
17550 	.post_doit = nl80211_post_doit,
17551 	.module = THIS_MODULE,
17552 	.ops = nl80211_ops,
17553 	.n_ops = ARRAY_SIZE(nl80211_ops),
17554 	.small_ops = nl80211_small_ops,
17555 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17556 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17557 	.mcgrps = nl80211_mcgrps,
17558 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17559 	.parallel_ops = true,
17560 };
17561 
17562 /* notification functions */
17563 
17564 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17565 			  enum nl80211_commands cmd)
17566 {
17567 	struct sk_buff *msg;
17568 	struct nl80211_dump_wiphy_state state = {};
17569 
17570 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17571 		cmd != NL80211_CMD_DEL_WIPHY);
17572 
17573 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17574 	if (!msg)
17575 		return;
17576 
17577 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17578 		nlmsg_free(msg);
17579 		return;
17580 	}
17581 
17582 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17583 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17584 }
17585 
17586 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17587 				struct wireless_dev *wdev,
17588 				enum nl80211_commands cmd)
17589 {
17590 	struct sk_buff *msg;
17591 
17592 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17593 	if (!msg)
17594 		return;
17595 
17596 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17597 		nlmsg_free(msg);
17598 		return;
17599 	}
17600 
17601 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17602 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17603 }
17604 
17605 static int nl80211_add_scan_req(struct sk_buff *msg,
17606 				struct cfg80211_registered_device *rdev)
17607 {
17608 	struct cfg80211_scan_request *req = rdev->scan_req;
17609 	struct nlattr *nest;
17610 	int i;
17611 	struct cfg80211_scan_info *info;
17612 
17613 	if (WARN_ON(!req))
17614 		return 0;
17615 
17616 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17617 	if (!nest)
17618 		goto nla_put_failure;
17619 	for (i = 0; i < req->n_ssids; i++) {
17620 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17621 			goto nla_put_failure;
17622 	}
17623 	nla_nest_end(msg, nest);
17624 
17625 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17626 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17627 		if (!nest)
17628 			goto nla_put_failure;
17629 		for (i = 0; i < req->n_channels; i++) {
17630 			if (nla_put_u32(msg, i,
17631 				   ieee80211_channel_to_khz(req->channels[i])))
17632 				goto nla_put_failure;
17633 		}
17634 		nla_nest_end(msg, nest);
17635 	} else {
17636 		nest = nla_nest_start_noflag(msg,
17637 					     NL80211_ATTR_SCAN_FREQUENCIES);
17638 		if (!nest)
17639 			goto nla_put_failure;
17640 		for (i = 0; i < req->n_channels; i++) {
17641 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17642 				goto nla_put_failure;
17643 		}
17644 		nla_nest_end(msg, nest);
17645 	}
17646 
17647 	if (req->ie &&
17648 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17649 		goto nla_put_failure;
17650 
17651 	if (req->flags &&
17652 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17653 		goto nla_put_failure;
17654 
17655 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17656 		&rdev->scan_req->info;
17657 	if (info->scan_start_tsf &&
17658 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17659 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17660 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17661 		     info->tsf_bssid)))
17662 		goto nla_put_failure;
17663 
17664 	return 0;
17665  nla_put_failure:
17666 	return -ENOBUFS;
17667 }
17668 
17669 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17670 				 struct cfg80211_registered_device *rdev,
17671 				 struct wireless_dev *wdev,
17672 				 u32 portid, u32 seq, int flags,
17673 				 u32 cmd)
17674 {
17675 	void *hdr;
17676 
17677 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17678 	if (!hdr)
17679 		return -1;
17680 
17681 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17682 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17683 					 wdev->netdev->ifindex)) ||
17684 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17685 			      NL80211_ATTR_PAD))
17686 		goto nla_put_failure;
17687 
17688 	/* ignore errors and send incomplete event anyway */
17689 	nl80211_add_scan_req(msg, rdev);
17690 
17691 	genlmsg_end(msg, hdr);
17692 	return 0;
17693 
17694  nla_put_failure:
17695 	genlmsg_cancel(msg, hdr);
17696 	return -EMSGSIZE;
17697 }
17698 
17699 static int
17700 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17701 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17702 {
17703 	void *hdr;
17704 
17705 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17706 	if (!hdr)
17707 		return -1;
17708 
17709 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17710 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17711 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17712 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17713 			      NL80211_ATTR_PAD))
17714 		goto nla_put_failure;
17715 
17716 	genlmsg_end(msg, hdr);
17717 	return 0;
17718 
17719  nla_put_failure:
17720 	genlmsg_cancel(msg, hdr);
17721 	return -EMSGSIZE;
17722 }
17723 
17724 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17725 			     struct wireless_dev *wdev)
17726 {
17727 	struct sk_buff *msg;
17728 
17729 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17730 	if (!msg)
17731 		return;
17732 
17733 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17734 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17735 		nlmsg_free(msg);
17736 		return;
17737 	}
17738 
17739 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17740 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17741 }
17742 
17743 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17744 				       struct wireless_dev *wdev, bool aborted)
17745 {
17746 	struct sk_buff *msg;
17747 
17748 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17749 	if (!msg)
17750 		return NULL;
17751 
17752 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17753 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17754 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17755 		nlmsg_free(msg);
17756 		return NULL;
17757 	}
17758 
17759 	return msg;
17760 }
17761 
17762 /* send message created by nl80211_build_scan_msg() */
17763 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17764 			   struct sk_buff *msg)
17765 {
17766 	if (!msg)
17767 		return;
17768 
17769 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17770 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17771 }
17772 
17773 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17774 {
17775 	struct sk_buff *msg;
17776 
17777 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17778 	if (!msg)
17779 		return;
17780 
17781 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17782 		nlmsg_free(msg);
17783 		return;
17784 	}
17785 
17786 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17787 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17788 }
17789 
17790 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17791 					  struct regulatory_request *request)
17792 {
17793 	/* Userspace can always count this one always being set */
17794 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17795 		goto nla_put_failure;
17796 
17797 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17798 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17799 			       NL80211_REGDOM_TYPE_WORLD))
17800 			goto nla_put_failure;
17801 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17802 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17803 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17804 			goto nla_put_failure;
17805 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17806 		   request->intersect) {
17807 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17808 			       NL80211_REGDOM_TYPE_INTERSECTION))
17809 			goto nla_put_failure;
17810 	} else {
17811 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17812 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17813 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17814 				   request->alpha2))
17815 			goto nla_put_failure;
17816 	}
17817 
17818 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17819 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17820 
17821 		if (wiphy &&
17822 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17823 			goto nla_put_failure;
17824 
17825 		if (wiphy &&
17826 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17827 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17828 			goto nla_put_failure;
17829 	}
17830 
17831 	return true;
17832 
17833 nla_put_failure:
17834 	return false;
17835 }
17836 
17837 /*
17838  * This can happen on global regulatory changes or device specific settings
17839  * based on custom regulatory domains.
17840  */
17841 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17842 				     struct regulatory_request *request)
17843 {
17844 	struct sk_buff *msg;
17845 	void *hdr;
17846 
17847 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17848 	if (!msg)
17849 		return;
17850 
17851 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17852 	if (!hdr)
17853 		goto nla_put_failure;
17854 
17855 	if (!nl80211_reg_change_event_fill(msg, request))
17856 		goto nla_put_failure;
17857 
17858 	genlmsg_end(msg, hdr);
17859 
17860 	rcu_read_lock();
17861 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17862 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17863 	rcu_read_unlock();
17864 
17865 	return;
17866 
17867 nla_put_failure:
17868 	nlmsg_free(msg);
17869 }
17870 
17871 struct nl80211_mlme_event {
17872 	enum nl80211_commands cmd;
17873 	const u8 *buf;
17874 	size_t buf_len;
17875 	int uapsd_queues;
17876 	const u8 *req_ies;
17877 	size_t req_ies_len;
17878 	bool reconnect;
17879 };
17880 
17881 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17882 				    struct net_device *netdev,
17883 				    const struct nl80211_mlme_event *event,
17884 				    gfp_t gfp)
17885 {
17886 	struct sk_buff *msg;
17887 	void *hdr;
17888 
17889 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
17890 	if (!msg)
17891 		return;
17892 
17893 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
17894 	if (!hdr) {
17895 		nlmsg_free(msg);
17896 		return;
17897 	}
17898 
17899 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17900 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17901 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
17902 	    (event->req_ies &&
17903 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
17904 		     event->req_ies)))
17905 		goto nla_put_failure;
17906 
17907 	if (event->reconnect &&
17908 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17909 		goto nla_put_failure;
17910 
17911 	if (event->uapsd_queues >= 0) {
17912 		struct nlattr *nla_wmm =
17913 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17914 		if (!nla_wmm)
17915 			goto nla_put_failure;
17916 
17917 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17918 			       event->uapsd_queues))
17919 			goto nla_put_failure;
17920 
17921 		nla_nest_end(msg, nla_wmm);
17922 	}
17923 
17924 	genlmsg_end(msg, hdr);
17925 
17926 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17927 				NL80211_MCGRP_MLME, gfp);
17928 	return;
17929 
17930  nla_put_failure:
17931 	nlmsg_free(msg);
17932 }
17933 
17934 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17935 			  struct net_device *netdev, const u8 *buf,
17936 			  size_t len, gfp_t gfp)
17937 {
17938 	struct nl80211_mlme_event event = {
17939 		.cmd = NL80211_CMD_AUTHENTICATE,
17940 		.buf = buf,
17941 		.buf_len = len,
17942 		.uapsd_queues = -1,
17943 	};
17944 
17945 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
17946 }
17947 
17948 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17949 			   struct net_device *netdev,
17950 			   const struct cfg80211_rx_assoc_resp_data *data)
17951 {
17952 	struct nl80211_mlme_event event = {
17953 		.cmd = NL80211_CMD_ASSOCIATE,
17954 		.buf = data->buf,
17955 		.buf_len = data->len,
17956 		.uapsd_queues = data->uapsd_queues,
17957 		.req_ies = data->req_ies,
17958 		.req_ies_len = data->req_ies_len,
17959 	};
17960 
17961 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
17962 }
17963 
17964 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17965 			 struct net_device *netdev, const u8 *buf,
17966 			 size_t len, bool reconnect, gfp_t gfp)
17967 {
17968 	struct nl80211_mlme_event event = {
17969 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17970 		.buf = buf,
17971 		.buf_len = len,
17972 		.reconnect = reconnect,
17973 		.uapsd_queues = -1,
17974 	};
17975 
17976 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
17977 }
17978 
17979 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17980 			   struct net_device *netdev, const u8 *buf,
17981 			   size_t len, bool reconnect, gfp_t gfp)
17982 {
17983 	struct nl80211_mlme_event event = {
17984 		.cmd = NL80211_CMD_DISASSOCIATE,
17985 		.buf = buf,
17986 		.buf_len = len,
17987 		.reconnect = reconnect,
17988 		.uapsd_queues = -1,
17989 	};
17990 
17991 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
17992 }
17993 
17994 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17995 				  size_t len)
17996 {
17997 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17998 	struct wiphy *wiphy = wdev->wiphy;
17999 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18000 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18001 	struct nl80211_mlme_event event = {
18002 		.buf = buf,
18003 		.buf_len = len,
18004 		.uapsd_queues = -1,
18005 	};
18006 
18007 	if (WARN_ON(len < 2))
18008 		return;
18009 
18010 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18011 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18012 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18013 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18014 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18015 		if (wdev->unprot_beacon_reported &&
18016 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18017 			return;
18018 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18019 		wdev->unprot_beacon_reported = jiffies;
18020 	} else {
18021 		return;
18022 	}
18023 
18024 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18025 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18026 }
18027 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18028 
18029 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18030 				      struct net_device *netdev, int cmd,
18031 				      const u8 *addr, gfp_t gfp)
18032 {
18033 	struct sk_buff *msg;
18034 	void *hdr;
18035 
18036 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18037 	if (!msg)
18038 		return;
18039 
18040 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18041 	if (!hdr) {
18042 		nlmsg_free(msg);
18043 		return;
18044 	}
18045 
18046 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18047 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18048 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18049 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18050 		goto nla_put_failure;
18051 
18052 	genlmsg_end(msg, hdr);
18053 
18054 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18055 				NL80211_MCGRP_MLME, gfp);
18056 	return;
18057 
18058  nla_put_failure:
18059 	nlmsg_free(msg);
18060 }
18061 
18062 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18063 			       struct net_device *netdev, const u8 *addr,
18064 			       gfp_t gfp)
18065 {
18066 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18067 				  addr, gfp);
18068 }
18069 
18070 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18071 				struct net_device *netdev, const u8 *addr,
18072 				gfp_t gfp)
18073 {
18074 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18075 				  addr, gfp);
18076 }
18077 
18078 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18079 				 struct net_device *netdev,
18080 				 struct cfg80211_connect_resp_params *cr,
18081 				 gfp_t gfp)
18082 {
18083 	struct sk_buff *msg;
18084 	void *hdr;
18085 	unsigned int link;
18086 	size_t link_info_size = 0;
18087 	const u8 *connected_addr = cr->valid_links ?
18088 				   cr->ap_mld_addr : cr->links[0].bssid;
18089 
18090 	if (cr->valid_links) {
18091 		for_each_valid_link(cr, link) {
18092 			/* Nested attribute header */
18093 			link_info_size += NLA_HDRLEN;
18094 			/* Link ID */
18095 			link_info_size += nla_total_size(sizeof(u8));
18096 			link_info_size += cr->links[link].addr ?
18097 					  nla_total_size(ETH_ALEN) : 0;
18098 			link_info_size += (cr->links[link].bssid ||
18099 					   cr->links[link].bss) ?
18100 					  nla_total_size(ETH_ALEN) : 0;
18101 			link_info_size += nla_total_size(sizeof(u16));
18102 		}
18103 	}
18104 
18105 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18106 			cr->fils.kek_len + cr->fils.pmk_len +
18107 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18108 			gfp);
18109 	if (!msg)
18110 		return;
18111 
18112 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18113 	if (!hdr) {
18114 		nlmsg_free(msg);
18115 		return;
18116 	}
18117 
18118 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18119 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18120 	    (connected_addr &&
18121 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18122 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18123 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18124 			cr->status) ||
18125 	    (cr->status < 0 &&
18126 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18127 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18128 			  cr->timeout_reason))) ||
18129 	    (cr->req_ie &&
18130 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18131 	    (cr->resp_ie &&
18132 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18133 		     cr->resp_ie)) ||
18134 	    (cr->fils.update_erp_next_seq_num &&
18135 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18136 			 cr->fils.erp_next_seq_num)) ||
18137 	    (cr->status == WLAN_STATUS_SUCCESS &&
18138 	     ((cr->fils.kek &&
18139 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18140 		       cr->fils.kek)) ||
18141 	      (cr->fils.pmk &&
18142 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18143 	      (cr->fils.pmkid &&
18144 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18145 		goto nla_put_failure;
18146 
18147 	if (cr->valid_links) {
18148 		int i = 1;
18149 		struct nlattr *nested;
18150 
18151 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18152 		if (!nested)
18153 			goto nla_put_failure;
18154 
18155 		for_each_valid_link(cr, link) {
18156 			struct nlattr *nested_mlo_links;
18157 			const u8 *bssid = cr->links[link].bss ?
18158 					  cr->links[link].bss->bssid :
18159 					  cr->links[link].bssid;
18160 
18161 			nested_mlo_links = nla_nest_start(msg, i);
18162 			if (!nested_mlo_links)
18163 				goto nla_put_failure;
18164 
18165 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18166 			    (bssid &&
18167 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18168 			    (cr->links[link].addr &&
18169 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18170 				     cr->links[link].addr)) ||
18171 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18172 					cr->links[link].status))
18173 				goto nla_put_failure;
18174 
18175 			nla_nest_end(msg, nested_mlo_links);
18176 			i++;
18177 		}
18178 		nla_nest_end(msg, nested);
18179 	}
18180 
18181 	genlmsg_end(msg, hdr);
18182 
18183 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18184 				NL80211_MCGRP_MLME, gfp);
18185 	return;
18186 
18187  nla_put_failure:
18188 	nlmsg_free(msg);
18189 }
18190 
18191 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18192 			 struct net_device *netdev,
18193 			 struct cfg80211_roam_info *info, gfp_t gfp)
18194 {
18195 	struct sk_buff *msg;
18196 	void *hdr;
18197 	size_t link_info_size = 0;
18198 	unsigned int link;
18199 	const u8 *connected_addr = info->ap_mld_addr ?
18200 				   info->ap_mld_addr :
18201 				   (info->links[0].bss ?
18202 				    info->links[0].bss->bssid :
18203 				    info->links[0].bssid);
18204 
18205 	if (info->valid_links) {
18206 		for_each_valid_link(info, link) {
18207 			/* Nested attribute header */
18208 			link_info_size += NLA_HDRLEN;
18209 			/* Link ID */
18210 			link_info_size += nla_total_size(sizeof(u8));
18211 			link_info_size += info->links[link].addr ?
18212 					  nla_total_size(ETH_ALEN) : 0;
18213 			link_info_size += (info->links[link].bssid ||
18214 					   info->links[link].bss) ?
18215 					  nla_total_size(ETH_ALEN) : 0;
18216 		}
18217 	}
18218 
18219 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18220 			info->fils.kek_len + info->fils.pmk_len +
18221 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18222 			link_info_size, gfp);
18223 	if (!msg)
18224 		return;
18225 
18226 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18227 	if (!hdr) {
18228 		nlmsg_free(msg);
18229 		return;
18230 	}
18231 
18232 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18233 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18234 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18235 	    (info->req_ie &&
18236 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18237 		     info->req_ie)) ||
18238 	    (info->resp_ie &&
18239 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18240 		     info->resp_ie)) ||
18241 	    (info->fils.update_erp_next_seq_num &&
18242 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18243 			 info->fils.erp_next_seq_num)) ||
18244 	    (info->fils.kek &&
18245 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18246 		     info->fils.kek)) ||
18247 	    (info->fils.pmk &&
18248 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18249 	    (info->fils.pmkid &&
18250 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18251 		goto nla_put_failure;
18252 
18253 	if (info->valid_links) {
18254 		int i = 1;
18255 		struct nlattr *nested;
18256 
18257 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18258 		if (!nested)
18259 			goto nla_put_failure;
18260 
18261 		for_each_valid_link(info, link) {
18262 			struct nlattr *nested_mlo_links;
18263 			const u8 *bssid = info->links[link].bss ?
18264 					  info->links[link].bss->bssid :
18265 					  info->links[link].bssid;
18266 
18267 			nested_mlo_links = nla_nest_start(msg, i);
18268 			if (!nested_mlo_links)
18269 				goto nla_put_failure;
18270 
18271 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18272 			    (bssid &&
18273 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18274 			    (info->links[link].addr &&
18275 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18276 				     info->links[link].addr)))
18277 				goto nla_put_failure;
18278 
18279 			nla_nest_end(msg, nested_mlo_links);
18280 			i++;
18281 		}
18282 		nla_nest_end(msg, nested);
18283 	}
18284 
18285 	genlmsg_end(msg, hdr);
18286 
18287 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18288 				NL80211_MCGRP_MLME, gfp);
18289 	return;
18290 
18291  nla_put_failure:
18292 	nlmsg_free(msg);
18293 }
18294 
18295 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18296 				  struct net_device *netdev, const u8 *peer_addr,
18297 				  const u8 *td_bitmap, u8 td_bitmap_len)
18298 {
18299 	struct sk_buff *msg;
18300 	void *hdr;
18301 
18302 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18303 	if (!msg)
18304 		return;
18305 
18306 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18307 	if (!hdr) {
18308 		nlmsg_free(msg);
18309 		return;
18310 	}
18311 
18312 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18313 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18314 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18315 		goto nla_put_failure;
18316 
18317 	if ((td_bitmap_len > 0) && td_bitmap)
18318 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18319 			    td_bitmap_len, td_bitmap))
18320 			goto nla_put_failure;
18321 
18322 	genlmsg_end(msg, hdr);
18323 
18324 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18325 				NL80211_MCGRP_MLME, GFP_KERNEL);
18326 	return;
18327 
18328  nla_put_failure:
18329 	nlmsg_free(msg);
18330 }
18331 
18332 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18333 			       struct net_device *netdev, u16 reason,
18334 			       const u8 *ie, size_t ie_len, bool from_ap)
18335 {
18336 	struct sk_buff *msg;
18337 	void *hdr;
18338 
18339 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18340 	if (!msg)
18341 		return;
18342 
18343 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18344 	if (!hdr) {
18345 		nlmsg_free(msg);
18346 		return;
18347 	}
18348 
18349 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18350 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18351 	    (reason &&
18352 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18353 	    (from_ap &&
18354 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18355 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18356 		goto nla_put_failure;
18357 
18358 	genlmsg_end(msg, hdr);
18359 
18360 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18361 				NL80211_MCGRP_MLME, GFP_KERNEL);
18362 	return;
18363 
18364  nla_put_failure:
18365 	nlmsg_free(msg);
18366 }
18367 
18368 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18369 {
18370 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18371 	struct wiphy *wiphy = wdev->wiphy;
18372 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18373 	struct sk_buff *msg;
18374 	struct nlattr *links;
18375 	void *hdr;
18376 
18377 	lockdep_assert_wiphy(wdev->wiphy);
18378 	trace_cfg80211_links_removed(dev, link_mask);
18379 
18380 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18381 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18382 		return;
18383 
18384 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18385 		    (wdev->valid_links & link_mask) != link_mask ||
18386 		    wdev->valid_links == link_mask))
18387 		return;
18388 
18389 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18390 	wdev->valid_links &= ~link_mask;
18391 
18392 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18393 	if (!msg)
18394 		return;
18395 
18396 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18397 	if (!hdr) {
18398 		nlmsg_free(msg);
18399 		return;
18400 	}
18401 
18402 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18403 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18404 		goto nla_put_failure;
18405 
18406 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18407 	if (!links)
18408 		goto nla_put_failure;
18409 
18410 	while (link_mask) {
18411 		struct nlattr *link;
18412 		int link_id = __ffs(link_mask);
18413 
18414 		link = nla_nest_start(msg, link_id + 1);
18415 		if (!link)
18416 			goto nla_put_failure;
18417 
18418 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18419 			goto nla_put_failure;
18420 
18421 		nla_nest_end(msg, link);
18422 		link_mask &= ~(1 << link_id);
18423 	}
18424 
18425 	nla_nest_end(msg, links);
18426 
18427 	genlmsg_end(msg, hdr);
18428 
18429 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18430 				NL80211_MCGRP_MLME, GFP_KERNEL);
18431 	return;
18432 
18433  nla_put_failure:
18434 	nlmsg_free(msg);
18435 }
18436 EXPORT_SYMBOL(cfg80211_links_removed);
18437 
18438 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18439 			     struct net_device *netdev, const u8 *bssid,
18440 			     gfp_t gfp)
18441 {
18442 	struct sk_buff *msg;
18443 	void *hdr;
18444 
18445 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18446 	if (!msg)
18447 		return;
18448 
18449 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18450 	if (!hdr) {
18451 		nlmsg_free(msg);
18452 		return;
18453 	}
18454 
18455 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18456 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18457 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18458 		goto nla_put_failure;
18459 
18460 	genlmsg_end(msg, hdr);
18461 
18462 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18463 				NL80211_MCGRP_MLME, gfp);
18464 	return;
18465 
18466  nla_put_failure:
18467 	nlmsg_free(msg);
18468 }
18469 
18470 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18471 					const u8 *ie, u8 ie_len,
18472 					int sig_dbm, gfp_t gfp)
18473 {
18474 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18475 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18476 	struct sk_buff *msg;
18477 	void *hdr;
18478 
18479 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18480 		return;
18481 
18482 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18483 
18484 	msg = nlmsg_new(100 + ie_len, gfp);
18485 	if (!msg)
18486 		return;
18487 
18488 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18489 	if (!hdr) {
18490 		nlmsg_free(msg);
18491 		return;
18492 	}
18493 
18494 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18495 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18496 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18497 	    (ie_len && ie &&
18498 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18499 	    (sig_dbm &&
18500 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18501 		goto nla_put_failure;
18502 
18503 	genlmsg_end(msg, hdr);
18504 
18505 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18506 				NL80211_MCGRP_MLME, gfp);
18507 	return;
18508 
18509  nla_put_failure:
18510 	nlmsg_free(msg);
18511 }
18512 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18513 
18514 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18515 				 struct net_device *netdev, const u8 *addr,
18516 				 enum nl80211_key_type key_type, int key_id,
18517 				 const u8 *tsc, gfp_t gfp)
18518 {
18519 	struct sk_buff *msg;
18520 	void *hdr;
18521 
18522 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18523 	if (!msg)
18524 		return;
18525 
18526 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18527 	if (!hdr) {
18528 		nlmsg_free(msg);
18529 		return;
18530 	}
18531 
18532 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18533 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18534 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18535 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18536 	    (key_id != -1 &&
18537 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18538 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18539 		goto nla_put_failure;
18540 
18541 	genlmsg_end(msg, hdr);
18542 
18543 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18544 				NL80211_MCGRP_MLME, gfp);
18545 	return;
18546 
18547  nla_put_failure:
18548 	nlmsg_free(msg);
18549 }
18550 
18551 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18552 				    struct ieee80211_channel *channel_before,
18553 				    struct ieee80211_channel *channel_after)
18554 {
18555 	struct sk_buff *msg;
18556 	void *hdr;
18557 	struct nlattr *nl_freq;
18558 
18559 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18560 	if (!msg)
18561 		return;
18562 
18563 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18564 	if (!hdr) {
18565 		nlmsg_free(msg);
18566 		return;
18567 	}
18568 
18569 	/*
18570 	 * Since we are applying the beacon hint to a wiphy we know its
18571 	 * wiphy_idx is valid
18572 	 */
18573 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18574 		goto nla_put_failure;
18575 
18576 	/* Before */
18577 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18578 	if (!nl_freq)
18579 		goto nla_put_failure;
18580 
18581 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18582 		goto nla_put_failure;
18583 	nla_nest_end(msg, nl_freq);
18584 
18585 	/* After */
18586 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18587 	if (!nl_freq)
18588 		goto nla_put_failure;
18589 
18590 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18591 		goto nla_put_failure;
18592 	nla_nest_end(msg, nl_freq);
18593 
18594 	genlmsg_end(msg, hdr);
18595 
18596 	rcu_read_lock();
18597 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18598 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18599 	rcu_read_unlock();
18600 
18601 	return;
18602 
18603 nla_put_failure:
18604 	nlmsg_free(msg);
18605 }
18606 
18607 static void nl80211_send_remain_on_chan_event(
18608 	int cmd, struct cfg80211_registered_device *rdev,
18609 	struct wireless_dev *wdev, u64 cookie,
18610 	struct ieee80211_channel *chan,
18611 	unsigned int duration, gfp_t gfp)
18612 {
18613 	struct sk_buff *msg;
18614 	void *hdr;
18615 
18616 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18617 	if (!msg)
18618 		return;
18619 
18620 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18621 	if (!hdr) {
18622 		nlmsg_free(msg);
18623 		return;
18624 	}
18625 
18626 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18627 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18628 					 wdev->netdev->ifindex)) ||
18629 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18630 			      NL80211_ATTR_PAD) ||
18631 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18632 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18633 			NL80211_CHAN_NO_HT) ||
18634 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18635 			      NL80211_ATTR_PAD))
18636 		goto nla_put_failure;
18637 
18638 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18639 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18640 		goto nla_put_failure;
18641 
18642 	genlmsg_end(msg, hdr);
18643 
18644 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18645 				NL80211_MCGRP_MLME, gfp);
18646 	return;
18647 
18648  nla_put_failure:
18649 	nlmsg_free(msg);
18650 }
18651 
18652 void cfg80211_assoc_comeback(struct net_device *netdev,
18653 			     const u8 *ap_addr, u32 timeout)
18654 {
18655 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18656 	struct wiphy *wiphy = wdev->wiphy;
18657 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18658 	struct sk_buff *msg;
18659 	void *hdr;
18660 
18661 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18662 
18663 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18664 	if (!msg)
18665 		return;
18666 
18667 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18668 	if (!hdr) {
18669 		nlmsg_free(msg);
18670 		return;
18671 	}
18672 
18673 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18674 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18675 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18676 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18677 		goto nla_put_failure;
18678 
18679 	genlmsg_end(msg, hdr);
18680 
18681 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18682 				NL80211_MCGRP_MLME, GFP_KERNEL);
18683 	return;
18684 
18685  nla_put_failure:
18686 	nlmsg_free(msg);
18687 }
18688 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18689 
18690 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18691 			       struct ieee80211_channel *chan,
18692 			       unsigned int duration, gfp_t gfp)
18693 {
18694 	struct wiphy *wiphy = wdev->wiphy;
18695 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18696 
18697 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18698 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18699 					  rdev, wdev, cookie, chan,
18700 					  duration, gfp);
18701 }
18702 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18703 
18704 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18705 					struct ieee80211_channel *chan,
18706 					gfp_t gfp)
18707 {
18708 	struct wiphy *wiphy = wdev->wiphy;
18709 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18710 
18711 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18712 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18713 					  rdev, wdev, cookie, chan, 0, gfp);
18714 }
18715 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18716 
18717 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18718 					struct ieee80211_channel *chan,
18719 					gfp_t gfp)
18720 {
18721 	struct wiphy *wiphy = wdev->wiphy;
18722 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18723 
18724 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18725 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18726 					  rdev, wdev, cookie, chan, 0, gfp);
18727 }
18728 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18729 
18730 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18731 		      struct station_info *sinfo, gfp_t gfp)
18732 {
18733 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18734 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18735 	struct sk_buff *msg;
18736 
18737 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18738 
18739 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18740 	if (!msg)
18741 		return;
18742 
18743 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18744 				 rdev, dev, mac_addr, sinfo) < 0) {
18745 		nlmsg_free(msg);
18746 		return;
18747 	}
18748 
18749 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18750 				NL80211_MCGRP_MLME, gfp);
18751 }
18752 EXPORT_SYMBOL(cfg80211_new_sta);
18753 
18754 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18755 			    struct station_info *sinfo, gfp_t gfp)
18756 {
18757 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18758 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18759 	struct sk_buff *msg;
18760 	struct station_info empty_sinfo = {};
18761 
18762 	if (!sinfo)
18763 		sinfo = &empty_sinfo;
18764 
18765 	trace_cfg80211_del_sta(dev, mac_addr);
18766 
18767 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18768 	if (!msg) {
18769 		cfg80211_sinfo_release_content(sinfo);
18770 		return;
18771 	}
18772 
18773 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18774 				 rdev, dev, mac_addr, sinfo) < 0) {
18775 		nlmsg_free(msg);
18776 		return;
18777 	}
18778 
18779 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18780 				NL80211_MCGRP_MLME, gfp);
18781 }
18782 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18783 
18784 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18785 			  enum nl80211_connect_failed_reason reason,
18786 			  gfp_t gfp)
18787 {
18788 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18789 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18790 	struct sk_buff *msg;
18791 	void *hdr;
18792 
18793 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18794 	if (!msg)
18795 		return;
18796 
18797 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18798 	if (!hdr) {
18799 		nlmsg_free(msg);
18800 		return;
18801 	}
18802 
18803 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18804 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18805 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18806 		goto nla_put_failure;
18807 
18808 	genlmsg_end(msg, hdr);
18809 
18810 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18811 				NL80211_MCGRP_MLME, gfp);
18812 	return;
18813 
18814  nla_put_failure:
18815 	nlmsg_free(msg);
18816 }
18817 EXPORT_SYMBOL(cfg80211_conn_failed);
18818 
18819 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18820 				       const u8 *addr, gfp_t gfp)
18821 {
18822 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18823 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18824 	struct sk_buff *msg;
18825 	void *hdr;
18826 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18827 
18828 	if (!nlportid)
18829 		return false;
18830 
18831 	msg = nlmsg_new(100, gfp);
18832 	if (!msg)
18833 		return true;
18834 
18835 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18836 	if (!hdr) {
18837 		nlmsg_free(msg);
18838 		return true;
18839 	}
18840 
18841 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18842 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18843 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18844 		goto nla_put_failure;
18845 
18846 	genlmsg_end(msg, hdr);
18847 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18848 	return true;
18849 
18850  nla_put_failure:
18851 	nlmsg_free(msg);
18852 	return true;
18853 }
18854 
18855 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18856 				const u8 *addr, gfp_t gfp)
18857 {
18858 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18859 	bool ret;
18860 
18861 	trace_cfg80211_rx_spurious_frame(dev, addr);
18862 
18863 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18864 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18865 		trace_cfg80211_return_bool(false);
18866 		return false;
18867 	}
18868 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18869 					 addr, gfp);
18870 	trace_cfg80211_return_bool(ret);
18871 	return ret;
18872 }
18873 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18874 
18875 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18876 					const u8 *addr, gfp_t gfp)
18877 {
18878 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18879 	bool ret;
18880 
18881 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18882 
18883 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18884 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18885 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18886 		trace_cfg80211_return_bool(false);
18887 		return false;
18888 	}
18889 	ret = __nl80211_unexpected_frame(dev,
18890 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18891 					 addr, gfp);
18892 	trace_cfg80211_return_bool(ret);
18893 	return ret;
18894 }
18895 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18896 
18897 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18898 		      struct wireless_dev *wdev, u32 nlportid,
18899 		      struct cfg80211_rx_info *info, gfp_t gfp)
18900 {
18901 	struct net_device *netdev = wdev->netdev;
18902 	struct sk_buff *msg;
18903 	void *hdr;
18904 
18905 	msg = nlmsg_new(100 + info->len, gfp);
18906 	if (!msg)
18907 		return -ENOMEM;
18908 
18909 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18910 	if (!hdr) {
18911 		nlmsg_free(msg);
18912 		return -ENOMEM;
18913 	}
18914 
18915 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18916 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18917 					netdev->ifindex)) ||
18918 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18919 			      NL80211_ATTR_PAD) ||
18920 	    (info->have_link_id &&
18921 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18922 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18923 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18924 	    (info->sig_dbm &&
18925 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18926 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18927 	    (info->flags &&
18928 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18929 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18930 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18931 						  info->rx_tstamp,
18932 						  NL80211_ATTR_PAD)) ||
18933 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18934 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18935 						   info->ack_tstamp,
18936 						   NL80211_ATTR_PAD)))
18937 		goto nla_put_failure;
18938 
18939 	genlmsg_end(msg, hdr);
18940 
18941 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18942 
18943  nla_put_failure:
18944 	nlmsg_free(msg);
18945 	return -ENOBUFS;
18946 }
18947 
18948 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18949 				    struct cfg80211_tx_status *status,
18950 				    gfp_t gfp, enum nl80211_commands command)
18951 {
18952 	struct wiphy *wiphy = wdev->wiphy;
18953 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18954 	struct net_device *netdev = wdev->netdev;
18955 	struct sk_buff *msg;
18956 	void *hdr;
18957 
18958 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18959 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18960 					      status->ack);
18961 	else
18962 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18963 						      status->ack);
18964 
18965 	msg = nlmsg_new(100 + status->len, gfp);
18966 	if (!msg)
18967 		return;
18968 
18969 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18970 	if (!hdr) {
18971 		nlmsg_free(msg);
18972 		return;
18973 	}
18974 
18975 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18976 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18977 				   netdev->ifindex)) ||
18978 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18979 			      NL80211_ATTR_PAD) ||
18980 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18981 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18982 			      NL80211_ATTR_PAD) ||
18983 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18984 	    (status->tx_tstamp &&
18985 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18986 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18987 	    (status->ack_tstamp &&
18988 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18989 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18990 		goto nla_put_failure;
18991 
18992 	genlmsg_end(msg, hdr);
18993 
18994 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18995 				NL80211_MCGRP_MLME, gfp);
18996 	return;
18997 
18998 nla_put_failure:
18999 	nlmsg_free(msg);
19000 }
19001 
19002 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19003 				     const u8 *buf, size_t len, bool ack,
19004 				     gfp_t gfp)
19005 {
19006 	struct cfg80211_tx_status status = {
19007 		.cookie = cookie,
19008 		.buf = buf,
19009 		.len = len,
19010 		.ack = ack
19011 	};
19012 
19013 	nl80211_frame_tx_status(wdev, &status, gfp,
19014 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19015 }
19016 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19017 
19018 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19019 				 struct cfg80211_tx_status *status, gfp_t gfp)
19020 {
19021 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19022 }
19023 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19024 
19025 static int __nl80211_rx_control_port(struct net_device *dev,
19026 				     struct sk_buff *skb,
19027 				     bool unencrypted,
19028 				     int link_id,
19029 				     gfp_t gfp)
19030 {
19031 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19032 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19033 	struct ethhdr *ehdr = eth_hdr(skb);
19034 	const u8 *addr = ehdr->h_source;
19035 	u16 proto = be16_to_cpu(skb->protocol);
19036 	struct sk_buff *msg;
19037 	void *hdr;
19038 	struct nlattr *frame;
19039 
19040 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19041 
19042 	if (!nlportid)
19043 		return -ENOENT;
19044 
19045 	msg = nlmsg_new(100 + skb->len, gfp);
19046 	if (!msg)
19047 		return -ENOMEM;
19048 
19049 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19050 	if (!hdr) {
19051 		nlmsg_free(msg);
19052 		return -ENOBUFS;
19053 	}
19054 
19055 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19056 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19057 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19058 			      NL80211_ATTR_PAD) ||
19059 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19060 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19061 	    (link_id >= 0 &&
19062 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19063 	    (unencrypted && nla_put_flag(msg,
19064 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19065 		goto nla_put_failure;
19066 
19067 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19068 	if (!frame)
19069 		goto nla_put_failure;
19070 
19071 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19072 	genlmsg_end(msg, hdr);
19073 
19074 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19075 
19076  nla_put_failure:
19077 	nlmsg_free(msg);
19078 	return -ENOBUFS;
19079 }
19080 
19081 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19082 			      bool unencrypted, int link_id)
19083 {
19084 	int ret;
19085 
19086 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19087 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19088 					GFP_ATOMIC);
19089 	trace_cfg80211_return_bool(ret == 0);
19090 	return ret == 0;
19091 }
19092 EXPORT_SYMBOL(cfg80211_rx_control_port);
19093 
19094 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19095 					    const char *mac, gfp_t gfp)
19096 {
19097 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19098 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19099 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19100 	void **cb;
19101 
19102 	if (!msg)
19103 		return NULL;
19104 
19105 	cb = (void **)msg->cb;
19106 
19107 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19108 	if (!cb[0]) {
19109 		nlmsg_free(msg);
19110 		return NULL;
19111 	}
19112 
19113 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19114 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19115 		goto nla_put_failure;
19116 
19117 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19118 		goto nla_put_failure;
19119 
19120 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19121 	if (!cb[1])
19122 		goto nla_put_failure;
19123 
19124 	cb[2] = rdev;
19125 
19126 	return msg;
19127  nla_put_failure:
19128 	nlmsg_free(msg);
19129 	return NULL;
19130 }
19131 
19132 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19133 {
19134 	void **cb = (void **)msg->cb;
19135 	struct cfg80211_registered_device *rdev = cb[2];
19136 
19137 	nla_nest_end(msg, cb[1]);
19138 	genlmsg_end(msg, cb[0]);
19139 
19140 	memset(msg->cb, 0, sizeof(msg->cb));
19141 
19142 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19143 				NL80211_MCGRP_MLME, gfp);
19144 }
19145 
19146 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19147 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19148 			      s32 rssi_level, gfp_t gfp)
19149 {
19150 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19151 	struct cfg80211_cqm_config *cqm_config;
19152 
19153 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19154 
19155 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19156 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19157 		return;
19158 
19159 	rcu_read_lock();
19160 	cqm_config = rcu_dereference(wdev->cqm_config);
19161 	if (cqm_config) {
19162 		cqm_config->last_rssi_event_value = rssi_level;
19163 		cqm_config->last_rssi_event_type = rssi_event;
19164 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19165 	}
19166 	rcu_read_unlock();
19167 }
19168 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19169 
19170 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19171 {
19172 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19173 						 cqm_rssi_work);
19174 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19175 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19176 	struct cfg80211_cqm_config *cqm_config;
19177 	struct sk_buff *msg;
19178 	s32 rssi_level;
19179 
19180 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19181 	if (!cqm_config)
19182 		return;
19183 
19184 	if (cqm_config->use_range_api)
19185 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19186 
19187 	rssi_level = cqm_config->last_rssi_event_value;
19188 	rssi_event = cqm_config->last_rssi_event_type;
19189 
19190 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19191 	if (!msg)
19192 		return;
19193 
19194 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19195 			rssi_event))
19196 		goto nla_put_failure;
19197 
19198 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19199 				      rssi_level))
19200 		goto nla_put_failure;
19201 
19202 	cfg80211_send_cqm(msg, GFP_KERNEL);
19203 
19204 	return;
19205 
19206  nla_put_failure:
19207 	nlmsg_free(msg);
19208 }
19209 
19210 void cfg80211_cqm_txe_notify(struct net_device *dev,
19211 			     const u8 *peer, u32 num_packets,
19212 			     u32 rate, u32 intvl, gfp_t gfp)
19213 {
19214 	struct sk_buff *msg;
19215 
19216 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19217 	if (!msg)
19218 		return;
19219 
19220 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19221 		goto nla_put_failure;
19222 
19223 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19224 		goto nla_put_failure;
19225 
19226 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19227 		goto nla_put_failure;
19228 
19229 	cfg80211_send_cqm(msg, gfp);
19230 	return;
19231 
19232  nla_put_failure:
19233 	nlmsg_free(msg);
19234 }
19235 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19236 
19237 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19238 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19239 {
19240 	struct sk_buff *msg;
19241 
19242 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19243 
19244 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19245 	if (!msg)
19246 		return;
19247 
19248 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19249 		goto nla_put_failure;
19250 
19251 	cfg80211_send_cqm(msg, gfp);
19252 	return;
19253 
19254  nla_put_failure:
19255 	nlmsg_free(msg);
19256 }
19257 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19258 
19259 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19260 {
19261 	struct sk_buff *msg;
19262 
19263 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19264 	if (!msg)
19265 		return;
19266 
19267 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19268 		goto nla_put_failure;
19269 
19270 	cfg80211_send_cqm(msg, gfp);
19271 	return;
19272 
19273  nla_put_failure:
19274 	nlmsg_free(msg);
19275 }
19276 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19277 
19278 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19279 				     struct net_device *netdev, const u8 *bssid,
19280 				     const u8 *replay_ctr, gfp_t gfp)
19281 {
19282 	struct sk_buff *msg;
19283 	struct nlattr *rekey_attr;
19284 	void *hdr;
19285 
19286 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19287 	if (!msg)
19288 		return;
19289 
19290 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19291 	if (!hdr) {
19292 		nlmsg_free(msg);
19293 		return;
19294 	}
19295 
19296 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19297 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19298 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19299 		goto nla_put_failure;
19300 
19301 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19302 	if (!rekey_attr)
19303 		goto nla_put_failure;
19304 
19305 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19306 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19307 		goto nla_put_failure;
19308 
19309 	nla_nest_end(msg, rekey_attr);
19310 
19311 	genlmsg_end(msg, hdr);
19312 
19313 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19314 				NL80211_MCGRP_MLME, gfp);
19315 	return;
19316 
19317  nla_put_failure:
19318 	nlmsg_free(msg);
19319 }
19320 
19321 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19322 			       const u8 *replay_ctr, gfp_t gfp)
19323 {
19324 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19325 	struct wiphy *wiphy = wdev->wiphy;
19326 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19327 
19328 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19329 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19330 }
19331 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19332 
19333 static void
19334 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19335 			       struct net_device *netdev, int index,
19336 			       const u8 *bssid, bool preauth, gfp_t gfp)
19337 {
19338 	struct sk_buff *msg;
19339 	struct nlattr *attr;
19340 	void *hdr;
19341 
19342 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19343 	if (!msg)
19344 		return;
19345 
19346 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19347 	if (!hdr) {
19348 		nlmsg_free(msg);
19349 		return;
19350 	}
19351 
19352 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19353 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19354 		goto nla_put_failure;
19355 
19356 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19357 	if (!attr)
19358 		goto nla_put_failure;
19359 
19360 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19361 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19362 	    (preauth &&
19363 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19364 		goto nla_put_failure;
19365 
19366 	nla_nest_end(msg, attr);
19367 
19368 	genlmsg_end(msg, hdr);
19369 
19370 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19371 				NL80211_MCGRP_MLME, gfp);
19372 	return;
19373 
19374  nla_put_failure:
19375 	nlmsg_free(msg);
19376 }
19377 
19378 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19379 				     const u8 *bssid, bool preauth, gfp_t gfp)
19380 {
19381 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19382 	struct wiphy *wiphy = wdev->wiphy;
19383 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19384 
19385 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19386 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19387 }
19388 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19389 
19390 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19391 				     struct net_device *netdev,
19392 				     unsigned int link_id,
19393 				     struct cfg80211_chan_def *chandef,
19394 				     gfp_t gfp,
19395 				     enum nl80211_commands notif,
19396 				     u8 count, bool quiet)
19397 {
19398 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19399 	struct sk_buff *msg;
19400 	void *hdr;
19401 
19402 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19403 	if (!msg)
19404 		return;
19405 
19406 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19407 	if (!hdr) {
19408 		nlmsg_free(msg);
19409 		return;
19410 	}
19411 
19412 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19413 		goto nla_put_failure;
19414 
19415 	if (wdev->valid_links &&
19416 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19417 		goto nla_put_failure;
19418 
19419 	if (nl80211_send_chandef(msg, chandef))
19420 		goto nla_put_failure;
19421 
19422 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19423 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19424 			goto nla_put_failure;
19425 		if (quiet &&
19426 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19427 			goto nla_put_failure;
19428 	}
19429 
19430 	genlmsg_end(msg, hdr);
19431 
19432 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19433 				NL80211_MCGRP_MLME, gfp);
19434 	return;
19435 
19436  nla_put_failure:
19437 	nlmsg_free(msg);
19438 }
19439 
19440 void cfg80211_ch_switch_notify(struct net_device *dev,
19441 			       struct cfg80211_chan_def *chandef,
19442 			       unsigned int link_id)
19443 {
19444 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19445 	struct wiphy *wiphy = wdev->wiphy;
19446 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19447 
19448 	lockdep_assert_wiphy(wdev->wiphy);
19449 	WARN_INVALID_LINK_ID(wdev, link_id);
19450 
19451 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19452 
19453 	switch (wdev->iftype) {
19454 	case NL80211_IFTYPE_STATION:
19455 	case NL80211_IFTYPE_P2P_CLIENT:
19456 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19457 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19458 							chandef->chan);
19459 		break;
19460 	case NL80211_IFTYPE_MESH_POINT:
19461 		wdev->u.mesh.chandef = *chandef;
19462 		wdev->u.mesh.preset_chandef = *chandef;
19463 		break;
19464 	case NL80211_IFTYPE_AP:
19465 	case NL80211_IFTYPE_P2P_GO:
19466 		wdev->links[link_id].ap.chandef = *chandef;
19467 		break;
19468 	case NL80211_IFTYPE_ADHOC:
19469 		wdev->u.ibss.chandef = *chandef;
19470 		break;
19471 	default:
19472 		WARN_ON(1);
19473 		break;
19474 	}
19475 
19476 	cfg80211_schedule_channels_check(wdev);
19477 	cfg80211_sched_dfs_chan_update(rdev);
19478 
19479 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19480 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19481 }
19482 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19483 
19484 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19485 				       struct cfg80211_chan_def *chandef,
19486 				       unsigned int link_id, u8 count,
19487 				       bool quiet)
19488 {
19489 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19490 	struct wiphy *wiphy = wdev->wiphy;
19491 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19492 
19493 	lockdep_assert_wiphy(wdev->wiphy);
19494 	WARN_INVALID_LINK_ID(wdev, link_id);
19495 
19496 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19497 
19498 
19499 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19500 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19501 				 count, quiet);
19502 }
19503 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19504 
19505 int cfg80211_bss_color_notify(struct net_device *dev,
19506 			      enum nl80211_commands cmd, u8 count,
19507 			      u64 color_bitmap, u8 link_id)
19508 {
19509 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19510 	struct wiphy *wiphy = wdev->wiphy;
19511 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19512 	struct sk_buff *msg;
19513 	void *hdr;
19514 
19515 	lockdep_assert_wiphy(wdev->wiphy);
19516 
19517 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19518 
19519 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19520 	if (!msg)
19521 		return -ENOMEM;
19522 
19523 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19524 	if (!hdr)
19525 		goto nla_put_failure;
19526 
19527 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19528 		goto nla_put_failure;
19529 
19530 	if (wdev->valid_links &&
19531 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19532 		goto nla_put_failure;
19533 
19534 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19535 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19536 		goto nla_put_failure;
19537 
19538 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19539 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19540 			      color_bitmap, NL80211_ATTR_PAD))
19541 		goto nla_put_failure;
19542 
19543 	genlmsg_end(msg, hdr);
19544 
19545 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19546 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19547 
19548 nla_put_failure:
19549 	nlmsg_free(msg);
19550 	return -EINVAL;
19551 }
19552 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19553 
19554 void
19555 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19556 		     const struct cfg80211_chan_def *chandef,
19557 		     enum nl80211_radar_event event,
19558 		     struct net_device *netdev, gfp_t gfp)
19559 {
19560 	struct sk_buff *msg;
19561 	void *hdr;
19562 
19563 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19564 	if (!msg)
19565 		return;
19566 
19567 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19568 	if (!hdr) {
19569 		nlmsg_free(msg);
19570 		return;
19571 	}
19572 
19573 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19574 		goto nla_put_failure;
19575 
19576 	/* NOP and radar events don't need a netdev parameter */
19577 	if (netdev) {
19578 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19579 
19580 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19581 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19582 				      NL80211_ATTR_PAD))
19583 			goto nla_put_failure;
19584 	}
19585 
19586 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19587 		goto nla_put_failure;
19588 
19589 	if (nl80211_send_chandef(msg, chandef))
19590 		goto nla_put_failure;
19591 
19592 	genlmsg_end(msg, hdr);
19593 
19594 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19595 				NL80211_MCGRP_MLME, gfp);
19596 	return;
19597 
19598  nla_put_failure:
19599 	nlmsg_free(msg);
19600 }
19601 
19602 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19603 				       struct sta_opmode_info *sta_opmode,
19604 				       gfp_t gfp)
19605 {
19606 	struct sk_buff *msg;
19607 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19608 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19609 	void *hdr;
19610 
19611 	if (WARN_ON(!mac))
19612 		return;
19613 
19614 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19615 	if (!msg)
19616 		return;
19617 
19618 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19619 	if (!hdr) {
19620 		nlmsg_free(msg);
19621 		return;
19622 	}
19623 
19624 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19625 		goto nla_put_failure;
19626 
19627 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19628 		goto nla_put_failure;
19629 
19630 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19631 		goto nla_put_failure;
19632 
19633 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19634 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19635 		goto nla_put_failure;
19636 
19637 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19638 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19639 		goto nla_put_failure;
19640 
19641 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19642 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19643 		goto nla_put_failure;
19644 
19645 	genlmsg_end(msg, hdr);
19646 
19647 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19648 				NL80211_MCGRP_MLME, gfp);
19649 
19650 	return;
19651 
19652 nla_put_failure:
19653 	nlmsg_free(msg);
19654 }
19655 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19656 
19657 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19658 			   u64 cookie, bool acked, s32 ack_signal,
19659 			   bool is_valid_ack_signal, gfp_t gfp)
19660 {
19661 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19662 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19663 	struct sk_buff *msg;
19664 	void *hdr;
19665 
19666 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19667 
19668 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19669 
19670 	if (!msg)
19671 		return;
19672 
19673 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19674 	if (!hdr) {
19675 		nlmsg_free(msg);
19676 		return;
19677 	}
19678 
19679 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19680 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19681 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19682 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19683 			      NL80211_ATTR_PAD) ||
19684 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19685 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19686 						ack_signal)))
19687 		goto nla_put_failure;
19688 
19689 	genlmsg_end(msg, hdr);
19690 
19691 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19692 				NL80211_MCGRP_MLME, gfp);
19693 	return;
19694 
19695  nla_put_failure:
19696 	nlmsg_free(msg);
19697 }
19698 EXPORT_SYMBOL(cfg80211_probe_status);
19699 
19700 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19701 				     size_t len, int freq, int sig_dbm)
19702 {
19703 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19704 	struct sk_buff *msg;
19705 	void *hdr;
19706 	struct cfg80211_beacon_registration *reg;
19707 
19708 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19709 
19710 	spin_lock_bh(&rdev->beacon_registrations_lock);
19711 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19712 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19713 		if (!msg) {
19714 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19715 			return;
19716 		}
19717 
19718 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19719 		if (!hdr)
19720 			goto nla_put_failure;
19721 
19722 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19723 		    (freq &&
19724 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19725 				  KHZ_TO_MHZ(freq)) ||
19726 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19727 				  freq % 1000))) ||
19728 		    (sig_dbm &&
19729 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19730 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19731 			goto nla_put_failure;
19732 
19733 		genlmsg_end(msg, hdr);
19734 
19735 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19736 	}
19737 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19738 	return;
19739 
19740  nla_put_failure:
19741 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19742 	nlmsg_free(msg);
19743 }
19744 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19745 
19746 #ifdef CONFIG_PM
19747 static int cfg80211_net_detect_results(struct sk_buff *msg,
19748 				       struct cfg80211_wowlan_wakeup *wakeup)
19749 {
19750 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19751 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19752 	int i, j;
19753 
19754 	nl_results = nla_nest_start_noflag(msg,
19755 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19756 	if (!nl_results)
19757 		return -EMSGSIZE;
19758 
19759 	for (i = 0; i < nd->n_matches; i++) {
19760 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19761 
19762 		nl_match = nla_nest_start_noflag(msg, i);
19763 		if (!nl_match)
19764 			break;
19765 
19766 		/* The SSID attribute is optional in nl80211, but for
19767 		 * simplicity reasons it's always present in the
19768 		 * cfg80211 structure.  If a driver can't pass the
19769 		 * SSID, that needs to be changed.  A zero length SSID
19770 		 * is still a valid SSID (wildcard), so it cannot be
19771 		 * used for this purpose.
19772 		 */
19773 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19774 			    match->ssid.ssid)) {
19775 			nla_nest_cancel(msg, nl_match);
19776 			goto out;
19777 		}
19778 
19779 		if (match->n_channels) {
19780 			nl_freqs = nla_nest_start_noflag(msg,
19781 							 NL80211_ATTR_SCAN_FREQUENCIES);
19782 			if (!nl_freqs) {
19783 				nla_nest_cancel(msg, nl_match);
19784 				goto out;
19785 			}
19786 
19787 			for (j = 0; j < match->n_channels; j++) {
19788 				if (nla_put_u32(msg, j, match->channels[j])) {
19789 					nla_nest_cancel(msg, nl_freqs);
19790 					nla_nest_cancel(msg, nl_match);
19791 					goto out;
19792 				}
19793 			}
19794 
19795 			nla_nest_end(msg, nl_freqs);
19796 		}
19797 
19798 		nla_nest_end(msg, nl_match);
19799 	}
19800 
19801 out:
19802 	nla_nest_end(msg, nl_results);
19803 	return 0;
19804 }
19805 
19806 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19807 				   struct cfg80211_wowlan_wakeup *wakeup,
19808 				   gfp_t gfp)
19809 {
19810 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19811 	struct sk_buff *msg;
19812 	void *hdr;
19813 	int size = 200;
19814 
19815 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19816 
19817 	if (wakeup)
19818 		size += wakeup->packet_present_len;
19819 
19820 	msg = nlmsg_new(size, gfp);
19821 	if (!msg)
19822 		return;
19823 
19824 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19825 	if (!hdr)
19826 		goto free_msg;
19827 
19828 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19829 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19830 			      NL80211_ATTR_PAD))
19831 		goto free_msg;
19832 
19833 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19834 					wdev->netdev->ifindex))
19835 		goto free_msg;
19836 
19837 	if (wakeup) {
19838 		struct nlattr *reasons;
19839 
19840 		reasons = nla_nest_start_noflag(msg,
19841 						NL80211_ATTR_WOWLAN_TRIGGERS);
19842 		if (!reasons)
19843 			goto free_msg;
19844 
19845 		if (wakeup->disconnect &&
19846 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19847 			goto free_msg;
19848 		if (wakeup->magic_pkt &&
19849 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19850 			goto free_msg;
19851 		if (wakeup->gtk_rekey_failure &&
19852 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19853 			goto free_msg;
19854 		if (wakeup->eap_identity_req &&
19855 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19856 			goto free_msg;
19857 		if (wakeup->four_way_handshake &&
19858 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19859 			goto free_msg;
19860 		if (wakeup->rfkill_release &&
19861 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19862 			goto free_msg;
19863 
19864 		if (wakeup->pattern_idx >= 0 &&
19865 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19866 				wakeup->pattern_idx))
19867 			goto free_msg;
19868 
19869 		if (wakeup->tcp_match &&
19870 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19871 			goto free_msg;
19872 
19873 		if (wakeup->tcp_connlost &&
19874 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19875 			goto free_msg;
19876 
19877 		if (wakeup->tcp_nomoretokens &&
19878 		    nla_put_flag(msg,
19879 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19880 			goto free_msg;
19881 
19882 		if (wakeup->unprot_deauth_disassoc &&
19883 		    nla_put_flag(msg,
19884 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
19885 			goto free_msg;
19886 
19887 		if (wakeup->packet) {
19888 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19889 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19890 
19891 			if (!wakeup->packet_80211) {
19892 				pkt_attr =
19893 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19894 				len_attr =
19895 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19896 			}
19897 
19898 			if (wakeup->packet_len &&
19899 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19900 				goto free_msg;
19901 
19902 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19903 				    wakeup->packet))
19904 				goto free_msg;
19905 		}
19906 
19907 		if (wakeup->net_detect &&
19908 		    cfg80211_net_detect_results(msg, wakeup))
19909 				goto free_msg;
19910 
19911 		nla_nest_end(msg, reasons);
19912 	}
19913 
19914 	genlmsg_end(msg, hdr);
19915 
19916 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19917 				NL80211_MCGRP_MLME, gfp);
19918 	return;
19919 
19920  free_msg:
19921 	nlmsg_free(msg);
19922 }
19923 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19924 #endif
19925 
19926 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19927 				enum nl80211_tdls_operation oper,
19928 				u16 reason_code, gfp_t gfp)
19929 {
19930 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19931 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19932 	struct sk_buff *msg;
19933 	void *hdr;
19934 
19935 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19936 					 reason_code);
19937 
19938 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19939 	if (!msg)
19940 		return;
19941 
19942 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19943 	if (!hdr) {
19944 		nlmsg_free(msg);
19945 		return;
19946 	}
19947 
19948 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19949 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19950 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19951 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19952 	    (reason_code > 0 &&
19953 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19954 		goto nla_put_failure;
19955 
19956 	genlmsg_end(msg, hdr);
19957 
19958 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19959 				NL80211_MCGRP_MLME, gfp);
19960 	return;
19961 
19962  nla_put_failure:
19963 	nlmsg_free(msg);
19964 }
19965 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19966 
19967 static int nl80211_netlink_notify(struct notifier_block * nb,
19968 				  unsigned long state,
19969 				  void *_notify)
19970 {
19971 	struct netlink_notify *notify = _notify;
19972 	struct cfg80211_registered_device *rdev;
19973 	struct wireless_dev *wdev;
19974 	struct cfg80211_beacon_registration *reg, *tmp;
19975 
19976 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19977 		return NOTIFY_DONE;
19978 
19979 	rcu_read_lock();
19980 
19981 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19982 		struct cfg80211_sched_scan_request *sched_scan_req;
19983 
19984 		list_for_each_entry_rcu(sched_scan_req,
19985 					&rdev->sched_scan_req_list,
19986 					list) {
19987 			if (sched_scan_req->owner_nlportid == notify->portid) {
19988 				sched_scan_req->nl_owner_dead = true;
19989 				wiphy_work_queue(&rdev->wiphy,
19990 						 &rdev->sched_scan_stop_wk);
19991 			}
19992 		}
19993 
19994 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19995 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19996 
19997 			if (wdev->owner_nlportid == notify->portid) {
19998 				wdev->nl_owner_dead = true;
19999 				schedule_work(&rdev->destroy_work);
20000 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20001 				schedule_work(&wdev->disconnect_wk);
20002 			}
20003 
20004 			cfg80211_release_pmsr(wdev, notify->portid);
20005 		}
20006 
20007 		spin_lock_bh(&rdev->beacon_registrations_lock);
20008 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20009 					 list) {
20010 			if (reg->nlportid == notify->portid) {
20011 				list_del(&reg->list);
20012 				kfree(reg);
20013 				break;
20014 			}
20015 		}
20016 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20017 	}
20018 
20019 	rcu_read_unlock();
20020 
20021 	/*
20022 	 * It is possible that the user space process that is controlling the
20023 	 * indoor setting disappeared, so notify the regulatory core.
20024 	 */
20025 	regulatory_netlink_notify(notify->portid);
20026 	return NOTIFY_OK;
20027 }
20028 
20029 static struct notifier_block nl80211_netlink_notifier = {
20030 	.notifier_call = nl80211_netlink_notify,
20031 };
20032 
20033 void cfg80211_ft_event(struct net_device *netdev,
20034 		       struct cfg80211_ft_event_params *ft_event)
20035 {
20036 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20037 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20038 	struct sk_buff *msg;
20039 	void *hdr;
20040 
20041 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20042 
20043 	if (!ft_event->target_ap)
20044 		return;
20045 
20046 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20047 			GFP_KERNEL);
20048 	if (!msg)
20049 		return;
20050 
20051 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20052 	if (!hdr)
20053 		goto out;
20054 
20055 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20056 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20057 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20058 		goto out;
20059 
20060 	if (ft_event->ies &&
20061 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20062 		goto out;
20063 	if (ft_event->ric_ies &&
20064 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20065 		    ft_event->ric_ies))
20066 		goto out;
20067 
20068 	genlmsg_end(msg, hdr);
20069 
20070 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20071 				NL80211_MCGRP_MLME, GFP_KERNEL);
20072 	return;
20073  out:
20074 	nlmsg_free(msg);
20075 }
20076 EXPORT_SYMBOL(cfg80211_ft_event);
20077 
20078 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20079 {
20080 	struct cfg80211_registered_device *rdev;
20081 	struct sk_buff *msg;
20082 	void *hdr;
20083 	u32 nlportid;
20084 
20085 	rdev = wiphy_to_rdev(wdev->wiphy);
20086 	if (!rdev->crit_proto_nlportid)
20087 		return;
20088 
20089 	nlportid = rdev->crit_proto_nlportid;
20090 	rdev->crit_proto_nlportid = 0;
20091 
20092 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20093 	if (!msg)
20094 		return;
20095 
20096 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20097 	if (!hdr)
20098 		goto nla_put_failure;
20099 
20100 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20101 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20102 			      NL80211_ATTR_PAD))
20103 		goto nla_put_failure;
20104 
20105 	genlmsg_end(msg, hdr);
20106 
20107 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20108 	return;
20109 
20110  nla_put_failure:
20111 	nlmsg_free(msg);
20112 }
20113 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20114 
20115 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20116 {
20117 	struct wiphy *wiphy = wdev->wiphy;
20118 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20119 	struct sk_buff *msg;
20120 	void *hdr;
20121 
20122 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20123 	if (!msg)
20124 		return;
20125 
20126 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20127 	if (!hdr)
20128 		goto out;
20129 
20130 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20131 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20132 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20133 			      NL80211_ATTR_PAD) ||
20134 	    (wdev->valid_links &&
20135 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20136 		goto out;
20137 
20138 	genlmsg_end(msg, hdr);
20139 
20140 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20141 				NL80211_MCGRP_MLME, GFP_KERNEL);
20142 	return;
20143  out:
20144 	nlmsg_free(msg);
20145 }
20146 
20147 int cfg80211_external_auth_request(struct net_device *dev,
20148 				   struct cfg80211_external_auth_params *params,
20149 				   gfp_t gfp)
20150 {
20151 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20152 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20153 	struct sk_buff *msg;
20154 	void *hdr;
20155 
20156 	if (!wdev->conn_owner_nlportid)
20157 		return -EINVAL;
20158 
20159 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20160 	if (!msg)
20161 		return -ENOMEM;
20162 
20163 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20164 	if (!hdr)
20165 		goto nla_put_failure;
20166 
20167 	/* Some historical mistakes in drivers <-> userspace interface (notably
20168 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20169 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20170 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20171 	 * benefit of older wpa_supplicant versions, send this particular value
20172 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20173 	 * particular value in big endian still, so it all continues to work.
20174 	 */
20175 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20176 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20177 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20178 			goto nla_put_failure;
20179 	} else {
20180 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20181 				params->key_mgmt_suite))
20182 			goto nla_put_failure;
20183 	}
20184 
20185 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20186 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20187 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20188 			params->action) ||
20189 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20190 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20191 		    params->ssid.ssid) ||
20192 	    (!is_zero_ether_addr(params->mld_addr) &&
20193 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20194 		goto nla_put_failure;
20195 
20196 	genlmsg_end(msg, hdr);
20197 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20198 			wdev->conn_owner_nlportid);
20199 	return 0;
20200 
20201  nla_put_failure:
20202 	nlmsg_free(msg);
20203 	return -ENOBUFS;
20204 }
20205 EXPORT_SYMBOL(cfg80211_external_auth_request);
20206 
20207 void cfg80211_update_owe_info_event(struct net_device *netdev,
20208 				    struct cfg80211_update_owe_info *owe_info,
20209 				    gfp_t gfp)
20210 {
20211 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20212 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20213 	struct sk_buff *msg;
20214 	void *hdr;
20215 
20216 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20217 
20218 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20219 	if (!msg)
20220 		return;
20221 
20222 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20223 	if (!hdr)
20224 		goto nla_put_failure;
20225 
20226 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20227 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20228 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20229 		goto nla_put_failure;
20230 
20231 	if (!owe_info->ie_len ||
20232 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20233 		goto nla_put_failure;
20234 
20235 	if (owe_info->assoc_link_id != -1) {
20236 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20237 			       owe_info->assoc_link_id))
20238 			goto nla_put_failure;
20239 
20240 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20241 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20242 			    owe_info->peer_mld_addr))
20243 			goto nla_put_failure;
20244 	}
20245 
20246 	genlmsg_end(msg, hdr);
20247 
20248 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20249 				NL80211_MCGRP_MLME, gfp);
20250 	return;
20251 
20252 nla_put_failure:
20253 	genlmsg_cancel(msg, hdr);
20254 	nlmsg_free(msg);
20255 }
20256 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20257 
20258 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20259 {
20260 	struct wiphy *wiphy = wdev->wiphy;
20261 
20262 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20263 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20264 	    (wiphy_ext_feature_isset(wiphy,
20265 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20266 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20267 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20268 		reg_check_channels();
20269 }
20270 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20271 
20272 /* initialisation/exit functions */
20273 
20274 int __init nl80211_init(void)
20275 {
20276 	int err;
20277 
20278 	err = genl_register_family(&nl80211_fam);
20279 	if (err)
20280 		return err;
20281 
20282 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20283 	if (err)
20284 		goto err_out;
20285 
20286 	return 0;
20287  err_out:
20288 	genl_unregister_family(&nl80211_fam);
20289 	return err;
20290 }
20291 
20292 void nl80211_exit(void)
20293 {
20294 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20295 	genl_unregister_family(&nl80211_fam);
20296 }
20297