xref: /linux/net/wireless/nl80211.c (revision 3ba84ac69b53e6ee07c31d54554e00793d7b144f) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
319 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
320 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
466 	.min = 0,
467 	.max = 0xffff,
468 };
469 
470 static const struct netlink_range_validation q_range = {
471 	.max = INT_MAX,
472 };
473 
474 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
475 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
476 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
477 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
478 				      .len = 20-1 },
479 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
480 
481 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
482 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
484 						NL80211_EDMG_CHANNELS_MIN,
485 						NL80211_EDMG_CHANNELS_MAX),
486 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
487 						NL80211_EDMG_BW_CONFIG_MIN,
488 						NL80211_EDMG_BW_CONFIG_MAX),
489 
490 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
491 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
492 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
493 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
494 
495 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
496 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
497 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
498 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
499 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
500 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
501 
502 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
503 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
504 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
505 
506 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
507 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
508 
509 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
510 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
511 				    .len = WLAN_MAX_KEY_LEN },
512 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
513 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
514 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
515 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
516 	[NL80211_ATTR_KEY_TYPE] =
517 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
518 
519 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
520 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
521 	[NL80211_ATTR_BEACON_HEAD] =
522 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
523 				       IEEE80211_MAX_DATA_LEN),
524 	[NL80211_ATTR_BEACON_TAIL] =
525 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
526 				       IEEE80211_MAX_DATA_LEN),
527 	[NL80211_ATTR_STA_AID] =
528 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
529 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
530 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
531 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
532 					       .len = NL80211_MAX_SUPP_RATES },
533 	[NL80211_ATTR_STA_PLINK_ACTION] =
534 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
535 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
536 		NLA_POLICY_RANGE(NLA_U8,
537 				 NL80211_TX_POWER_AUTOMATIC,
538 				 NL80211_TX_POWER_FIXED),
539 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
540 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
541 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
542 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
543 				   .len = IEEE80211_MAX_MESH_ID_LEN },
544 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
545 
546 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
547 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
548 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
549 
550 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
551 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
552 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
553 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
554 					   .len = NL80211_MAX_SUPP_RATES },
555 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
556 
557 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
558 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
559 
560 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
561 
562 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
563 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
564 						   validate_ie_attr,
565 						   IEEE80211_MAX_DATA_LEN),
566 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
567 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
568 
569 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
570 				.len = IEEE80211_MAX_SSID_LEN },
571 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
572 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
573 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
575 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
576 						  NL80211_MFP_NO,
577 						  NL80211_MFP_OPTIONAL),
578 	[NL80211_ATTR_STA_FLAGS2] =
579 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
580 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
583 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
584 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
585 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
586 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
587 	[NL80211_ATTR_WPA_VERSIONS] =
588 		NLA_POLICY_RANGE(NLA_U32, 0,
589 				 NL80211_WPA_VERSION_1 |
590 				 NL80211_WPA_VERSION_2 |
591 				 NL80211_WPA_VERSION_3),
592 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
593 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
594 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
595 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
596 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
597 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
599 				 .len = IEEE80211_MAX_DATA_LEN },
600 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
601 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
602 						   NL80211_PS_DISABLED,
603 						   NL80211_PS_ENABLED),
604 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
605 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
606 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
607 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
608 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
609 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
610 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
611 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
612 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
613 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
615 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_STA_PLINK_STATE] =
617 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
618 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
619 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_MESH_PEER_AID] =
621 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
622 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
623 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
624 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
625 	[NL80211_ATTR_HIDDEN_SSID] =
626 		NLA_POLICY_RANGE(NLA_U32,
627 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
628 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
629 	[NL80211_ATTR_IE_PROBE_RESP] =
630 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
631 				       IEEE80211_MAX_DATA_LEN),
632 	[NL80211_ATTR_IE_ASSOC_RESP] =
633 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
634 				       IEEE80211_MAX_DATA_LEN),
635 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
637 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
638 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
640 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
641 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
642 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
643 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
644 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
645 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
646 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
647 				      .len = IEEE80211_MAX_DATA_LEN },
648 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
649 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
650 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
651 		.len = NL80211_HT_CAPABILITY_LEN
652 	},
653 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
654 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
655 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
656 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
657 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
658 
659 	/* need to include at least Auth Transaction and Status Code */
660 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
661 
662 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
663 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
664 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
665 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
666 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
667 		NLA_POLICY_RANGE(NLA_U32,
668 				 NL80211_MESH_POWER_UNKNOWN + 1,
669 				 NL80211_MESH_POWER_MAX),
670 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
671 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
672 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
673 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
674 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
675 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
677 		.len = NL80211_VHT_CAPABILITY_LEN,
678 	},
679 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
680 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
681 				  .len = IEEE80211_MAX_DATA_LEN },
682 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
683 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
684 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
685 	[NL80211_ATTR_PEER_AID] =
686 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
687 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
688 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
689 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
690 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
691 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
692 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
693 	/*
694 	 * The value of the Length field of the Supported Operating
695 	 * Classes element is between 2 and 253.
696 	 */
697 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
698 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
699 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
700 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
701 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
702 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
704 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
705 						  IEEE80211_QOS_MAP_LEN_MIN,
706 						  IEEE80211_QOS_MAP_LEN_MAX),
707 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
708 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
709 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
710 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
712 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
713 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
714 	[NL80211_ATTR_USER_PRIO] =
715 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
716 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
717 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
718 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
719 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
720 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
721 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
722 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
723 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
724 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
725 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
726 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
727 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
728 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
729 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
730 	},
731 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
732 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
733 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
734 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
735 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
736 				    .len = FILS_MAX_KEK_LEN },
737 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
738 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
739 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
740 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
741 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
742 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
743 	},
744 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
745 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
746 					     .len = FILS_ERP_MAX_USERNAME_LEN },
747 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
748 					  .len = FILS_ERP_MAX_REALM_LEN },
749 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
750 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
751 					.len = FILS_ERP_MAX_RRK_LEN },
752 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
753 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
754 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
755 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
756 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
757 
758 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
759 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
760 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
761 	[NL80211_ATTR_HE_CAPABILITY] =
762 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
763 				       NL80211_HE_MAX_CAPABILITY_LEN),
764 	[NL80211_ATTR_FTM_RESPONDER] =
765 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
766 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
767 	[NL80211_ATTR_PEER_MEASUREMENTS] =
768 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
769 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
770 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
771 					.len = SAE_PASSWORD_MAX_LEN },
772 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
773 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
774 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
775 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
776 	[NL80211_ATTR_TID_CONFIG] =
777 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
778 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
779 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
780 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
781 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
782 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
783 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
784 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
785 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
786 	[NL80211_ATTR_FILS_DISCOVERY] =
787 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
788 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
789 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
790 	[NL80211_ATTR_S1G_CAPABILITY] =
791 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
792 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
793 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
794 	[NL80211_ATTR_SAE_PWE] =
795 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
796 				 NL80211_SAE_PWE_BOTH),
797 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
798 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
799 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
800 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
801 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
802 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
803 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
804 	[NL80211_ATTR_MBSSID_CONFIG] =
805 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
806 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
807 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
808 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
809 	[NL80211_ATTR_EHT_CAPABILITY] =
810 		NLA_POLICY_RANGE(NLA_BINARY,
811 				 NL80211_EHT_MIN_CAPABILITY_LEN,
812 				 NL80211_EHT_MAX_CAPABILITY_LEN),
813 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
814 	[NL80211_ATTR_MLO_LINKS] =
815 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
816 	[NL80211_ATTR_MLO_LINK_ID] =
817 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
818 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
819 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
820 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
821 	[NL80211_ATTR_PUNCT_BITMAP] =
822 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
823 
824 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
825 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
826 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
827 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
828 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
829 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
830 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
831 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
832 };
833 
834 /* policy for the key attributes */
835 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
836 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
837 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
838 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
839 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
840 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
841 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
842 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
843 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
844 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
845 };
846 
847 /* policy for the key default flags */
848 static const struct nla_policy
849 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
850 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
851 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
852 };
853 
854 #ifdef CONFIG_PM
855 /* policy for WoWLAN attributes */
856 static const struct nla_policy
857 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
858 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
859 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
860 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
861 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
862 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
863 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
864 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
865 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
866 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
867 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
868 };
869 
870 static const struct nla_policy
871 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
872 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
873 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
874 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
875 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
876 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
877 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
878 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
879 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
880 	},
881 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
882 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
883 	},
884 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
885 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
886 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
887 };
888 #endif /* CONFIG_PM */
889 
890 /* policy for coalesce rule attributes */
891 static const struct nla_policy
892 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
893 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
894 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
895 		NLA_POLICY_RANGE(NLA_U32,
896 				 NL80211_COALESCE_CONDITION_MATCH,
897 				 NL80211_COALESCE_CONDITION_NO_MATCH),
898 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
899 };
900 
901 /* policy for GTK rekey offload attributes */
902 static const struct nla_policy
903 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
904 	[NL80211_REKEY_DATA_KEK] = {
905 		.type = NLA_BINARY,
906 		.len = NL80211_KEK_EXT_LEN
907 	},
908 	[NL80211_REKEY_DATA_KCK] = {
909 		.type = NLA_BINARY,
910 		.len = NL80211_KCK_EXT_LEN_32
911 	},
912 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
913 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
914 };
915 
916 static const struct nla_policy
917 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
918 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
919 						 .len = IEEE80211_MAX_SSID_LEN },
920 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
921 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
922 };
923 
924 static const struct nla_policy
925 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
926 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
927 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
928 };
929 
930 static const struct nla_policy
931 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
932 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
933 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
934 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
935 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
936 	},
937 };
938 
939 /* policy for NAN function attributes */
940 static const struct nla_policy
941 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
942 	[NL80211_NAN_FUNC_TYPE] =
943 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
944 	[NL80211_NAN_FUNC_SERVICE_ID] = {
945 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
946 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
948 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
949 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
950 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
951 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
952 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
953 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
954 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
955 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
956 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
957 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
958 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
959 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
960 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
961 };
962 
963 /* policy for Service Response Filter attributes */
964 static const struct nla_policy
965 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
966 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
967 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
968 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
969 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
970 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
971 };
972 
973 /* policy for packet pattern attributes */
974 static const struct nla_policy
975 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
976 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
977 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
978 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
979 };
980 
981 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
982 				     struct cfg80211_registered_device **rdev,
983 				     struct wireless_dev **wdev,
984 				     struct nlattr **attrbuf)
985 {
986 	int err;
987 
988 	if (!cb->args[0]) {
989 		struct nlattr **attrbuf_free = NULL;
990 
991 		if (!attrbuf) {
992 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
993 					  GFP_KERNEL);
994 			if (!attrbuf)
995 				return -ENOMEM;
996 			attrbuf_free = attrbuf;
997 		}
998 
999 		err = nlmsg_parse_deprecated(cb->nlh,
1000 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1001 					     attrbuf, nl80211_fam.maxattr,
1002 					     nl80211_policy, NULL);
1003 		if (err) {
1004 			kfree(attrbuf_free);
1005 			return err;
1006 		}
1007 
1008 		rtnl_lock();
1009 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1010 						   attrbuf);
1011 		kfree(attrbuf_free);
1012 		if (IS_ERR(*wdev)) {
1013 			rtnl_unlock();
1014 			return PTR_ERR(*wdev);
1015 		}
1016 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1017 		mutex_lock(&(*rdev)->wiphy.mtx);
1018 		rtnl_unlock();
1019 		/* 0 is the first index - add 1 to parse only once */
1020 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1021 		cb->args[1] = (*wdev)->identifier;
1022 	} else {
1023 		/* subtract the 1 again here */
1024 		struct wiphy *wiphy;
1025 		struct wireless_dev *tmp;
1026 
1027 		rtnl_lock();
1028 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1029 		if (!wiphy) {
1030 			rtnl_unlock();
1031 			return -ENODEV;
1032 		}
1033 		*rdev = wiphy_to_rdev(wiphy);
1034 		*wdev = NULL;
1035 
1036 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1037 			if (tmp->identifier == cb->args[1]) {
1038 				*wdev = tmp;
1039 				break;
1040 			}
1041 		}
1042 
1043 		if (!*wdev) {
1044 			rtnl_unlock();
1045 			return -ENODEV;
1046 		}
1047 		mutex_lock(&(*rdev)->wiphy.mtx);
1048 		rtnl_unlock();
1049 	}
1050 
1051 	return 0;
1052 }
1053 
1054 /* message building helper */
1055 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1056 		     int flags, u8 cmd)
1057 {
1058 	/* since there is no private header just add the generic one */
1059 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1060 }
1061 
1062 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1063 				     const struct ieee80211_reg_rule *rule)
1064 {
1065 	int j;
1066 	struct nlattr *nl_wmm_rules =
1067 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1068 
1069 	if (!nl_wmm_rules)
1070 		goto nla_put_failure;
1071 
1072 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1073 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1074 
1075 		if (!nl_wmm_rule)
1076 			goto nla_put_failure;
1077 
1078 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1079 				rule->wmm_rule.client[j].cw_min) ||
1080 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1081 				rule->wmm_rule.client[j].cw_max) ||
1082 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1083 			       rule->wmm_rule.client[j].aifsn) ||
1084 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1085 			        rule->wmm_rule.client[j].cot))
1086 			goto nla_put_failure;
1087 
1088 		nla_nest_end(msg, nl_wmm_rule);
1089 	}
1090 	nla_nest_end(msg, nl_wmm_rules);
1091 
1092 	return 0;
1093 
1094 nla_put_failure:
1095 	return -ENOBUFS;
1096 }
1097 
1098 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1099 				   struct ieee80211_channel *chan,
1100 				   bool large)
1101 {
1102 	/* Some channels must be completely excluded from the
1103 	 * list to protect old user-space tools from breaking
1104 	 */
1105 	if (!large && chan->flags &
1106 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1107 		return 0;
1108 	if (!large && chan->freq_offset)
1109 		return 0;
1110 
1111 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1112 			chan->center_freq))
1113 		goto nla_put_failure;
1114 
1115 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1116 		goto nla_put_failure;
1117 
1118 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1119 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1120 		goto nla_put_failure;
1121 
1122 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1123 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1124 		goto nla_put_failure;
1125 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1126 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1127 			goto nla_put_failure;
1128 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1129 			goto nla_put_failure;
1130 	}
1131 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1132 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1133 			goto nla_put_failure;
1134 		if (large) {
1135 			u32 time;
1136 
1137 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1138 
1139 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1140 					chan->dfs_state))
1141 				goto nla_put_failure;
1142 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1143 					time))
1144 				goto nla_put_failure;
1145 			if (nla_put_u32(msg,
1146 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1147 					chan->dfs_cac_ms))
1148 				goto nla_put_failure;
1149 		}
1150 	}
1151 
1152 	if (large) {
1153 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1154 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1155 			goto nla_put_failure;
1156 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1157 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1158 			goto nla_put_failure;
1159 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1160 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1161 			goto nla_put_failure;
1162 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1163 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1164 			goto nla_put_failure;
1165 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1166 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1167 			goto nla_put_failure;
1168 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1169 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1170 			goto nla_put_failure;
1171 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1172 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1173 			goto nla_put_failure;
1174 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1175 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1176 			goto nla_put_failure;
1177 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1178 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1179 			goto nla_put_failure;
1180 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1181 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1182 			goto nla_put_failure;
1183 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1184 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1185 			goto nla_put_failure;
1186 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1187 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1188 			goto nla_put_failure;
1189 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1190 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1191 			goto nla_put_failure;
1192 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1193 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1194 			goto nla_put_failure;
1195 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1196 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1197 			goto nla_put_failure;
1198 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1199 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1200 			goto nla_put_failure;
1201 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1202 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1203 			goto nla_put_failure;
1204 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1205 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1206 			goto nla_put_failure;
1207 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1208 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1209 			goto nla_put_failure;
1210 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1211 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1212 			goto nla_put_failure;
1213 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1214 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1215 			goto nla_put_failure;
1216 	}
1217 
1218 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1219 			DBM_TO_MBM(chan->max_power)))
1220 		goto nla_put_failure;
1221 
1222 	if (large) {
1223 		const struct ieee80211_reg_rule *rule =
1224 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1225 
1226 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1227 			if (nl80211_msg_put_wmm_rules(msg, rule))
1228 				goto nla_put_failure;
1229 		}
1230 	}
1231 
1232 	return 0;
1233 
1234  nla_put_failure:
1235 	return -ENOBUFS;
1236 }
1237 
1238 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1239 				  struct cfg80211_txq_stats *txqstats,
1240 				  int attrtype)
1241 {
1242 	struct nlattr *txqattr;
1243 
1244 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1245 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1246 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1247 		return false;						  \
1248 	} while (0)
1249 
1250 	txqattr = nla_nest_start_noflag(msg, attrtype);
1251 	if (!txqattr)
1252 		return false;
1253 
1254 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1255 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1256 	PUT_TXQVAL_U32(FLOWS, flows);
1257 	PUT_TXQVAL_U32(DROPS, drops);
1258 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1259 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1260 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1261 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1262 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1263 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1264 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1265 	nla_nest_end(msg, txqattr);
1266 
1267 #undef PUT_TXQVAL_U32
1268 	return true;
1269 }
1270 
1271 /* netlink command implementations */
1272 
1273 /**
1274  * nl80211_link_id - return link ID
1275  * @attrs: attributes to look at
1276  *
1277  * Returns: the link ID or 0 if not given
1278  *
1279  * Note this function doesn't do any validation of the link
1280  * ID validity wrt. links that were actually added, so it must
1281  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1282  * or if additional validation is done.
1283  */
1284 static unsigned int nl80211_link_id(struct nlattr **attrs)
1285 {
1286 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1287 
1288 	if (!linkid)
1289 		return 0;
1290 
1291 	return nla_get_u8(linkid);
1292 }
1293 
1294 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1295 {
1296 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1297 
1298 	if (!linkid)
1299 		return -1;
1300 
1301 	return nla_get_u8(linkid);
1302 }
1303 
1304 struct key_parse {
1305 	struct key_params p;
1306 	int idx;
1307 	int type;
1308 	bool def, defmgmt, defbeacon;
1309 	bool def_uni, def_multi;
1310 };
1311 
1312 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1313 				 struct key_parse *k)
1314 {
1315 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1316 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1317 					      nl80211_key_policy,
1318 					      info->extack);
1319 	if (err)
1320 		return err;
1321 
1322 	k->def = !!tb[NL80211_KEY_DEFAULT];
1323 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1324 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1325 
1326 	if (k->def) {
1327 		k->def_uni = true;
1328 		k->def_multi = true;
1329 	}
1330 	if (k->defmgmt || k->defbeacon)
1331 		k->def_multi = true;
1332 
1333 	if (tb[NL80211_KEY_IDX])
1334 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1335 
1336 	if (tb[NL80211_KEY_DATA]) {
1337 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1338 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1339 	}
1340 
1341 	if (tb[NL80211_KEY_SEQ]) {
1342 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1343 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1344 	}
1345 
1346 	if (tb[NL80211_KEY_CIPHER])
1347 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1348 
1349 	if (tb[NL80211_KEY_TYPE])
1350 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1351 
1352 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1353 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1354 
1355 		err = nla_parse_nested_deprecated(kdt,
1356 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1357 						  tb[NL80211_KEY_DEFAULT_TYPES],
1358 						  nl80211_key_default_policy,
1359 						  info->extack);
1360 		if (err)
1361 			return err;
1362 
1363 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1364 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1365 	}
1366 
1367 	if (tb[NL80211_KEY_MODE])
1368 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1369 
1370 	return 0;
1371 }
1372 
1373 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1374 {
1375 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1376 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1377 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1378 	}
1379 
1380 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1381 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1382 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1383 	}
1384 
1385 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1386 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1387 
1388 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1389 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1390 
1391 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1392 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1393 
1394 	if (k->def) {
1395 		k->def_uni = true;
1396 		k->def_multi = true;
1397 	}
1398 	if (k->defmgmt)
1399 		k->def_multi = true;
1400 
1401 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1402 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1403 
1404 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1405 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1406 		int err = nla_parse_nested_deprecated(kdt,
1407 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1408 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1409 						      nl80211_key_default_policy,
1410 						      info->extack);
1411 		if (err)
1412 			return err;
1413 
1414 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1415 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1416 	}
1417 
1418 	return 0;
1419 }
1420 
1421 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1422 {
1423 	int err;
1424 
1425 	memset(k, 0, sizeof(*k));
1426 	k->idx = -1;
1427 	k->type = -1;
1428 
1429 	if (info->attrs[NL80211_ATTR_KEY])
1430 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1431 	else
1432 		err = nl80211_parse_key_old(info, k);
1433 
1434 	if (err)
1435 		return err;
1436 
1437 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1438 	    (k->defbeacon ? 1 : 0) > 1) {
1439 		GENL_SET_ERR_MSG(info,
1440 				 "key with multiple default flags is invalid");
1441 		return -EINVAL;
1442 	}
1443 
1444 	if (k->defmgmt || k->defbeacon) {
1445 		if (k->def_uni || !k->def_multi) {
1446 			GENL_SET_ERR_MSG(info,
1447 					 "defmgmt/defbeacon key must be mcast");
1448 			return -EINVAL;
1449 		}
1450 	}
1451 
1452 	if (k->idx != -1) {
1453 		if (k->defmgmt) {
1454 			if (k->idx < 4 || k->idx > 5) {
1455 				GENL_SET_ERR_MSG(info,
1456 						 "defmgmt key idx not 4 or 5");
1457 				return -EINVAL;
1458 			}
1459 		} else if (k->defbeacon) {
1460 			if (k->idx < 6 || k->idx > 7) {
1461 				GENL_SET_ERR_MSG(info,
1462 						 "defbeacon key idx not 6 or 7");
1463 				return -EINVAL;
1464 			}
1465 		} else if (k->def) {
1466 			if (k->idx < 0 || k->idx > 3) {
1467 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1468 				return -EINVAL;
1469 			}
1470 		} else {
1471 			if (k->idx < 0 || k->idx > 7) {
1472 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1473 				return -EINVAL;
1474 			}
1475 		}
1476 	}
1477 
1478 	return 0;
1479 }
1480 
1481 static struct cfg80211_cached_keys *
1482 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1483 		       struct genl_info *info, bool *no_ht)
1484 {
1485 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1486 	struct key_parse parse;
1487 	struct nlattr *key;
1488 	struct cfg80211_cached_keys *result;
1489 	int rem, err, def = 0;
1490 	bool have_key = false;
1491 
1492 	nla_for_each_nested(key, keys, rem) {
1493 		have_key = true;
1494 		break;
1495 	}
1496 
1497 	if (!have_key)
1498 		return NULL;
1499 
1500 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1501 	if (!result)
1502 		return ERR_PTR(-ENOMEM);
1503 
1504 	result->def = -1;
1505 
1506 	nla_for_each_nested(key, keys, rem) {
1507 		memset(&parse, 0, sizeof(parse));
1508 		parse.idx = -1;
1509 
1510 		err = nl80211_parse_key_new(info, key, &parse);
1511 		if (err)
1512 			goto error;
1513 		err = -EINVAL;
1514 		if (!parse.p.key)
1515 			goto error;
1516 		if (parse.idx < 0 || parse.idx > 3) {
1517 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1518 			goto error;
1519 		}
1520 		if (parse.def) {
1521 			if (def) {
1522 				GENL_SET_ERR_MSG(info,
1523 						 "only one key can be default");
1524 				goto error;
1525 			}
1526 			def = 1;
1527 			result->def = parse.idx;
1528 			if (!parse.def_uni || !parse.def_multi)
1529 				goto error;
1530 		} else if (parse.defmgmt)
1531 			goto error;
1532 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1533 						     parse.idx, false, NULL);
1534 		if (err)
1535 			goto error;
1536 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1537 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1538 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1539 			err = -EINVAL;
1540 			goto error;
1541 		}
1542 		result->params[parse.idx].cipher = parse.p.cipher;
1543 		result->params[parse.idx].key_len = parse.p.key_len;
1544 		result->params[parse.idx].key = result->data[parse.idx];
1545 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1546 
1547 		/* must be WEP key if we got here */
1548 		if (no_ht)
1549 			*no_ht = true;
1550 	}
1551 
1552 	if (result->def < 0) {
1553 		err = -EINVAL;
1554 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1555 		goto error;
1556 	}
1557 
1558 	return result;
1559  error:
1560 	kfree(result);
1561 	return ERR_PTR(err);
1562 }
1563 
1564 static int nl80211_key_allowed(struct wireless_dev *wdev)
1565 {
1566 	lockdep_assert_wiphy(wdev->wiphy);
1567 
1568 	switch (wdev->iftype) {
1569 	case NL80211_IFTYPE_AP:
1570 	case NL80211_IFTYPE_AP_VLAN:
1571 	case NL80211_IFTYPE_P2P_GO:
1572 	case NL80211_IFTYPE_MESH_POINT:
1573 		break;
1574 	case NL80211_IFTYPE_ADHOC:
1575 		if (wdev->u.ibss.current_bss)
1576 			return 0;
1577 		return -ENOLINK;
1578 	case NL80211_IFTYPE_STATION:
1579 	case NL80211_IFTYPE_P2P_CLIENT:
1580 		if (wdev->connected)
1581 			return 0;
1582 		return -ENOLINK;
1583 	case NL80211_IFTYPE_NAN:
1584 		if (wiphy_ext_feature_isset(wdev->wiphy,
1585 					    NL80211_EXT_FEATURE_SECURE_NAN))
1586 			return 0;
1587 		return -EINVAL;
1588 	case NL80211_IFTYPE_UNSPECIFIED:
1589 	case NL80211_IFTYPE_OCB:
1590 	case NL80211_IFTYPE_MONITOR:
1591 	case NL80211_IFTYPE_P2P_DEVICE:
1592 	case NL80211_IFTYPE_WDS:
1593 	case NUM_NL80211_IFTYPES:
1594 		return -EINVAL;
1595 	}
1596 
1597 	return 0;
1598 }
1599 
1600 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1601 							u32 freq)
1602 {
1603 	struct ieee80211_channel *chan;
1604 
1605 	chan = ieee80211_get_channel_khz(wiphy, freq);
1606 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1607 		return NULL;
1608 	return chan;
1609 }
1610 
1611 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1612 {
1613 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1614 	int i;
1615 
1616 	if (!nl_modes)
1617 		goto nla_put_failure;
1618 
1619 	i = 0;
1620 	while (ifmodes) {
1621 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1622 			goto nla_put_failure;
1623 		ifmodes >>= 1;
1624 		i++;
1625 	}
1626 
1627 	nla_nest_end(msg, nl_modes);
1628 	return 0;
1629 
1630 nla_put_failure:
1631 	return -ENOBUFS;
1632 }
1633 
1634 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1635 				   const struct ieee80211_iface_combination *c,
1636 				   u16 nested)
1637 {
1638 	struct nlattr *nl_combi, *nl_limits;
1639 	int i;
1640 
1641 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1642 	if (!nl_combi)
1643 		goto nla_put_failure;
1644 
1645 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1646 					       nested);
1647 	if (!nl_limits)
1648 		goto nla_put_failure;
1649 
1650 	for (i = 0; i < c->n_limits; i++) {
1651 		struct nlattr *nl_limit;
1652 
1653 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1654 		if (!nl_limit)
1655 			goto nla_put_failure;
1656 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1657 			goto nla_put_failure;
1658 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1659 					c->limits[i].types))
1660 			goto nla_put_failure;
1661 		nla_nest_end(msg, nl_limit);
1662 	}
1663 
1664 	nla_nest_end(msg, nl_limits);
1665 
1666 	if (c->beacon_int_infra_match &&
1667 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1668 		goto nla_put_failure;
1669 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1670 			c->num_different_channels) ||
1671 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1672 			c->max_interfaces))
1673 		goto nla_put_failure;
1674 	if (large &&
1675 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1676 			c->radar_detect_widths) ||
1677 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1678 			c->radar_detect_regions)))
1679 		goto nla_put_failure;
1680 	if (c->beacon_int_min_gcd &&
1681 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1682 			c->beacon_int_min_gcd))
1683 		goto nla_put_failure;
1684 
1685 	nla_nest_end(msg, nl_combi);
1686 
1687 	return 0;
1688 nla_put_failure:
1689 	return -ENOBUFS;
1690 }
1691 
1692 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1693 					  struct sk_buff *msg,
1694 					  int attr, int radio,
1695 					  bool large, u16 nested)
1696 {
1697 	const struct ieee80211_iface_combination *c;
1698 	struct nlattr *nl_combis;
1699 	int i, n;
1700 
1701 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1702 	if (!nl_combis)
1703 		goto nla_put_failure;
1704 
1705 	if (radio >= 0) {
1706 		c = wiphy->radio[0].iface_combinations;
1707 		n = wiphy->radio[0].n_iface_combinations;
1708 	} else {
1709 		c = wiphy->iface_combinations;
1710 		n = wiphy->n_iface_combinations;
1711 	}
1712 	for (i = 0; i < n; i++)
1713 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1714 			goto nla_put_failure;
1715 
1716 	nla_nest_end(msg, nl_combis);
1717 
1718 	return 0;
1719 nla_put_failure:
1720 	return -ENOBUFS;
1721 }
1722 
1723 #ifdef CONFIG_PM
1724 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1725 					struct sk_buff *msg)
1726 {
1727 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1728 	struct nlattr *nl_tcp;
1729 
1730 	if (!tcp)
1731 		return 0;
1732 
1733 	nl_tcp = nla_nest_start_noflag(msg,
1734 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1735 	if (!nl_tcp)
1736 		return -ENOBUFS;
1737 
1738 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1739 			tcp->data_payload_max))
1740 		return -ENOBUFS;
1741 
1742 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1743 			tcp->data_payload_max))
1744 		return -ENOBUFS;
1745 
1746 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1747 		return -ENOBUFS;
1748 
1749 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1750 				sizeof(*tcp->tok), tcp->tok))
1751 		return -ENOBUFS;
1752 
1753 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1754 			tcp->data_interval_max))
1755 		return -ENOBUFS;
1756 
1757 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1758 			tcp->wake_payload_max))
1759 		return -ENOBUFS;
1760 
1761 	nla_nest_end(msg, nl_tcp);
1762 	return 0;
1763 }
1764 
1765 static int nl80211_send_wowlan(struct sk_buff *msg,
1766 			       struct cfg80211_registered_device *rdev,
1767 			       bool large)
1768 {
1769 	struct nlattr *nl_wowlan;
1770 
1771 	if (!rdev->wiphy.wowlan)
1772 		return 0;
1773 
1774 	nl_wowlan = nla_nest_start_noflag(msg,
1775 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1776 	if (!nl_wowlan)
1777 		return -ENOBUFS;
1778 
1779 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1780 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1781 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1782 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1783 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1784 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1785 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1786 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1787 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1788 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1789 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1790 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1791 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1792 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1793 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1794 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1795 		return -ENOBUFS;
1796 
1797 	if (rdev->wiphy.wowlan->n_patterns) {
1798 		struct nl80211_pattern_support pat = {
1799 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1800 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1801 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1802 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1803 		};
1804 
1805 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1806 			    sizeof(pat), &pat))
1807 			return -ENOBUFS;
1808 	}
1809 
1810 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1811 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1812 			rdev->wiphy.wowlan->max_nd_match_sets))
1813 		return -ENOBUFS;
1814 
1815 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1816 		return -ENOBUFS;
1817 
1818 	nla_nest_end(msg, nl_wowlan);
1819 
1820 	return 0;
1821 }
1822 #endif
1823 
1824 static int nl80211_send_coalesce(struct sk_buff *msg,
1825 				 struct cfg80211_registered_device *rdev)
1826 {
1827 	struct nl80211_coalesce_rule_support rule;
1828 
1829 	if (!rdev->wiphy.coalesce)
1830 		return 0;
1831 
1832 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1833 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1834 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1835 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1836 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1837 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1838 
1839 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1840 		return -ENOBUFS;
1841 
1842 	return 0;
1843 }
1844 
1845 static int
1846 nl80211_send_iftype_data(struct sk_buff *msg,
1847 			 const struct ieee80211_supported_band *sband,
1848 			 const struct ieee80211_sband_iftype_data *iftdata)
1849 {
1850 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1851 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1852 
1853 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1854 				iftdata->types_mask))
1855 		return -ENOBUFS;
1856 
1857 	if (he_cap->has_he) {
1858 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1859 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1860 			    he_cap->he_cap_elem.mac_cap_info) ||
1861 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1862 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1863 			    he_cap->he_cap_elem.phy_cap_info) ||
1864 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1865 			    sizeof(he_cap->he_mcs_nss_supp),
1866 			    &he_cap->he_mcs_nss_supp) ||
1867 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1868 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1869 			return -ENOBUFS;
1870 	}
1871 
1872 	if (eht_cap->has_eht && he_cap->has_he) {
1873 		u8 mcs_nss_size, ppe_thresh_size;
1874 		u16 ppe_thres_hdr;
1875 		bool is_ap;
1876 
1877 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1878 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1879 
1880 		mcs_nss_size =
1881 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1882 						   &eht_cap->eht_cap_elem,
1883 						   is_ap);
1884 
1885 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1886 		ppe_thresh_size =
1887 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1888 					       eht_cap->eht_cap_elem.phy_cap_info);
1889 
1890 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1891 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1892 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1893 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1894 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1895 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1896 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1897 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1898 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1899 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1900 			return -ENOBUFS;
1901 	}
1902 
1903 	if (sband->band == NL80211_BAND_6GHZ &&
1904 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1905 		    sizeof(iftdata->he_6ghz_capa),
1906 		    &iftdata->he_6ghz_capa))
1907 		return -ENOBUFS;
1908 
1909 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1910 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1911 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1912 		return -ENOBUFS;
1913 
1914 	return 0;
1915 }
1916 
1917 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1918 				      struct ieee80211_supported_band *sband,
1919 				      bool large)
1920 {
1921 	struct nlattr *nl_rates, *nl_rate;
1922 	struct ieee80211_rate *rate;
1923 	int i;
1924 
1925 	/* add HT info */
1926 	if (sband->ht_cap.ht_supported &&
1927 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1928 		     sizeof(sband->ht_cap.mcs),
1929 		     &sband->ht_cap.mcs) ||
1930 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1931 			 sband->ht_cap.cap) ||
1932 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1933 			sband->ht_cap.ampdu_factor) ||
1934 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1935 			sband->ht_cap.ampdu_density)))
1936 		return -ENOBUFS;
1937 
1938 	/* add VHT info */
1939 	if (sband->vht_cap.vht_supported &&
1940 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1941 		     sizeof(sband->vht_cap.vht_mcs),
1942 		     &sband->vht_cap.vht_mcs) ||
1943 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1944 			 sband->vht_cap.cap)))
1945 		return -ENOBUFS;
1946 
1947 	if (large && sband->n_iftype_data) {
1948 		struct nlattr *nl_iftype_data =
1949 			nla_nest_start_noflag(msg,
1950 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1951 		const struct ieee80211_sband_iftype_data *iftd;
1952 		int err;
1953 
1954 		if (!nl_iftype_data)
1955 			return -ENOBUFS;
1956 
1957 		for_each_sband_iftype_data(sband, i, iftd) {
1958 			struct nlattr *iftdata;
1959 
1960 			iftdata = nla_nest_start_noflag(msg, i + 1);
1961 			if (!iftdata)
1962 				return -ENOBUFS;
1963 
1964 			err = nl80211_send_iftype_data(msg, sband, iftd);
1965 			if (err)
1966 				return err;
1967 
1968 			nla_nest_end(msg, iftdata);
1969 		}
1970 
1971 		nla_nest_end(msg, nl_iftype_data);
1972 	}
1973 
1974 	/* add EDMG info */
1975 	if (large && sband->edmg_cap.channels &&
1976 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1977 		       sband->edmg_cap.channels) ||
1978 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1979 		       sband->edmg_cap.bw_config)))
1980 
1981 		return -ENOBUFS;
1982 
1983 	/* add bitrates */
1984 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1985 	if (!nl_rates)
1986 		return -ENOBUFS;
1987 
1988 	for (i = 0; i < sband->n_bitrates; i++) {
1989 		nl_rate = nla_nest_start_noflag(msg, i);
1990 		if (!nl_rate)
1991 			return -ENOBUFS;
1992 
1993 		rate = &sband->bitrates[i];
1994 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1995 				rate->bitrate))
1996 			return -ENOBUFS;
1997 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1998 		    nla_put_flag(msg,
1999 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2000 			return -ENOBUFS;
2001 
2002 		nla_nest_end(msg, nl_rate);
2003 	}
2004 
2005 	nla_nest_end(msg, nl_rates);
2006 
2007 	/* S1G capabilities */
2008 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2009 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2010 		     sizeof(sband->s1g_cap.cap),
2011 		     sband->s1g_cap.cap) ||
2012 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2013 		     sizeof(sband->s1g_cap.nss_mcs),
2014 		     sband->s1g_cap.nss_mcs)))
2015 		return -ENOBUFS;
2016 
2017 	return 0;
2018 }
2019 
2020 static int
2021 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2022 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2023 {
2024 	u16 stypes;
2025 	struct nlattr *nl_ftypes, *nl_ifs;
2026 	enum nl80211_iftype ift;
2027 	int i;
2028 
2029 	if (!mgmt_stypes)
2030 		return 0;
2031 
2032 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2033 	if (!nl_ifs)
2034 		return -ENOBUFS;
2035 
2036 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2037 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2038 		if (!nl_ftypes)
2039 			return -ENOBUFS;
2040 		i = 0;
2041 		stypes = mgmt_stypes[ift].tx;
2042 		while (stypes) {
2043 			if ((stypes & 1) &&
2044 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2045 					(i << 4) | IEEE80211_FTYPE_MGMT))
2046 				return -ENOBUFS;
2047 			stypes >>= 1;
2048 			i++;
2049 		}
2050 		nla_nest_end(msg, nl_ftypes);
2051 	}
2052 
2053 	nla_nest_end(msg, nl_ifs);
2054 
2055 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2056 	if (!nl_ifs)
2057 		return -ENOBUFS;
2058 
2059 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2060 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2061 		if (!nl_ftypes)
2062 			return -ENOBUFS;
2063 		i = 0;
2064 		stypes = mgmt_stypes[ift].rx;
2065 		while (stypes) {
2066 			if ((stypes & 1) &&
2067 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2068 					(i << 4) | IEEE80211_FTYPE_MGMT))
2069 				return -ENOBUFS;
2070 			stypes >>= 1;
2071 			i++;
2072 		}
2073 		nla_nest_end(msg, nl_ftypes);
2074 	}
2075 	nla_nest_end(msg, nl_ifs);
2076 
2077 	return 0;
2078 }
2079 
2080 #define CMD(op, n)							\
2081 	 do {								\
2082 		if (rdev->ops->op) {					\
2083 			i++;						\
2084 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2085 				goto nla_put_failure;			\
2086 		}							\
2087 	} while (0)
2088 
2089 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2090 					struct sk_buff *msg)
2091 {
2092 	int i = 0;
2093 
2094 	/*
2095 	 * do *NOT* add anything into this function, new things need to be
2096 	 * advertised only to new versions of userspace that can deal with
2097 	 * the split (and they can't possibly care about new features...
2098 	 */
2099 	CMD(add_virtual_intf, NEW_INTERFACE);
2100 	CMD(change_virtual_intf, SET_INTERFACE);
2101 	CMD(add_key, NEW_KEY);
2102 	CMD(start_ap, START_AP);
2103 	CMD(add_station, NEW_STATION);
2104 	CMD(add_mpath, NEW_MPATH);
2105 	CMD(update_mesh_config, SET_MESH_CONFIG);
2106 	CMD(change_bss, SET_BSS);
2107 	CMD(auth, AUTHENTICATE);
2108 	CMD(assoc, ASSOCIATE);
2109 	CMD(deauth, DEAUTHENTICATE);
2110 	CMD(disassoc, DISASSOCIATE);
2111 	CMD(join_ibss, JOIN_IBSS);
2112 	CMD(join_mesh, JOIN_MESH);
2113 	CMD(set_pmksa, SET_PMKSA);
2114 	CMD(del_pmksa, DEL_PMKSA);
2115 	CMD(flush_pmksa, FLUSH_PMKSA);
2116 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2117 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2118 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2119 	CMD(mgmt_tx, FRAME);
2120 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2121 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2122 		i++;
2123 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2124 			goto nla_put_failure;
2125 	}
2126 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2127 	    rdev->ops->join_mesh) {
2128 		i++;
2129 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2130 			goto nla_put_failure;
2131 	}
2132 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2133 		CMD(tdls_mgmt, TDLS_MGMT);
2134 		CMD(tdls_oper, TDLS_OPER);
2135 	}
2136 	if (rdev->wiphy.max_sched_scan_reqs)
2137 		CMD(sched_scan_start, START_SCHED_SCAN);
2138 	CMD(probe_client, PROBE_CLIENT);
2139 	CMD(set_noack_map, SET_NOACK_MAP);
2140 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2141 		i++;
2142 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2143 			goto nla_put_failure;
2144 	}
2145 	CMD(start_p2p_device, START_P2P_DEVICE);
2146 	CMD(set_mcast_rate, SET_MCAST_RATE);
2147 #ifdef CONFIG_NL80211_TESTMODE
2148 	CMD(testmode_cmd, TESTMODE);
2149 #endif
2150 
2151 	if (rdev->ops->connect || rdev->ops->auth) {
2152 		i++;
2153 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2154 			goto nla_put_failure;
2155 	}
2156 
2157 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2158 		i++;
2159 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2160 			goto nla_put_failure;
2161 	}
2162 
2163 	return i;
2164  nla_put_failure:
2165 	return -ENOBUFS;
2166 }
2167 
2168 static int
2169 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2170 			   struct sk_buff *msg)
2171 {
2172 	struct nlattr *ftm;
2173 
2174 	if (!cap->ftm.supported)
2175 		return 0;
2176 
2177 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2178 	if (!ftm)
2179 		return -ENOBUFS;
2180 
2181 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2182 		return -ENOBUFS;
2183 	if (cap->ftm.non_asap &&
2184 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2185 		return -ENOBUFS;
2186 	if (cap->ftm.request_lci &&
2187 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2188 		return -ENOBUFS;
2189 	if (cap->ftm.request_civicloc &&
2190 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2191 		return -ENOBUFS;
2192 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2193 			cap->ftm.preambles))
2194 		return -ENOBUFS;
2195 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2196 			cap->ftm.bandwidths))
2197 		return -ENOBUFS;
2198 	if (cap->ftm.max_bursts_exponent >= 0 &&
2199 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2200 			cap->ftm.max_bursts_exponent))
2201 		return -ENOBUFS;
2202 	if (cap->ftm.max_ftms_per_burst &&
2203 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2204 			cap->ftm.max_ftms_per_burst))
2205 		return -ENOBUFS;
2206 	if (cap->ftm.trigger_based &&
2207 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2208 		return -ENOBUFS;
2209 	if (cap->ftm.non_trigger_based &&
2210 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2211 		return -ENOBUFS;
2212 
2213 	nla_nest_end(msg, ftm);
2214 	return 0;
2215 }
2216 
2217 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2218 				  struct sk_buff *msg)
2219 {
2220 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2221 	struct nlattr *pmsr, *caps;
2222 
2223 	if (!cap)
2224 		return 0;
2225 
2226 	/*
2227 	 * we don't need to clean up anything here since the caller
2228 	 * will genlmsg_cancel() if we fail
2229 	 */
2230 
2231 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2232 	if (!pmsr)
2233 		return -ENOBUFS;
2234 
2235 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2236 		return -ENOBUFS;
2237 
2238 	if (cap->report_ap_tsf &&
2239 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2240 		return -ENOBUFS;
2241 
2242 	if (cap->randomize_mac_addr &&
2243 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2244 		return -ENOBUFS;
2245 
2246 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2247 	if (!caps)
2248 		return -ENOBUFS;
2249 
2250 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2251 		return -ENOBUFS;
2252 
2253 	nla_nest_end(msg, caps);
2254 	nla_nest_end(msg, pmsr);
2255 
2256 	return 0;
2257 }
2258 
2259 static int
2260 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2261 			      struct sk_buff *msg)
2262 {
2263 	int i;
2264 	struct nlattr *nested, *nested_akms;
2265 	const struct wiphy_iftype_akm_suites *iftype_akms;
2266 
2267 	if (!rdev->wiphy.num_iftype_akm_suites ||
2268 	    !rdev->wiphy.iftype_akm_suites)
2269 		return 0;
2270 
2271 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2272 	if (!nested)
2273 		return -ENOBUFS;
2274 
2275 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2276 		nested_akms = nla_nest_start(msg, i + 1);
2277 		if (!nested_akms)
2278 			return -ENOBUFS;
2279 
2280 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2281 
2282 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2283 					iftype_akms->iftypes_mask))
2284 			return -ENOBUFS;
2285 
2286 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2287 			    sizeof(u32) * iftype_akms->n_akm_suites,
2288 			    iftype_akms->akm_suites)) {
2289 			return -ENOBUFS;
2290 		}
2291 		nla_nest_end(msg, nested_akms);
2292 	}
2293 
2294 	nla_nest_end(msg, nested);
2295 
2296 	return 0;
2297 }
2298 
2299 static int
2300 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2301 			       struct sk_buff *msg)
2302 {
2303 	struct nlattr *supp;
2304 
2305 	if (!rdev->wiphy.tid_config_support.vif &&
2306 	    !rdev->wiphy.tid_config_support.peer)
2307 		return 0;
2308 
2309 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2310 	if (!supp)
2311 		return -ENOSPC;
2312 
2313 	if (rdev->wiphy.tid_config_support.vif &&
2314 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2315 			      rdev->wiphy.tid_config_support.vif,
2316 			      NL80211_TID_CONFIG_ATTR_PAD))
2317 		goto fail;
2318 
2319 	if (rdev->wiphy.tid_config_support.peer &&
2320 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2321 			      rdev->wiphy.tid_config_support.peer,
2322 			      NL80211_TID_CONFIG_ATTR_PAD))
2323 		goto fail;
2324 
2325 	/* for now we just use the same value ... makes more sense */
2326 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2327 		       rdev->wiphy.tid_config_support.max_retry))
2328 		goto fail;
2329 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2330 		       rdev->wiphy.tid_config_support.max_retry))
2331 		goto fail;
2332 
2333 	nla_nest_end(msg, supp);
2334 
2335 	return 0;
2336 fail:
2337 	nla_nest_cancel(msg, supp);
2338 	return -ENOBUFS;
2339 }
2340 
2341 static int
2342 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2343 		      struct sk_buff *msg)
2344 {
2345 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2346 	u8 num_freq_ranges;
2347 	int i;
2348 
2349 	if (!rdev->wiphy.sar_capa)
2350 		return 0;
2351 
2352 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2353 
2354 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2355 	if (!sar_capa)
2356 		return -ENOSPC;
2357 
2358 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2359 		goto fail;
2360 
2361 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2362 	if (!specs)
2363 		goto fail;
2364 
2365 	/* report supported freq_ranges */
2366 	for (i = 0; i < num_freq_ranges; i++) {
2367 		sub_freq_range = nla_nest_start(msg, i + 1);
2368 		if (!sub_freq_range)
2369 			goto fail;
2370 
2371 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2372 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2373 			goto fail;
2374 
2375 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2376 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2377 			goto fail;
2378 
2379 		nla_nest_end(msg, sub_freq_range);
2380 	}
2381 
2382 	nla_nest_end(msg, specs);
2383 	nla_nest_end(msg, sar_capa);
2384 
2385 	return 0;
2386 fail:
2387 	nla_nest_cancel(msg, sar_capa);
2388 	return -ENOBUFS;
2389 }
2390 
2391 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2392 {
2393 	struct nlattr *config;
2394 
2395 	if (!wiphy->mbssid_max_interfaces)
2396 		return 0;
2397 
2398 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2399 	if (!config)
2400 		return -ENOBUFS;
2401 
2402 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2403 		       wiphy->mbssid_max_interfaces))
2404 		goto fail;
2405 
2406 	if (wiphy->ema_max_profile_periodicity &&
2407 	    nla_put_u8(msg,
2408 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2409 		       wiphy->ema_max_profile_periodicity))
2410 		goto fail;
2411 
2412 	nla_nest_end(msg, config);
2413 	return 0;
2414 
2415 fail:
2416 	nla_nest_cancel(msg, config);
2417 	return -ENOBUFS;
2418 }
2419 
2420 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2421 {
2422 	const struct wiphy_radio *r = &wiphy->radio[idx];
2423 	struct nlattr *radio, *freq;
2424 	int i;
2425 
2426 	radio = nla_nest_start(msg, idx);
2427 	if (!radio)
2428 		return -ENOBUFS;
2429 
2430 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2431 		goto nla_put_failure;
2432 
2433 	for (i = 0; i < r->n_freq_range; i++) {
2434 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2435 
2436 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2437 		if (!freq)
2438 			goto nla_put_failure;
2439 
2440 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2441 				range->start_freq) ||
2442 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2443 				range->end_freq))
2444 			goto nla_put_failure;
2445 
2446 		nla_nest_end(msg, freq);
2447 	}
2448 
2449 	for (i = 0; i < r->n_iface_combinations; i++)
2450 		if (nl80211_put_ifcomb_data(msg, true,
2451 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2452 					    &r->iface_combinations[i],
2453 					    NLA_F_NESTED))
2454 			goto nla_put_failure;
2455 
2456 	nla_nest_end(msg, radio);
2457 
2458 	return 0;
2459 
2460 nla_put_failure:
2461 	return -ENOBUFS;
2462 }
2463 
2464 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2465 {
2466 	struct nlattr *radios;
2467 	int i;
2468 
2469 	if (!wiphy->n_radio)
2470 		return 0;
2471 
2472 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2473 	if (!radios)
2474 		return -ENOBUFS;
2475 
2476 	for (i = 0; i < wiphy->n_radio; i++)
2477 		if (nl80211_put_radio(wiphy, msg, i))
2478 			goto fail;
2479 
2480 	nla_nest_end(msg, radios);
2481 
2482 	if (nl80211_put_iface_combinations(wiphy, msg,
2483 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2484 					   -1, true, NLA_F_NESTED))
2485 		return -ENOBUFS;
2486 
2487 	return 0;
2488 
2489 fail:
2490 	nla_nest_cancel(msg, radios);
2491 	return -ENOBUFS;
2492 }
2493 
2494 struct nl80211_dump_wiphy_state {
2495 	s64 filter_wiphy;
2496 	long start;
2497 	long split_start, band_start, chan_start, capa_start;
2498 	bool split;
2499 };
2500 
2501 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2502 			      enum nl80211_commands cmd,
2503 			      struct sk_buff *msg, u32 portid, u32 seq,
2504 			      int flags, struct nl80211_dump_wiphy_state *state)
2505 {
2506 	void *hdr;
2507 	struct nlattr *nl_bands, *nl_band;
2508 	struct nlattr *nl_freqs, *nl_freq;
2509 	struct nlattr *nl_cmds;
2510 	enum nl80211_band band;
2511 	struct ieee80211_channel *chan;
2512 	int i;
2513 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2514 				rdev->wiphy.mgmt_stypes;
2515 	u32 features;
2516 
2517 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2518 	if (!hdr)
2519 		return -ENOBUFS;
2520 
2521 	if (WARN_ON(!state))
2522 		return -EINVAL;
2523 
2524 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2525 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2526 			   wiphy_name(&rdev->wiphy)) ||
2527 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2528 			cfg80211_rdev_list_generation))
2529 		goto nla_put_failure;
2530 
2531 	if (cmd != NL80211_CMD_NEW_WIPHY)
2532 		goto finish;
2533 
2534 	switch (state->split_start) {
2535 	case 0:
2536 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2537 			       rdev->wiphy.retry_short) ||
2538 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2539 			       rdev->wiphy.retry_long) ||
2540 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2541 				rdev->wiphy.frag_threshold) ||
2542 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2543 				rdev->wiphy.rts_threshold) ||
2544 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2545 			       rdev->wiphy.coverage_class) ||
2546 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2547 			       rdev->wiphy.max_scan_ssids) ||
2548 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2549 			       rdev->wiphy.max_sched_scan_ssids) ||
2550 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2551 				rdev->wiphy.max_scan_ie_len) ||
2552 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2553 				rdev->wiphy.max_sched_scan_ie_len) ||
2554 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2555 			       rdev->wiphy.max_match_sets))
2556 			goto nla_put_failure;
2557 
2558 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2559 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2560 			goto nla_put_failure;
2561 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2562 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2563 			goto nla_put_failure;
2564 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2565 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2566 			goto nla_put_failure;
2567 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2568 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2569 			goto nla_put_failure;
2570 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2571 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2572 			goto nla_put_failure;
2573 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2574 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2575 			goto nla_put_failure;
2576 		state->split_start++;
2577 		if (state->split)
2578 			break;
2579 		fallthrough;
2580 	case 1:
2581 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2582 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2583 			    rdev->wiphy.cipher_suites))
2584 			goto nla_put_failure;
2585 
2586 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2587 			       rdev->wiphy.max_num_pmkids))
2588 			goto nla_put_failure;
2589 
2590 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2591 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2592 			goto nla_put_failure;
2593 
2594 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2595 				rdev->wiphy.available_antennas_tx) ||
2596 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2597 				rdev->wiphy.available_antennas_rx))
2598 			goto nla_put_failure;
2599 
2600 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2601 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2602 				rdev->wiphy.probe_resp_offload))
2603 			goto nla_put_failure;
2604 
2605 		if ((rdev->wiphy.available_antennas_tx ||
2606 		     rdev->wiphy.available_antennas_rx) &&
2607 		    rdev->ops->get_antenna) {
2608 			u32 tx_ant = 0, rx_ant = 0;
2609 			int res;
2610 
2611 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2612 			if (!res) {
2613 				if (nla_put_u32(msg,
2614 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2615 						tx_ant) ||
2616 				    nla_put_u32(msg,
2617 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2618 						rx_ant))
2619 					goto nla_put_failure;
2620 			}
2621 		}
2622 
2623 		state->split_start++;
2624 		if (state->split)
2625 			break;
2626 		fallthrough;
2627 	case 2:
2628 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2629 					rdev->wiphy.interface_modes))
2630 				goto nla_put_failure;
2631 		state->split_start++;
2632 		if (state->split)
2633 			break;
2634 		fallthrough;
2635 	case 3:
2636 		nl_bands = nla_nest_start_noflag(msg,
2637 						 NL80211_ATTR_WIPHY_BANDS);
2638 		if (!nl_bands)
2639 			goto nla_put_failure;
2640 
2641 		for (band = state->band_start;
2642 		     band < (state->split ?
2643 				NUM_NL80211_BANDS :
2644 				NL80211_BAND_60GHZ + 1);
2645 		     band++) {
2646 			struct ieee80211_supported_band *sband;
2647 
2648 			/* omit higher bands for ancient software */
2649 			if (band > NL80211_BAND_5GHZ && !state->split)
2650 				break;
2651 
2652 			sband = rdev->wiphy.bands[band];
2653 
2654 			if (!sband)
2655 				continue;
2656 
2657 			nl_band = nla_nest_start_noflag(msg, band);
2658 			if (!nl_band)
2659 				goto nla_put_failure;
2660 
2661 			switch (state->chan_start) {
2662 			case 0:
2663 				if (nl80211_send_band_rateinfo(msg, sband,
2664 							       state->split))
2665 					goto nla_put_failure;
2666 				state->chan_start++;
2667 				if (state->split)
2668 					break;
2669 				fallthrough;
2670 			default:
2671 				/* add frequencies */
2672 				nl_freqs = nla_nest_start_noflag(msg,
2673 								 NL80211_BAND_ATTR_FREQS);
2674 				if (!nl_freqs)
2675 					goto nla_put_failure;
2676 
2677 				for (i = state->chan_start - 1;
2678 				     i < sband->n_channels;
2679 				     i++) {
2680 					nl_freq = nla_nest_start_noflag(msg,
2681 									i);
2682 					if (!nl_freq)
2683 						goto nla_put_failure;
2684 
2685 					chan = &sband->channels[i];
2686 
2687 					if (nl80211_msg_put_channel(
2688 							msg, &rdev->wiphy, chan,
2689 							state->split))
2690 						goto nla_put_failure;
2691 
2692 					nla_nest_end(msg, nl_freq);
2693 					if (state->split)
2694 						break;
2695 				}
2696 				if (i < sband->n_channels)
2697 					state->chan_start = i + 2;
2698 				else
2699 					state->chan_start = 0;
2700 				nla_nest_end(msg, nl_freqs);
2701 			}
2702 
2703 			nla_nest_end(msg, nl_band);
2704 
2705 			if (state->split) {
2706 				/* start again here */
2707 				if (state->chan_start)
2708 					band--;
2709 				break;
2710 			}
2711 		}
2712 		nla_nest_end(msg, nl_bands);
2713 
2714 		if (band < NUM_NL80211_BANDS)
2715 			state->band_start = band + 1;
2716 		else
2717 			state->band_start = 0;
2718 
2719 		/* if bands & channels are done, continue outside */
2720 		if (state->band_start == 0 && state->chan_start == 0)
2721 			state->split_start++;
2722 		if (state->split)
2723 			break;
2724 		fallthrough;
2725 	case 4:
2726 		nl_cmds = nla_nest_start_noflag(msg,
2727 						NL80211_ATTR_SUPPORTED_COMMANDS);
2728 		if (!nl_cmds)
2729 			goto nla_put_failure;
2730 
2731 		i = nl80211_add_commands_unsplit(rdev, msg);
2732 		if (i < 0)
2733 			goto nla_put_failure;
2734 		if (state->split) {
2735 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2736 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2737 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2738 				CMD(channel_switch, CHANNEL_SWITCH);
2739 			CMD(set_qos_map, SET_QOS_MAP);
2740 			if (rdev->wiphy.features &
2741 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2742 				CMD(add_tx_ts, ADD_TX_TS);
2743 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2744 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2745 			CMD(update_ft_ies, UPDATE_FT_IES);
2746 			if (rdev->wiphy.sar_capa)
2747 				CMD(set_sar_specs, SET_SAR_SPECS);
2748 		}
2749 #undef CMD
2750 
2751 		nla_nest_end(msg, nl_cmds);
2752 		state->split_start++;
2753 		if (state->split)
2754 			break;
2755 		fallthrough;
2756 	case 5:
2757 		if (rdev->ops->remain_on_channel &&
2758 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2759 		    nla_put_u32(msg,
2760 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2761 				rdev->wiphy.max_remain_on_channel_duration))
2762 			goto nla_put_failure;
2763 
2764 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2765 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2766 			goto nla_put_failure;
2767 
2768 		state->split_start++;
2769 		if (state->split)
2770 			break;
2771 		fallthrough;
2772 	case 6:
2773 #ifdef CONFIG_PM
2774 		if (nl80211_send_wowlan(msg, rdev, state->split))
2775 			goto nla_put_failure;
2776 		state->split_start++;
2777 		if (state->split)
2778 			break;
2779 #else
2780 		state->split_start++;
2781 #endif
2782 		fallthrough;
2783 	case 7:
2784 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2785 					rdev->wiphy.software_iftypes))
2786 			goto nla_put_failure;
2787 
2788 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2789 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2790 						   rdev->wiphy.n_radio ? 0 : -1,
2791 						   state->split, 0))
2792 			goto nla_put_failure;
2793 
2794 		state->split_start++;
2795 		if (state->split)
2796 			break;
2797 		fallthrough;
2798 	case 8:
2799 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2800 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2801 				rdev->wiphy.ap_sme_capa))
2802 			goto nla_put_failure;
2803 
2804 		features = rdev->wiphy.features;
2805 		/*
2806 		 * We can only add the per-channel limit information if the
2807 		 * dump is split, otherwise it makes it too big. Therefore
2808 		 * only advertise it in that case.
2809 		 */
2810 		if (state->split)
2811 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2812 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2813 			goto nla_put_failure;
2814 
2815 		if (rdev->wiphy.ht_capa_mod_mask &&
2816 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2817 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2818 			    rdev->wiphy.ht_capa_mod_mask))
2819 			goto nla_put_failure;
2820 
2821 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2822 		    rdev->wiphy.max_acl_mac_addrs &&
2823 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2824 				rdev->wiphy.max_acl_mac_addrs))
2825 			goto nla_put_failure;
2826 
2827 		/*
2828 		 * Any information below this point is only available to
2829 		 * applications that can deal with it being split. This
2830 		 * helps ensure that newly added capabilities don't break
2831 		 * older tools by overrunning their buffers.
2832 		 *
2833 		 * We still increment split_start so that in the split
2834 		 * case we'll continue with more data in the next round,
2835 		 * but break unconditionally so unsplit data stops here.
2836 		 */
2837 		if (state->split)
2838 			state->split_start++;
2839 		else
2840 			state->split_start = 0;
2841 		break;
2842 	case 9:
2843 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2844 			goto nla_put_failure;
2845 
2846 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2847 				rdev->wiphy.max_sched_scan_plans) ||
2848 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2849 				rdev->wiphy.max_sched_scan_plan_interval) ||
2850 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2851 				rdev->wiphy.max_sched_scan_plan_iterations))
2852 			goto nla_put_failure;
2853 
2854 		if (rdev->wiphy.extended_capabilities &&
2855 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2856 			     rdev->wiphy.extended_capabilities_len,
2857 			     rdev->wiphy.extended_capabilities) ||
2858 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2859 			     rdev->wiphy.extended_capabilities_len,
2860 			     rdev->wiphy.extended_capabilities_mask)))
2861 			goto nla_put_failure;
2862 
2863 		if (rdev->wiphy.vht_capa_mod_mask &&
2864 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2865 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2866 			    rdev->wiphy.vht_capa_mod_mask))
2867 			goto nla_put_failure;
2868 
2869 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2870 			    rdev->wiphy.perm_addr))
2871 			goto nla_put_failure;
2872 
2873 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2874 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2875 			    rdev->wiphy.addr_mask))
2876 			goto nla_put_failure;
2877 
2878 		if (rdev->wiphy.n_addresses > 1) {
2879 			void *attr;
2880 
2881 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2882 			if (!attr)
2883 				goto nla_put_failure;
2884 
2885 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2886 				if (nla_put(msg, i + 1, ETH_ALEN,
2887 					    rdev->wiphy.addresses[i].addr))
2888 					goto nla_put_failure;
2889 
2890 			nla_nest_end(msg, attr);
2891 		}
2892 
2893 		state->split_start++;
2894 		break;
2895 	case 10:
2896 		if (nl80211_send_coalesce(msg, rdev))
2897 			goto nla_put_failure;
2898 
2899 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2900 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2901 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2902 			goto nla_put_failure;
2903 
2904 		if (rdev->wiphy.max_ap_assoc_sta &&
2905 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2906 				rdev->wiphy.max_ap_assoc_sta))
2907 			goto nla_put_failure;
2908 
2909 		state->split_start++;
2910 		break;
2911 	case 11:
2912 		if (rdev->wiphy.n_vendor_commands) {
2913 			const struct nl80211_vendor_cmd_info *info;
2914 			struct nlattr *nested;
2915 
2916 			nested = nla_nest_start_noflag(msg,
2917 						       NL80211_ATTR_VENDOR_DATA);
2918 			if (!nested)
2919 				goto nla_put_failure;
2920 
2921 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2922 				info = &rdev->wiphy.vendor_commands[i].info;
2923 				if (nla_put(msg, i + 1, sizeof(*info), info))
2924 					goto nla_put_failure;
2925 			}
2926 			nla_nest_end(msg, nested);
2927 		}
2928 
2929 		if (rdev->wiphy.n_vendor_events) {
2930 			const struct nl80211_vendor_cmd_info *info;
2931 			struct nlattr *nested;
2932 
2933 			nested = nla_nest_start_noflag(msg,
2934 						       NL80211_ATTR_VENDOR_EVENTS);
2935 			if (!nested)
2936 				goto nla_put_failure;
2937 
2938 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2939 				info = &rdev->wiphy.vendor_events[i];
2940 				if (nla_put(msg, i + 1, sizeof(*info), info))
2941 					goto nla_put_failure;
2942 			}
2943 			nla_nest_end(msg, nested);
2944 		}
2945 		state->split_start++;
2946 		break;
2947 	case 12:
2948 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2949 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2950 			       rdev->wiphy.max_num_csa_counters))
2951 			goto nla_put_failure;
2952 
2953 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2954 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2955 			goto nla_put_failure;
2956 
2957 		if (rdev->wiphy.max_sched_scan_reqs &&
2958 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2959 				rdev->wiphy.max_sched_scan_reqs))
2960 			goto nla_put_failure;
2961 
2962 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2963 			    sizeof(rdev->wiphy.ext_features),
2964 			    rdev->wiphy.ext_features))
2965 			goto nla_put_failure;
2966 
2967 		if (rdev->wiphy.bss_select_support) {
2968 			struct nlattr *nested;
2969 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2970 
2971 			nested = nla_nest_start_noflag(msg,
2972 						       NL80211_ATTR_BSS_SELECT);
2973 			if (!nested)
2974 				goto nla_put_failure;
2975 
2976 			i = 0;
2977 			while (bss_select_support) {
2978 				if ((bss_select_support & 1) &&
2979 				    nla_put_flag(msg, i))
2980 					goto nla_put_failure;
2981 				i++;
2982 				bss_select_support >>= 1;
2983 			}
2984 			nla_nest_end(msg, nested);
2985 		}
2986 
2987 		state->split_start++;
2988 		break;
2989 	case 13:
2990 		if (rdev->wiphy.num_iftype_ext_capab &&
2991 		    rdev->wiphy.iftype_ext_capab) {
2992 			struct nlattr *nested_ext_capab, *nested;
2993 
2994 			nested = nla_nest_start_noflag(msg,
2995 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2996 			if (!nested)
2997 				goto nla_put_failure;
2998 
2999 			for (i = state->capa_start;
3000 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3001 				const struct wiphy_iftype_ext_capab *capab;
3002 
3003 				capab = &rdev->wiphy.iftype_ext_capab[i];
3004 
3005 				nested_ext_capab = nla_nest_start_noflag(msg,
3006 									 i);
3007 				if (!nested_ext_capab ||
3008 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3009 						capab->iftype) ||
3010 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3011 					    capab->extended_capabilities_len,
3012 					    capab->extended_capabilities) ||
3013 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3014 					    capab->extended_capabilities_len,
3015 					    capab->extended_capabilities_mask))
3016 					goto nla_put_failure;
3017 
3018 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3019 				    (nla_put_u16(msg,
3020 						 NL80211_ATTR_EML_CAPABILITY,
3021 						 capab->eml_capabilities) ||
3022 				     nla_put_u16(msg,
3023 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3024 						 capab->mld_capa_and_ops)))
3025 					goto nla_put_failure;
3026 
3027 				nla_nest_end(msg, nested_ext_capab);
3028 				if (state->split)
3029 					break;
3030 			}
3031 			nla_nest_end(msg, nested);
3032 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3033 				state->capa_start = i + 1;
3034 				break;
3035 			}
3036 		}
3037 
3038 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3039 				rdev->wiphy.nan_supported_bands))
3040 			goto nla_put_failure;
3041 
3042 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3043 					    NL80211_EXT_FEATURE_TXQS)) {
3044 			struct cfg80211_txq_stats txqstats = {};
3045 			int res;
3046 
3047 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3048 			if (!res &&
3049 			    !nl80211_put_txq_stats(msg, &txqstats,
3050 						   NL80211_ATTR_TXQ_STATS))
3051 				goto nla_put_failure;
3052 
3053 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3054 					rdev->wiphy.txq_limit))
3055 				goto nla_put_failure;
3056 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3057 					rdev->wiphy.txq_memory_limit))
3058 				goto nla_put_failure;
3059 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3060 					rdev->wiphy.txq_quantum))
3061 				goto nla_put_failure;
3062 		}
3063 
3064 		state->split_start++;
3065 		break;
3066 	case 14:
3067 		if (nl80211_send_pmsr_capa(rdev, msg))
3068 			goto nla_put_failure;
3069 
3070 		state->split_start++;
3071 		break;
3072 	case 15:
3073 		if (rdev->wiphy.akm_suites &&
3074 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3075 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3076 			    rdev->wiphy.akm_suites))
3077 			goto nla_put_failure;
3078 
3079 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3080 			goto nla_put_failure;
3081 
3082 		if (nl80211_put_tid_config_support(rdev, msg))
3083 			goto nla_put_failure;
3084 		state->split_start++;
3085 		break;
3086 	case 16:
3087 		if (nl80211_put_sar_specs(rdev, msg))
3088 			goto nla_put_failure;
3089 
3090 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3091 			goto nla_put_failure;
3092 
3093 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3094 				rdev->wiphy.max_num_akm_suites))
3095 			goto nla_put_failure;
3096 
3097 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3098 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3099 
3100 		if (rdev->wiphy.hw_timestamp_max_peers &&
3101 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3102 				rdev->wiphy.hw_timestamp_max_peers))
3103 			goto nla_put_failure;
3104 
3105 		state->split_start++;
3106 		break;
3107 	case 17:
3108 		if (nl80211_put_radios(&rdev->wiphy, msg))
3109 			goto nla_put_failure;
3110 
3111 		/* done */
3112 		state->split_start = 0;
3113 		break;
3114 	}
3115  finish:
3116 	genlmsg_end(msg, hdr);
3117 	return 0;
3118 
3119  nla_put_failure:
3120 	genlmsg_cancel(msg, hdr);
3121 	return -EMSGSIZE;
3122 }
3123 
3124 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3125 				    struct netlink_callback *cb,
3126 				    struct nl80211_dump_wiphy_state *state)
3127 {
3128 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3129 	int ret;
3130 
3131 	if (!tb)
3132 		return -ENOMEM;
3133 
3134 	ret = nlmsg_parse_deprecated(cb->nlh,
3135 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3136 				     tb, nl80211_fam.maxattr,
3137 				     nl80211_policy, NULL);
3138 	/* ignore parse errors for backward compatibility */
3139 	if (ret) {
3140 		ret = 0;
3141 		goto out;
3142 	}
3143 
3144 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3145 	if (tb[NL80211_ATTR_WIPHY])
3146 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3147 	if (tb[NL80211_ATTR_WDEV])
3148 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3149 	if (tb[NL80211_ATTR_IFINDEX]) {
3150 		struct net_device *netdev;
3151 		struct cfg80211_registered_device *rdev;
3152 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3153 
3154 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3155 		if (!netdev) {
3156 			ret = -ENODEV;
3157 			goto out;
3158 		}
3159 		if (netdev->ieee80211_ptr) {
3160 			rdev = wiphy_to_rdev(
3161 				netdev->ieee80211_ptr->wiphy);
3162 			state->filter_wiphy = rdev->wiphy_idx;
3163 		}
3164 	}
3165 
3166 	ret = 0;
3167 out:
3168 	kfree(tb);
3169 	return ret;
3170 }
3171 
3172 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3173 {
3174 	int idx = 0, ret;
3175 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3176 	struct cfg80211_registered_device *rdev;
3177 
3178 	rtnl_lock();
3179 	if (!state) {
3180 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3181 		if (!state) {
3182 			rtnl_unlock();
3183 			return -ENOMEM;
3184 		}
3185 		state->filter_wiphy = -1;
3186 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3187 		if (ret) {
3188 			kfree(state);
3189 			rtnl_unlock();
3190 			return ret;
3191 		}
3192 		cb->args[0] = (long)state;
3193 	}
3194 
3195 	for_each_rdev(rdev) {
3196 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3197 			continue;
3198 		if (++idx <= state->start)
3199 			continue;
3200 		if (state->filter_wiphy != -1 &&
3201 		    state->filter_wiphy != rdev->wiphy_idx)
3202 			continue;
3203 		wiphy_lock(&rdev->wiphy);
3204 		/* attempt to fit multiple wiphy data chunks into the skb */
3205 		do {
3206 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3207 						 skb,
3208 						 NETLINK_CB(cb->skb).portid,
3209 						 cb->nlh->nlmsg_seq,
3210 						 NLM_F_MULTI, state);
3211 			if (ret < 0) {
3212 				/*
3213 				 * If sending the wiphy data didn't fit (ENOBUFS
3214 				 * or EMSGSIZE returned), this SKB is still
3215 				 * empty (so it's not too big because another
3216 				 * wiphy dataset is already in the skb) and
3217 				 * we've not tried to adjust the dump allocation
3218 				 * yet ... then adjust the alloc size to be
3219 				 * bigger, and return 1 but with the empty skb.
3220 				 * This results in an empty message being RX'ed
3221 				 * in userspace, but that is ignored.
3222 				 *
3223 				 * We can then retry with the larger buffer.
3224 				 */
3225 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3226 				    !skb->len && !state->split &&
3227 				    cb->min_dump_alloc < 4096) {
3228 					cb->min_dump_alloc = 4096;
3229 					state->split_start = 0;
3230 					wiphy_unlock(&rdev->wiphy);
3231 					rtnl_unlock();
3232 					return 1;
3233 				}
3234 				idx--;
3235 				break;
3236 			}
3237 		} while (state->split_start > 0);
3238 		wiphy_unlock(&rdev->wiphy);
3239 		break;
3240 	}
3241 	rtnl_unlock();
3242 
3243 	state->start = idx;
3244 
3245 	return skb->len;
3246 }
3247 
3248 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3249 {
3250 	kfree((void *)cb->args[0]);
3251 	return 0;
3252 }
3253 
3254 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3255 {
3256 	struct sk_buff *msg;
3257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3258 	struct nl80211_dump_wiphy_state state = {};
3259 
3260 	msg = nlmsg_new(4096, GFP_KERNEL);
3261 	if (!msg)
3262 		return -ENOMEM;
3263 
3264 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3265 			       info->snd_portid, info->snd_seq, 0,
3266 			       &state) < 0) {
3267 		nlmsg_free(msg);
3268 		return -ENOBUFS;
3269 	}
3270 
3271 	return genlmsg_reply(msg, info);
3272 }
3273 
3274 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3275 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3276 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3277 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3278 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3279 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3280 };
3281 
3282 static int parse_txq_params(struct nlattr *tb[],
3283 			    struct ieee80211_txq_params *txq_params)
3284 {
3285 	u8 ac;
3286 
3287 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3288 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3289 	    !tb[NL80211_TXQ_ATTR_AIFS])
3290 		return -EINVAL;
3291 
3292 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3293 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3294 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3295 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3296 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3297 
3298 	if (ac >= NL80211_NUM_ACS)
3299 		return -EINVAL;
3300 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3301 	return 0;
3302 }
3303 
3304 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3305 {
3306 	/*
3307 	 * You can only set the channel explicitly for some interfaces,
3308 	 * most have their channel managed via their respective
3309 	 * "establish a connection" command (connect, join, ...)
3310 	 *
3311 	 * For AP/GO and mesh mode, the channel can be set with the
3312 	 * channel userspace API, but is only stored and passed to the
3313 	 * low-level driver when the AP starts or the mesh is joined.
3314 	 * This is for backward compatibility, userspace can also give
3315 	 * the channel in the start-ap or join-mesh commands instead.
3316 	 *
3317 	 * Monitors are special as they are normally slaved to
3318 	 * whatever else is going on, so they have their own special
3319 	 * operation to set the monitor channel if possible.
3320 	 */
3321 	return !wdev ||
3322 		wdev->iftype == NL80211_IFTYPE_AP ||
3323 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3324 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3325 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3326 }
3327 
3328 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3329 				  struct genl_info *info, bool monitor,
3330 				  struct cfg80211_chan_def *chandef)
3331 {
3332 	struct netlink_ext_ack *extack = info->extack;
3333 	struct nlattr **attrs = info->attrs;
3334 	u32 control_freq;
3335 
3336 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3337 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3338 				    "Frequency is missing");
3339 		return -EINVAL;
3340 	}
3341 
3342 	control_freq = MHZ_TO_KHZ(
3343 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3344 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3345 		control_freq +=
3346 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3347 
3348 	memset(chandef, 0, sizeof(*chandef));
3349 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3350 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3351 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3352 	chandef->freq1_offset = control_freq % 1000;
3353 	chandef->center_freq2 = 0;
3354 
3355 	if (!chandef->chan) {
3356 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3357 				    "Unknown channel");
3358 		return -EINVAL;
3359 	}
3360 
3361 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3362 		enum nl80211_channel_type chantype;
3363 
3364 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3365 
3366 		switch (chantype) {
3367 		case NL80211_CHAN_NO_HT:
3368 		case NL80211_CHAN_HT20:
3369 		case NL80211_CHAN_HT40PLUS:
3370 		case NL80211_CHAN_HT40MINUS:
3371 			cfg80211_chandef_create(chandef, chandef->chan,
3372 						chantype);
3373 			/* user input for center_freq is incorrect */
3374 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3375 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3376 				NL_SET_ERR_MSG_ATTR(extack,
3377 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3378 						    "bad center frequency 1");
3379 				return -EINVAL;
3380 			}
3381 			/* center_freq2 must be zero */
3382 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3383 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3384 				NL_SET_ERR_MSG_ATTR(extack,
3385 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3386 						    "center frequency 2 can't be used");
3387 				return -EINVAL;
3388 			}
3389 			break;
3390 		default:
3391 			NL_SET_ERR_MSG_ATTR(extack,
3392 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3393 					    "invalid channel type");
3394 			return -EINVAL;
3395 		}
3396 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3397 		chandef->width =
3398 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3399 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3400 			/* User input error for channel width doesn't match channel  */
3401 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3402 				NL_SET_ERR_MSG_ATTR(extack,
3403 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3404 						    "bad channel width");
3405 				return -EINVAL;
3406 			}
3407 		}
3408 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3409 			chandef->center_freq1 =
3410 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3411 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3412 				chandef->freq1_offset = nla_get_u32(
3413 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3414 			else
3415 				chandef->freq1_offset = 0;
3416 		}
3417 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3418 			chandef->center_freq2 =
3419 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3420 	}
3421 
3422 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3423 		chandef->edmg.channels =
3424 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3425 
3426 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3427 			chandef->edmg.bw_config =
3428 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3429 	} else {
3430 		chandef->edmg.bw_config = 0;
3431 		chandef->edmg.channels = 0;
3432 	}
3433 
3434 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3435 		chandef->punctured =
3436 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3437 
3438 		if (chandef->punctured &&
3439 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3440 					     NL80211_EXT_FEATURE_PUNCT)) {
3441 			NL_SET_ERR_MSG(extack,
3442 				       "driver doesn't support puncturing");
3443 			return -EINVAL;
3444 		}
3445 	}
3446 
3447 	if (!cfg80211_chandef_valid(chandef)) {
3448 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3449 		return -EINVAL;
3450 	}
3451 
3452 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3453 				      IEEE80211_CHAN_DISABLED,
3454 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3455 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3456 		return -EINVAL;
3457 	}
3458 
3459 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3460 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3461 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3462 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3463 		return -EINVAL;
3464 	}
3465 
3466 	return 0;
3467 }
3468 
3469 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3470 			  struct genl_info *info,
3471 			  struct cfg80211_chan_def *chandef)
3472 {
3473 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3474 }
3475 
3476 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3477 				 struct net_device *dev,
3478 				 struct genl_info *info,
3479 				 int _link_id)
3480 {
3481 	struct cfg80211_chan_def chandef;
3482 	int result;
3483 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3484 	struct wireless_dev *wdev = NULL;
3485 	int link_id = _link_id;
3486 
3487 	if (dev)
3488 		wdev = dev->ieee80211_ptr;
3489 	if (!nl80211_can_set_dev_channel(wdev))
3490 		return -EOPNOTSUPP;
3491 	if (wdev)
3492 		iftype = wdev->iftype;
3493 
3494 	if (link_id < 0) {
3495 		if (wdev && wdev->valid_links)
3496 			return -EINVAL;
3497 		link_id = 0;
3498 	}
3499 
3500 	result = _nl80211_parse_chandef(rdev, info,
3501 					iftype == NL80211_IFTYPE_MONITOR,
3502 					&chandef);
3503 	if (result)
3504 		return result;
3505 
3506 	switch (iftype) {
3507 	case NL80211_IFTYPE_AP:
3508 	case NL80211_IFTYPE_P2P_GO:
3509 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3510 						   iftype))
3511 			return -EINVAL;
3512 		if (wdev->links[link_id].ap.beacon_interval) {
3513 			struct ieee80211_channel *cur_chan;
3514 
3515 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3516 			    !(rdev->wiphy.features &
3517 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3518 				return -EBUSY;
3519 
3520 			/* Only allow dynamic channel width changes */
3521 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3522 			if (chandef.chan != cur_chan)
3523 				return -EBUSY;
3524 
3525 			/* only allow this for regular channel widths */
3526 			switch (wdev->links[link_id].ap.chandef.width) {
3527 			case NL80211_CHAN_WIDTH_20_NOHT:
3528 			case NL80211_CHAN_WIDTH_20:
3529 			case NL80211_CHAN_WIDTH_40:
3530 			case NL80211_CHAN_WIDTH_80:
3531 			case NL80211_CHAN_WIDTH_80P80:
3532 			case NL80211_CHAN_WIDTH_160:
3533 			case NL80211_CHAN_WIDTH_320:
3534 				break;
3535 			default:
3536 				return -EINVAL;
3537 			}
3538 
3539 			switch (chandef.width) {
3540 			case NL80211_CHAN_WIDTH_20_NOHT:
3541 			case NL80211_CHAN_WIDTH_20:
3542 			case NL80211_CHAN_WIDTH_40:
3543 			case NL80211_CHAN_WIDTH_80:
3544 			case NL80211_CHAN_WIDTH_80P80:
3545 			case NL80211_CHAN_WIDTH_160:
3546 			case NL80211_CHAN_WIDTH_320:
3547 				break;
3548 			default:
3549 				return -EINVAL;
3550 			}
3551 
3552 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3553 						       &chandef);
3554 			if (result)
3555 				return result;
3556 			wdev->links[link_id].ap.chandef = chandef;
3557 		} else {
3558 			wdev->u.ap.preset_chandef = chandef;
3559 		}
3560 		return 0;
3561 	case NL80211_IFTYPE_MESH_POINT:
3562 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3563 	case NL80211_IFTYPE_MONITOR:
3564 		return cfg80211_set_monitor_channel(rdev, &chandef);
3565 	default:
3566 		break;
3567 	}
3568 
3569 	return -EINVAL;
3570 }
3571 
3572 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3573 {
3574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3575 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3576 	struct net_device *netdev = info->user_ptr[1];
3577 
3578 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3579 }
3580 
3581 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3582 {
3583 	struct cfg80211_registered_device *rdev = NULL;
3584 	struct net_device *netdev = NULL;
3585 	struct wireless_dev *wdev;
3586 	int result = 0, rem_txq_params = 0;
3587 	struct nlattr *nl_txq_params;
3588 	u32 changed;
3589 	u8 retry_short = 0, retry_long = 0;
3590 	u32 frag_threshold = 0, rts_threshold = 0;
3591 	u8 coverage_class = 0;
3592 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3593 
3594 	rtnl_lock();
3595 	/*
3596 	 * Try to find the wiphy and netdev. Normally this
3597 	 * function shouldn't need the netdev, but this is
3598 	 * done for backward compatibility -- previously
3599 	 * setting the channel was done per wiphy, but now
3600 	 * it is per netdev. Previous userland like hostapd
3601 	 * also passed a netdev to set_wiphy, so that it is
3602 	 * possible to let that go to the right netdev!
3603 	 */
3604 
3605 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3606 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3607 
3608 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3609 		if (netdev && netdev->ieee80211_ptr)
3610 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3611 		else
3612 			netdev = NULL;
3613 	}
3614 
3615 	if (!netdev) {
3616 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3617 						  info->attrs);
3618 		if (IS_ERR(rdev)) {
3619 			rtnl_unlock();
3620 			return PTR_ERR(rdev);
3621 		}
3622 		wdev = NULL;
3623 		netdev = NULL;
3624 		result = 0;
3625 	} else
3626 		wdev = netdev->ieee80211_ptr;
3627 
3628 	wiphy_lock(&rdev->wiphy);
3629 
3630 	/*
3631 	 * end workaround code, by now the rdev is available
3632 	 * and locked, and wdev may or may not be NULL.
3633 	 */
3634 
3635 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3636 		result = cfg80211_dev_rename(
3637 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3638 	rtnl_unlock();
3639 
3640 	if (result)
3641 		goto out;
3642 
3643 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3644 		struct ieee80211_txq_params txq_params;
3645 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3646 
3647 		if (!rdev->ops->set_txq_params) {
3648 			result = -EOPNOTSUPP;
3649 			goto out;
3650 		}
3651 
3652 		if (!netdev) {
3653 			result = -EINVAL;
3654 			goto out;
3655 		}
3656 
3657 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3658 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3659 			result = -EINVAL;
3660 			goto out;
3661 		}
3662 
3663 		if (!netif_running(netdev)) {
3664 			result = -ENETDOWN;
3665 			goto out;
3666 		}
3667 
3668 		nla_for_each_nested(nl_txq_params,
3669 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3670 				    rem_txq_params) {
3671 			result = nla_parse_nested_deprecated(tb,
3672 							     NL80211_TXQ_ATTR_MAX,
3673 							     nl_txq_params,
3674 							     txq_params_policy,
3675 							     info->extack);
3676 			if (result)
3677 				goto out;
3678 			result = parse_txq_params(tb, &txq_params);
3679 			if (result)
3680 				goto out;
3681 
3682 			txq_params.link_id =
3683 				nl80211_link_id_or_invalid(info->attrs);
3684 
3685 			if (txq_params.link_id >= 0 &&
3686 			    !(netdev->ieee80211_ptr->valid_links &
3687 			      BIT(txq_params.link_id)))
3688 				result = -ENOLINK;
3689 			else if (txq_params.link_id >= 0 &&
3690 				 !netdev->ieee80211_ptr->valid_links)
3691 				result = -EINVAL;
3692 			else
3693 				result = rdev_set_txq_params(rdev, netdev,
3694 							     &txq_params);
3695 			if (result)
3696 				goto out;
3697 		}
3698 	}
3699 
3700 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3701 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3702 
3703 		if (wdev) {
3704 			result = __nl80211_set_channel(
3705 				rdev,
3706 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3707 				info, link_id);
3708 		} else {
3709 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3710 		}
3711 
3712 		if (result)
3713 			goto out;
3714 	}
3715 
3716 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3717 		struct wireless_dev *txp_wdev = wdev;
3718 		enum nl80211_tx_power_setting type;
3719 		int idx, mbm = 0;
3720 
3721 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3722 			txp_wdev = NULL;
3723 
3724 		if (!rdev->ops->set_tx_power) {
3725 			result = -EOPNOTSUPP;
3726 			goto out;
3727 		}
3728 
3729 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3730 		type = nla_get_u32(info->attrs[idx]);
3731 
3732 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3733 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3734 			result = -EINVAL;
3735 			goto out;
3736 		}
3737 
3738 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3739 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3740 			mbm = nla_get_u32(info->attrs[idx]);
3741 		}
3742 
3743 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3744 		if (result)
3745 			goto out;
3746 	}
3747 
3748 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3749 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3750 		u32 tx_ant, rx_ant;
3751 
3752 		if ((!rdev->wiphy.available_antennas_tx &&
3753 		     !rdev->wiphy.available_antennas_rx) ||
3754 		    !rdev->ops->set_antenna) {
3755 			result = -EOPNOTSUPP;
3756 			goto out;
3757 		}
3758 
3759 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3760 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3761 
3762 		/* reject antenna configurations which don't match the
3763 		 * available antenna masks, except for the "all" mask */
3764 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3765 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3766 			result = -EINVAL;
3767 			goto out;
3768 		}
3769 
3770 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3771 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3772 
3773 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3774 		if (result)
3775 			goto out;
3776 	}
3777 
3778 	changed = 0;
3779 
3780 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3781 		retry_short = nla_get_u8(
3782 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3783 
3784 		changed |= WIPHY_PARAM_RETRY_SHORT;
3785 	}
3786 
3787 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3788 		retry_long = nla_get_u8(
3789 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3790 
3791 		changed |= WIPHY_PARAM_RETRY_LONG;
3792 	}
3793 
3794 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3795 		frag_threshold = nla_get_u32(
3796 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3797 		if (frag_threshold < 256) {
3798 			result = -EINVAL;
3799 			goto out;
3800 		}
3801 
3802 		if (frag_threshold != (u32) -1) {
3803 			/*
3804 			 * Fragments (apart from the last one) are required to
3805 			 * have even length. Make the fragmentation code
3806 			 * simpler by stripping LSB should someone try to use
3807 			 * odd threshold value.
3808 			 */
3809 			frag_threshold &= ~0x1;
3810 		}
3811 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3812 	}
3813 
3814 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3815 		rts_threshold = nla_get_u32(
3816 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3817 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3818 	}
3819 
3820 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3821 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3822 			result = -EINVAL;
3823 			goto out;
3824 		}
3825 
3826 		coverage_class = nla_get_u8(
3827 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3828 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3829 	}
3830 
3831 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3832 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3833 			result = -EOPNOTSUPP;
3834 			goto out;
3835 		}
3836 
3837 		changed |= WIPHY_PARAM_DYN_ACK;
3838 	}
3839 
3840 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3841 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3842 					     NL80211_EXT_FEATURE_TXQS)) {
3843 			result = -EOPNOTSUPP;
3844 			goto out;
3845 		}
3846 		txq_limit = nla_get_u32(
3847 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3848 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3849 	}
3850 
3851 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3852 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3853 					     NL80211_EXT_FEATURE_TXQS)) {
3854 			result = -EOPNOTSUPP;
3855 			goto out;
3856 		}
3857 		txq_memory_limit = nla_get_u32(
3858 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3859 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3860 	}
3861 
3862 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3863 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3864 					     NL80211_EXT_FEATURE_TXQS)) {
3865 			result = -EOPNOTSUPP;
3866 			goto out;
3867 		}
3868 		txq_quantum = nla_get_u32(
3869 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3870 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3871 	}
3872 
3873 	if (changed) {
3874 		u8 old_retry_short, old_retry_long;
3875 		u32 old_frag_threshold, old_rts_threshold;
3876 		u8 old_coverage_class;
3877 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3878 
3879 		if (!rdev->ops->set_wiphy_params) {
3880 			result = -EOPNOTSUPP;
3881 			goto out;
3882 		}
3883 
3884 		old_retry_short = rdev->wiphy.retry_short;
3885 		old_retry_long = rdev->wiphy.retry_long;
3886 		old_frag_threshold = rdev->wiphy.frag_threshold;
3887 		old_rts_threshold = rdev->wiphy.rts_threshold;
3888 		old_coverage_class = rdev->wiphy.coverage_class;
3889 		old_txq_limit = rdev->wiphy.txq_limit;
3890 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3891 		old_txq_quantum = rdev->wiphy.txq_quantum;
3892 
3893 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3894 			rdev->wiphy.retry_short = retry_short;
3895 		if (changed & WIPHY_PARAM_RETRY_LONG)
3896 			rdev->wiphy.retry_long = retry_long;
3897 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3898 			rdev->wiphy.frag_threshold = frag_threshold;
3899 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3900 			rdev->wiphy.rts_threshold = rts_threshold;
3901 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3902 			rdev->wiphy.coverage_class = coverage_class;
3903 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3904 			rdev->wiphy.txq_limit = txq_limit;
3905 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3906 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3907 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3908 			rdev->wiphy.txq_quantum = txq_quantum;
3909 
3910 		result = rdev_set_wiphy_params(rdev, changed);
3911 		if (result) {
3912 			rdev->wiphy.retry_short = old_retry_short;
3913 			rdev->wiphy.retry_long = old_retry_long;
3914 			rdev->wiphy.frag_threshold = old_frag_threshold;
3915 			rdev->wiphy.rts_threshold = old_rts_threshold;
3916 			rdev->wiphy.coverage_class = old_coverage_class;
3917 			rdev->wiphy.txq_limit = old_txq_limit;
3918 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3919 			rdev->wiphy.txq_quantum = old_txq_quantum;
3920 			goto out;
3921 		}
3922 	}
3923 
3924 	result = 0;
3925 
3926 out:
3927 	wiphy_unlock(&rdev->wiphy);
3928 	return result;
3929 }
3930 
3931 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3932 {
3933 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3934 		return -EINVAL;
3935 
3936 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3937 			chandef->chan->center_freq))
3938 		return -ENOBUFS;
3939 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3940 			chandef->chan->freq_offset))
3941 		return -ENOBUFS;
3942 	switch (chandef->width) {
3943 	case NL80211_CHAN_WIDTH_20_NOHT:
3944 	case NL80211_CHAN_WIDTH_20:
3945 	case NL80211_CHAN_WIDTH_40:
3946 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3947 				cfg80211_get_chandef_type(chandef)))
3948 			return -ENOBUFS;
3949 		break;
3950 	default:
3951 		break;
3952 	}
3953 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3954 		return -ENOBUFS;
3955 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3956 		return -ENOBUFS;
3957 	if (chandef->center_freq2 &&
3958 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3959 		return -ENOBUFS;
3960 	if (chandef->punctured &&
3961 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3962 		return -ENOBUFS;
3963 
3964 	return 0;
3965 }
3966 EXPORT_SYMBOL(nl80211_send_chandef);
3967 
3968 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3969 			      struct cfg80211_registered_device *rdev,
3970 			      struct wireless_dev *wdev,
3971 			      enum nl80211_commands cmd)
3972 {
3973 	struct net_device *dev = wdev->netdev;
3974 	void *hdr;
3975 
3976 	lockdep_assert_wiphy(&rdev->wiphy);
3977 
3978 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3979 		cmd != NL80211_CMD_DEL_INTERFACE &&
3980 		cmd != NL80211_CMD_SET_INTERFACE);
3981 
3982 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3983 	if (!hdr)
3984 		return -1;
3985 
3986 	if (dev &&
3987 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3988 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3989 		goto nla_put_failure;
3990 
3991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3992 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3993 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3994 			      NL80211_ATTR_PAD) ||
3995 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3996 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3997 			rdev->devlist_generation ^
3998 			(cfg80211_rdev_list_generation << 2)) ||
3999 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
4000 		goto nla_put_failure;
4001 
4002 	if (rdev->ops->get_channel && !wdev->valid_links) {
4003 		struct cfg80211_chan_def chandef = {};
4004 		int ret;
4005 
4006 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4007 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4008 			goto nla_put_failure;
4009 	}
4010 
4011 	if (rdev->ops->get_tx_power) {
4012 		int dbm, ret;
4013 
4014 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
4015 		if (ret == 0 &&
4016 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4017 				DBM_TO_MBM(dbm)))
4018 			goto nla_put_failure;
4019 	}
4020 
4021 	switch (wdev->iftype) {
4022 	case NL80211_IFTYPE_AP:
4023 	case NL80211_IFTYPE_P2P_GO:
4024 		if (wdev->u.ap.ssid_len &&
4025 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4026 			    wdev->u.ap.ssid))
4027 			goto nla_put_failure;
4028 		break;
4029 	case NL80211_IFTYPE_STATION:
4030 	case NL80211_IFTYPE_P2P_CLIENT:
4031 		if (wdev->u.client.ssid_len &&
4032 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4033 			    wdev->u.client.ssid))
4034 			goto nla_put_failure;
4035 		break;
4036 	case NL80211_IFTYPE_ADHOC:
4037 		if (wdev->u.ibss.ssid_len &&
4038 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4039 			    wdev->u.ibss.ssid))
4040 			goto nla_put_failure;
4041 		break;
4042 	default:
4043 		/* nothing */
4044 		break;
4045 	}
4046 
4047 	if (rdev->ops->get_txq_stats) {
4048 		struct cfg80211_txq_stats txqstats = {};
4049 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4050 
4051 		if (ret == 0 &&
4052 		    !nl80211_put_txq_stats(msg, &txqstats,
4053 					   NL80211_ATTR_TXQ_STATS))
4054 			goto nla_put_failure;
4055 	}
4056 
4057 	if (wdev->valid_links) {
4058 		unsigned int link_id;
4059 		struct nlattr *links = nla_nest_start(msg,
4060 						      NL80211_ATTR_MLO_LINKS);
4061 
4062 		if (!links)
4063 			goto nla_put_failure;
4064 
4065 		for_each_valid_link(wdev, link_id) {
4066 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4067 			struct cfg80211_chan_def chandef = {};
4068 			int ret;
4069 
4070 			if (!link)
4071 				goto nla_put_failure;
4072 
4073 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4074 				goto nla_put_failure;
4075 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4076 				    wdev->links[link_id].addr))
4077 				goto nla_put_failure;
4078 
4079 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4080 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4081 				goto nla_put_failure;
4082 
4083 			nla_nest_end(msg, link);
4084 		}
4085 
4086 		nla_nest_end(msg, links);
4087 	}
4088 
4089 	genlmsg_end(msg, hdr);
4090 	return 0;
4091 
4092  nla_put_failure:
4093 	genlmsg_cancel(msg, hdr);
4094 	return -EMSGSIZE;
4095 }
4096 
4097 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4098 {
4099 	int wp_idx = 0;
4100 	int if_idx = 0;
4101 	int wp_start = cb->args[0];
4102 	int if_start = cb->args[1];
4103 	int filter_wiphy = -1;
4104 	struct cfg80211_registered_device *rdev;
4105 	struct wireless_dev *wdev;
4106 	int ret;
4107 
4108 	rtnl_lock();
4109 	if (!cb->args[2]) {
4110 		struct nl80211_dump_wiphy_state state = {
4111 			.filter_wiphy = -1,
4112 		};
4113 
4114 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4115 		if (ret)
4116 			goto out_unlock;
4117 
4118 		filter_wiphy = state.filter_wiphy;
4119 
4120 		/*
4121 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4122 		 * value needed to determine that parsing is necessary.
4123 		 */
4124 		if (filter_wiphy >= 0)
4125 			cb->args[2] = filter_wiphy + 1;
4126 		else
4127 			cb->args[2] = -1;
4128 	} else if (cb->args[2] > 0) {
4129 		filter_wiphy = cb->args[2] - 1;
4130 	}
4131 
4132 	for_each_rdev(rdev) {
4133 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4134 			continue;
4135 		if (wp_idx < wp_start) {
4136 			wp_idx++;
4137 			continue;
4138 		}
4139 
4140 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4141 			continue;
4142 
4143 		if_idx = 0;
4144 
4145 		wiphy_lock(&rdev->wiphy);
4146 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4147 			if (if_idx < if_start) {
4148 				if_idx++;
4149 				continue;
4150 			}
4151 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4152 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4153 					       rdev, wdev,
4154 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4155 				wiphy_unlock(&rdev->wiphy);
4156 				goto out;
4157 			}
4158 			if_idx++;
4159 		}
4160 		wiphy_unlock(&rdev->wiphy);
4161 
4162 		if_start = 0;
4163 		wp_idx++;
4164 	}
4165  out:
4166 	cb->args[0] = wp_idx;
4167 	cb->args[1] = if_idx;
4168 
4169 	ret = skb->len;
4170  out_unlock:
4171 	rtnl_unlock();
4172 
4173 	return ret;
4174 }
4175 
4176 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4177 {
4178 	struct sk_buff *msg;
4179 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4180 	struct wireless_dev *wdev = info->user_ptr[1];
4181 
4182 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4183 	if (!msg)
4184 		return -ENOMEM;
4185 
4186 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4187 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4188 		nlmsg_free(msg);
4189 		return -ENOBUFS;
4190 	}
4191 
4192 	return genlmsg_reply(msg, info);
4193 }
4194 
4195 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4196 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4197 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4198 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4199 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4200 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4201 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4202 };
4203 
4204 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4205 {
4206 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4207 	int flag;
4208 
4209 	*mntrflags = 0;
4210 
4211 	if (!nla)
4212 		return -EINVAL;
4213 
4214 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4215 		return -EINVAL;
4216 
4217 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4218 		if (flags[flag])
4219 			*mntrflags |= (1<<flag);
4220 
4221 	*mntrflags |= MONITOR_FLAG_CHANGED;
4222 
4223 	return 0;
4224 }
4225 
4226 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4227 				     enum nl80211_iftype type,
4228 				     struct genl_info *info,
4229 				     struct vif_params *params)
4230 {
4231 	bool change = false;
4232 	int err;
4233 
4234 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4235 		if (type != NL80211_IFTYPE_MONITOR)
4236 			return -EINVAL;
4237 
4238 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4239 					  &params->flags);
4240 		if (err)
4241 			return err;
4242 
4243 		change = true;
4244 	}
4245 
4246 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4247 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4248 		return -EOPNOTSUPP;
4249 
4250 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4251 		const u8 *mumimo_groups;
4252 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4253 
4254 		if (type != NL80211_IFTYPE_MONITOR)
4255 			return -EINVAL;
4256 
4257 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4258 			return -EOPNOTSUPP;
4259 
4260 		mumimo_groups =
4261 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4262 
4263 		/* bits 0 and 63 are reserved and must be zero */
4264 		if ((mumimo_groups[0] & BIT(0)) ||
4265 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4266 			return -EINVAL;
4267 
4268 		params->vht_mumimo_groups = mumimo_groups;
4269 		change = true;
4270 	}
4271 
4272 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4273 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4274 
4275 		if (type != NL80211_IFTYPE_MONITOR)
4276 			return -EINVAL;
4277 
4278 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4279 			return -EOPNOTSUPP;
4280 
4281 		params->vht_mumimo_follow_addr =
4282 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4283 		change = true;
4284 	}
4285 
4286 	return change ? 1 : 0;
4287 }
4288 
4289 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4290 			       struct net_device *netdev, u8 use_4addr,
4291 			       enum nl80211_iftype iftype)
4292 {
4293 	if (!use_4addr) {
4294 		if (netdev && netif_is_bridge_port(netdev))
4295 			return -EBUSY;
4296 		return 0;
4297 	}
4298 
4299 	switch (iftype) {
4300 	case NL80211_IFTYPE_AP_VLAN:
4301 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4302 			return 0;
4303 		break;
4304 	case NL80211_IFTYPE_STATION:
4305 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4306 			return 0;
4307 		break;
4308 	default:
4309 		break;
4310 	}
4311 
4312 	return -EOPNOTSUPP;
4313 }
4314 
4315 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4316 {
4317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4318 	struct vif_params params;
4319 	int err;
4320 	enum nl80211_iftype otype, ntype;
4321 	struct net_device *dev = info->user_ptr[1];
4322 	bool change = false;
4323 
4324 	memset(&params, 0, sizeof(params));
4325 
4326 	otype = ntype = dev->ieee80211_ptr->iftype;
4327 
4328 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4329 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4330 		if (otype != ntype)
4331 			change = true;
4332 	}
4333 
4334 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4335 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4336 
4337 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4338 			return -EINVAL;
4339 		if (otype != NL80211_IFTYPE_MESH_POINT)
4340 			return -EINVAL;
4341 		if (netif_running(dev))
4342 			return -EBUSY;
4343 
4344 		wdev->u.mesh.id_up_len =
4345 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4346 		memcpy(wdev->u.mesh.id,
4347 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4348 		       wdev->u.mesh.id_up_len);
4349 	}
4350 
4351 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4352 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4353 		change = true;
4354 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4355 		if (err)
4356 			return err;
4357 	} else {
4358 		params.use_4addr = -1;
4359 	}
4360 
4361 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4362 	if (err < 0)
4363 		return err;
4364 	if (err > 0)
4365 		change = true;
4366 
4367 	if (change)
4368 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4369 	else
4370 		err = 0;
4371 
4372 	if (!err && params.use_4addr != -1)
4373 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4374 
4375 	if (change && !err) {
4376 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4377 
4378 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4379 	}
4380 
4381 	return err;
4382 }
4383 
4384 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4385 {
4386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4387 	struct vif_params params;
4388 	struct wireless_dev *wdev;
4389 	struct sk_buff *msg;
4390 	int err;
4391 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4392 
4393 	memset(&params, 0, sizeof(params));
4394 
4395 	if (!info->attrs[NL80211_ATTR_IFNAME])
4396 		return -EINVAL;
4397 
4398 	if (info->attrs[NL80211_ATTR_IFTYPE])
4399 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4400 
4401 	if (!rdev->ops->add_virtual_intf)
4402 		return -EOPNOTSUPP;
4403 
4404 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4405 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4406 	    info->attrs[NL80211_ATTR_MAC]) {
4407 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4408 			   ETH_ALEN);
4409 		if (!is_valid_ether_addr(params.macaddr))
4410 			return -EADDRNOTAVAIL;
4411 	}
4412 
4413 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4414 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4415 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4416 		if (err)
4417 			return err;
4418 	}
4419 
4420 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4421 		return -EOPNOTSUPP;
4422 
4423 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4424 	if (err < 0)
4425 		return err;
4426 
4427 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4428 	if (!msg)
4429 		return -ENOMEM;
4430 
4431 	wdev = rdev_add_virtual_intf(rdev,
4432 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4433 				NET_NAME_USER, type, &params);
4434 	if (WARN_ON(!wdev)) {
4435 		nlmsg_free(msg);
4436 		return -EPROTO;
4437 	} else if (IS_ERR(wdev)) {
4438 		nlmsg_free(msg);
4439 		return PTR_ERR(wdev);
4440 	}
4441 
4442 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4443 		wdev->owner_nlportid = info->snd_portid;
4444 
4445 	switch (type) {
4446 	case NL80211_IFTYPE_MESH_POINT:
4447 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4448 			break;
4449 		wdev->u.mesh.id_up_len =
4450 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4451 		memcpy(wdev->u.mesh.id,
4452 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4453 		       wdev->u.mesh.id_up_len);
4454 		break;
4455 	case NL80211_IFTYPE_NAN:
4456 	case NL80211_IFTYPE_P2P_DEVICE:
4457 		/*
4458 		 * P2P Device and NAN do not have a netdev, so don't go
4459 		 * through the netdev notifier and must be added here
4460 		 */
4461 		cfg80211_init_wdev(wdev);
4462 		cfg80211_register_wdev(rdev, wdev);
4463 		break;
4464 	default:
4465 		break;
4466 	}
4467 
4468 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4469 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4470 		nlmsg_free(msg);
4471 		return -ENOBUFS;
4472 	}
4473 
4474 	return genlmsg_reply(msg, info);
4475 }
4476 
4477 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4478 {
4479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4480 	int ret;
4481 
4482 	/* to avoid failing a new interface creation due to pending removal */
4483 	cfg80211_destroy_ifaces(rdev);
4484 
4485 	wiphy_lock(&rdev->wiphy);
4486 	ret = _nl80211_new_interface(skb, info);
4487 	wiphy_unlock(&rdev->wiphy);
4488 
4489 	return ret;
4490 }
4491 
4492 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4493 {
4494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4495 	struct wireless_dev *wdev = info->user_ptr[1];
4496 
4497 	if (!rdev->ops->del_virtual_intf)
4498 		return -EOPNOTSUPP;
4499 
4500 	/*
4501 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4502 	 * reach 0, and thus the rdev cannot be deleted.
4503 	 *
4504 	 * We need to do it for the dev_close(), since that will call
4505 	 * the netdev notifiers, and we need to acquire the mutex there
4506 	 * but don't know if we get there from here or from some other
4507 	 * place (e.g. "ip link set ... down").
4508 	 */
4509 	mutex_unlock(&rdev->wiphy.mtx);
4510 
4511 	/*
4512 	 * If we remove a wireless device without a netdev then clear
4513 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4514 	 * to check if it needs to do dev_put(). Otherwise it crashes
4515 	 * since the wdev has been freed, unlike with a netdev where
4516 	 * we need the dev_put() for the netdev to really be freed.
4517 	 */
4518 	if (!wdev->netdev)
4519 		info->user_ptr[1] = NULL;
4520 	else
4521 		dev_close(wdev->netdev);
4522 
4523 	mutex_lock(&rdev->wiphy.mtx);
4524 
4525 	return cfg80211_remove_virtual_intf(rdev, wdev);
4526 }
4527 
4528 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4529 {
4530 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4531 	struct net_device *dev = info->user_ptr[1];
4532 	u16 noack_map;
4533 
4534 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4535 		return -EINVAL;
4536 
4537 	if (!rdev->ops->set_noack_map)
4538 		return -EOPNOTSUPP;
4539 
4540 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4541 
4542 	return rdev_set_noack_map(rdev, dev, noack_map);
4543 }
4544 
4545 static int nl80211_validate_key_link_id(struct genl_info *info,
4546 					struct wireless_dev *wdev,
4547 					int link_id, bool pairwise)
4548 {
4549 	if (pairwise) {
4550 		if (link_id != -1) {
4551 			GENL_SET_ERR_MSG(info,
4552 					 "link ID not allowed for pairwise key");
4553 			return -EINVAL;
4554 		}
4555 
4556 		return 0;
4557 	}
4558 
4559 	if (wdev->valid_links) {
4560 		if (link_id == -1) {
4561 			GENL_SET_ERR_MSG(info,
4562 					 "link ID must for MLO group key");
4563 			return -EINVAL;
4564 		}
4565 		if (!(wdev->valid_links & BIT(link_id))) {
4566 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4567 			return -EINVAL;
4568 		}
4569 	} else if (link_id != -1) {
4570 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4571 		return -EINVAL;
4572 	}
4573 
4574 	return 0;
4575 }
4576 
4577 struct get_key_cookie {
4578 	struct sk_buff *msg;
4579 	int error;
4580 	int idx;
4581 };
4582 
4583 static void get_key_callback(void *c, struct key_params *params)
4584 {
4585 	struct nlattr *key;
4586 	struct get_key_cookie *cookie = c;
4587 
4588 	if ((params->seq &&
4589 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4590 		     params->seq_len, params->seq)) ||
4591 	    (params->cipher &&
4592 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4593 			 params->cipher)))
4594 		goto nla_put_failure;
4595 
4596 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4597 	if (!key)
4598 		goto nla_put_failure;
4599 
4600 	if ((params->seq &&
4601 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4602 		     params->seq_len, params->seq)) ||
4603 	    (params->cipher &&
4604 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4605 			 params->cipher)))
4606 		goto nla_put_failure;
4607 
4608 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4609 		goto nla_put_failure;
4610 
4611 	nla_nest_end(cookie->msg, key);
4612 
4613 	return;
4614  nla_put_failure:
4615 	cookie->error = 1;
4616 }
4617 
4618 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4619 {
4620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4621 	int err;
4622 	struct net_device *dev = info->user_ptr[1];
4623 	u8 key_idx = 0;
4624 	const u8 *mac_addr = NULL;
4625 	bool pairwise;
4626 	struct get_key_cookie cookie = {
4627 		.error = 0,
4628 	};
4629 	void *hdr;
4630 	struct sk_buff *msg;
4631 	bool bigtk_support = false;
4632 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4633 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4634 
4635 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4636 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4637 		bigtk_support = true;
4638 
4639 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4640 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4641 	    wiphy_ext_feature_isset(&rdev->wiphy,
4642 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4643 		bigtk_support = true;
4644 
4645 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4646 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4647 
4648 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4649 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4650 			return -EINVAL;
4651 		}
4652 	}
4653 
4654 	if (info->attrs[NL80211_ATTR_MAC])
4655 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4656 
4657 	pairwise = !!mac_addr;
4658 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4659 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4660 
4661 		if (kt != NL80211_KEYTYPE_GROUP &&
4662 		    kt != NL80211_KEYTYPE_PAIRWISE)
4663 			return -EINVAL;
4664 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4665 	}
4666 
4667 	if (!rdev->ops->get_key)
4668 		return -EOPNOTSUPP;
4669 
4670 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4671 		return -ENOENT;
4672 
4673 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4674 	if (!msg)
4675 		return -ENOMEM;
4676 
4677 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4678 			     NL80211_CMD_NEW_KEY);
4679 	if (!hdr)
4680 		goto nla_put_failure;
4681 
4682 	cookie.msg = msg;
4683 	cookie.idx = key_idx;
4684 
4685 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4686 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4687 		goto nla_put_failure;
4688 	if (mac_addr &&
4689 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4690 		goto nla_put_failure;
4691 
4692 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4693 	if (err)
4694 		goto free_msg;
4695 
4696 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4697 			   &cookie, get_key_callback);
4698 
4699 	if (err)
4700 		goto free_msg;
4701 
4702 	if (cookie.error)
4703 		goto nla_put_failure;
4704 
4705 	genlmsg_end(msg, hdr);
4706 	return genlmsg_reply(msg, info);
4707 
4708  nla_put_failure:
4709 	err = -ENOBUFS;
4710  free_msg:
4711 	nlmsg_free(msg);
4712 	return err;
4713 }
4714 
4715 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4716 {
4717 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4718 	struct key_parse key;
4719 	int err;
4720 	struct net_device *dev = info->user_ptr[1];
4721 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4723 
4724 	err = nl80211_parse_key(info, &key);
4725 	if (err)
4726 		return err;
4727 
4728 	if (key.idx < 0)
4729 		return -EINVAL;
4730 
4731 	/* Only support setting default key and
4732 	 * Extended Key ID action NL80211_KEY_SET_TX.
4733 	 */
4734 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4735 	    !(key.p.mode == NL80211_KEY_SET_TX))
4736 		return -EINVAL;
4737 
4738 	if (key.def) {
4739 		if (!rdev->ops->set_default_key)
4740 			return -EOPNOTSUPP;
4741 
4742 		err = nl80211_key_allowed(wdev);
4743 		if (err)
4744 			return err;
4745 
4746 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4747 		if (err)
4748 			return err;
4749 
4750 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4751 					   key.def_uni, key.def_multi);
4752 
4753 		if (err)
4754 			return err;
4755 
4756 #ifdef CONFIG_CFG80211_WEXT
4757 		wdev->wext.default_key = key.idx;
4758 #endif
4759 		return 0;
4760 	} else if (key.defmgmt) {
4761 		if (key.def_uni || !key.def_multi)
4762 			return -EINVAL;
4763 
4764 		if (!rdev->ops->set_default_mgmt_key)
4765 			return -EOPNOTSUPP;
4766 
4767 		err = nl80211_key_allowed(wdev);
4768 		if (err)
4769 			return err;
4770 
4771 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4772 		if (err)
4773 			return err;
4774 
4775 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4776 		if (err)
4777 			return err;
4778 
4779 #ifdef CONFIG_CFG80211_WEXT
4780 		wdev->wext.default_mgmt_key = key.idx;
4781 #endif
4782 		return 0;
4783 	} else if (key.defbeacon) {
4784 		if (key.def_uni || !key.def_multi)
4785 			return -EINVAL;
4786 
4787 		if (!rdev->ops->set_default_beacon_key)
4788 			return -EOPNOTSUPP;
4789 
4790 		err = nl80211_key_allowed(wdev);
4791 		if (err)
4792 			return err;
4793 
4794 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4795 		if (err)
4796 			return err;
4797 
4798 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4799 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4800 		   wiphy_ext_feature_isset(&rdev->wiphy,
4801 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4802 		u8 *mac_addr = NULL;
4803 
4804 		if (info->attrs[NL80211_ATTR_MAC])
4805 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4806 
4807 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4808 			return -EINVAL;
4809 
4810 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4811 		if (err)
4812 			return err;
4813 
4814 		return rdev_add_key(rdev, dev, link_id, key.idx,
4815 				    NL80211_KEYTYPE_PAIRWISE,
4816 				    mac_addr, &key.p);
4817 	}
4818 
4819 	return -EINVAL;
4820 }
4821 
4822 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4823 {
4824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4825 	int err;
4826 	struct net_device *dev = info->user_ptr[1];
4827 	struct key_parse key;
4828 	const u8 *mac_addr = NULL;
4829 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4830 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4831 
4832 	err = nl80211_parse_key(info, &key);
4833 	if (err)
4834 		return err;
4835 
4836 	if (!key.p.key) {
4837 		GENL_SET_ERR_MSG(info, "no key");
4838 		return -EINVAL;
4839 	}
4840 
4841 	if (info->attrs[NL80211_ATTR_MAC])
4842 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4843 
4844 	if (key.type == -1) {
4845 		if (mac_addr)
4846 			key.type = NL80211_KEYTYPE_PAIRWISE;
4847 		else
4848 			key.type = NL80211_KEYTYPE_GROUP;
4849 	}
4850 
4851 	/* for now */
4852 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4853 	    key.type != NL80211_KEYTYPE_GROUP) {
4854 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4855 		return -EINVAL;
4856 	}
4857 
4858 	if (key.type == NL80211_KEYTYPE_GROUP &&
4859 	    info->attrs[NL80211_ATTR_VLAN_ID])
4860 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4861 
4862 	if (!rdev->ops->add_key)
4863 		return -EOPNOTSUPP;
4864 
4865 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4866 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4867 					   mac_addr)) {
4868 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4869 		return -EINVAL;
4870 	}
4871 
4872 	err = nl80211_key_allowed(wdev);
4873 	if (err)
4874 		GENL_SET_ERR_MSG(info, "key not allowed");
4875 
4876 	if (!err)
4877 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4878 				key.type == NL80211_KEYTYPE_PAIRWISE);
4879 
4880 	if (!err) {
4881 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4882 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4883 				    mac_addr, &key.p);
4884 		if (err)
4885 			GENL_SET_ERR_MSG(info, "key addition failed");
4886 	}
4887 
4888 	return err;
4889 }
4890 
4891 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4892 {
4893 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4894 	int err;
4895 	struct net_device *dev = info->user_ptr[1];
4896 	u8 *mac_addr = NULL;
4897 	struct key_parse key;
4898 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4899 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4900 
4901 	err = nl80211_parse_key(info, &key);
4902 	if (err)
4903 		return err;
4904 
4905 	if (info->attrs[NL80211_ATTR_MAC])
4906 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4907 
4908 	if (key.type == -1) {
4909 		if (mac_addr)
4910 			key.type = NL80211_KEYTYPE_PAIRWISE;
4911 		else
4912 			key.type = NL80211_KEYTYPE_GROUP;
4913 	}
4914 
4915 	/* for now */
4916 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4917 	    key.type != NL80211_KEYTYPE_GROUP)
4918 		return -EINVAL;
4919 
4920 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4921 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4922 		return -EINVAL;
4923 
4924 	if (!rdev->ops->del_key)
4925 		return -EOPNOTSUPP;
4926 
4927 	err = nl80211_key_allowed(wdev);
4928 
4929 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4930 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4931 		err = -ENOENT;
4932 
4933 	if (!err)
4934 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4935 				key.type == NL80211_KEYTYPE_PAIRWISE);
4936 
4937 	if (!err)
4938 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4939 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4940 				   mac_addr);
4941 
4942 #ifdef CONFIG_CFG80211_WEXT
4943 	if (!err) {
4944 		if (key.idx == wdev->wext.default_key)
4945 			wdev->wext.default_key = -1;
4946 		else if (key.idx == wdev->wext.default_mgmt_key)
4947 			wdev->wext.default_mgmt_key = -1;
4948 	}
4949 #endif
4950 
4951 	return err;
4952 }
4953 
4954 /* This function returns an error or the number of nested attributes */
4955 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4956 {
4957 	struct nlattr *attr;
4958 	int n_entries = 0, tmp;
4959 
4960 	nla_for_each_nested(attr, nl_attr, tmp) {
4961 		if (nla_len(attr) != ETH_ALEN)
4962 			return -EINVAL;
4963 
4964 		n_entries++;
4965 	}
4966 
4967 	return n_entries;
4968 }
4969 
4970 /*
4971  * This function parses ACL information and allocates memory for ACL data.
4972  * On successful return, the calling function is responsible to free the
4973  * ACL buffer returned by this function.
4974  */
4975 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4976 						struct genl_info *info)
4977 {
4978 	enum nl80211_acl_policy acl_policy;
4979 	struct nlattr *attr;
4980 	struct cfg80211_acl_data *acl;
4981 	int i = 0, n_entries, tmp;
4982 
4983 	if (!wiphy->max_acl_mac_addrs)
4984 		return ERR_PTR(-EOPNOTSUPP);
4985 
4986 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4987 		return ERR_PTR(-EINVAL);
4988 
4989 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4990 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4991 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4992 		return ERR_PTR(-EINVAL);
4993 
4994 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4995 		return ERR_PTR(-EINVAL);
4996 
4997 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4998 	if (n_entries < 0)
4999 		return ERR_PTR(n_entries);
5000 
5001 	if (n_entries > wiphy->max_acl_mac_addrs)
5002 		return ERR_PTR(-EOPNOTSUPP);
5003 
5004 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5005 	if (!acl)
5006 		return ERR_PTR(-ENOMEM);
5007 	acl->n_acl_entries = n_entries;
5008 
5009 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5010 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5011 		i++;
5012 	}
5013 	acl->acl_policy = acl_policy;
5014 
5015 	return acl;
5016 }
5017 
5018 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5019 {
5020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5021 	struct net_device *dev = info->user_ptr[1];
5022 	struct cfg80211_acl_data *acl;
5023 	int err;
5024 
5025 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5026 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5027 		return -EOPNOTSUPP;
5028 
5029 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5030 		return -EINVAL;
5031 
5032 	acl = parse_acl_data(&rdev->wiphy, info);
5033 	if (IS_ERR(acl))
5034 		return PTR_ERR(acl);
5035 
5036 	err = rdev_set_mac_acl(rdev, dev, acl);
5037 
5038 	kfree(acl);
5039 
5040 	return err;
5041 }
5042 
5043 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5044 			   u8 *rates, u8 rates_len)
5045 {
5046 	u8 i;
5047 	u32 mask = 0;
5048 
5049 	for (i = 0; i < rates_len; i++) {
5050 		int rate = (rates[i] & 0x7f) * 5;
5051 		int ridx;
5052 
5053 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5054 			struct ieee80211_rate *srate =
5055 				&sband->bitrates[ridx];
5056 			if (rate == srate->bitrate) {
5057 				mask |= 1 << ridx;
5058 				break;
5059 			}
5060 		}
5061 		if (ridx == sband->n_bitrates)
5062 			return 0; /* rate not found */
5063 	}
5064 
5065 	return mask;
5066 }
5067 
5068 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5069 			       u8 *rates, u8 rates_len,
5070 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5071 {
5072 	u8 i;
5073 
5074 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5075 
5076 	for (i = 0; i < rates_len; i++) {
5077 		int ridx, rbit;
5078 
5079 		ridx = rates[i] / 8;
5080 		rbit = BIT(rates[i] % 8);
5081 
5082 		/* check validity */
5083 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5084 			return false;
5085 
5086 		/* check availability */
5087 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5088 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5089 			mcs[ridx] |= rbit;
5090 		else
5091 			return false;
5092 	}
5093 
5094 	return true;
5095 }
5096 
5097 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5098 {
5099 	u16 mcs_mask = 0;
5100 
5101 	switch (vht_mcs_map) {
5102 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5103 		break;
5104 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5105 		mcs_mask = 0x00FF;
5106 		break;
5107 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5108 		mcs_mask = 0x01FF;
5109 		break;
5110 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5111 		mcs_mask = 0x03FF;
5112 		break;
5113 	default:
5114 		break;
5115 	}
5116 
5117 	return mcs_mask;
5118 }
5119 
5120 static void vht_build_mcs_mask(u16 vht_mcs_map,
5121 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5122 {
5123 	u8 nss;
5124 
5125 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5126 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5127 		vht_mcs_map >>= 2;
5128 	}
5129 }
5130 
5131 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5132 			     struct nl80211_txrate_vht *txrate,
5133 			     u16 mcs[NL80211_VHT_NSS_MAX])
5134 {
5135 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5136 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5137 	u8 i;
5138 
5139 	if (!sband->vht_cap.vht_supported)
5140 		return false;
5141 
5142 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5143 
5144 	/* Build vht_mcs_mask from VHT capabilities */
5145 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5146 
5147 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5148 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5149 			mcs[i] = txrate->mcs[i];
5150 		else
5151 			return false;
5152 	}
5153 
5154 	return true;
5155 }
5156 
5157 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5158 {
5159 	switch (he_mcs_map) {
5160 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5161 		return 0;
5162 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5163 		return 0x00FF;
5164 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5165 		return 0x03FF;
5166 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5167 		return 0xFFF;
5168 	default:
5169 		break;
5170 	}
5171 	return 0;
5172 }
5173 
5174 static void he_build_mcs_mask(u16 he_mcs_map,
5175 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5176 {
5177 	u8 nss;
5178 
5179 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5180 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5181 		he_mcs_map >>= 2;
5182 	}
5183 }
5184 
5185 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5186 			   const struct ieee80211_sta_he_cap *he_cap)
5187 {
5188 	struct net_device *dev = info->user_ptr[1];
5189 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5190 	struct cfg80211_chan_def *chandef;
5191 	__le16 tx_mcs;
5192 
5193 	chandef = wdev_chandef(wdev, link_id);
5194 	if (!chandef) {
5195 		/*
5196 		 * This is probably broken, but we never maintained
5197 		 * a chandef in these cases, so it always was.
5198 		 */
5199 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5200 	}
5201 
5202 	switch (chandef->width) {
5203 	case NL80211_CHAN_WIDTH_80P80:
5204 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5205 		break;
5206 	case NL80211_CHAN_WIDTH_160:
5207 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5208 		break;
5209 	default:
5210 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5211 		break;
5212 	}
5213 
5214 	return le16_to_cpu(tx_mcs);
5215 }
5216 
5217 static bool he_set_mcs_mask(struct genl_info *info,
5218 			    struct wireless_dev *wdev,
5219 			    struct ieee80211_supported_band *sband,
5220 			    struct nl80211_txrate_he *txrate,
5221 			    u16 mcs[NL80211_HE_NSS_MAX],
5222 			    unsigned int link_id)
5223 {
5224 	const struct ieee80211_sta_he_cap *he_cap;
5225 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5226 	u16 tx_mcs_map = 0;
5227 	u8 i;
5228 
5229 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5230 	if (!he_cap)
5231 		return false;
5232 
5233 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5234 
5235 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5236 
5237 	/* Build he_mcs_mask from HE capabilities */
5238 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5239 
5240 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5241 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5242 			mcs[i] = txrate->mcs[i];
5243 		else
5244 			return false;
5245 	}
5246 
5247 	return true;
5248 }
5249 
5250 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5251 					 struct nlattr *attrs[],
5252 					 enum nl80211_attrs attr,
5253 					 struct cfg80211_bitrate_mask *mask,
5254 					 struct net_device *dev,
5255 					 bool default_all_enabled,
5256 					 unsigned int link_id)
5257 {
5258 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5260 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5261 	int rem, i;
5262 	struct nlattr *tx_rates;
5263 	struct ieee80211_supported_band *sband;
5264 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5265 
5266 	memset(mask, 0, sizeof(*mask));
5267 	/* Default to all rates enabled */
5268 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5269 		const struct ieee80211_sta_he_cap *he_cap;
5270 
5271 		if (!default_all_enabled)
5272 			break;
5273 
5274 		sband = rdev->wiphy.bands[i];
5275 
5276 		if (!sband)
5277 			continue;
5278 
5279 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5280 		memcpy(mask->control[i].ht_mcs,
5281 		       sband->ht_cap.mcs.rx_mask,
5282 		       sizeof(mask->control[i].ht_mcs));
5283 
5284 		if (sband->vht_cap.vht_supported) {
5285 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5286 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5287 		}
5288 
5289 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5290 		if (!he_cap)
5291 			continue;
5292 
5293 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5294 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5295 
5296 		mask->control[i].he_gi = 0xFF;
5297 		mask->control[i].he_ltf = 0xFF;
5298 	}
5299 
5300 	/* if no rates are given set it back to the defaults */
5301 	if (!attrs[attr])
5302 		goto out;
5303 
5304 	/* The nested attribute uses enum nl80211_band as the index. This maps
5305 	 * directly to the enum nl80211_band values used in cfg80211.
5306 	 */
5307 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5308 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5309 		enum nl80211_band band = nla_type(tx_rates);
5310 		int err;
5311 
5312 		if (band < 0 || band >= NUM_NL80211_BANDS)
5313 			return -EINVAL;
5314 		sband = rdev->wiphy.bands[band];
5315 		if (sband == NULL)
5316 			return -EINVAL;
5317 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5318 						  tx_rates,
5319 						  nl80211_txattr_policy,
5320 						  info->extack);
5321 		if (err)
5322 			return err;
5323 		if (tb[NL80211_TXRATE_LEGACY]) {
5324 			mask->control[band].legacy = rateset_to_mask(
5325 				sband,
5326 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5327 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5328 			if ((mask->control[band].legacy == 0) &&
5329 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5330 				return -EINVAL;
5331 		}
5332 		if (tb[NL80211_TXRATE_HT]) {
5333 			if (!ht_rateset_to_mask(
5334 					sband,
5335 					nla_data(tb[NL80211_TXRATE_HT]),
5336 					nla_len(tb[NL80211_TXRATE_HT]),
5337 					mask->control[band].ht_mcs))
5338 				return -EINVAL;
5339 		}
5340 
5341 		if (tb[NL80211_TXRATE_VHT]) {
5342 			if (!vht_set_mcs_mask(
5343 					sband,
5344 					nla_data(tb[NL80211_TXRATE_VHT]),
5345 					mask->control[band].vht_mcs))
5346 				return -EINVAL;
5347 		}
5348 
5349 		if (tb[NL80211_TXRATE_GI]) {
5350 			mask->control[band].gi =
5351 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5352 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5353 				return -EINVAL;
5354 		}
5355 		if (tb[NL80211_TXRATE_HE] &&
5356 		    !he_set_mcs_mask(info, wdev, sband,
5357 				     nla_data(tb[NL80211_TXRATE_HE]),
5358 				     mask->control[band].he_mcs,
5359 				     link_id))
5360 			return -EINVAL;
5361 
5362 		if (tb[NL80211_TXRATE_HE_GI])
5363 			mask->control[band].he_gi =
5364 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5365 		if (tb[NL80211_TXRATE_HE_LTF])
5366 			mask->control[band].he_ltf =
5367 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5368 
5369 		if (mask->control[band].legacy == 0) {
5370 			/* don't allow empty legacy rates if HT, VHT or HE
5371 			 * are not even supported.
5372 			 */
5373 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5374 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5375 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5376 				return -EINVAL;
5377 
5378 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5379 				if (mask->control[band].ht_mcs[i])
5380 					goto out;
5381 
5382 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5383 				if (mask->control[band].vht_mcs[i])
5384 					goto out;
5385 
5386 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5387 				if (mask->control[band].he_mcs[i])
5388 					goto out;
5389 
5390 			/* legacy and mcs rates may not be both empty */
5391 			return -EINVAL;
5392 		}
5393 	}
5394 
5395 out:
5396 	return 0;
5397 }
5398 
5399 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5400 				   enum nl80211_band band,
5401 				   struct cfg80211_bitrate_mask *beacon_rate)
5402 {
5403 	u32 count_ht, count_vht, count_he, i;
5404 	u32 rate = beacon_rate->control[band].legacy;
5405 
5406 	/* Allow only one rate */
5407 	if (hweight32(rate) > 1)
5408 		return -EINVAL;
5409 
5410 	count_ht = 0;
5411 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5412 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5413 			return -EINVAL;
5414 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5415 			count_ht++;
5416 			if (count_ht > 1)
5417 				return -EINVAL;
5418 		}
5419 		if (count_ht && rate)
5420 			return -EINVAL;
5421 	}
5422 
5423 	count_vht = 0;
5424 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5425 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5426 			return -EINVAL;
5427 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5428 			count_vht++;
5429 			if (count_vht > 1)
5430 				return -EINVAL;
5431 		}
5432 		if (count_vht && rate)
5433 			return -EINVAL;
5434 	}
5435 
5436 	count_he = 0;
5437 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5438 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5439 			return -EINVAL;
5440 		} else if (beacon_rate->control[band].he_mcs[i]) {
5441 			count_he++;
5442 			if (count_he > 1)
5443 				return -EINVAL;
5444 		}
5445 		if (count_he && rate)
5446 			return -EINVAL;
5447 	}
5448 
5449 	if ((count_ht && count_vht && count_he) ||
5450 	    (!rate && !count_ht && !count_vht && !count_he))
5451 		return -EINVAL;
5452 
5453 	if (rate &&
5454 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5455 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5456 		return -EINVAL;
5457 	if (count_ht &&
5458 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5459 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5460 		return -EINVAL;
5461 	if (count_vht &&
5462 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5463 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5464 		return -EINVAL;
5465 	if (count_he &&
5466 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5467 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5468 		return -EINVAL;
5469 
5470 	return 0;
5471 }
5472 
5473 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5474 				       struct net_device *dev,
5475 				       struct nlattr *attrs,
5476 				       struct cfg80211_mbssid_config *config,
5477 				       u8 num_elems)
5478 {
5479 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5480 
5481 	if (!wiphy->mbssid_max_interfaces)
5482 		return -EOPNOTSUPP;
5483 
5484 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5485 			     NULL) ||
5486 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5487 		return -EINVAL;
5488 
5489 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5490 	if (config->ema) {
5491 		if (!wiphy->ema_max_profile_periodicity)
5492 			return -EOPNOTSUPP;
5493 
5494 		if (num_elems > wiphy->ema_max_profile_periodicity)
5495 			return -EINVAL;
5496 	}
5497 
5498 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5499 	if (config->index >= wiphy->mbssid_max_interfaces ||
5500 	    (!config->index && !num_elems))
5501 		return -EINVAL;
5502 
5503 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5504 		u32 tx_ifindex =
5505 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5506 
5507 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5508 		    (config->index && tx_ifindex == dev->ifindex))
5509 			return -EINVAL;
5510 
5511 		if (tx_ifindex != dev->ifindex) {
5512 			struct net_device *tx_netdev =
5513 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5514 
5515 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5516 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5517 			    tx_netdev->ieee80211_ptr->iftype !=
5518 							NL80211_IFTYPE_AP) {
5519 				dev_put(tx_netdev);
5520 				return -EINVAL;
5521 			}
5522 
5523 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5524 		} else {
5525 			config->tx_wdev = dev->ieee80211_ptr;
5526 		}
5527 	} else if (!config->index) {
5528 		config->tx_wdev = dev->ieee80211_ptr;
5529 	} else {
5530 		return -EINVAL;
5531 	}
5532 
5533 	return 0;
5534 }
5535 
5536 static struct cfg80211_mbssid_elems *
5537 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5538 {
5539 	struct nlattr *nl_elems;
5540 	struct cfg80211_mbssid_elems *elems;
5541 	int rem_elems;
5542 	u8 i = 0, num_elems = 0;
5543 
5544 	if (!wiphy->mbssid_max_interfaces)
5545 		return ERR_PTR(-EINVAL);
5546 
5547 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5548 		if (num_elems >= 255)
5549 			return ERR_PTR(-EINVAL);
5550 		num_elems++;
5551 	}
5552 
5553 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5554 	if (!elems)
5555 		return ERR_PTR(-ENOMEM);
5556 	elems->cnt = num_elems;
5557 
5558 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5559 		elems->elem[i].data = nla_data(nl_elems);
5560 		elems->elem[i].len = nla_len(nl_elems);
5561 		i++;
5562 	}
5563 	return elems;
5564 }
5565 
5566 static struct cfg80211_rnr_elems *
5567 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5568 			struct netlink_ext_ack *extack)
5569 {
5570 	struct nlattr *nl_elems;
5571 	struct cfg80211_rnr_elems *elems;
5572 	int rem_elems;
5573 	u8 i = 0, num_elems = 0;
5574 
5575 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5576 		int ret;
5577 
5578 		ret = validate_ie_attr(nl_elems, extack);
5579 		if (ret)
5580 			return ERR_PTR(ret);
5581 
5582 		num_elems++;
5583 	}
5584 
5585 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5586 	if (!elems)
5587 		return ERR_PTR(-ENOMEM);
5588 	elems->cnt = num_elems;
5589 
5590 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5591 		elems->elem[i].data = nla_data(nl_elems);
5592 		elems->elem[i].len = nla_len(nl_elems);
5593 		i++;
5594 	}
5595 	return elems;
5596 }
5597 
5598 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5599 				      struct cfg80211_he_bss_color *he_bss_color)
5600 {
5601 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5602 	int err;
5603 
5604 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5605 			       he_bss_color_policy, NULL);
5606 	if (err)
5607 		return err;
5608 
5609 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5610 		return -EINVAL;
5611 
5612 	he_bss_color->color =
5613 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5614 	he_bss_color->enabled =
5615 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5616 	he_bss_color->partial =
5617 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5618 
5619 	return 0;
5620 }
5621 
5622 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5623 				struct nlattr *attrs[],
5624 				struct cfg80211_beacon_data *bcn,
5625 				struct netlink_ext_ack *extack)
5626 {
5627 	bool haveinfo = false;
5628 	int err;
5629 
5630 	memset(bcn, 0, sizeof(*bcn));
5631 
5632 	bcn->link_id = nl80211_link_id(attrs);
5633 
5634 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5635 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5636 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5637 		if (!bcn->head_len)
5638 			return -EINVAL;
5639 		haveinfo = true;
5640 	}
5641 
5642 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5643 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5644 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5645 		haveinfo = true;
5646 	}
5647 
5648 	if (!haveinfo)
5649 		return -EINVAL;
5650 
5651 	if (attrs[NL80211_ATTR_IE]) {
5652 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5653 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5654 	}
5655 
5656 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5657 		bcn->proberesp_ies =
5658 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5659 		bcn->proberesp_ies_len =
5660 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5661 	}
5662 
5663 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5664 		bcn->assocresp_ies =
5665 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5666 		bcn->assocresp_ies_len =
5667 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5668 	}
5669 
5670 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5671 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5672 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5673 	}
5674 
5675 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5676 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5677 
5678 		err = nla_parse_nested_deprecated(tb,
5679 						  NL80211_FTM_RESP_ATTR_MAX,
5680 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5681 						  NULL, NULL);
5682 		if (err)
5683 			return err;
5684 
5685 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5686 		    wiphy_ext_feature_isset(&rdev->wiphy,
5687 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5688 			bcn->ftm_responder = 1;
5689 		else
5690 			return -EOPNOTSUPP;
5691 
5692 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5693 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5694 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5695 		}
5696 
5697 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5698 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5699 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5700 		}
5701 	} else {
5702 		bcn->ftm_responder = -1;
5703 	}
5704 
5705 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5706 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5707 						 &bcn->he_bss_color);
5708 		if (err)
5709 			return err;
5710 		bcn->he_bss_color_valid = true;
5711 	}
5712 
5713 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5714 		struct cfg80211_mbssid_elems *mbssid =
5715 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5716 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5717 
5718 		if (IS_ERR(mbssid))
5719 			return PTR_ERR(mbssid);
5720 
5721 		bcn->mbssid_ies = mbssid;
5722 
5723 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5724 			struct cfg80211_rnr_elems *rnr =
5725 				nl80211_parse_rnr_elems(&rdev->wiphy,
5726 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5727 							extack);
5728 
5729 			if (IS_ERR(rnr))
5730 				return PTR_ERR(rnr);
5731 
5732 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5733 				return -EINVAL;
5734 
5735 			bcn->rnr_ies = rnr;
5736 		}
5737 	}
5738 
5739 	return 0;
5740 }
5741 
5742 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5743 				    struct ieee80211_he_obss_pd *he_obss_pd)
5744 {
5745 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5746 	int err;
5747 
5748 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5749 			       he_obss_pd_policy, NULL);
5750 	if (err)
5751 		return err;
5752 
5753 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5754 		return -EINVAL;
5755 
5756 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5757 
5758 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5759 		he_obss_pd->min_offset =
5760 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5761 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5762 		he_obss_pd->max_offset =
5763 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5764 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5765 		he_obss_pd->non_srg_max_offset =
5766 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5767 
5768 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5769 		return -EINVAL;
5770 
5771 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5772 		memcpy(he_obss_pd->bss_color_bitmap,
5773 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5774 		       sizeof(he_obss_pd->bss_color_bitmap));
5775 
5776 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5777 		memcpy(he_obss_pd->partial_bssid_bitmap,
5778 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5779 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5780 
5781 	he_obss_pd->enable = true;
5782 
5783 	return 0;
5784 }
5785 
5786 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5787 					struct nlattr *attrs,
5788 					struct cfg80211_fils_discovery *fd)
5789 {
5790 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5791 	int ret;
5792 
5793 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5794 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5795 		return -EINVAL;
5796 
5797 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5798 			       NULL, NULL);
5799 	if (ret)
5800 		return ret;
5801 
5802 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5803 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5804 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5805 		fd->update = true;
5806 		return 0;
5807 	}
5808 
5809 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5810 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5811 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5812 		return -EINVAL;
5813 
5814 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5815 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5816 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5817 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5818 	fd->update = true;
5819 	return 0;
5820 }
5821 
5822 static int
5823 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5824 				     struct nlattr *attrs,
5825 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5826 {
5827 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5828 	int ret;
5829 
5830 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5831 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5832 		return -EINVAL;
5833 
5834 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5835 			       attrs, NULL, NULL);
5836 	if (ret)
5837 		return ret;
5838 
5839 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5840 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5841 		presp->update = true;
5842 		return 0;
5843 	}
5844 
5845 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5846 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5847 		return -EINVAL;
5848 
5849 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5850 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5851 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5852 	presp->update = true;
5853 	return 0;
5854 }
5855 
5856 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5857 					    const struct element *rates)
5858 {
5859 	int i;
5860 
5861 	if (!rates)
5862 		return;
5863 
5864 	for (i = 0; i < rates->datalen; i++) {
5865 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5866 			params->ht_required = true;
5867 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5868 			params->vht_required = true;
5869 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5870 			params->he_required = true;
5871 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5872 			params->sae_h2e_required = true;
5873 	}
5874 }
5875 
5876 /*
5877  * Since the nl80211 API didn't include, from the beginning, attributes about
5878  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5879  * benefit of drivers that rebuild IEs in the firmware.
5880  */
5881 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5882 {
5883 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5884 	size_t ies_len = bcn->tail_len;
5885 	const u8 *ies = bcn->tail;
5886 	const struct element *rates;
5887 	const struct element *cap;
5888 
5889 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5890 	nl80211_check_ap_rate_selectors(params, rates);
5891 
5892 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5893 	nl80211_check_ap_rate_selectors(params, rates);
5894 
5895 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5896 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5897 		params->ht_cap = (void *)cap->data;
5898 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5899 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5900 		params->vht_cap = (void *)cap->data;
5901 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5902 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5903 		params->he_cap = (void *)(cap->data + 1);
5904 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5905 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5906 		params->he_oper = (void *)(cap->data + 1);
5907 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5908 	if (cap) {
5909 		if (!cap->datalen)
5910 			return -EINVAL;
5911 		params->eht_cap = (void *)(cap->data + 1);
5912 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5913 						(const u8 *)params->eht_cap,
5914 						cap->datalen - 1, true))
5915 			return -EINVAL;
5916 	}
5917 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5918 	if (cap) {
5919 		if (!cap->datalen)
5920 			return -EINVAL;
5921 		params->eht_oper = (void *)(cap->data + 1);
5922 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5923 						cap->datalen - 1))
5924 			return -EINVAL;
5925 	}
5926 	return 0;
5927 }
5928 
5929 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5930 				   struct cfg80211_ap_settings *params)
5931 {
5932 	struct wireless_dev *wdev;
5933 
5934 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5935 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5936 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5937 			continue;
5938 
5939 		if (!wdev->u.ap.preset_chandef.chan)
5940 			continue;
5941 
5942 		params->chandef = wdev->u.ap.preset_chandef;
5943 		return true;
5944 	}
5945 
5946 	return false;
5947 }
5948 
5949 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5950 				    enum nl80211_auth_type auth_type,
5951 				    enum nl80211_commands cmd)
5952 {
5953 	if (auth_type > NL80211_AUTHTYPE_MAX)
5954 		return false;
5955 
5956 	switch (cmd) {
5957 	case NL80211_CMD_AUTHENTICATE:
5958 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5959 		    auth_type == NL80211_AUTHTYPE_SAE)
5960 			return false;
5961 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5962 					     NL80211_EXT_FEATURE_FILS_STA) &&
5963 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5964 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5965 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5966 			return false;
5967 		return true;
5968 	case NL80211_CMD_CONNECT:
5969 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5970 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5971 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5972 		    auth_type == NL80211_AUTHTYPE_SAE)
5973 			return false;
5974 
5975 		/* FILS with SK PFS or PK not supported yet */
5976 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5977 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5978 			return false;
5979 		if (!wiphy_ext_feature_isset(
5980 			    &rdev->wiphy,
5981 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5982 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5983 			return false;
5984 		return true;
5985 	case NL80211_CMD_START_AP:
5986 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5987 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5988 		    auth_type == NL80211_AUTHTYPE_SAE)
5989 			return false;
5990 		/* FILS not supported yet */
5991 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5992 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5993 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5994 			return false;
5995 		return true;
5996 	default:
5997 		return false;
5998 	}
5999 }
6000 
6001 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6002 				    unsigned int link_id)
6003 {
6004 	struct wiphy *wiphy = wdev->wiphy;
6005 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6006 	struct sk_buff *msg;
6007 	void *hdr;
6008 
6009 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6010 	if (!msg)
6011 		return;
6012 
6013 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6014 	if (!hdr)
6015 		goto out;
6016 
6017 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6018 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6019 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6020 			      NL80211_ATTR_PAD) ||
6021 	    (wdev->u.ap.ssid_len &&
6022 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6023 		     wdev->u.ap.ssid)) ||
6024 	    (wdev->valid_links &&
6025 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6026 		goto out;
6027 
6028 	genlmsg_end(msg, hdr);
6029 
6030 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6031 				NL80211_MCGRP_MLME, GFP_KERNEL);
6032 	return;
6033 out:
6034 	nlmsg_free(msg);
6035 }
6036 
6037 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6038 {
6039 	struct ieee80211_channel *channel = params->chandef.chan;
6040 
6041 	if ((params->he_cap ||  params->he_oper) &&
6042 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6043 		return -EOPNOTSUPP;
6044 
6045 	if ((params->eht_cap || params->eht_oper) &&
6046 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6047 		return -EOPNOTSUPP;
6048 
6049 	return 0;
6050 }
6051 
6052 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6053 {
6054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6055 	struct cfg80211_beaconing_check_config beacon_check = {};
6056 	unsigned int link_id = nl80211_link_id(info->attrs);
6057 	struct net_device *dev = info->user_ptr[1];
6058 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6059 	struct cfg80211_ap_settings *params;
6060 	int err;
6061 
6062 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6063 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6064 		return -EOPNOTSUPP;
6065 
6066 	if (!rdev->ops->start_ap)
6067 		return -EOPNOTSUPP;
6068 
6069 	if (wdev->links[link_id].cac_started)
6070 		return -EBUSY;
6071 
6072 	if (wdev->links[link_id].ap.beacon_interval)
6073 		return -EALREADY;
6074 
6075 	/* these are required for START_AP */
6076 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6077 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6078 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6079 		return -EINVAL;
6080 
6081 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6082 	if (!params)
6083 		return -ENOMEM;
6084 
6085 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6086 				   info->extack);
6087 	if (err)
6088 		goto out;
6089 
6090 	params->beacon_interval =
6091 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6092 	params->dtim_period =
6093 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6094 
6095 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6096 					   params->beacon_interval);
6097 	if (err)
6098 		goto out;
6099 
6100 	/*
6101 	 * In theory, some of these attributes should be required here
6102 	 * but since they were not used when the command was originally
6103 	 * added, keep them optional for old user space programs to let
6104 	 * them continue to work with drivers that do not need the
6105 	 * additional information -- drivers must check!
6106 	 */
6107 	if (info->attrs[NL80211_ATTR_SSID]) {
6108 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6109 		params->ssid_len =
6110 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6111 		if (params->ssid_len == 0) {
6112 			err = -EINVAL;
6113 			goto out;
6114 		}
6115 
6116 		if (wdev->u.ap.ssid_len &&
6117 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6118 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6119 			/* require identical SSID for MLO */
6120 			err = -EINVAL;
6121 			goto out;
6122 		}
6123 	} else if (wdev->valid_links) {
6124 		/* require SSID for MLO */
6125 		err = -EINVAL;
6126 		goto out;
6127 	}
6128 
6129 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6130 		params->hidden_ssid = nla_get_u32(
6131 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6132 
6133 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6134 
6135 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6136 		params->auth_type = nla_get_u32(
6137 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6138 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6139 					     NL80211_CMD_START_AP)) {
6140 			err = -EINVAL;
6141 			goto out;
6142 		}
6143 	} else
6144 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6145 
6146 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6147 				      NL80211_MAX_NR_CIPHER_SUITES);
6148 	if (err)
6149 		goto out;
6150 
6151 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6152 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6153 			err = -EOPNOTSUPP;
6154 			goto out;
6155 		}
6156 		params->inactivity_timeout = nla_get_u16(
6157 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6158 	}
6159 
6160 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6161 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6162 			err = -EINVAL;
6163 			goto out;
6164 		}
6165 		params->p2p_ctwindow =
6166 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6167 		if (params->p2p_ctwindow != 0 &&
6168 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6169 			err = -EINVAL;
6170 			goto out;
6171 		}
6172 	}
6173 
6174 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6175 		u8 tmp;
6176 
6177 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6178 			err = -EINVAL;
6179 			goto out;
6180 		}
6181 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6182 		params->p2p_opp_ps = tmp;
6183 		if (params->p2p_opp_ps != 0 &&
6184 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6185 			err = -EINVAL;
6186 			goto out;
6187 		}
6188 	}
6189 
6190 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6191 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6192 		if (err)
6193 			goto out;
6194 	} else if (wdev->valid_links) {
6195 		/* with MLD need to specify the channel configuration */
6196 		err = -EINVAL;
6197 		goto out;
6198 	} else if (wdev->u.ap.preset_chandef.chan) {
6199 		params->chandef = wdev->u.ap.preset_chandef;
6200 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6201 		err = -EINVAL;
6202 		goto out;
6203 	}
6204 
6205 	beacon_check.iftype = wdev->iftype;
6206 	beacon_check.relax = true;
6207 	beacon_check.reg_power =
6208 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6209 					     params->beacon.tail_len);
6210 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6211 					  &beacon_check)) {
6212 		err = -EINVAL;
6213 		goto out;
6214 	}
6215 
6216 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6217 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6218 						    NL80211_ATTR_TX_RATES,
6219 						    &params->beacon_rate,
6220 						    dev, false, link_id);
6221 		if (err)
6222 			goto out;
6223 
6224 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6225 					      &params->beacon_rate);
6226 		if (err)
6227 			goto out;
6228 	}
6229 
6230 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6231 		params->smps_mode =
6232 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6233 		switch (params->smps_mode) {
6234 		case NL80211_SMPS_OFF:
6235 			break;
6236 		case NL80211_SMPS_STATIC:
6237 			if (!(rdev->wiphy.features &
6238 			      NL80211_FEATURE_STATIC_SMPS)) {
6239 				err = -EINVAL;
6240 				goto out;
6241 			}
6242 			break;
6243 		case NL80211_SMPS_DYNAMIC:
6244 			if (!(rdev->wiphy.features &
6245 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6246 				err = -EINVAL;
6247 				goto out;
6248 			}
6249 			break;
6250 		default:
6251 			err = -EINVAL;
6252 			goto out;
6253 		}
6254 	} else {
6255 		params->smps_mode = NL80211_SMPS_OFF;
6256 	}
6257 
6258 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6259 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6260 		err = -EOPNOTSUPP;
6261 		goto out;
6262 	}
6263 
6264 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6265 		params->acl = parse_acl_data(&rdev->wiphy, info);
6266 		if (IS_ERR(params->acl)) {
6267 			err = PTR_ERR(params->acl);
6268 			params->acl = NULL;
6269 			goto out;
6270 		}
6271 	}
6272 
6273 	params->twt_responder =
6274 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6275 
6276 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6277 		err = nl80211_parse_he_obss_pd(
6278 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6279 					&params->he_obss_pd);
6280 		if (err)
6281 			goto out;
6282 	}
6283 
6284 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6285 		err = nl80211_parse_fils_discovery(rdev,
6286 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6287 						   &params->fils_discovery);
6288 		if (err)
6289 			goto out;
6290 	}
6291 
6292 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6293 		err = nl80211_parse_unsol_bcast_probe_resp(
6294 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6295 			&params->unsol_bcast_probe_resp);
6296 		if (err)
6297 			goto out;
6298 	}
6299 
6300 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6301 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6302 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6303 						  &params->mbssid_config,
6304 						  params->beacon.mbssid_ies ?
6305 							params->beacon.mbssid_ies->cnt :
6306 							0);
6307 		if (err)
6308 			goto out;
6309 	}
6310 
6311 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6312 		err = -EINVAL;
6313 		goto out;
6314 	}
6315 
6316 	err = nl80211_calculate_ap_params(params);
6317 	if (err)
6318 		goto out;
6319 
6320 	err = nl80211_validate_ap_phy_operation(params);
6321 	if (err)
6322 		goto out;
6323 
6324 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6325 		params->flags = nla_get_u32(
6326 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6327 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6328 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6329 
6330 	if (wdev->conn_owner_nlportid &&
6331 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6332 	    wdev->conn_owner_nlportid != info->snd_portid) {
6333 		err = -EINVAL;
6334 		goto out;
6335 	}
6336 
6337 	/* FIXME: validate MLO/link-id against driver capabilities */
6338 
6339 	err = rdev_start_ap(rdev, dev, params);
6340 	if (!err) {
6341 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6342 		wdev->links[link_id].ap.chandef = params->chandef;
6343 		wdev->u.ap.ssid_len = params->ssid_len;
6344 		memcpy(wdev->u.ap.ssid, params->ssid,
6345 		       params->ssid_len);
6346 
6347 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6348 			wdev->conn_owner_nlportid = info->snd_portid;
6349 
6350 		nl80211_send_ap_started(wdev, link_id);
6351 	}
6352 out:
6353 	kfree(params->acl);
6354 	kfree(params->beacon.mbssid_ies);
6355 	if (params->mbssid_config.tx_wdev &&
6356 	    params->mbssid_config.tx_wdev->netdev &&
6357 	    params->mbssid_config.tx_wdev->netdev != dev)
6358 		dev_put(params->mbssid_config.tx_wdev->netdev);
6359 	kfree(params->beacon.rnr_ies);
6360 	kfree(params);
6361 
6362 	return err;
6363 }
6364 
6365 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6366 {
6367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6368 	struct cfg80211_beaconing_check_config beacon_check = {};
6369 	unsigned int link_id = nl80211_link_id(info->attrs);
6370 	struct net_device *dev = info->user_ptr[1];
6371 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6372 	struct cfg80211_ap_update *params;
6373 	struct nlattr *attr;
6374 	int err;
6375 
6376 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6377 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6378 		return -EOPNOTSUPP;
6379 
6380 	if (!rdev->ops->change_beacon)
6381 		return -EOPNOTSUPP;
6382 
6383 	if (!wdev->links[link_id].ap.beacon_interval)
6384 		return -EINVAL;
6385 
6386 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6387 	if (!params)
6388 		return -ENOMEM;
6389 
6390 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6391 				   info->extack);
6392 	if (err)
6393 		goto out;
6394 
6395 	/* recheck beaconing is permitted with possibly changed power type */
6396 	beacon_check.iftype = wdev->iftype;
6397 	beacon_check.relax = true;
6398 	beacon_check.reg_power =
6399 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6400 					     params->beacon.tail_len);
6401 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6402 					  &wdev->links[link_id].ap.chandef,
6403 					  &beacon_check)) {
6404 		err = -EINVAL;
6405 		goto out;
6406 	}
6407 
6408 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6409 	if (attr) {
6410 		err = nl80211_parse_fils_discovery(rdev, attr,
6411 						   &params->fils_discovery);
6412 		if (err)
6413 			goto out;
6414 	}
6415 
6416 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6417 	if (attr) {
6418 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6419 							   &params->unsol_bcast_probe_resp);
6420 		if (err)
6421 			goto out;
6422 	}
6423 
6424 	err = rdev_change_beacon(rdev, dev, params);
6425 
6426 out:
6427 	kfree(params->beacon.mbssid_ies);
6428 	kfree(params->beacon.rnr_ies);
6429 	kfree(params);
6430 	return err;
6431 }
6432 
6433 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6434 {
6435 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6436 	unsigned int link_id = nl80211_link_id(info->attrs);
6437 	struct net_device *dev = info->user_ptr[1];
6438 
6439 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6440 }
6441 
6442 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6443 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6444 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6445 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6446 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6447 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6448 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6449 };
6450 
6451 static int parse_station_flags(struct genl_info *info,
6452 			       enum nl80211_iftype iftype,
6453 			       struct station_parameters *params)
6454 {
6455 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6456 	struct nlattr *nla;
6457 	int flag;
6458 
6459 	/*
6460 	 * Try parsing the new attribute first so userspace
6461 	 * can specify both for older kernels.
6462 	 */
6463 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6464 	if (nla) {
6465 		struct nl80211_sta_flag_update *sta_flags;
6466 
6467 		sta_flags = nla_data(nla);
6468 		params->sta_flags_mask = sta_flags->mask;
6469 		params->sta_flags_set = sta_flags->set;
6470 		params->sta_flags_set &= params->sta_flags_mask;
6471 		if ((params->sta_flags_mask |
6472 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6473 			return -EINVAL;
6474 		return 0;
6475 	}
6476 
6477 	/* if present, parse the old attribute */
6478 
6479 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6480 	if (!nla)
6481 		return 0;
6482 
6483 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6484 		return -EINVAL;
6485 
6486 	/*
6487 	 * Only allow certain flags for interface types so that
6488 	 * other attributes are silently ignored. Remember that
6489 	 * this is backward compatibility code with old userspace
6490 	 * and shouldn't be hit in other cases anyway.
6491 	 */
6492 	switch (iftype) {
6493 	case NL80211_IFTYPE_AP:
6494 	case NL80211_IFTYPE_AP_VLAN:
6495 	case NL80211_IFTYPE_P2P_GO:
6496 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6497 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6498 					 BIT(NL80211_STA_FLAG_WME) |
6499 					 BIT(NL80211_STA_FLAG_MFP);
6500 		break;
6501 	case NL80211_IFTYPE_P2P_CLIENT:
6502 	case NL80211_IFTYPE_STATION:
6503 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6504 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6505 		break;
6506 	case NL80211_IFTYPE_MESH_POINT:
6507 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6508 					 BIT(NL80211_STA_FLAG_MFP) |
6509 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6510 		break;
6511 	default:
6512 		return -EINVAL;
6513 	}
6514 
6515 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6516 		if (flags[flag]) {
6517 			params->sta_flags_set |= (1<<flag);
6518 
6519 			/* no longer support new API additions in old API */
6520 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6521 				return -EINVAL;
6522 		}
6523 	}
6524 
6525 	return 0;
6526 }
6527 
6528 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6529 {
6530 	struct nlattr *rate;
6531 	u32 bitrate;
6532 	u16 bitrate_compat;
6533 	enum nl80211_rate_info rate_flg;
6534 
6535 	rate = nla_nest_start_noflag(msg, attr);
6536 	if (!rate)
6537 		return false;
6538 
6539 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6540 	bitrate = cfg80211_calculate_bitrate(info);
6541 	/* report 16-bit bitrate only if we can */
6542 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6543 	if (bitrate > 0 &&
6544 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6545 		return false;
6546 	if (bitrate_compat > 0 &&
6547 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6548 		return false;
6549 
6550 	switch (info->bw) {
6551 	case RATE_INFO_BW_1:
6552 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6553 		break;
6554 	case RATE_INFO_BW_2:
6555 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6556 		break;
6557 	case RATE_INFO_BW_4:
6558 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6559 		break;
6560 	case RATE_INFO_BW_5:
6561 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6562 		break;
6563 	case RATE_INFO_BW_8:
6564 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6565 		break;
6566 	case RATE_INFO_BW_10:
6567 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6568 		break;
6569 	case RATE_INFO_BW_16:
6570 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6571 		break;
6572 	default:
6573 		WARN_ON(1);
6574 		fallthrough;
6575 	case RATE_INFO_BW_20:
6576 		rate_flg = 0;
6577 		break;
6578 	case RATE_INFO_BW_40:
6579 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6580 		break;
6581 	case RATE_INFO_BW_80:
6582 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6583 		break;
6584 	case RATE_INFO_BW_160:
6585 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6586 		break;
6587 	case RATE_INFO_BW_HE_RU:
6588 		rate_flg = 0;
6589 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6590 		break;
6591 	case RATE_INFO_BW_320:
6592 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6593 		break;
6594 	case RATE_INFO_BW_EHT_RU:
6595 		rate_flg = 0;
6596 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6597 		break;
6598 	}
6599 
6600 	if (rate_flg && nla_put_flag(msg, rate_flg))
6601 		return false;
6602 
6603 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6604 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6605 			return false;
6606 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6607 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6608 			return false;
6609 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6610 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6611 			return false;
6612 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6613 			return false;
6614 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6615 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6616 			return false;
6617 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6618 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6619 			return false;
6620 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6621 			return false;
6622 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6623 			return false;
6624 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6625 			return false;
6626 		if (info->bw == RATE_INFO_BW_HE_RU &&
6627 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6628 			       info->he_ru_alloc))
6629 			return false;
6630 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6631 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6632 			return false;
6633 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6634 			return false;
6635 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6636 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6637 			return false;
6638 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6639 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6640 			return false;
6641 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6642 			return false;
6643 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6644 			return false;
6645 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6646 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6647 			       info->eht_ru_alloc))
6648 			return false;
6649 	}
6650 
6651 	nla_nest_end(msg, rate);
6652 	return true;
6653 }
6654 
6655 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6656 			       int id)
6657 {
6658 	void *attr;
6659 	int i = 0;
6660 
6661 	if (!mask)
6662 		return true;
6663 
6664 	attr = nla_nest_start_noflag(msg, id);
6665 	if (!attr)
6666 		return false;
6667 
6668 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6669 		if (!(mask & BIT(i)))
6670 			continue;
6671 
6672 		if (nla_put_u8(msg, i, signal[i]))
6673 			return false;
6674 	}
6675 
6676 	nla_nest_end(msg, attr);
6677 
6678 	return true;
6679 }
6680 
6681 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6682 				u32 seq, int flags,
6683 				struct cfg80211_registered_device *rdev,
6684 				struct net_device *dev,
6685 				const u8 *mac_addr, struct station_info *sinfo)
6686 {
6687 	void *hdr;
6688 	struct nlattr *sinfoattr, *bss_param;
6689 
6690 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6691 	if (!hdr) {
6692 		cfg80211_sinfo_release_content(sinfo);
6693 		return -1;
6694 	}
6695 
6696 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6697 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6698 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6699 		goto nla_put_failure;
6700 
6701 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6702 	if (!sinfoattr)
6703 		goto nla_put_failure;
6704 
6705 #define PUT_SINFO(attr, memb, type) do {				\
6706 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6707 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6708 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6709 			     sinfo->memb))				\
6710 		goto nla_put_failure;					\
6711 	} while (0)
6712 #define PUT_SINFO_U64(attr, memb) do {					\
6713 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6714 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6715 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6716 		goto nla_put_failure;					\
6717 	} while (0)
6718 
6719 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6720 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6721 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6722 
6723 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6724 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6725 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6726 			(u32)sinfo->rx_bytes))
6727 		goto nla_put_failure;
6728 
6729 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6730 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6731 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6732 			(u32)sinfo->tx_bytes))
6733 		goto nla_put_failure;
6734 
6735 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6736 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6737 	PUT_SINFO(LLID, llid, u16);
6738 	PUT_SINFO(PLID, plid, u16);
6739 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6740 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6741 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6742 
6743 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6744 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6745 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6746 
6747 	switch (rdev->wiphy.signal_type) {
6748 	case CFG80211_SIGNAL_TYPE_MBM:
6749 		PUT_SINFO(SIGNAL, signal, u8);
6750 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6751 		break;
6752 	default:
6753 		break;
6754 	}
6755 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6756 		if (!nl80211_put_signal(msg, sinfo->chains,
6757 					sinfo->chain_signal,
6758 					NL80211_STA_INFO_CHAIN_SIGNAL))
6759 			goto nla_put_failure;
6760 	}
6761 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6762 		if (!nl80211_put_signal(msg, sinfo->chains,
6763 					sinfo->chain_signal_avg,
6764 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6765 			goto nla_put_failure;
6766 	}
6767 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6768 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6769 					  NL80211_STA_INFO_TX_BITRATE))
6770 			goto nla_put_failure;
6771 	}
6772 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6773 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6774 					  NL80211_STA_INFO_RX_BITRATE))
6775 			goto nla_put_failure;
6776 	}
6777 
6778 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6779 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6780 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6781 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6782 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6783 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6784 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6785 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6786 	PUT_SINFO(PEER_PM, peer_pm, u32);
6787 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6788 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6789 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6790 
6791 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6792 		bss_param = nla_nest_start_noflag(msg,
6793 						  NL80211_STA_INFO_BSS_PARAM);
6794 		if (!bss_param)
6795 			goto nla_put_failure;
6796 
6797 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6798 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6799 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6800 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6801 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6802 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6803 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6804 			       sinfo->bss_param.dtim_period) ||
6805 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6806 				sinfo->bss_param.beacon_interval))
6807 			goto nla_put_failure;
6808 
6809 		nla_nest_end(msg, bss_param);
6810 	}
6811 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6812 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6813 		    sizeof(struct nl80211_sta_flag_update),
6814 		    &sinfo->sta_flags))
6815 		goto nla_put_failure;
6816 
6817 	PUT_SINFO_U64(T_OFFSET, t_offset);
6818 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6819 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6820 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6821 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6822 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6823 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6824 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6825 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6826 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6827 	}
6828 
6829 #undef PUT_SINFO
6830 #undef PUT_SINFO_U64
6831 
6832 	if (sinfo->pertid) {
6833 		struct nlattr *tidsattr;
6834 		int tid;
6835 
6836 		tidsattr = nla_nest_start_noflag(msg,
6837 						 NL80211_STA_INFO_TID_STATS);
6838 		if (!tidsattr)
6839 			goto nla_put_failure;
6840 
6841 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6842 			struct cfg80211_tid_stats *tidstats;
6843 			struct nlattr *tidattr;
6844 
6845 			tidstats = &sinfo->pertid[tid];
6846 
6847 			if (!tidstats->filled)
6848 				continue;
6849 
6850 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6851 			if (!tidattr)
6852 				goto nla_put_failure;
6853 
6854 #define PUT_TIDVAL_U64(attr, memb) do {					\
6855 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6856 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6857 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6858 		goto nla_put_failure;					\
6859 	} while (0)
6860 
6861 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6862 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6863 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6864 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6865 
6866 #undef PUT_TIDVAL_U64
6867 			if ((tidstats->filled &
6868 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6869 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6870 						   NL80211_TID_STATS_TXQ_STATS))
6871 				goto nla_put_failure;
6872 
6873 			nla_nest_end(msg, tidattr);
6874 		}
6875 
6876 		nla_nest_end(msg, tidsattr);
6877 	}
6878 
6879 	nla_nest_end(msg, sinfoattr);
6880 
6881 	if (sinfo->assoc_req_ies_len &&
6882 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6883 		    sinfo->assoc_req_ies))
6884 		goto nla_put_failure;
6885 
6886 	if (sinfo->assoc_resp_ies_len &&
6887 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6888 		    sinfo->assoc_resp_ies))
6889 		goto nla_put_failure;
6890 
6891 	if (sinfo->mlo_params_valid) {
6892 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6893 			       sinfo->assoc_link_id))
6894 			goto nla_put_failure;
6895 
6896 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6897 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6898 			    sinfo->mld_addr))
6899 			goto nla_put_failure;
6900 	}
6901 
6902 	cfg80211_sinfo_release_content(sinfo);
6903 	genlmsg_end(msg, hdr);
6904 	return 0;
6905 
6906  nla_put_failure:
6907 	cfg80211_sinfo_release_content(sinfo);
6908 	genlmsg_cancel(msg, hdr);
6909 	return -EMSGSIZE;
6910 }
6911 
6912 static int nl80211_dump_station(struct sk_buff *skb,
6913 				struct netlink_callback *cb)
6914 {
6915 	struct station_info sinfo;
6916 	struct cfg80211_registered_device *rdev;
6917 	struct wireless_dev *wdev;
6918 	u8 mac_addr[ETH_ALEN];
6919 	int sta_idx = cb->args[2];
6920 	int err;
6921 
6922 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6923 	if (err)
6924 		return err;
6925 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6926 	__acquire(&rdev->wiphy.mtx);
6927 
6928 	if (!wdev->netdev) {
6929 		err = -EINVAL;
6930 		goto out_err;
6931 	}
6932 
6933 	if (!rdev->ops->dump_station) {
6934 		err = -EOPNOTSUPP;
6935 		goto out_err;
6936 	}
6937 
6938 	while (1) {
6939 		memset(&sinfo, 0, sizeof(sinfo));
6940 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6941 					mac_addr, &sinfo);
6942 		if (err == -ENOENT)
6943 			break;
6944 		if (err)
6945 			goto out_err;
6946 
6947 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6948 				NETLINK_CB(cb->skb).portid,
6949 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6950 				rdev, wdev->netdev, mac_addr,
6951 				&sinfo) < 0)
6952 			goto out;
6953 
6954 		sta_idx++;
6955 	}
6956 
6957  out:
6958 	cb->args[2] = sta_idx;
6959 	err = skb->len;
6960  out_err:
6961 	wiphy_unlock(&rdev->wiphy);
6962 
6963 	return err;
6964 }
6965 
6966 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6967 {
6968 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6969 	struct net_device *dev = info->user_ptr[1];
6970 	struct station_info sinfo;
6971 	struct sk_buff *msg;
6972 	u8 *mac_addr = NULL;
6973 	int err;
6974 
6975 	memset(&sinfo, 0, sizeof(sinfo));
6976 
6977 	if (!info->attrs[NL80211_ATTR_MAC])
6978 		return -EINVAL;
6979 
6980 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6981 
6982 	if (!rdev->ops->get_station)
6983 		return -EOPNOTSUPP;
6984 
6985 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6986 	if (err)
6987 		return err;
6988 
6989 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6990 	if (!msg) {
6991 		cfg80211_sinfo_release_content(&sinfo);
6992 		return -ENOMEM;
6993 	}
6994 
6995 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6996 				 info->snd_portid, info->snd_seq, 0,
6997 				 rdev, dev, mac_addr, &sinfo) < 0) {
6998 		nlmsg_free(msg);
6999 		return -ENOBUFS;
7000 	}
7001 
7002 	return genlmsg_reply(msg, info);
7003 }
7004 
7005 int cfg80211_check_station_change(struct wiphy *wiphy,
7006 				  struct station_parameters *params,
7007 				  enum cfg80211_station_type statype)
7008 {
7009 	if (params->listen_interval != -1 &&
7010 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7011 		return -EINVAL;
7012 
7013 	if (params->support_p2p_ps != -1 &&
7014 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7015 		return -EINVAL;
7016 
7017 	if (params->aid &&
7018 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7019 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7020 		return -EINVAL;
7021 
7022 	/* When you run into this, adjust the code below for the new flag */
7023 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7024 
7025 	switch (statype) {
7026 	case CFG80211_STA_MESH_PEER_KERNEL:
7027 	case CFG80211_STA_MESH_PEER_USER:
7028 		/*
7029 		 * No ignoring the TDLS flag here -- the userspace mesh
7030 		 * code doesn't have the bug of including TDLS in the
7031 		 * mask everywhere.
7032 		 */
7033 		if (params->sta_flags_mask &
7034 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7035 				  BIT(NL80211_STA_FLAG_MFP) |
7036 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7037 			return -EINVAL;
7038 		break;
7039 	case CFG80211_STA_TDLS_PEER_SETUP:
7040 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7041 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7042 			return -EINVAL;
7043 		/* ignore since it can't change */
7044 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7045 		break;
7046 	default:
7047 		/* disallow mesh-specific things */
7048 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7049 			return -EINVAL;
7050 		if (params->local_pm)
7051 			return -EINVAL;
7052 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7053 			return -EINVAL;
7054 	}
7055 
7056 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7057 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7058 		/* TDLS can't be set, ... */
7059 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7060 			return -EINVAL;
7061 		/*
7062 		 * ... but don't bother the driver with it. This works around
7063 		 * a hostapd/wpa_supplicant issue -- it always includes the
7064 		 * TLDS_PEER flag in the mask even for AP mode.
7065 		 */
7066 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7067 	}
7068 
7069 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7070 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7071 		/* reject other things that can't change */
7072 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7073 			return -EINVAL;
7074 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7075 			return -EINVAL;
7076 		if (params->link_sta_params.supported_rates)
7077 			return -EINVAL;
7078 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7079 		    params->link_sta_params.vht_capa ||
7080 		    params->link_sta_params.he_capa ||
7081 		    params->link_sta_params.eht_capa)
7082 			return -EINVAL;
7083 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7084 			return -EINVAL;
7085 	}
7086 
7087 	if (statype != CFG80211_STA_AP_CLIENT &&
7088 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7089 		if (params->vlan)
7090 			return -EINVAL;
7091 	}
7092 
7093 	switch (statype) {
7094 	case CFG80211_STA_AP_MLME_CLIENT:
7095 		/* Use this only for authorizing/unauthorizing a station */
7096 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7097 			return -EOPNOTSUPP;
7098 		break;
7099 	case CFG80211_STA_AP_CLIENT:
7100 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7101 		/* accept only the listed bits */
7102 		if (params->sta_flags_mask &
7103 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7104 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7105 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7106 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7107 				  BIT(NL80211_STA_FLAG_WME) |
7108 				  BIT(NL80211_STA_FLAG_MFP) |
7109 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7110 			return -EINVAL;
7111 
7112 		/* but authenticated/associated only if driver handles it */
7113 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7114 		    params->sta_flags_mask &
7115 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7116 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7117 			return -EINVAL;
7118 		break;
7119 	case CFG80211_STA_IBSS:
7120 	case CFG80211_STA_AP_STA:
7121 		/* reject any changes other than AUTHORIZED */
7122 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7123 			return -EINVAL;
7124 		break;
7125 	case CFG80211_STA_TDLS_PEER_SETUP:
7126 		/* reject any changes other than AUTHORIZED or WME */
7127 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7128 					       BIT(NL80211_STA_FLAG_WME)))
7129 			return -EINVAL;
7130 		/* force (at least) rates when authorizing */
7131 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7132 		    !params->link_sta_params.supported_rates)
7133 			return -EINVAL;
7134 		break;
7135 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7136 		/* reject any changes */
7137 		return -EINVAL;
7138 	case CFG80211_STA_MESH_PEER_KERNEL:
7139 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7140 			return -EINVAL;
7141 		break;
7142 	case CFG80211_STA_MESH_PEER_USER:
7143 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7144 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7145 			return -EINVAL;
7146 		break;
7147 	}
7148 
7149 	/*
7150 	 * Older kernel versions ignored this attribute entirely, so don't
7151 	 * reject attempts to update it but mark it as unused instead so the
7152 	 * driver won't look at the data.
7153 	 */
7154 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7155 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7156 		params->link_sta_params.opmode_notif_used = false;
7157 
7158 	return 0;
7159 }
7160 EXPORT_SYMBOL(cfg80211_check_station_change);
7161 
7162 /*
7163  * Get vlan interface making sure it is running and on the right wiphy.
7164  */
7165 static struct net_device *get_vlan(struct genl_info *info,
7166 				   struct cfg80211_registered_device *rdev)
7167 {
7168 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7169 	struct net_device *v;
7170 	int ret;
7171 
7172 	if (!vlanattr)
7173 		return NULL;
7174 
7175 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7176 	if (!v)
7177 		return ERR_PTR(-ENODEV);
7178 
7179 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7180 		ret = -EINVAL;
7181 		goto error;
7182 	}
7183 
7184 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7185 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7186 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7187 		ret = -EINVAL;
7188 		goto error;
7189 	}
7190 
7191 	if (!netif_running(v)) {
7192 		ret = -ENETDOWN;
7193 		goto error;
7194 	}
7195 
7196 	return v;
7197  error:
7198 	dev_put(v);
7199 	return ERR_PTR(ret);
7200 }
7201 
7202 static int nl80211_parse_sta_wme(struct genl_info *info,
7203 				 struct station_parameters *params)
7204 {
7205 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7206 	struct nlattr *nla;
7207 	int err;
7208 
7209 	/* parse WME attributes if present */
7210 	if (!info->attrs[NL80211_ATTR_STA_WME])
7211 		return 0;
7212 
7213 	nla = info->attrs[NL80211_ATTR_STA_WME];
7214 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7215 					  nl80211_sta_wme_policy,
7216 					  info->extack);
7217 	if (err)
7218 		return err;
7219 
7220 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7221 		params->uapsd_queues = nla_get_u8(
7222 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7223 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7224 		return -EINVAL;
7225 
7226 	if (tb[NL80211_STA_WME_MAX_SP])
7227 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7228 
7229 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7230 		return -EINVAL;
7231 
7232 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7233 
7234 	return 0;
7235 }
7236 
7237 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7238 				      struct station_parameters *params)
7239 {
7240 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7241 		params->supported_channels =
7242 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7243 		params->supported_channels_len =
7244 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7245 		/*
7246 		 * Need to include at least one (first channel, number of
7247 		 * channels) tuple for each subband (checked in policy),
7248 		 * and must have proper tuples for the rest of the data as well.
7249 		 */
7250 		if (params->supported_channels_len % 2)
7251 			return -EINVAL;
7252 	}
7253 
7254 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7255 		params->supported_oper_classes =
7256 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7257 		params->supported_oper_classes_len =
7258 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7259 	}
7260 	return 0;
7261 }
7262 
7263 static int nl80211_set_station_tdls(struct genl_info *info,
7264 				    struct station_parameters *params)
7265 {
7266 	int err;
7267 	/* Dummy STA entry gets updated once the peer capabilities are known */
7268 	if (info->attrs[NL80211_ATTR_PEER_AID])
7269 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7270 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7271 		params->link_sta_params.ht_capa =
7272 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7273 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7274 		params->link_sta_params.vht_capa =
7275 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7276 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7277 		params->link_sta_params.he_capa =
7278 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7279 		params->link_sta_params.he_capa_len =
7280 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7281 
7282 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7283 			params->link_sta_params.eht_capa =
7284 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7285 			params->link_sta_params.eht_capa_len =
7286 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7287 
7288 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7289 							(const u8 *)params->link_sta_params.eht_capa,
7290 							params->link_sta_params.eht_capa_len,
7291 							false))
7292 				return -EINVAL;
7293 		}
7294 	}
7295 
7296 	err = nl80211_parse_sta_channel_info(info, params);
7297 	if (err)
7298 		return err;
7299 
7300 	return nl80211_parse_sta_wme(info, params);
7301 }
7302 
7303 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7304 					     struct sta_txpwr *txpwr,
7305 					     bool *txpwr_set)
7306 {
7307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7308 	int idx;
7309 
7310 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7311 		if (!rdev->ops->set_tx_power ||
7312 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7313 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7314 			return -EOPNOTSUPP;
7315 
7316 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7317 		txpwr->type = nla_get_u8(info->attrs[idx]);
7318 
7319 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7320 			idx = NL80211_ATTR_STA_TX_POWER;
7321 
7322 			if (info->attrs[idx])
7323 				txpwr->power = nla_get_s16(info->attrs[idx]);
7324 			else
7325 				return -EINVAL;
7326 		}
7327 
7328 		*txpwr_set = true;
7329 	} else {
7330 		*txpwr_set = false;
7331 	}
7332 
7333 	return 0;
7334 }
7335 
7336 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7337 {
7338 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7339 	struct net_device *dev = info->user_ptr[1];
7340 	struct station_parameters params;
7341 	u8 *mac_addr;
7342 	int err;
7343 
7344 	memset(&params, 0, sizeof(params));
7345 
7346 	if (!rdev->ops->change_station)
7347 		return -EOPNOTSUPP;
7348 
7349 	/*
7350 	 * AID and listen_interval properties can be set only for unassociated
7351 	 * station. Include these parameters here and will check them in
7352 	 * cfg80211_check_station_change().
7353 	 */
7354 	if (info->attrs[NL80211_ATTR_STA_AID])
7355 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7356 
7357 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7358 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7359 
7360 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7361 		params.listen_interval =
7362 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7363 	else
7364 		params.listen_interval = -1;
7365 
7366 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7367 		params.support_p2p_ps =
7368 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7369 	else
7370 		params.support_p2p_ps = -1;
7371 
7372 	if (!info->attrs[NL80211_ATTR_MAC])
7373 		return -EINVAL;
7374 
7375 	params.link_sta_params.link_id =
7376 		nl80211_link_id_or_invalid(info->attrs);
7377 
7378 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7379 		/* If MLD_ADDR attribute is set then this is an MLD station
7380 		 * and the MLD_ADDR attribute holds the MLD address and the
7381 		 * MAC attribute holds for the LINK address.
7382 		 * In that case, the link_id is also expected to be valid.
7383 		 */
7384 		if (params.link_sta_params.link_id < 0)
7385 			return -EINVAL;
7386 
7387 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7388 		params.link_sta_params.mld_mac = mac_addr;
7389 		params.link_sta_params.link_mac =
7390 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7391 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7392 			return -EINVAL;
7393 	} else {
7394 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7395 	}
7396 
7397 
7398 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7399 		params.link_sta_params.supported_rates =
7400 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7401 		params.link_sta_params.supported_rates_len =
7402 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7403 	}
7404 
7405 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7406 		params.capability =
7407 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7408 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7409 	}
7410 
7411 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7412 		params.ext_capab =
7413 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7414 		params.ext_capab_len =
7415 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7416 	}
7417 
7418 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7419 		return -EINVAL;
7420 
7421 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7422 		params.plink_action =
7423 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7424 
7425 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7426 		params.plink_state =
7427 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7428 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7429 			params.peer_aid = nla_get_u16(
7430 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7431 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7432 	}
7433 
7434 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7435 		params.local_pm = nla_get_u32(
7436 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7437 
7438 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7439 		params.link_sta_params.opmode_notif_used = true;
7440 		params.link_sta_params.opmode_notif =
7441 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7442 	}
7443 
7444 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7445 		params.link_sta_params.he_6ghz_capa =
7446 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7447 
7448 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7449 		params.airtime_weight =
7450 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7451 
7452 	if (params.airtime_weight &&
7453 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7454 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7455 		return -EOPNOTSUPP;
7456 
7457 	err = nl80211_parse_sta_txpower_setting(info,
7458 						&params.link_sta_params.txpwr,
7459 						&params.link_sta_params.txpwr_set);
7460 	if (err)
7461 		return err;
7462 
7463 	/* Include parameters for TDLS peer (will check later) */
7464 	err = nl80211_set_station_tdls(info, &params);
7465 	if (err)
7466 		return err;
7467 
7468 	params.vlan = get_vlan(info, rdev);
7469 	if (IS_ERR(params.vlan))
7470 		return PTR_ERR(params.vlan);
7471 
7472 	switch (dev->ieee80211_ptr->iftype) {
7473 	case NL80211_IFTYPE_AP:
7474 	case NL80211_IFTYPE_AP_VLAN:
7475 	case NL80211_IFTYPE_P2P_GO:
7476 	case NL80211_IFTYPE_P2P_CLIENT:
7477 	case NL80211_IFTYPE_STATION:
7478 	case NL80211_IFTYPE_ADHOC:
7479 	case NL80211_IFTYPE_MESH_POINT:
7480 		break;
7481 	default:
7482 		err = -EOPNOTSUPP;
7483 		goto out_put_vlan;
7484 	}
7485 
7486 	/* driver will call cfg80211_check_station_change() */
7487 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7488 
7489  out_put_vlan:
7490 	dev_put(params.vlan);
7491 
7492 	return err;
7493 }
7494 
7495 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7496 {
7497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7498 	int err;
7499 	struct net_device *dev = info->user_ptr[1];
7500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7501 	struct station_parameters params;
7502 	u8 *mac_addr = NULL;
7503 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7504 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7505 
7506 	memset(&params, 0, sizeof(params));
7507 
7508 	if (!rdev->ops->add_station)
7509 		return -EOPNOTSUPP;
7510 
7511 	if (!info->attrs[NL80211_ATTR_MAC])
7512 		return -EINVAL;
7513 
7514 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7515 		return -EINVAL;
7516 
7517 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7518 		return -EINVAL;
7519 
7520 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7521 	    !info->attrs[NL80211_ATTR_PEER_AID])
7522 		return -EINVAL;
7523 
7524 	params.link_sta_params.link_id =
7525 		nl80211_link_id_or_invalid(info->attrs);
7526 
7527 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7528 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7529 		params.link_sta_params.mld_mac = mac_addr;
7530 		params.link_sta_params.link_mac =
7531 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7532 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7533 			return -EINVAL;
7534 	} else {
7535 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7536 	}
7537 
7538 	params.link_sta_params.supported_rates =
7539 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7540 	params.link_sta_params.supported_rates_len =
7541 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7542 	params.listen_interval =
7543 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7544 
7545 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7546 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7547 
7548 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7549 		params.support_p2p_ps =
7550 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7551 	} else {
7552 		/*
7553 		 * if not specified, assume it's supported for P2P GO interface,
7554 		 * and is NOT supported for AP interface
7555 		 */
7556 		params.support_p2p_ps =
7557 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7558 	}
7559 
7560 	if (info->attrs[NL80211_ATTR_PEER_AID])
7561 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7562 	else
7563 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7564 
7565 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7566 		params.capability =
7567 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7568 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7569 	}
7570 
7571 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7572 		params.ext_capab =
7573 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7574 		params.ext_capab_len =
7575 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7576 	}
7577 
7578 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7579 		params.link_sta_params.ht_capa =
7580 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7581 
7582 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7583 		params.link_sta_params.vht_capa =
7584 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7585 
7586 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7587 		params.link_sta_params.he_capa =
7588 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7589 		params.link_sta_params.he_capa_len =
7590 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7591 
7592 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7593 			params.link_sta_params.eht_capa =
7594 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7595 			params.link_sta_params.eht_capa_len =
7596 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7597 
7598 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7599 							(const u8 *)params.link_sta_params.eht_capa,
7600 							params.link_sta_params.eht_capa_len,
7601 							false))
7602 				return -EINVAL;
7603 		}
7604 	}
7605 
7606 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7607 		params.link_sta_params.he_6ghz_capa =
7608 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7609 
7610 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7611 		params.link_sta_params.opmode_notif_used = true;
7612 		params.link_sta_params.opmode_notif =
7613 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7614 	}
7615 
7616 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7617 		params.plink_action =
7618 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7619 
7620 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7621 		params.airtime_weight =
7622 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7623 
7624 	if (params.airtime_weight &&
7625 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7626 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7627 		return -EOPNOTSUPP;
7628 
7629 	err = nl80211_parse_sta_txpower_setting(info,
7630 						&params.link_sta_params.txpwr,
7631 						&params.link_sta_params.txpwr_set);
7632 	if (err)
7633 		return err;
7634 
7635 	err = nl80211_parse_sta_channel_info(info, &params);
7636 	if (err)
7637 		return err;
7638 
7639 	err = nl80211_parse_sta_wme(info, &params);
7640 	if (err)
7641 		return err;
7642 
7643 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7644 		return -EINVAL;
7645 
7646 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7647 	 * as userspace might just pass through the capabilities from the IEs
7648 	 * directly, rather than enforcing this restriction and returning an
7649 	 * error in this case.
7650 	 */
7651 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7652 		params.link_sta_params.ht_capa = NULL;
7653 		params.link_sta_params.vht_capa = NULL;
7654 
7655 		/* HE and EHT require WME */
7656 		if (params.link_sta_params.he_capa_len ||
7657 		    params.link_sta_params.he_6ghz_capa ||
7658 		    params.link_sta_params.eht_capa_len)
7659 			return -EINVAL;
7660 	}
7661 
7662 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7663 	if (params.link_sta_params.he_6ghz_capa &&
7664 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7665 		return -EINVAL;
7666 
7667 	/* When you run into this, adjust the code below for the new flag */
7668 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7669 
7670 	switch (dev->ieee80211_ptr->iftype) {
7671 	case NL80211_IFTYPE_AP:
7672 	case NL80211_IFTYPE_AP_VLAN:
7673 	case NL80211_IFTYPE_P2P_GO:
7674 		/* ignore WME attributes if iface/sta is not capable */
7675 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7676 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7677 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7678 
7679 		/* TDLS peers cannot be added */
7680 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7681 		    info->attrs[NL80211_ATTR_PEER_AID])
7682 			return -EINVAL;
7683 		/* but don't bother the driver with it */
7684 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7685 
7686 		/* allow authenticated/associated only if driver handles it */
7687 		if (!(rdev->wiphy.features &
7688 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7689 		    params.sta_flags_mask & auth_assoc)
7690 			return -EINVAL;
7691 
7692 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7693 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7694 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7695 			return -EINVAL;
7696 
7697 		/* Older userspace, or userspace wanting to be compatible with
7698 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7699 		 * and assoc flags in the mask, but assumes the station will be
7700 		 * added as associated anyway since this was the required driver
7701 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7702 		 * introduced.
7703 		 * In order to not bother drivers with this quirk in the API
7704 		 * set the flags in both the mask and set for new stations in
7705 		 * this case.
7706 		 */
7707 		if (!(params.sta_flags_mask & auth_assoc)) {
7708 			params.sta_flags_mask |= auth_assoc;
7709 			params.sta_flags_set |= auth_assoc;
7710 		}
7711 
7712 		/* must be last in here for error handling */
7713 		params.vlan = get_vlan(info, rdev);
7714 		if (IS_ERR(params.vlan))
7715 			return PTR_ERR(params.vlan);
7716 		break;
7717 	case NL80211_IFTYPE_MESH_POINT:
7718 		/* ignore uAPSD data */
7719 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7720 
7721 		/* associated is disallowed */
7722 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7723 			return -EINVAL;
7724 		/* TDLS peers cannot be added */
7725 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7726 		    info->attrs[NL80211_ATTR_PEER_AID])
7727 			return -EINVAL;
7728 		break;
7729 	case NL80211_IFTYPE_STATION:
7730 	case NL80211_IFTYPE_P2P_CLIENT:
7731 		/* ignore uAPSD data */
7732 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7733 
7734 		/* these are disallowed */
7735 		if (params.sta_flags_mask &
7736 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7737 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7738 			return -EINVAL;
7739 		/* Only TDLS peers can be added */
7740 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7741 			return -EINVAL;
7742 		/* Can only add if TDLS ... */
7743 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7744 			return -EOPNOTSUPP;
7745 		/* ... with external setup is supported */
7746 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7747 			return -EOPNOTSUPP;
7748 		/*
7749 		 * Older wpa_supplicant versions always mark the TDLS peer
7750 		 * as authorized, but it shouldn't yet be.
7751 		 */
7752 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7753 		break;
7754 	default:
7755 		return -EOPNOTSUPP;
7756 	}
7757 
7758 	/* be aware of params.vlan when changing code here */
7759 
7760 	if (wdev->valid_links) {
7761 		if (params.link_sta_params.link_id < 0) {
7762 			err = -EINVAL;
7763 			goto out;
7764 		}
7765 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7766 			err = -ENOLINK;
7767 			goto out;
7768 		}
7769 	} else {
7770 		if (params.link_sta_params.link_id >= 0) {
7771 			err = -EINVAL;
7772 			goto out;
7773 		}
7774 	}
7775 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7776 out:
7777 	dev_put(params.vlan);
7778 	return err;
7779 }
7780 
7781 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7782 {
7783 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7784 	struct net_device *dev = info->user_ptr[1];
7785 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7786 	struct station_del_parameters params;
7787 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7788 
7789 	memset(&params, 0, sizeof(params));
7790 
7791 	if (info->attrs[NL80211_ATTR_MAC])
7792 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7793 
7794 	switch (wdev->iftype) {
7795 	case NL80211_IFTYPE_AP:
7796 	case NL80211_IFTYPE_AP_VLAN:
7797 	case NL80211_IFTYPE_MESH_POINT:
7798 	case NL80211_IFTYPE_P2P_GO:
7799 		/* always accept these */
7800 		break;
7801 	case NL80211_IFTYPE_ADHOC:
7802 		/* conditionally accept */
7803 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7804 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7805 			break;
7806 		return -EINVAL;
7807 	default:
7808 		return -EINVAL;
7809 	}
7810 
7811 	if (!rdev->ops->del_station)
7812 		return -EOPNOTSUPP;
7813 
7814 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7815 		params.subtype =
7816 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7817 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7818 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7819 			return -EINVAL;
7820 	} else {
7821 		/* Default to Deauthentication frame */
7822 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7823 	}
7824 
7825 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7826 		params.reason_code =
7827 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7828 		if (params.reason_code == 0)
7829 			return -EINVAL; /* 0 is reserved */
7830 	} else {
7831 		/* Default to reason code 2 */
7832 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7833 	}
7834 
7835 	/* Link ID not expected in case of non-ML operation */
7836 	if (!wdev->valid_links && link_id != -1)
7837 		return -EINVAL;
7838 
7839 	/* If given, a valid link ID should be passed during MLO */
7840 	if (wdev->valid_links && link_id >= 0 &&
7841 	    !(wdev->valid_links & BIT(link_id)))
7842 		return -EINVAL;
7843 
7844 	params.link_id = link_id;
7845 
7846 	return rdev_del_station(rdev, dev, &params);
7847 }
7848 
7849 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7850 				int flags, struct net_device *dev,
7851 				u8 *dst, u8 *next_hop,
7852 				struct mpath_info *pinfo)
7853 {
7854 	void *hdr;
7855 	struct nlattr *pinfoattr;
7856 
7857 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7858 	if (!hdr)
7859 		return -1;
7860 
7861 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7862 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7863 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7864 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7865 		goto nla_put_failure;
7866 
7867 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7868 	if (!pinfoattr)
7869 		goto nla_put_failure;
7870 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7871 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7872 			pinfo->frame_qlen))
7873 		goto nla_put_failure;
7874 	if (((pinfo->filled & MPATH_INFO_SN) &&
7875 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7876 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7877 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7878 			 pinfo->metric)) ||
7879 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7880 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7881 			 pinfo->exptime)) ||
7882 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7883 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7884 			pinfo->flags)) ||
7885 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7886 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7887 			 pinfo->discovery_timeout)) ||
7888 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7889 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7890 			pinfo->discovery_retries)) ||
7891 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7892 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7893 			pinfo->hop_count)) ||
7894 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7895 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7896 			 pinfo->path_change_count)))
7897 		goto nla_put_failure;
7898 
7899 	nla_nest_end(msg, pinfoattr);
7900 
7901 	genlmsg_end(msg, hdr);
7902 	return 0;
7903 
7904  nla_put_failure:
7905 	genlmsg_cancel(msg, hdr);
7906 	return -EMSGSIZE;
7907 }
7908 
7909 static int nl80211_dump_mpath(struct sk_buff *skb,
7910 			      struct netlink_callback *cb)
7911 {
7912 	struct mpath_info pinfo;
7913 	struct cfg80211_registered_device *rdev;
7914 	struct wireless_dev *wdev;
7915 	u8 dst[ETH_ALEN];
7916 	u8 next_hop[ETH_ALEN];
7917 	int path_idx = cb->args[2];
7918 	int err;
7919 
7920 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7921 	if (err)
7922 		return err;
7923 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7924 	__acquire(&rdev->wiphy.mtx);
7925 
7926 	if (!rdev->ops->dump_mpath) {
7927 		err = -EOPNOTSUPP;
7928 		goto out_err;
7929 	}
7930 
7931 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7932 		err = -EOPNOTSUPP;
7933 		goto out_err;
7934 	}
7935 
7936 	while (1) {
7937 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7938 				      next_hop, &pinfo);
7939 		if (err == -ENOENT)
7940 			break;
7941 		if (err)
7942 			goto out_err;
7943 
7944 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7945 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7946 				       wdev->netdev, dst, next_hop,
7947 				       &pinfo) < 0)
7948 			goto out;
7949 
7950 		path_idx++;
7951 	}
7952 
7953  out:
7954 	cb->args[2] = path_idx;
7955 	err = skb->len;
7956  out_err:
7957 	wiphy_unlock(&rdev->wiphy);
7958 	return err;
7959 }
7960 
7961 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7962 {
7963 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7964 	int err;
7965 	struct net_device *dev = info->user_ptr[1];
7966 	struct mpath_info pinfo;
7967 	struct sk_buff *msg;
7968 	u8 *dst = NULL;
7969 	u8 next_hop[ETH_ALEN];
7970 
7971 	memset(&pinfo, 0, sizeof(pinfo));
7972 
7973 	if (!info->attrs[NL80211_ATTR_MAC])
7974 		return -EINVAL;
7975 
7976 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7977 
7978 	if (!rdev->ops->get_mpath)
7979 		return -EOPNOTSUPP;
7980 
7981 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7982 		return -EOPNOTSUPP;
7983 
7984 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7985 	if (err)
7986 		return err;
7987 
7988 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7989 	if (!msg)
7990 		return -ENOMEM;
7991 
7992 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7993 				 dev, dst, next_hop, &pinfo) < 0) {
7994 		nlmsg_free(msg);
7995 		return -ENOBUFS;
7996 	}
7997 
7998 	return genlmsg_reply(msg, info);
7999 }
8000 
8001 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8002 {
8003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8004 	struct net_device *dev = info->user_ptr[1];
8005 	u8 *dst = NULL;
8006 	u8 *next_hop = NULL;
8007 
8008 	if (!info->attrs[NL80211_ATTR_MAC])
8009 		return -EINVAL;
8010 
8011 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8012 		return -EINVAL;
8013 
8014 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8015 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8016 
8017 	if (!rdev->ops->change_mpath)
8018 		return -EOPNOTSUPP;
8019 
8020 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8021 		return -EOPNOTSUPP;
8022 
8023 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8024 }
8025 
8026 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8027 {
8028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8029 	struct net_device *dev = info->user_ptr[1];
8030 	u8 *dst = NULL;
8031 	u8 *next_hop = NULL;
8032 
8033 	if (!info->attrs[NL80211_ATTR_MAC])
8034 		return -EINVAL;
8035 
8036 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8037 		return -EINVAL;
8038 
8039 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8040 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8041 
8042 	if (!rdev->ops->add_mpath)
8043 		return -EOPNOTSUPP;
8044 
8045 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8046 		return -EOPNOTSUPP;
8047 
8048 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8049 }
8050 
8051 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8052 {
8053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8054 	struct net_device *dev = info->user_ptr[1];
8055 	u8 *dst = NULL;
8056 
8057 	if (info->attrs[NL80211_ATTR_MAC])
8058 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8059 
8060 	if (!rdev->ops->del_mpath)
8061 		return -EOPNOTSUPP;
8062 
8063 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8064 		return -EOPNOTSUPP;
8065 
8066 	return rdev_del_mpath(rdev, dev, dst);
8067 }
8068 
8069 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8070 {
8071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8072 	int err;
8073 	struct net_device *dev = info->user_ptr[1];
8074 	struct mpath_info pinfo;
8075 	struct sk_buff *msg;
8076 	u8 *dst = NULL;
8077 	u8 mpp[ETH_ALEN];
8078 
8079 	memset(&pinfo, 0, sizeof(pinfo));
8080 
8081 	if (!info->attrs[NL80211_ATTR_MAC])
8082 		return -EINVAL;
8083 
8084 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8085 
8086 	if (!rdev->ops->get_mpp)
8087 		return -EOPNOTSUPP;
8088 
8089 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8090 		return -EOPNOTSUPP;
8091 
8092 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8093 	if (err)
8094 		return err;
8095 
8096 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8097 	if (!msg)
8098 		return -ENOMEM;
8099 
8100 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8101 			       dev, dst, mpp, &pinfo) < 0) {
8102 		nlmsg_free(msg);
8103 		return -ENOBUFS;
8104 	}
8105 
8106 	return genlmsg_reply(msg, info);
8107 }
8108 
8109 static int nl80211_dump_mpp(struct sk_buff *skb,
8110 			    struct netlink_callback *cb)
8111 {
8112 	struct mpath_info pinfo;
8113 	struct cfg80211_registered_device *rdev;
8114 	struct wireless_dev *wdev;
8115 	u8 dst[ETH_ALEN];
8116 	u8 mpp[ETH_ALEN];
8117 	int path_idx = cb->args[2];
8118 	int err;
8119 
8120 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8121 	if (err)
8122 		return err;
8123 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8124 	__acquire(&rdev->wiphy.mtx);
8125 
8126 	if (!rdev->ops->dump_mpp) {
8127 		err = -EOPNOTSUPP;
8128 		goto out_err;
8129 	}
8130 
8131 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8132 		err = -EOPNOTSUPP;
8133 		goto out_err;
8134 	}
8135 
8136 	while (1) {
8137 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8138 				    mpp, &pinfo);
8139 		if (err == -ENOENT)
8140 			break;
8141 		if (err)
8142 			goto out_err;
8143 
8144 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8145 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8146 				       wdev->netdev, dst, mpp,
8147 				       &pinfo) < 0)
8148 			goto out;
8149 
8150 		path_idx++;
8151 	}
8152 
8153  out:
8154 	cb->args[2] = path_idx;
8155 	err = skb->len;
8156  out_err:
8157 	wiphy_unlock(&rdev->wiphy);
8158 	return err;
8159 }
8160 
8161 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8162 {
8163 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8164 	struct net_device *dev = info->user_ptr[1];
8165 	struct bss_parameters params;
8166 
8167 	memset(&params, 0, sizeof(params));
8168 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8169 	/* default to not changing parameters */
8170 	params.use_cts_prot = -1;
8171 	params.use_short_preamble = -1;
8172 	params.use_short_slot_time = -1;
8173 	params.ap_isolate = -1;
8174 	params.ht_opmode = -1;
8175 	params.p2p_ctwindow = -1;
8176 	params.p2p_opp_ps = -1;
8177 
8178 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8179 		params.use_cts_prot =
8180 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8181 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8182 		params.use_short_preamble =
8183 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8184 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8185 		params.use_short_slot_time =
8186 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8187 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8188 		params.basic_rates =
8189 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8190 		params.basic_rates_len =
8191 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8192 	}
8193 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8194 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8195 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8196 		params.ht_opmode =
8197 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8198 
8199 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8200 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8201 			return -EINVAL;
8202 		params.p2p_ctwindow =
8203 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8204 		if (params.p2p_ctwindow != 0 &&
8205 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8206 			return -EINVAL;
8207 	}
8208 
8209 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8210 		u8 tmp;
8211 
8212 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8213 			return -EINVAL;
8214 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8215 		params.p2p_opp_ps = tmp;
8216 		if (params.p2p_opp_ps &&
8217 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8218 			return -EINVAL;
8219 	}
8220 
8221 	if (!rdev->ops->change_bss)
8222 		return -EOPNOTSUPP;
8223 
8224 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8225 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8226 		return -EOPNOTSUPP;
8227 
8228 	return rdev_change_bss(rdev, dev, &params);
8229 }
8230 
8231 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8232 {
8233 	char *data = NULL;
8234 	bool is_indoor;
8235 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8236 	u32 owner_nlportid;
8237 
8238 	/*
8239 	 * You should only get this when cfg80211 hasn't yet initialized
8240 	 * completely when built-in to the kernel right between the time
8241 	 * window between nl80211_init() and regulatory_init(), if that is
8242 	 * even possible.
8243 	 */
8244 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8245 		return -EINPROGRESS;
8246 
8247 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8248 		user_reg_hint_type =
8249 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8250 	else
8251 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8252 
8253 	switch (user_reg_hint_type) {
8254 	case NL80211_USER_REG_HINT_USER:
8255 	case NL80211_USER_REG_HINT_CELL_BASE:
8256 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8257 			return -EINVAL;
8258 
8259 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8260 		return regulatory_hint_user(data, user_reg_hint_type);
8261 	case NL80211_USER_REG_HINT_INDOOR:
8262 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8263 			owner_nlportid = info->snd_portid;
8264 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8265 		} else {
8266 			owner_nlportid = 0;
8267 			is_indoor = true;
8268 		}
8269 
8270 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8271 		return 0;
8272 	default:
8273 		return -EINVAL;
8274 	}
8275 }
8276 
8277 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8278 {
8279 	return reg_reload_regdb();
8280 }
8281 
8282 static int nl80211_get_mesh_config(struct sk_buff *skb,
8283 				   struct genl_info *info)
8284 {
8285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8286 	struct net_device *dev = info->user_ptr[1];
8287 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8288 	struct mesh_config cur_params;
8289 	int err = 0;
8290 	void *hdr;
8291 	struct nlattr *pinfoattr;
8292 	struct sk_buff *msg;
8293 
8294 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8295 		return -EOPNOTSUPP;
8296 
8297 	if (!rdev->ops->get_mesh_config)
8298 		return -EOPNOTSUPP;
8299 
8300 	/* If not connected, get default parameters */
8301 	if (!wdev->u.mesh.id_len)
8302 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8303 	else
8304 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8305 
8306 	if (err)
8307 		return err;
8308 
8309 	/* Draw up a netlink message to send back */
8310 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8311 	if (!msg)
8312 		return -ENOMEM;
8313 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8314 			     NL80211_CMD_GET_MESH_CONFIG);
8315 	if (!hdr)
8316 		goto out;
8317 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8318 	if (!pinfoattr)
8319 		goto nla_put_failure;
8320 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8321 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8322 			cur_params.dot11MeshRetryTimeout) ||
8323 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8324 			cur_params.dot11MeshConfirmTimeout) ||
8325 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8326 			cur_params.dot11MeshHoldingTimeout) ||
8327 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8328 			cur_params.dot11MeshMaxPeerLinks) ||
8329 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8330 		       cur_params.dot11MeshMaxRetries) ||
8331 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8332 		       cur_params.dot11MeshTTL) ||
8333 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8334 		       cur_params.element_ttl) ||
8335 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8336 		       cur_params.auto_open_plinks) ||
8337 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8338 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8339 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8340 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8341 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8342 			cur_params.path_refresh_time) ||
8343 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8344 			cur_params.min_discovery_timeout) ||
8345 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8346 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8347 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8348 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8349 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8350 			cur_params.dot11MeshHWMPperrMinInterval) ||
8351 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8352 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8353 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8354 		       cur_params.dot11MeshHWMPRootMode) ||
8355 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8356 			cur_params.dot11MeshHWMPRannInterval) ||
8357 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8358 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8359 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8360 		       cur_params.dot11MeshForwarding) ||
8361 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8362 			cur_params.rssi_threshold) ||
8363 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8364 			cur_params.ht_opmode) ||
8365 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8366 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8367 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8368 			cur_params.dot11MeshHWMProotInterval) ||
8369 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8370 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8371 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8372 			cur_params.power_mode) ||
8373 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8374 			cur_params.dot11MeshAwakeWindowDuration) ||
8375 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8376 			cur_params.plink_timeout) ||
8377 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8378 		       cur_params.dot11MeshConnectedToMeshGate) ||
8379 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8380 		       cur_params.dot11MeshNolearn) ||
8381 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8382 		       cur_params.dot11MeshConnectedToAuthServer))
8383 		goto nla_put_failure;
8384 	nla_nest_end(msg, pinfoattr);
8385 	genlmsg_end(msg, hdr);
8386 	return genlmsg_reply(msg, info);
8387 
8388  nla_put_failure:
8389  out:
8390 	nlmsg_free(msg);
8391 	return -ENOBUFS;
8392 }
8393 
8394 static const struct nla_policy
8395 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8396 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8397 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8398 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8399 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8400 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8401 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8402 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8403 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8404 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8405 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8406 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8407 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8408 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8409 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8410 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8411 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8412 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8413 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8414 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8415 		NLA_POLICY_MIN(NLA_U16, 1),
8416 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8417 		NLA_POLICY_MIN(NLA_U16, 1),
8418 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8419 		NLA_POLICY_MIN(NLA_U16, 1),
8420 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8421 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8422 		NLA_POLICY_MIN(NLA_U16, 1),
8423 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8424 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8425 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8426 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8427 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8428 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8429 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8430 		NLA_POLICY_MIN(NLA_U16, 1),
8431 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8432 		NLA_POLICY_MIN(NLA_U16, 1),
8433 	[NL80211_MESHCONF_POWER_MODE] =
8434 		NLA_POLICY_RANGE(NLA_U32,
8435 				 NL80211_MESH_POWER_ACTIVE,
8436 				 NL80211_MESH_POWER_MAX),
8437 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8438 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8439 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8440 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8441 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8442 };
8443 
8444 static const struct nla_policy
8445 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8446 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8447 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8448 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8449 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8450 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8451 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8452 	[NL80211_MESH_SETUP_IE] =
8453 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8454 				       IEEE80211_MAX_DATA_LEN),
8455 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8456 };
8457 
8458 static int nl80211_parse_mesh_config(struct genl_info *info,
8459 				     struct mesh_config *cfg,
8460 				     u32 *mask_out)
8461 {
8462 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8463 	u32 mask = 0;
8464 	u16 ht_opmode;
8465 
8466 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8467 do {									\
8468 	if (tb[attr]) {							\
8469 		cfg->param = fn(tb[attr]);				\
8470 		mask |= BIT((attr) - 1);				\
8471 	}								\
8472 } while (0)
8473 
8474 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8475 		return -EINVAL;
8476 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8477 		return -EINVAL;
8478 
8479 	/* This makes sure that there aren't more than 32 mesh config
8480 	 * parameters (otherwise our bitfield scheme would not work.) */
8481 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8482 
8483 	/* Fill in the params struct */
8484 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8485 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8486 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8487 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8488 				  nla_get_u16);
8489 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8490 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8491 				  nla_get_u16);
8492 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8493 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8494 				  nla_get_u16);
8495 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8496 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8497 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8498 				  NL80211_MESHCONF_TTL, nla_get_u8);
8499 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8500 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8501 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8502 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8503 				  nla_get_u8);
8504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8505 				  mask,
8506 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8507 				  nla_get_u32);
8508 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8509 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8510 				  nla_get_u8);
8511 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8512 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8513 				  nla_get_u32);
8514 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8515 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8516 		return -EINVAL;
8517 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8518 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8519 				  nla_get_u16);
8520 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8521 				  mask,
8522 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8523 				  nla_get_u32);
8524 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8525 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8526 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8527 		return -EINVAL;
8528 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8529 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8530 				  nla_get_u16);
8531 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8532 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8533 				  nla_get_u16);
8534 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8535 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8536 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8537 				  nla_get_u16);
8538 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8539 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8540 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8541 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8542 				  nla_get_u16);
8543 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8544 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8545 				  nla_get_u8);
8546 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8547 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8549 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8550 				  nla_get_s32);
8551 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8552 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8553 				  nla_get_u8);
8554 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8555 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8556 				  nla_get_u8);
8557 	/*
8558 	 * Check HT operation mode based on
8559 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8560 	 */
8561 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8562 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8563 
8564 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8565 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8566 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8567 			return -EINVAL;
8568 
8569 		/* NON_HT_STA bit is reserved, but some programs set it */
8570 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8571 
8572 		cfg->ht_opmode = ht_opmode;
8573 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8574 	}
8575 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8576 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8577 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8578 				  nla_get_u32);
8579 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8580 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8581 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8582 		return -EINVAL;
8583 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8584 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8585 				  nla_get_u16);
8586 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8587 				  mask,
8588 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8589 				  nla_get_u16);
8590 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8591 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8592 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8593 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8594 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8595 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8596 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8597 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8598 	if (mask_out)
8599 		*mask_out = mask;
8600 
8601 	return 0;
8602 
8603 #undef FILL_IN_MESH_PARAM_IF_SET
8604 }
8605 
8606 static int nl80211_parse_mesh_setup(struct genl_info *info,
8607 				     struct mesh_setup *setup)
8608 {
8609 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8610 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8611 
8612 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8613 		return -EINVAL;
8614 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8615 		return -EINVAL;
8616 
8617 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8618 		setup->sync_method =
8619 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8620 		 IEEE80211_SYNC_METHOD_VENDOR :
8621 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8622 
8623 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8624 		setup->path_sel_proto =
8625 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8626 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8627 		 IEEE80211_PATH_PROTOCOL_HWMP;
8628 
8629 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8630 		setup->path_metric =
8631 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8632 		 IEEE80211_PATH_METRIC_VENDOR :
8633 		 IEEE80211_PATH_METRIC_AIRTIME;
8634 
8635 	if (tb[NL80211_MESH_SETUP_IE]) {
8636 		struct nlattr *ieattr =
8637 			tb[NL80211_MESH_SETUP_IE];
8638 		setup->ie = nla_data(ieattr);
8639 		setup->ie_len = nla_len(ieattr);
8640 	}
8641 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8642 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8643 		return -EINVAL;
8644 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8645 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8646 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8647 	if (setup->is_secure)
8648 		setup->user_mpm = true;
8649 
8650 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8651 		if (!setup->user_mpm)
8652 			return -EINVAL;
8653 		setup->auth_id =
8654 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8655 	}
8656 
8657 	return 0;
8658 }
8659 
8660 static int nl80211_update_mesh_config(struct sk_buff *skb,
8661 				      struct genl_info *info)
8662 {
8663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8664 	struct net_device *dev = info->user_ptr[1];
8665 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8666 	struct mesh_config cfg = {};
8667 	u32 mask;
8668 	int err;
8669 
8670 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8671 		return -EOPNOTSUPP;
8672 
8673 	if (!rdev->ops->update_mesh_config)
8674 		return -EOPNOTSUPP;
8675 
8676 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8677 	if (err)
8678 		return err;
8679 
8680 	if (!wdev->u.mesh.id_len)
8681 		err = -ENOLINK;
8682 
8683 	if (!err)
8684 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8685 
8686 	return err;
8687 }
8688 
8689 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8690 			      struct sk_buff *msg)
8691 {
8692 	struct nlattr *nl_reg_rules;
8693 	unsigned int i;
8694 
8695 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8696 	    (regdom->dfs_region &&
8697 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8698 		goto nla_put_failure;
8699 
8700 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8701 	if (!nl_reg_rules)
8702 		goto nla_put_failure;
8703 
8704 	for (i = 0; i < regdom->n_reg_rules; i++) {
8705 		struct nlattr *nl_reg_rule;
8706 		const struct ieee80211_reg_rule *reg_rule;
8707 		const struct ieee80211_freq_range *freq_range;
8708 		const struct ieee80211_power_rule *power_rule;
8709 		unsigned int max_bandwidth_khz;
8710 
8711 		reg_rule = &regdom->reg_rules[i];
8712 		freq_range = &reg_rule->freq_range;
8713 		power_rule = &reg_rule->power_rule;
8714 
8715 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8716 		if (!nl_reg_rule)
8717 			goto nla_put_failure;
8718 
8719 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8720 		if (!max_bandwidth_khz)
8721 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8722 								  reg_rule);
8723 
8724 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8725 				reg_rule->flags) ||
8726 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8727 				freq_range->start_freq_khz) ||
8728 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8729 				freq_range->end_freq_khz) ||
8730 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8731 				max_bandwidth_khz) ||
8732 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8733 				power_rule->max_antenna_gain) ||
8734 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8735 				power_rule->max_eirp) ||
8736 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8737 				reg_rule->dfs_cac_ms))
8738 			goto nla_put_failure;
8739 
8740 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8741 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8742 			       reg_rule->psd))
8743 			goto nla_put_failure;
8744 
8745 		nla_nest_end(msg, nl_reg_rule);
8746 	}
8747 
8748 	nla_nest_end(msg, nl_reg_rules);
8749 	return 0;
8750 
8751 nla_put_failure:
8752 	return -EMSGSIZE;
8753 }
8754 
8755 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8756 {
8757 	const struct ieee80211_regdomain *regdom = NULL;
8758 	struct cfg80211_registered_device *rdev;
8759 	struct wiphy *wiphy = NULL;
8760 	struct sk_buff *msg;
8761 	int err = -EMSGSIZE;
8762 	void *hdr;
8763 
8764 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8765 	if (!msg)
8766 		return -ENOBUFS;
8767 
8768 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8769 			     NL80211_CMD_GET_REG);
8770 	if (!hdr)
8771 		goto put_failure;
8772 
8773 	rtnl_lock();
8774 
8775 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8776 		bool self_managed;
8777 
8778 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8779 		if (IS_ERR(rdev)) {
8780 			err = PTR_ERR(rdev);
8781 			goto nla_put_failure;
8782 		}
8783 
8784 		wiphy = &rdev->wiphy;
8785 		self_managed = wiphy->regulatory_flags &
8786 			       REGULATORY_WIPHY_SELF_MANAGED;
8787 
8788 		rcu_read_lock();
8789 
8790 		regdom = get_wiphy_regdom(wiphy);
8791 
8792 		/* a self-managed-reg device must have a private regdom */
8793 		if (WARN_ON(!regdom && self_managed)) {
8794 			err = -EINVAL;
8795 			goto nla_put_failure_rcu;
8796 		}
8797 
8798 		if (regdom &&
8799 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8800 			goto nla_put_failure_rcu;
8801 	} else {
8802 		rcu_read_lock();
8803 	}
8804 
8805 	if (!wiphy && reg_last_request_cell_base() &&
8806 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8807 			NL80211_USER_REG_HINT_CELL_BASE))
8808 		goto nla_put_failure_rcu;
8809 
8810 	if (!regdom)
8811 		regdom = rcu_dereference(cfg80211_regdomain);
8812 
8813 	if (nl80211_put_regdom(regdom, msg))
8814 		goto nla_put_failure_rcu;
8815 
8816 	rcu_read_unlock();
8817 
8818 	genlmsg_end(msg, hdr);
8819 	rtnl_unlock();
8820 	return genlmsg_reply(msg, info);
8821 
8822 nla_put_failure_rcu:
8823 	rcu_read_unlock();
8824 nla_put_failure:
8825 	rtnl_unlock();
8826 put_failure:
8827 	nlmsg_free(msg);
8828 	return err;
8829 }
8830 
8831 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8832 			       u32 seq, int flags, struct wiphy *wiphy,
8833 			       const struct ieee80211_regdomain *regdom)
8834 {
8835 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8836 				   NL80211_CMD_GET_REG);
8837 
8838 	if (!hdr)
8839 		return -1;
8840 
8841 	genl_dump_check_consistent(cb, hdr);
8842 
8843 	if (nl80211_put_regdom(regdom, msg))
8844 		goto nla_put_failure;
8845 
8846 	if (!wiphy && reg_last_request_cell_base() &&
8847 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8848 			NL80211_USER_REG_HINT_CELL_BASE))
8849 		goto nla_put_failure;
8850 
8851 	if (wiphy &&
8852 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8853 		goto nla_put_failure;
8854 
8855 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8856 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8857 		goto nla_put_failure;
8858 
8859 	genlmsg_end(msg, hdr);
8860 	return 0;
8861 
8862 nla_put_failure:
8863 	genlmsg_cancel(msg, hdr);
8864 	return -EMSGSIZE;
8865 }
8866 
8867 static int nl80211_get_reg_dump(struct sk_buff *skb,
8868 				struct netlink_callback *cb)
8869 {
8870 	const struct ieee80211_regdomain *regdom = NULL;
8871 	struct cfg80211_registered_device *rdev;
8872 	int err, reg_idx, start = cb->args[2];
8873 
8874 	rcu_read_lock();
8875 
8876 	if (cfg80211_regdomain && start == 0) {
8877 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8878 					  NLM_F_MULTI, NULL,
8879 					  rcu_dereference(cfg80211_regdomain));
8880 		if (err < 0)
8881 			goto out_err;
8882 	}
8883 
8884 	/* the global regdom is idx 0 */
8885 	reg_idx = 1;
8886 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8887 		regdom = get_wiphy_regdom(&rdev->wiphy);
8888 		if (!regdom)
8889 			continue;
8890 
8891 		if (++reg_idx <= start)
8892 			continue;
8893 
8894 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8895 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8896 		if (err < 0) {
8897 			reg_idx--;
8898 			break;
8899 		}
8900 	}
8901 
8902 	cb->args[2] = reg_idx;
8903 	err = skb->len;
8904 out_err:
8905 	rcu_read_unlock();
8906 	return err;
8907 }
8908 
8909 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8910 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8911 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8912 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8913 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8914 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8915 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8916 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8917 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8918 };
8919 
8920 static int parse_reg_rule(struct nlattr *tb[],
8921 	struct ieee80211_reg_rule *reg_rule)
8922 {
8923 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8924 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8925 
8926 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8927 		return -EINVAL;
8928 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8929 		return -EINVAL;
8930 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8931 		return -EINVAL;
8932 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8933 		return -EINVAL;
8934 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8935 		return -EINVAL;
8936 
8937 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8938 
8939 	freq_range->start_freq_khz =
8940 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8941 	freq_range->end_freq_khz =
8942 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8943 	freq_range->max_bandwidth_khz =
8944 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8945 
8946 	power_rule->max_eirp =
8947 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8948 
8949 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8950 		power_rule->max_antenna_gain =
8951 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8952 
8953 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8954 		reg_rule->dfs_cac_ms =
8955 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8956 
8957 	return 0;
8958 }
8959 
8960 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8961 {
8962 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8963 	struct nlattr *nl_reg_rule;
8964 	char *alpha2;
8965 	int rem_reg_rules, r;
8966 	u32 num_rules = 0, rule_idx = 0;
8967 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8968 	struct ieee80211_regdomain *rd;
8969 
8970 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8971 		return -EINVAL;
8972 
8973 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8974 		return -EINVAL;
8975 
8976 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8977 
8978 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8979 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8980 
8981 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8982 			    rem_reg_rules) {
8983 		num_rules++;
8984 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8985 			return -EINVAL;
8986 	}
8987 
8988 	rtnl_lock();
8989 	if (!reg_is_valid_request(alpha2)) {
8990 		r = -EINVAL;
8991 		goto out;
8992 	}
8993 
8994 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8995 	if (!rd) {
8996 		r = -ENOMEM;
8997 		goto out;
8998 	}
8999 
9000 	rd->n_reg_rules = num_rules;
9001 	rd->alpha2[0] = alpha2[0];
9002 	rd->alpha2[1] = alpha2[1];
9003 
9004 	/*
9005 	 * Disable DFS master mode if the DFS region was
9006 	 * not supported or known on this kernel.
9007 	 */
9008 	if (reg_supported_dfs_region(dfs_region))
9009 		rd->dfs_region = dfs_region;
9010 
9011 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9012 			    rem_reg_rules) {
9013 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9014 						nl_reg_rule, reg_rule_policy,
9015 						info->extack);
9016 		if (r)
9017 			goto bad_reg;
9018 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9019 		if (r)
9020 			goto bad_reg;
9021 
9022 		rule_idx++;
9023 
9024 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9025 			r = -EINVAL;
9026 			goto bad_reg;
9027 		}
9028 	}
9029 
9030 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9031 	/* set_regdom takes ownership of rd */
9032 	rd = NULL;
9033  bad_reg:
9034 	kfree(rd);
9035  out:
9036 	rtnl_unlock();
9037 	return r;
9038 }
9039 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9040 
9041 static int validate_scan_freqs(struct nlattr *freqs)
9042 {
9043 	struct nlattr *attr1, *attr2;
9044 	int n_channels = 0, tmp1, tmp2;
9045 
9046 	nla_for_each_nested(attr1, freqs, tmp1)
9047 		if (nla_len(attr1) != sizeof(u32))
9048 			return 0;
9049 
9050 	nla_for_each_nested(attr1, freqs, tmp1) {
9051 		n_channels++;
9052 		/*
9053 		 * Some hardware has a limited channel list for
9054 		 * scanning, and it is pretty much nonsensical
9055 		 * to scan for a channel twice, so disallow that
9056 		 * and don't require drivers to check that the
9057 		 * channel list they get isn't longer than what
9058 		 * they can scan, as long as they can scan all
9059 		 * the channels they registered at once.
9060 		 */
9061 		nla_for_each_nested(attr2, freqs, tmp2)
9062 			if (attr1 != attr2 &&
9063 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9064 				return 0;
9065 	}
9066 
9067 	return n_channels;
9068 }
9069 
9070 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9071 {
9072 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9073 }
9074 
9075 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9076 			    struct cfg80211_bss_selection *bss_select)
9077 {
9078 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9079 	struct nlattr *nest;
9080 	int err;
9081 	bool found = false;
9082 	int i;
9083 
9084 	/* only process one nested attribute */
9085 	nest = nla_data(nla);
9086 	if (!nla_ok(nest, nla_len(nest)))
9087 		return -EINVAL;
9088 
9089 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9090 					  nest, nl80211_bss_select_policy,
9091 					  NULL);
9092 	if (err)
9093 		return err;
9094 
9095 	/* only one attribute may be given */
9096 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9097 		if (attr[i]) {
9098 			if (found)
9099 				return -EINVAL;
9100 			found = true;
9101 		}
9102 	}
9103 
9104 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9105 
9106 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9107 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9108 
9109 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9110 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9111 		bss_select->param.band_pref =
9112 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9113 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9114 			return -EINVAL;
9115 	}
9116 
9117 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9118 		struct nl80211_bss_select_rssi_adjust *adj_param;
9119 
9120 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9121 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9122 		bss_select->param.adjust.band = adj_param->band;
9123 		bss_select->param.adjust.delta = adj_param->delta;
9124 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9125 			return -EINVAL;
9126 	}
9127 
9128 	/* user-space did not provide behaviour attribute */
9129 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9130 		return -EINVAL;
9131 
9132 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9133 		return -EINVAL;
9134 
9135 	return 0;
9136 }
9137 
9138 int nl80211_parse_random_mac(struct nlattr **attrs,
9139 			     u8 *mac_addr, u8 *mac_addr_mask)
9140 {
9141 	int i;
9142 
9143 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9144 		eth_zero_addr(mac_addr);
9145 		eth_zero_addr(mac_addr_mask);
9146 		mac_addr[0] = 0x2;
9147 		mac_addr_mask[0] = 0x3;
9148 
9149 		return 0;
9150 	}
9151 
9152 	/* need both or none */
9153 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9154 		return -EINVAL;
9155 
9156 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9157 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9158 
9159 	/* don't allow or configure an mcast address */
9160 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9161 	    is_multicast_ether_addr(mac_addr))
9162 		return -EINVAL;
9163 
9164 	/*
9165 	 * allow users to pass a MAC address that has bits set outside
9166 	 * of the mask, but don't bother drivers with having to deal
9167 	 * with such bits
9168 	 */
9169 	for (i = 0; i < ETH_ALEN; i++)
9170 		mac_addr[i] &= mac_addr_mask[i];
9171 
9172 	return 0;
9173 }
9174 
9175 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9176 					      struct ieee80211_channel *chan)
9177 {
9178 	unsigned int link_id;
9179 	bool all_ok = true;
9180 
9181 	lockdep_assert_wiphy(wdev->wiphy);
9182 
9183 	if (!cfg80211_beaconing_iface_active(wdev))
9184 		return true;
9185 
9186 	/*
9187 	 * FIXME: check if we have a free HW resource/link for chan
9188 	 *
9189 	 * This, as well as the FIXME below, requires knowing the link
9190 	 * capabilities of the hardware.
9191 	 */
9192 
9193 	/* we cannot leave radar channels */
9194 	for_each_valid_link(wdev, link_id) {
9195 		struct cfg80211_chan_def *chandef;
9196 
9197 		chandef = wdev_chandef(wdev, link_id);
9198 		if (!chandef || !chandef->chan)
9199 			continue;
9200 
9201 		/*
9202 		 * FIXME: don't require all_ok, but rather check only the
9203 		 *	  correct HW resource/link onto which 'chan' falls,
9204 		 *	  as only that link leaves the channel for doing
9205 		 *	  the off-channel operation.
9206 		 */
9207 
9208 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9209 			all_ok = false;
9210 	}
9211 
9212 	if (all_ok)
9213 		return true;
9214 
9215 	return regulatory_pre_cac_allowed(wdev->wiphy);
9216 }
9217 
9218 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9219 				    enum nl80211_ext_feature_index feat)
9220 {
9221 	if (!(flags & flag))
9222 		return true;
9223 	if (wiphy_ext_feature_isset(wiphy, feat))
9224 		return true;
9225 	return false;
9226 }
9227 
9228 static int
9229 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9230 			 void *request, struct nlattr **attrs,
9231 			 bool is_sched_scan)
9232 {
9233 	u8 *mac_addr, *mac_addr_mask;
9234 	u32 *flags;
9235 	enum nl80211_feature_flags randomness_flag;
9236 
9237 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9238 		return 0;
9239 
9240 	if (is_sched_scan) {
9241 		struct cfg80211_sched_scan_request *req = request;
9242 
9243 		randomness_flag = wdev ?
9244 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9245 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9246 		flags = &req->flags;
9247 		mac_addr = req->mac_addr;
9248 		mac_addr_mask = req->mac_addr_mask;
9249 	} else {
9250 		struct cfg80211_scan_request *req = request;
9251 
9252 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9253 		flags = &req->flags;
9254 		mac_addr = req->mac_addr;
9255 		mac_addr_mask = req->mac_addr_mask;
9256 	}
9257 
9258 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9259 
9260 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9261 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9262 	    !nl80211_check_scan_feat(wiphy, *flags,
9263 				     NL80211_SCAN_FLAG_LOW_SPAN,
9264 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9265 	    !nl80211_check_scan_feat(wiphy, *flags,
9266 				     NL80211_SCAN_FLAG_LOW_POWER,
9267 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9268 	    !nl80211_check_scan_feat(wiphy, *flags,
9269 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9270 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9271 	    !nl80211_check_scan_feat(wiphy, *flags,
9272 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9273 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9274 	    !nl80211_check_scan_feat(wiphy, *flags,
9275 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9276 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9277 	    !nl80211_check_scan_feat(wiphy, *flags,
9278 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9279 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9280 	    !nl80211_check_scan_feat(wiphy, *flags,
9281 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9282 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9283 	    !nl80211_check_scan_feat(wiphy, *flags,
9284 				     NL80211_SCAN_FLAG_RANDOM_SN,
9285 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9286 	    !nl80211_check_scan_feat(wiphy, *flags,
9287 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9288 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9289 		return -EOPNOTSUPP;
9290 
9291 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9292 		int err;
9293 
9294 		if (!(wiphy->features & randomness_flag) ||
9295 		    (wdev && wdev->connected))
9296 			return -EOPNOTSUPP;
9297 
9298 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9299 		if (err)
9300 			return err;
9301 	}
9302 
9303 	return 0;
9304 }
9305 
9306 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9307 {
9308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9309 	struct wireless_dev *wdev = info->user_ptr[1];
9310 	struct cfg80211_scan_request *request;
9311 	struct nlattr *scan_freqs = NULL;
9312 	bool scan_freqs_khz = false;
9313 	struct nlattr *attr;
9314 	struct wiphy *wiphy;
9315 	int err, tmp, n_ssids = 0, n_channels, i;
9316 	size_t ie_len, size;
9317 	size_t ssids_offset, ie_offset;
9318 
9319 	wiphy = &rdev->wiphy;
9320 
9321 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9322 		return -EOPNOTSUPP;
9323 
9324 	if (!rdev->ops->scan)
9325 		return -EOPNOTSUPP;
9326 
9327 	if (rdev->scan_req || rdev->scan_msg)
9328 		return -EBUSY;
9329 
9330 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9331 		if (!wiphy_ext_feature_isset(wiphy,
9332 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9333 			return -EOPNOTSUPP;
9334 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9335 		scan_freqs_khz = true;
9336 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9337 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9338 
9339 	if (scan_freqs) {
9340 		n_channels = validate_scan_freqs(scan_freqs);
9341 		if (!n_channels)
9342 			return -EINVAL;
9343 	} else {
9344 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9345 	}
9346 
9347 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9348 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9349 			n_ssids++;
9350 
9351 	if (n_ssids > wiphy->max_scan_ssids)
9352 		return -EINVAL;
9353 
9354 	if (info->attrs[NL80211_ATTR_IE])
9355 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9356 	else
9357 		ie_len = 0;
9358 
9359 	if (ie_len > wiphy->max_scan_ie_len)
9360 		return -EINVAL;
9361 
9362 	size = struct_size(request, channels, n_channels);
9363 	ssids_offset = size;
9364 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9365 	ie_offset = size;
9366 	size = size_add(size, ie_len);
9367 	request = kzalloc(size, GFP_KERNEL);
9368 	if (!request)
9369 		return -ENOMEM;
9370 	request->n_channels = n_channels;
9371 
9372 	if (n_ssids)
9373 		request->ssids = (void *)request + ssids_offset;
9374 	request->n_ssids = n_ssids;
9375 	if (ie_len)
9376 		request->ie = (void *)request + ie_offset;
9377 
9378 	i = 0;
9379 	if (scan_freqs) {
9380 		/* user specified, bail out if channel not found */
9381 		nla_for_each_nested(attr, scan_freqs, tmp) {
9382 			struct ieee80211_channel *chan;
9383 			int freq = nla_get_u32(attr);
9384 
9385 			if (!scan_freqs_khz)
9386 				freq = MHZ_TO_KHZ(freq);
9387 
9388 			chan = ieee80211_get_channel_khz(wiphy, freq);
9389 			if (!chan) {
9390 				err = -EINVAL;
9391 				goto out_free;
9392 			}
9393 
9394 			/* ignore disabled channels */
9395 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9396 				continue;
9397 
9398 			request->channels[i] = chan;
9399 			i++;
9400 		}
9401 	} else {
9402 		enum nl80211_band band;
9403 
9404 		/* all channels */
9405 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9406 			int j;
9407 
9408 			if (!wiphy->bands[band])
9409 				continue;
9410 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9411 				struct ieee80211_channel *chan;
9412 
9413 				chan = &wiphy->bands[band]->channels[j];
9414 
9415 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9416 					continue;
9417 
9418 				request->channels[i] = chan;
9419 				i++;
9420 			}
9421 		}
9422 	}
9423 
9424 	if (!i) {
9425 		err = -EINVAL;
9426 		goto out_free;
9427 	}
9428 
9429 	request->n_channels = i;
9430 
9431 	for (i = 0; i < request->n_channels; i++) {
9432 		struct ieee80211_channel *chan = request->channels[i];
9433 
9434 		/* if we can go off-channel to the target channel we're good */
9435 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9436 			continue;
9437 
9438 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9439 			err = -EBUSY;
9440 			goto out_free;
9441 		}
9442 	}
9443 
9444 	i = 0;
9445 	if (n_ssids) {
9446 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9447 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9448 				err = -EINVAL;
9449 				goto out_free;
9450 			}
9451 			request->ssids[i].ssid_len = nla_len(attr);
9452 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9453 			i++;
9454 		}
9455 	}
9456 
9457 	if (info->attrs[NL80211_ATTR_IE]) {
9458 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9459 		memcpy((void *)request->ie,
9460 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9461 		       request->ie_len);
9462 	}
9463 
9464 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9465 		if (wiphy->bands[i])
9466 			request->rates[i] =
9467 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9468 
9469 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9470 		nla_for_each_nested(attr,
9471 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9472 				    tmp) {
9473 			enum nl80211_band band = nla_type(attr);
9474 
9475 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9476 				err = -EINVAL;
9477 				goto out_free;
9478 			}
9479 
9480 			if (!wiphy->bands[band])
9481 				continue;
9482 
9483 			err = ieee80211_get_ratemask(wiphy->bands[band],
9484 						     nla_data(attr),
9485 						     nla_len(attr),
9486 						     &request->rates[band]);
9487 			if (err)
9488 				goto out_free;
9489 		}
9490 	}
9491 
9492 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9493 		request->duration =
9494 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9495 		request->duration_mandatory =
9496 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9497 	}
9498 
9499 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9500 				       false);
9501 	if (err)
9502 		goto out_free;
9503 
9504 	request->no_cck =
9505 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9506 
9507 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9508 	 * BSSID to scan for. This was problematic because that same attribute
9509 	 * was already used for another purpose (local random MAC address). The
9510 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9511 	 * compatibility with older userspace components, also use the
9512 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9513 	 * the specific BSSID use case instead of the random MAC address
9514 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9515 	 */
9516 	if (info->attrs[NL80211_ATTR_BSSID])
9517 		memcpy(request->bssid,
9518 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9519 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9520 		 info->attrs[NL80211_ATTR_MAC])
9521 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9522 		       ETH_ALEN);
9523 	else
9524 		eth_broadcast_addr(request->bssid);
9525 
9526 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9527 	request->wdev = wdev;
9528 	request->wiphy = &rdev->wiphy;
9529 	request->scan_start = jiffies;
9530 
9531 	rdev->scan_req = request;
9532 	err = cfg80211_scan(rdev);
9533 
9534 	if (err)
9535 		goto out_free;
9536 
9537 	nl80211_send_scan_start(rdev, wdev);
9538 	dev_hold(wdev->netdev);
9539 
9540 	return 0;
9541 
9542  out_free:
9543 	rdev->scan_req = NULL;
9544 	kfree(request);
9545 
9546 	return err;
9547 }
9548 
9549 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9550 {
9551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9552 	struct wireless_dev *wdev = info->user_ptr[1];
9553 
9554 	if (!rdev->ops->abort_scan)
9555 		return -EOPNOTSUPP;
9556 
9557 	if (rdev->scan_msg)
9558 		return 0;
9559 
9560 	if (!rdev->scan_req)
9561 		return -ENOENT;
9562 
9563 	rdev_abort_scan(rdev, wdev);
9564 	return 0;
9565 }
9566 
9567 static int
9568 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9569 			       struct cfg80211_sched_scan_request *request,
9570 			       struct nlattr **attrs)
9571 {
9572 	int tmp, err, i = 0;
9573 	struct nlattr *attr;
9574 
9575 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9576 		u32 interval;
9577 
9578 		/*
9579 		 * If scan plans are not specified,
9580 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9581 		 * case one scan plan will be set with the specified scan
9582 		 * interval and infinite number of iterations.
9583 		 */
9584 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9585 		if (!interval)
9586 			return -EINVAL;
9587 
9588 		request->scan_plans[0].interval =
9589 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9590 		if (!request->scan_plans[0].interval)
9591 			return -EINVAL;
9592 
9593 		if (request->scan_plans[0].interval >
9594 		    wiphy->max_sched_scan_plan_interval)
9595 			request->scan_plans[0].interval =
9596 				wiphy->max_sched_scan_plan_interval;
9597 
9598 		return 0;
9599 	}
9600 
9601 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9602 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9603 
9604 		if (WARN_ON(i >= n_plans))
9605 			return -EINVAL;
9606 
9607 		err = nla_parse_nested_deprecated(plan,
9608 						  NL80211_SCHED_SCAN_PLAN_MAX,
9609 						  attr, nl80211_plan_policy,
9610 						  NULL);
9611 		if (err)
9612 			return err;
9613 
9614 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9615 			return -EINVAL;
9616 
9617 		request->scan_plans[i].interval =
9618 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9619 		if (!request->scan_plans[i].interval ||
9620 		    request->scan_plans[i].interval >
9621 		    wiphy->max_sched_scan_plan_interval)
9622 			return -EINVAL;
9623 
9624 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9625 			request->scan_plans[i].iterations =
9626 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9627 			if (!request->scan_plans[i].iterations ||
9628 			    (request->scan_plans[i].iterations >
9629 			     wiphy->max_sched_scan_plan_iterations))
9630 				return -EINVAL;
9631 		} else if (i < n_plans - 1) {
9632 			/*
9633 			 * All scan plans but the last one must specify
9634 			 * a finite number of iterations
9635 			 */
9636 			return -EINVAL;
9637 		}
9638 
9639 		i++;
9640 	}
9641 
9642 	/*
9643 	 * The last scan plan must not specify the number of
9644 	 * iterations, it is supposed to run infinitely
9645 	 */
9646 	if (request->scan_plans[n_plans - 1].iterations)
9647 		return  -EINVAL;
9648 
9649 	return 0;
9650 }
9651 
9652 static struct cfg80211_sched_scan_request *
9653 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9654 			 struct nlattr **attrs, int max_match_sets)
9655 {
9656 	struct cfg80211_sched_scan_request *request;
9657 	struct nlattr *attr;
9658 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9659 	enum nl80211_band band;
9660 	size_t ie_len, size;
9661 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9662 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9663 
9664 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9665 		n_channels = validate_scan_freqs(
9666 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9667 		if (!n_channels)
9668 			return ERR_PTR(-EINVAL);
9669 	} else {
9670 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9671 	}
9672 
9673 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9674 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9675 				    tmp)
9676 			n_ssids++;
9677 
9678 	if (n_ssids > wiphy->max_sched_scan_ssids)
9679 		return ERR_PTR(-EINVAL);
9680 
9681 	/*
9682 	 * First, count the number of 'real' matchsets. Due to an issue with
9683 	 * the old implementation, matchsets containing only the RSSI attribute
9684 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9685 	 * RSSI for all matchsets, rather than their own matchset for reporting
9686 	 * all APs with a strong RSSI. This is needed to be compatible with
9687 	 * older userspace that treated a matchset with only the RSSI as the
9688 	 * global RSSI for all other matchsets - if there are other matchsets.
9689 	 */
9690 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9691 		nla_for_each_nested(attr,
9692 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9693 				    tmp) {
9694 			struct nlattr *rssi;
9695 
9696 			err = nla_parse_nested_deprecated(tb,
9697 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9698 							  attr,
9699 							  nl80211_match_policy,
9700 							  NULL);
9701 			if (err)
9702 				return ERR_PTR(err);
9703 
9704 			/* SSID and BSSID are mutually exclusive */
9705 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9706 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9707 				return ERR_PTR(-EINVAL);
9708 
9709 			/* add other standalone attributes here */
9710 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9711 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9712 				n_match_sets++;
9713 				continue;
9714 			}
9715 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9716 			if (rssi)
9717 				default_match_rssi = nla_get_s32(rssi);
9718 		}
9719 	}
9720 
9721 	/* However, if there's no other matchset, add the RSSI one */
9722 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9723 		n_match_sets = 1;
9724 
9725 	if (n_match_sets > max_match_sets)
9726 		return ERR_PTR(-EINVAL);
9727 
9728 	if (attrs[NL80211_ATTR_IE])
9729 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9730 	else
9731 		ie_len = 0;
9732 
9733 	if (ie_len > wiphy->max_sched_scan_ie_len)
9734 		return ERR_PTR(-EINVAL);
9735 
9736 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9737 		/*
9738 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9739 		 * each scan plan already specifies its own interval
9740 		 */
9741 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9742 			return ERR_PTR(-EINVAL);
9743 
9744 		nla_for_each_nested(attr,
9745 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9746 			n_plans++;
9747 	} else {
9748 		/*
9749 		 * The scan interval attribute is kept for backward
9750 		 * compatibility. If no scan plans are specified and sched scan
9751 		 * interval is specified, one scan plan will be set with this
9752 		 * scan interval and infinite number of iterations.
9753 		 */
9754 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9755 			return ERR_PTR(-EINVAL);
9756 
9757 		n_plans = 1;
9758 	}
9759 
9760 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9761 		return ERR_PTR(-EINVAL);
9762 
9763 	if (!wiphy_ext_feature_isset(
9764 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9765 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9766 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9767 		return ERR_PTR(-EINVAL);
9768 
9769 	size = struct_size(request, channels, n_channels);
9770 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9771 	size = size_add(size, array_size(sizeof(*request->match_sets),
9772 					 n_match_sets));
9773 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9774 					 n_plans));
9775 	size = size_add(size, ie_len);
9776 	request = kzalloc(size, GFP_KERNEL);
9777 	if (!request)
9778 		return ERR_PTR(-ENOMEM);
9779 
9780 	if (n_ssids)
9781 		request->ssids = (void *)request +
9782 			struct_size(request, channels, n_channels);
9783 	request->n_ssids = n_ssids;
9784 	if (ie_len) {
9785 		if (n_ssids)
9786 			request->ie = (void *)(request->ssids + n_ssids);
9787 		else
9788 			request->ie = (void *)(request->channels + n_channels);
9789 	}
9790 
9791 	if (n_match_sets) {
9792 		if (request->ie)
9793 			request->match_sets = (void *)(request->ie + ie_len);
9794 		else if (n_ssids)
9795 			request->match_sets =
9796 				(void *)(request->ssids + n_ssids);
9797 		else
9798 			request->match_sets =
9799 				(void *)(request->channels + n_channels);
9800 	}
9801 	request->n_match_sets = n_match_sets;
9802 
9803 	if (n_match_sets)
9804 		request->scan_plans = (void *)(request->match_sets +
9805 					       n_match_sets);
9806 	else if (request->ie)
9807 		request->scan_plans = (void *)(request->ie + ie_len);
9808 	else if (n_ssids)
9809 		request->scan_plans = (void *)(request->ssids + n_ssids);
9810 	else
9811 		request->scan_plans = (void *)(request->channels + n_channels);
9812 
9813 	request->n_scan_plans = n_plans;
9814 
9815 	i = 0;
9816 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9817 		/* user specified, bail out if channel not found */
9818 		nla_for_each_nested(attr,
9819 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9820 				    tmp) {
9821 			struct ieee80211_channel *chan;
9822 
9823 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9824 
9825 			if (!chan) {
9826 				err = -EINVAL;
9827 				goto out_free;
9828 			}
9829 
9830 			/* ignore disabled channels */
9831 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9832 				continue;
9833 
9834 			request->channels[i] = chan;
9835 			i++;
9836 		}
9837 	} else {
9838 		/* all channels */
9839 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9840 			int j;
9841 
9842 			if (!wiphy->bands[band])
9843 				continue;
9844 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9845 				struct ieee80211_channel *chan;
9846 
9847 				chan = &wiphy->bands[band]->channels[j];
9848 
9849 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9850 					continue;
9851 
9852 				request->channels[i] = chan;
9853 				i++;
9854 			}
9855 		}
9856 	}
9857 
9858 	if (!i) {
9859 		err = -EINVAL;
9860 		goto out_free;
9861 	}
9862 
9863 	request->n_channels = i;
9864 
9865 	i = 0;
9866 	if (n_ssids) {
9867 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9868 				    tmp) {
9869 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9870 				err = -EINVAL;
9871 				goto out_free;
9872 			}
9873 			request->ssids[i].ssid_len = nla_len(attr);
9874 			memcpy(request->ssids[i].ssid, nla_data(attr),
9875 			       nla_len(attr));
9876 			i++;
9877 		}
9878 	}
9879 
9880 	i = 0;
9881 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9882 		nla_for_each_nested(attr,
9883 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9884 				    tmp) {
9885 			struct nlattr *ssid, *bssid, *rssi;
9886 
9887 			err = nla_parse_nested_deprecated(tb,
9888 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9889 							  attr,
9890 							  nl80211_match_policy,
9891 							  NULL);
9892 			if (err)
9893 				goto out_free;
9894 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9895 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9896 
9897 			if (!ssid && !bssid) {
9898 				i++;
9899 				continue;
9900 			}
9901 
9902 			if (WARN_ON(i >= n_match_sets)) {
9903 				/* this indicates a programming error,
9904 				 * the loop above should have verified
9905 				 * things properly
9906 				 */
9907 				err = -EINVAL;
9908 				goto out_free;
9909 			}
9910 
9911 			if (ssid) {
9912 				memcpy(request->match_sets[i].ssid.ssid,
9913 				       nla_data(ssid), nla_len(ssid));
9914 				request->match_sets[i].ssid.ssid_len =
9915 					nla_len(ssid);
9916 			}
9917 			if (bssid)
9918 				memcpy(request->match_sets[i].bssid,
9919 				       nla_data(bssid), ETH_ALEN);
9920 
9921 			/* special attribute - old implementation w/a */
9922 			request->match_sets[i].rssi_thold = default_match_rssi;
9923 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9924 			if (rssi)
9925 				request->match_sets[i].rssi_thold =
9926 					nla_get_s32(rssi);
9927 			i++;
9928 		}
9929 
9930 		/* there was no other matchset, so the RSSI one is alone */
9931 		if (i == 0 && n_match_sets)
9932 			request->match_sets[0].rssi_thold = default_match_rssi;
9933 
9934 		request->min_rssi_thold = INT_MAX;
9935 		for (i = 0; i < n_match_sets; i++)
9936 			request->min_rssi_thold =
9937 				min(request->match_sets[i].rssi_thold,
9938 				    request->min_rssi_thold);
9939 	} else {
9940 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9941 	}
9942 
9943 	if (ie_len) {
9944 		request->ie_len = ie_len;
9945 		memcpy((void *)request->ie,
9946 		       nla_data(attrs[NL80211_ATTR_IE]),
9947 		       request->ie_len);
9948 	}
9949 
9950 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9951 	if (err)
9952 		goto out_free;
9953 
9954 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9955 		request->delay =
9956 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9957 
9958 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9959 		request->relative_rssi = nla_get_s8(
9960 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9961 		request->relative_rssi_set = true;
9962 	}
9963 
9964 	if (request->relative_rssi_set &&
9965 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9966 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9967 
9968 		rssi_adjust = nla_data(
9969 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9970 		request->rssi_adjust.band = rssi_adjust->band;
9971 		request->rssi_adjust.delta = rssi_adjust->delta;
9972 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9973 			err = -EINVAL;
9974 			goto out_free;
9975 		}
9976 	}
9977 
9978 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9979 	if (err)
9980 		goto out_free;
9981 
9982 	request->scan_start = jiffies;
9983 
9984 	return request;
9985 
9986 out_free:
9987 	kfree(request);
9988 	return ERR_PTR(err);
9989 }
9990 
9991 static int nl80211_start_sched_scan(struct sk_buff *skb,
9992 				    struct genl_info *info)
9993 {
9994 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9995 	struct net_device *dev = info->user_ptr[1];
9996 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9997 	struct cfg80211_sched_scan_request *sched_scan_req;
9998 	bool want_multi;
9999 	int err;
10000 
10001 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10002 		return -EOPNOTSUPP;
10003 
10004 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10005 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10006 	if (err)
10007 		return err;
10008 
10009 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10010 						  info->attrs,
10011 						  rdev->wiphy.max_match_sets);
10012 
10013 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10014 	if (err)
10015 		goto out_err;
10016 
10017 	/* leave request id zero for legacy request
10018 	 * or if driver does not support multi-scheduled scan
10019 	 */
10020 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10021 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10022 
10023 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10024 	if (err)
10025 		goto out_free;
10026 
10027 	sched_scan_req->dev = dev;
10028 	sched_scan_req->wiphy = &rdev->wiphy;
10029 
10030 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10031 		sched_scan_req->owner_nlportid = info->snd_portid;
10032 
10033 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10034 
10035 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10036 	return 0;
10037 
10038 out_free:
10039 	kfree(sched_scan_req);
10040 out_err:
10041 	return err;
10042 }
10043 
10044 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10045 				   struct genl_info *info)
10046 {
10047 	struct cfg80211_sched_scan_request *req;
10048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10049 	u64 cookie;
10050 
10051 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10052 		return -EOPNOTSUPP;
10053 
10054 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10055 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10056 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10057 	}
10058 
10059 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10060 				     struct cfg80211_sched_scan_request,
10061 				     list);
10062 	if (!req || req->reqid ||
10063 	    (req->owner_nlportid &&
10064 	     req->owner_nlportid != info->snd_portid))
10065 		return -ENOENT;
10066 
10067 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10068 }
10069 
10070 static int nl80211_start_radar_detection(struct sk_buff *skb,
10071 					 struct genl_info *info)
10072 {
10073 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10074 	struct net_device *dev = info->user_ptr[1];
10075 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10076 	int link_id = nl80211_link_id(info->attrs);
10077 	struct wiphy *wiphy = wdev->wiphy;
10078 	struct cfg80211_chan_def chandef;
10079 	enum nl80211_dfs_regions dfs_region;
10080 	unsigned int cac_time_ms;
10081 	int err = -EINVAL;
10082 
10083 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10084 
10085 	switch (wdev->iftype) {
10086 	case NL80211_IFTYPE_AP:
10087 	case NL80211_IFTYPE_P2P_GO:
10088 	case NL80211_IFTYPE_MESH_POINT:
10089 	case NL80211_IFTYPE_ADHOC:
10090 		break;
10091 	default:
10092 		/* caution - see cfg80211_beaconing_iface_active() below */
10093 		return -EINVAL;
10094 	}
10095 
10096 	wiphy_lock(wiphy);
10097 
10098 	dfs_region = reg_get_dfs_region(wiphy);
10099 	if (dfs_region == NL80211_DFS_UNSET)
10100 		goto unlock;
10101 
10102 	err = nl80211_parse_chandef(rdev, info, &chandef);
10103 	if (err)
10104 		goto unlock;
10105 
10106 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10107 	if (err < 0)
10108 		goto unlock;
10109 
10110 	if (err == 0) {
10111 		err = -EINVAL;
10112 		goto unlock;
10113 	}
10114 
10115 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
10116 		err = -EINVAL;
10117 		goto unlock;
10118 	}
10119 
10120 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
10121 		err = cfg80211_start_background_radar_detection(rdev, wdev,
10122 								&chandef);
10123 		goto unlock;
10124 	}
10125 
10126 	if (cfg80211_beaconing_iface_active(wdev)) {
10127 		/* During MLO other link(s) can beacon, only the current link
10128 		 * can not already beacon
10129 		 */
10130 		if (wdev->valid_links &&
10131 		    !wdev->links[link_id].ap.beacon_interval) {
10132 			/* nothing */
10133 		} else {
10134 			err = -EBUSY;
10135 			goto unlock;
10136 		}
10137 	}
10138 
10139 	if (wdev->links[link_id].cac_started) {
10140 		err = -EBUSY;
10141 		goto unlock;
10142 	}
10143 
10144 	/* CAC start is offloaded to HW and can't be started manually */
10145 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10146 		err = -EOPNOTSUPP;
10147 		goto unlock;
10148 	}
10149 
10150 	if (!rdev->ops->start_radar_detection) {
10151 		err = -EOPNOTSUPP;
10152 		goto unlock;
10153 	}
10154 
10155 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10156 	if (WARN_ON(!cac_time_ms))
10157 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10158 
10159 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
10160 					 link_id);
10161 	if (!err) {
10162 		switch (wdev->iftype) {
10163 		case NL80211_IFTYPE_AP:
10164 		case NL80211_IFTYPE_P2P_GO:
10165 			wdev->links[0].ap.chandef = chandef;
10166 			break;
10167 		case NL80211_IFTYPE_ADHOC:
10168 			wdev->u.ibss.chandef = chandef;
10169 			break;
10170 		case NL80211_IFTYPE_MESH_POINT:
10171 			wdev->u.mesh.chandef = chandef;
10172 			break;
10173 		default:
10174 			break;
10175 		}
10176 		wdev->links[link_id].cac_started = true;
10177 		wdev->links[link_id].cac_start_time = jiffies;
10178 		wdev->links[link_id].cac_time_ms = cac_time_ms;
10179 	}
10180 unlock:
10181 	wiphy_unlock(wiphy);
10182 
10183 	return err;
10184 }
10185 
10186 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10187 					  struct genl_info *info)
10188 {
10189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10190 	struct net_device *dev = info->user_ptr[1];
10191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10192 	struct wiphy *wiphy = wdev->wiphy;
10193 	struct cfg80211_chan_def chandef;
10194 	enum nl80211_dfs_regions dfs_region;
10195 	int err;
10196 
10197 	dfs_region = reg_get_dfs_region(wiphy);
10198 	if (dfs_region == NL80211_DFS_UNSET) {
10199 		GENL_SET_ERR_MSG(info,
10200 				 "DFS Region is not set. Unexpected Radar indication");
10201 		return -EINVAL;
10202 	}
10203 
10204 	err = nl80211_parse_chandef(rdev, info, &chandef);
10205 	if (err) {
10206 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10207 		return err;
10208 	}
10209 
10210 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10211 	if (err < 0) {
10212 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10213 		return err;
10214 	}
10215 
10216 	if (err == 0) {
10217 		GENL_SET_ERR_MSG(info,
10218 				 "Unexpected Radar indication for chandef/iftype");
10219 		return -EINVAL;
10220 	}
10221 
10222 	/* Do not process this notification if radar is already detected
10223 	 * by kernel on this channel, and return success.
10224 	 */
10225 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10226 		return 0;
10227 
10228 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10229 
10230 	cfg80211_sched_dfs_chan_update(rdev);
10231 
10232 	rdev->radar_chandef = chandef;
10233 
10234 	/* Propagate this notification to other radios as well */
10235 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10236 
10237 	return 0;
10238 }
10239 
10240 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10241 					 const u8 *data, size_t datalen,
10242 					 int first_count, struct nlattr *attr,
10243 					 const u16 **offsets, unsigned int *n_offsets)
10244 {
10245 	int i;
10246 
10247 	*n_offsets = 0;
10248 
10249 	if (!attr)
10250 		return 0;
10251 
10252 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10253 		return -EINVAL;
10254 
10255 	*n_offsets = nla_len(attr) / sizeof(u16);
10256 	if (rdev->wiphy.max_num_csa_counters &&
10257 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10258 		return -EINVAL;
10259 
10260 	*offsets = nla_data(attr);
10261 
10262 	/* sanity checks - counters should fit and be the same */
10263 	for (i = 0; i < *n_offsets; i++) {
10264 		u16 offset = (*offsets)[i];
10265 
10266 		if (offset >= datalen)
10267 			return -EINVAL;
10268 
10269 		if (first_count != -1 && data[offset] != first_count)
10270 			return -EINVAL;
10271 	}
10272 
10273 	return 0;
10274 }
10275 
10276 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10277 {
10278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10279 	unsigned int link_id = nl80211_link_id(info->attrs);
10280 	struct net_device *dev = info->user_ptr[1];
10281 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10282 	struct cfg80211_csa_settings params;
10283 	struct nlattr **csa_attrs = NULL;
10284 	int err;
10285 	bool need_new_beacon = false;
10286 	bool need_handle_dfs_flag = true;
10287 	u32 cs_count;
10288 
10289 	if (!rdev->ops->channel_switch ||
10290 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10291 		return -EOPNOTSUPP;
10292 
10293 	switch (dev->ieee80211_ptr->iftype) {
10294 	case NL80211_IFTYPE_AP:
10295 	case NL80211_IFTYPE_P2P_GO:
10296 		need_new_beacon = true;
10297 		/* For all modes except AP the handle_dfs flag needs to be
10298 		 * supplied to tell the kernel that userspace will handle radar
10299 		 * events when they happen. Otherwise a switch to a channel
10300 		 * requiring DFS will be rejected.
10301 		 */
10302 		need_handle_dfs_flag = false;
10303 
10304 		/* useless if AP is not running */
10305 		if (!wdev->links[link_id].ap.beacon_interval)
10306 			return -ENOTCONN;
10307 		break;
10308 	case NL80211_IFTYPE_ADHOC:
10309 		if (!wdev->u.ibss.ssid_len)
10310 			return -ENOTCONN;
10311 		break;
10312 	case NL80211_IFTYPE_MESH_POINT:
10313 		if (!wdev->u.mesh.id_len)
10314 			return -ENOTCONN;
10315 		break;
10316 	default:
10317 		return -EOPNOTSUPP;
10318 	}
10319 
10320 	memset(&params, 0, sizeof(params));
10321 	params.beacon_csa.ftm_responder = -1;
10322 
10323 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10324 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10325 		return -EINVAL;
10326 
10327 	/* only important for AP, IBSS and mesh create IEs internally */
10328 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10329 		return -EINVAL;
10330 
10331 	/* Even though the attribute is u32, the specification says
10332 	 * u8, so let's make sure we don't overflow.
10333 	 */
10334 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10335 	if (cs_count > 255)
10336 		return -EINVAL;
10337 
10338 	params.count = cs_count;
10339 
10340 	if (!need_new_beacon)
10341 		goto skip_beacons;
10342 
10343 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10344 				   info->extack);
10345 	if (err)
10346 		goto free;
10347 
10348 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10349 			    GFP_KERNEL);
10350 	if (!csa_attrs) {
10351 		err = -ENOMEM;
10352 		goto free;
10353 	}
10354 
10355 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10356 					  info->attrs[NL80211_ATTR_CSA_IES],
10357 					  nl80211_policy, info->extack);
10358 	if (err)
10359 		goto free;
10360 
10361 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10362 				   info->extack);
10363 	if (err)
10364 		goto free;
10365 
10366 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10367 		err = -EINVAL;
10368 		goto free;
10369 	}
10370 
10371 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10372 					    params.beacon_csa.tail_len,
10373 					    params.count,
10374 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10375 					    &params.counter_offsets_beacon,
10376 					    &params.n_counter_offsets_beacon);
10377 	if (err)
10378 		goto free;
10379 
10380 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10381 					    params.beacon_csa.probe_resp_len,
10382 					    params.count,
10383 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10384 					    &params.counter_offsets_presp,
10385 					    &params.n_counter_offsets_presp);
10386 	if (err)
10387 		goto free;
10388 
10389 skip_beacons:
10390 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10391 	if (err)
10392 		goto free;
10393 
10394 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10395 					   wdev->iftype)) {
10396 		err = -EINVAL;
10397 		goto free;
10398 	}
10399 
10400 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10401 					    &params.chandef,
10402 					    wdev->iftype);
10403 	if (err < 0)
10404 		goto free;
10405 
10406 	if (err > 0) {
10407 		params.radar_required = true;
10408 		if (need_handle_dfs_flag &&
10409 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10410 			err = -EINVAL;
10411 			goto free;
10412 		}
10413 	}
10414 
10415 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10416 		params.block_tx = true;
10417 
10418 	params.link_id = link_id;
10419 	err = rdev_channel_switch(rdev, dev, &params);
10420 
10421 free:
10422 	kfree(params.beacon_after.mbssid_ies);
10423 	kfree(params.beacon_csa.mbssid_ies);
10424 	kfree(params.beacon_after.rnr_ies);
10425 	kfree(params.beacon_csa.rnr_ies);
10426 	kfree(csa_attrs);
10427 	return err;
10428 }
10429 
10430 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10431 			    u32 seq, int flags,
10432 			    struct cfg80211_registered_device *rdev,
10433 			    struct wireless_dev *wdev,
10434 			    struct cfg80211_internal_bss *intbss)
10435 {
10436 	struct cfg80211_bss *res = &intbss->pub;
10437 	const struct cfg80211_bss_ies *ies;
10438 	unsigned int link_id;
10439 	void *hdr;
10440 	struct nlattr *bss;
10441 
10442 	lockdep_assert_wiphy(wdev->wiphy);
10443 
10444 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10445 			     NL80211_CMD_NEW_SCAN_RESULTS);
10446 	if (!hdr)
10447 		return -1;
10448 
10449 	genl_dump_check_consistent(cb, hdr);
10450 
10451 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10452 		goto nla_put_failure;
10453 	if (wdev->netdev &&
10454 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10455 		goto nla_put_failure;
10456 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10457 			      NL80211_ATTR_PAD))
10458 		goto nla_put_failure;
10459 
10460 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10461 	if (!bss)
10462 		goto nla_put_failure;
10463 	if ((!is_zero_ether_addr(res->bssid) &&
10464 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10465 		goto nla_put_failure;
10466 
10467 	rcu_read_lock();
10468 	/* indicate whether we have probe response data or not */
10469 	if (rcu_access_pointer(res->proberesp_ies) &&
10470 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10471 		goto fail_unlock_rcu;
10472 
10473 	/* this pointer prefers to be pointed to probe response data
10474 	 * but is always valid
10475 	 */
10476 	ies = rcu_dereference(res->ies);
10477 	if (ies) {
10478 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10479 				      NL80211_BSS_PAD))
10480 			goto fail_unlock_rcu;
10481 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10482 					ies->len, ies->data))
10483 			goto fail_unlock_rcu;
10484 	}
10485 
10486 	/* and this pointer is always (unless driver didn't know) beacon data */
10487 	ies = rcu_dereference(res->beacon_ies);
10488 	if (ies && ies->from_beacon) {
10489 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10490 				      NL80211_BSS_PAD))
10491 			goto fail_unlock_rcu;
10492 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10493 					ies->len, ies->data))
10494 			goto fail_unlock_rcu;
10495 	}
10496 	rcu_read_unlock();
10497 
10498 	if (res->beacon_interval &&
10499 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10500 		goto nla_put_failure;
10501 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10502 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10503 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10504 			res->channel->freq_offset) ||
10505 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10506 			jiffies_to_msecs(jiffies - intbss->ts)))
10507 		goto nla_put_failure;
10508 
10509 	if (intbss->parent_tsf &&
10510 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10511 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10512 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10513 		     intbss->parent_bssid)))
10514 		goto nla_put_failure;
10515 
10516 	if (intbss->ts_boottime &&
10517 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10518 			      intbss->ts_boottime, NL80211_BSS_PAD))
10519 		goto nla_put_failure;
10520 
10521 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10522 				intbss->pub.chain_signal,
10523 				NL80211_BSS_CHAIN_SIGNAL))
10524 		goto nla_put_failure;
10525 
10526 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
10527 		switch (rdev->wiphy.signal_type) {
10528 		case CFG80211_SIGNAL_TYPE_MBM:
10529 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
10530 					res->signal))
10531 				goto nla_put_failure;
10532 			break;
10533 		case CFG80211_SIGNAL_TYPE_UNSPEC:
10534 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
10535 				       res->signal))
10536 				goto nla_put_failure;
10537 			break;
10538 		default:
10539 			break;
10540 		}
10541 	}
10542 
10543 	switch (wdev->iftype) {
10544 	case NL80211_IFTYPE_P2P_CLIENT:
10545 	case NL80211_IFTYPE_STATION:
10546 		for_each_valid_link(wdev, link_id) {
10547 			if (intbss == wdev->links[link_id].client.current_bss &&
10548 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10549 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10550 			     (wdev->valid_links &&
10551 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10552 					  link_id) ||
10553 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10554 				       wdev->u.client.connected_addr)))))
10555 				goto nla_put_failure;
10556 		}
10557 		break;
10558 	case NL80211_IFTYPE_ADHOC:
10559 		if (intbss == wdev->u.ibss.current_bss &&
10560 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10561 				NL80211_BSS_STATUS_IBSS_JOINED))
10562 			goto nla_put_failure;
10563 		break;
10564 	default:
10565 		break;
10566 	}
10567 
10568 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10569 		goto nla_put_failure;
10570 
10571 	if (res->cannot_use_reasons &&
10572 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10573 			      res->cannot_use_reasons,
10574 			      NL80211_BSS_PAD))
10575 		goto nla_put_failure;
10576 
10577 	nla_nest_end(msg, bss);
10578 
10579 	genlmsg_end(msg, hdr);
10580 	return 0;
10581 
10582  fail_unlock_rcu:
10583 	rcu_read_unlock();
10584  nla_put_failure:
10585 	genlmsg_cancel(msg, hdr);
10586 	return -EMSGSIZE;
10587 }
10588 
10589 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10590 {
10591 	struct cfg80211_registered_device *rdev;
10592 	struct cfg80211_internal_bss *scan;
10593 	struct wireless_dev *wdev;
10594 	struct nlattr **attrbuf;
10595 	int start = cb->args[2], idx = 0;
10596 	bool dump_include_use_data;
10597 	int err;
10598 
10599 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10600 	if (!attrbuf)
10601 		return -ENOMEM;
10602 
10603 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10604 	if (err) {
10605 		kfree(attrbuf);
10606 		return err;
10607 	}
10608 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10609 	__acquire(&rdev->wiphy.mtx);
10610 
10611 	dump_include_use_data =
10612 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10613 	kfree(attrbuf);
10614 
10615 	spin_lock_bh(&rdev->bss_lock);
10616 
10617 	/*
10618 	 * dump_scan will be called multiple times to break up the scan results
10619 	 * into multiple messages.  It is unlikely that any more bss-es will be
10620 	 * expired after the first call, so only call only call this on the
10621 	 * first dump_scan invocation.
10622 	 */
10623 	if (start == 0)
10624 		cfg80211_bss_expire(rdev);
10625 
10626 	cb->seq = rdev->bss_generation;
10627 
10628 	list_for_each_entry(scan, &rdev->bss_list, list) {
10629 		if (++idx <= start)
10630 			continue;
10631 		if (!dump_include_use_data &&
10632 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10633 			continue;
10634 		if (nl80211_send_bss(skb, cb,
10635 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10636 				rdev, wdev, scan) < 0) {
10637 			idx--;
10638 			break;
10639 		}
10640 	}
10641 
10642 	spin_unlock_bh(&rdev->bss_lock);
10643 
10644 	cb->args[2] = idx;
10645 	wiphy_unlock(&rdev->wiphy);
10646 
10647 	return skb->len;
10648 }
10649 
10650 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10651 			       int flags, struct net_device *dev,
10652 			       bool allow_radio_stats,
10653 			       struct survey_info *survey)
10654 {
10655 	void *hdr;
10656 	struct nlattr *infoattr;
10657 
10658 	/* skip radio stats if userspace didn't request them */
10659 	if (!survey->channel && !allow_radio_stats)
10660 		return 0;
10661 
10662 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10663 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10664 	if (!hdr)
10665 		return -ENOMEM;
10666 
10667 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10668 		goto nla_put_failure;
10669 
10670 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10671 	if (!infoattr)
10672 		goto nla_put_failure;
10673 
10674 	if (survey->channel &&
10675 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10676 			survey->channel->center_freq))
10677 		goto nla_put_failure;
10678 
10679 	if (survey->channel && survey->channel->freq_offset &&
10680 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10681 			survey->channel->freq_offset))
10682 		goto nla_put_failure;
10683 
10684 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10685 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10686 		goto nla_put_failure;
10687 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10688 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10689 		goto nla_put_failure;
10690 	if ((survey->filled & SURVEY_INFO_TIME) &&
10691 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10692 			survey->time, NL80211_SURVEY_INFO_PAD))
10693 		goto nla_put_failure;
10694 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10695 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10696 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10697 		goto nla_put_failure;
10698 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10699 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10700 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10701 		goto nla_put_failure;
10702 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10703 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10704 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10705 		goto nla_put_failure;
10706 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10707 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10708 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10709 		goto nla_put_failure;
10710 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10711 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10712 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10713 		goto nla_put_failure;
10714 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10715 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10716 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10717 		goto nla_put_failure;
10718 
10719 	nla_nest_end(msg, infoattr);
10720 
10721 	genlmsg_end(msg, hdr);
10722 	return 0;
10723 
10724  nla_put_failure:
10725 	genlmsg_cancel(msg, hdr);
10726 	return -EMSGSIZE;
10727 }
10728 
10729 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10730 {
10731 	struct nlattr **attrbuf;
10732 	struct survey_info survey;
10733 	struct cfg80211_registered_device *rdev;
10734 	struct wireless_dev *wdev;
10735 	int survey_idx = cb->args[2];
10736 	int res;
10737 	bool radio_stats;
10738 
10739 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10740 	if (!attrbuf)
10741 		return -ENOMEM;
10742 
10743 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10744 	if (res) {
10745 		kfree(attrbuf);
10746 		return res;
10747 	}
10748 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10749 	__acquire(&rdev->wiphy.mtx);
10750 
10751 	/* prepare_wdev_dump parsed the attributes */
10752 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10753 
10754 	if (!wdev->netdev) {
10755 		res = -EINVAL;
10756 		goto out_err;
10757 	}
10758 
10759 	if (!rdev->ops->dump_survey) {
10760 		res = -EOPNOTSUPP;
10761 		goto out_err;
10762 	}
10763 
10764 	while (1) {
10765 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10766 		if (res == -ENOENT)
10767 			break;
10768 		if (res)
10769 			goto out_err;
10770 
10771 		/* don't send disabled channels, but do send non-channel data */
10772 		if (survey.channel &&
10773 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10774 			survey_idx++;
10775 			continue;
10776 		}
10777 
10778 		if (nl80211_send_survey(skb,
10779 				NETLINK_CB(cb->skb).portid,
10780 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10781 				wdev->netdev, radio_stats, &survey) < 0)
10782 			goto out;
10783 		survey_idx++;
10784 	}
10785 
10786  out:
10787 	cb->args[2] = survey_idx;
10788 	res = skb->len;
10789  out_err:
10790 	kfree(attrbuf);
10791 	wiphy_unlock(&rdev->wiphy);
10792 	return res;
10793 }
10794 
10795 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10796 {
10797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10798 	struct net_device *dev = info->user_ptr[1];
10799 	struct ieee80211_channel *chan;
10800 	const u8 *bssid, *ssid;
10801 	int err, ssid_len;
10802 	enum nl80211_auth_type auth_type;
10803 	struct key_parse key;
10804 	bool local_state_change;
10805 	struct cfg80211_auth_request req = {};
10806 	u32 freq;
10807 
10808 	if (!info->attrs[NL80211_ATTR_MAC])
10809 		return -EINVAL;
10810 
10811 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10812 		return -EINVAL;
10813 
10814 	if (!info->attrs[NL80211_ATTR_SSID])
10815 		return -EINVAL;
10816 
10817 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10818 		return -EINVAL;
10819 
10820 	err = nl80211_parse_key(info, &key);
10821 	if (err)
10822 		return err;
10823 
10824 	if (key.idx >= 0) {
10825 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10826 			return -EINVAL;
10827 		if (!key.p.key || !key.p.key_len)
10828 			return -EINVAL;
10829 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10830 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10831 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10832 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10833 			return -EINVAL;
10834 		if (key.idx > 3)
10835 			return -EINVAL;
10836 	} else {
10837 		key.p.key_len = 0;
10838 		key.p.key = NULL;
10839 	}
10840 
10841 	if (key.idx >= 0) {
10842 		int i;
10843 		bool ok = false;
10844 
10845 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10846 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10847 				ok = true;
10848 				break;
10849 			}
10850 		}
10851 		if (!ok)
10852 			return -EINVAL;
10853 	}
10854 
10855 	if (!rdev->ops->auth)
10856 		return -EOPNOTSUPP;
10857 
10858 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10859 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10860 		return -EOPNOTSUPP;
10861 
10862 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10863 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10864 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10865 		freq +=
10866 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10867 
10868 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10869 	if (!chan)
10870 		return -EINVAL;
10871 
10872 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10873 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10874 
10875 	if (info->attrs[NL80211_ATTR_IE]) {
10876 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10877 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10878 	}
10879 
10880 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10881 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10882 		return -EINVAL;
10883 
10884 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10885 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10886 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10887 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10888 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10889 		return -EINVAL;
10890 
10891 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10892 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10893 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10894 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10895 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10896 			return -EINVAL;
10897 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10898 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10899 	}
10900 
10901 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10902 
10903 	/*
10904 	 * Since we no longer track auth state, ignore
10905 	 * requests to only change local state.
10906 	 */
10907 	if (local_state_change)
10908 		return 0;
10909 
10910 	req.auth_type = auth_type;
10911 	req.key = key.p.key;
10912 	req.key_len = key.p.key_len;
10913 	req.key_idx = key.idx;
10914 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10915 	if (req.link_id >= 0) {
10916 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10917 			return -EINVAL;
10918 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10919 			return -EINVAL;
10920 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10921 		if (!is_valid_ether_addr(req.ap_mld_addr))
10922 			return -EINVAL;
10923 	}
10924 
10925 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10926 				   IEEE80211_BSS_TYPE_ESS,
10927 				   IEEE80211_PRIVACY_ANY);
10928 	if (!req.bss)
10929 		return -ENOENT;
10930 
10931 	err = cfg80211_mlme_auth(rdev, dev, &req);
10932 
10933 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10934 
10935 	return err;
10936 }
10937 
10938 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10939 				     struct genl_info *info)
10940 {
10941 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10942 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10943 		return -EINVAL;
10944 	}
10945 
10946 	if (!rdev->ops->tx_control_port ||
10947 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10948 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10949 		return -EOPNOTSUPP;
10950 
10951 	return 0;
10952 }
10953 
10954 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10955 				   struct genl_info *info,
10956 				   struct cfg80211_crypto_settings *settings,
10957 				   int cipher_limit)
10958 {
10959 	memset(settings, 0, sizeof(*settings));
10960 
10961 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10962 
10963 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10964 		u16 proto;
10965 
10966 		proto = nla_get_u16(
10967 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10968 		settings->control_port_ethertype = cpu_to_be16(proto);
10969 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10970 		    proto != ETH_P_PAE)
10971 			return -EINVAL;
10972 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10973 			settings->control_port_no_encrypt = true;
10974 	} else
10975 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10976 
10977 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10978 		int r = validate_pae_over_nl80211(rdev, info);
10979 
10980 		if (r < 0)
10981 			return r;
10982 
10983 		settings->control_port_over_nl80211 = true;
10984 
10985 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10986 			settings->control_port_no_preauth = true;
10987 	}
10988 
10989 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10990 		void *data;
10991 		int len, i;
10992 
10993 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10994 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10995 		settings->n_ciphers_pairwise = len / sizeof(u32);
10996 
10997 		if (len % sizeof(u32))
10998 			return -EINVAL;
10999 
11000 		if (settings->n_ciphers_pairwise > cipher_limit)
11001 			return -EINVAL;
11002 
11003 		memcpy(settings->ciphers_pairwise, data, len);
11004 
11005 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
11006 			if (!cfg80211_supported_cipher_suite(
11007 					&rdev->wiphy,
11008 					settings->ciphers_pairwise[i]))
11009 				return -EINVAL;
11010 	}
11011 
11012 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
11013 		settings->cipher_group =
11014 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
11015 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
11016 						     settings->cipher_group))
11017 			return -EINVAL;
11018 	}
11019 
11020 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
11021 		settings->wpa_versions =
11022 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
11023 
11024 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
11025 		void *data;
11026 		int len;
11027 
11028 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
11029 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
11030 		settings->n_akm_suites = len / sizeof(u32);
11031 
11032 		if (len % sizeof(u32))
11033 			return -EINVAL;
11034 
11035 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11036 			return -EINVAL;
11037 
11038 		memcpy(settings->akm_suites, data, len);
11039 	}
11040 
11041 	if (info->attrs[NL80211_ATTR_PMK]) {
11042 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11043 			return -EINVAL;
11044 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11045 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11046 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11047 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11048 			return -EINVAL;
11049 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11050 	}
11051 
11052 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11053 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11054 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11055 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11056 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11057 			return -EINVAL;
11058 		settings->sae_pwd =
11059 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11060 		settings->sae_pwd_len =
11061 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11062 	}
11063 
11064 	if (info->attrs[NL80211_ATTR_SAE_PWE])
11065 		settings->sae_pwe =
11066 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
11067 	else
11068 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
11069 
11070 	return 0;
11071 }
11072 
11073 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11074 					      const u8 *ssid, int ssid_len,
11075 					      struct nlattr **attrs,
11076 					      int assoc_link_id, int link_id)
11077 {
11078 	struct ieee80211_channel *chan;
11079 	struct cfg80211_bss *bss;
11080 	const u8 *bssid;
11081 	u32 freq, use_for = 0;
11082 
11083 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11084 		return ERR_PTR(-EINVAL);
11085 
11086 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11087 
11088 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11089 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11090 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11091 
11092 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11093 	if (!chan)
11094 		return ERR_PTR(-EINVAL);
11095 
11096 	if (assoc_link_id >= 0)
11097 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11098 	if (assoc_link_id == link_id)
11099 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11100 
11101 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11102 				 ssid, ssid_len,
11103 				 IEEE80211_BSS_TYPE_ESS,
11104 				 IEEE80211_PRIVACY_ANY,
11105 				 use_for);
11106 	if (!bss)
11107 		return ERR_PTR(-ENOENT);
11108 
11109 	return bss;
11110 }
11111 
11112 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11113 {
11114 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11115 	struct net_device *dev = info->user_ptr[1];
11116 	struct cfg80211_assoc_request req = {};
11117 	struct nlattr **attrs = NULL;
11118 	const u8 *ap_addr, *ssid;
11119 	unsigned int link_id;
11120 	int err, ssid_len;
11121 
11122 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11123 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11124 		return -EPERM;
11125 
11126 	if (!info->attrs[NL80211_ATTR_SSID])
11127 		return -EINVAL;
11128 
11129 	if (!rdev->ops->assoc)
11130 		return -EOPNOTSUPP;
11131 
11132 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11133 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11134 		return -EOPNOTSUPP;
11135 
11136 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11137 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11138 
11139 	if (info->attrs[NL80211_ATTR_IE]) {
11140 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11141 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11142 
11143 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11144 					   req.ie, req.ie_len)) {
11145 			NL_SET_ERR_MSG_ATTR(info->extack,
11146 					    info->attrs[NL80211_ATTR_IE],
11147 					    "non-inheritance makes no sense");
11148 			return -EINVAL;
11149 		}
11150 	}
11151 
11152 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11153 		enum nl80211_mfp mfp =
11154 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11155 		if (mfp == NL80211_MFP_REQUIRED)
11156 			req.use_mfp = true;
11157 		else if (mfp != NL80211_MFP_NO)
11158 			return -EINVAL;
11159 	}
11160 
11161 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11162 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11163 
11164 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11165 		req.flags |= ASSOC_REQ_DISABLE_HT;
11166 
11167 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11168 		memcpy(&req.ht_capa_mask,
11169 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11170 		       sizeof(req.ht_capa_mask));
11171 
11172 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11173 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11174 			return -EINVAL;
11175 		memcpy(&req.ht_capa,
11176 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11177 		       sizeof(req.ht_capa));
11178 	}
11179 
11180 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11181 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11182 
11183 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11184 		req.flags |= ASSOC_REQ_DISABLE_HE;
11185 
11186 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11187 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11188 
11189 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11190 		memcpy(&req.vht_capa_mask,
11191 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11192 		       sizeof(req.vht_capa_mask));
11193 
11194 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11195 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11196 			return -EINVAL;
11197 		memcpy(&req.vht_capa,
11198 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11199 		       sizeof(req.vht_capa));
11200 	}
11201 
11202 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11203 		if (!((rdev->wiphy.features &
11204 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11205 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11206 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11207 					     NL80211_EXT_FEATURE_RRM))
11208 			return -EINVAL;
11209 		req.flags |= ASSOC_REQ_USE_RRM;
11210 	}
11211 
11212 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11213 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11214 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11215 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11216 			return -EINVAL;
11217 		req.fils_nonces =
11218 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11219 	}
11220 
11221 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11222 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11223 			return -EINVAL;
11224 		memcpy(&req.s1g_capa_mask,
11225 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11226 		       sizeof(req.s1g_capa_mask));
11227 	}
11228 
11229 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11230 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11231 			return -EINVAL;
11232 		memcpy(&req.s1g_capa,
11233 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11234 		       sizeof(req.s1g_capa));
11235 	}
11236 
11237 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11238 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11239 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11240 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11241 			return -EINVAL;
11242 		}
11243 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11244 	}
11245 
11246 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11247 
11248 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11249 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11250 		struct nlattr *link;
11251 		int rem = 0;
11252 
11253 		if (req.link_id < 0)
11254 			return -EINVAL;
11255 
11256 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11257 			return -EINVAL;
11258 
11259 		if (info->attrs[NL80211_ATTR_MAC] ||
11260 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11261 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11262 			return -EINVAL;
11263 
11264 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11265 		ap_addr = req.ap_mld_addr;
11266 
11267 		attrs = kzalloc(attrsize, GFP_KERNEL);
11268 		if (!attrs)
11269 			return -ENOMEM;
11270 
11271 		nla_for_each_nested(link,
11272 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11273 				    rem) {
11274 			memset(attrs, 0, attrsize);
11275 
11276 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11277 					 link, NULL, NULL);
11278 
11279 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11280 				err = -EINVAL;
11281 				NL_SET_BAD_ATTR(info->extack, link);
11282 				goto free;
11283 			}
11284 
11285 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11286 			/* cannot use the same link ID again */
11287 			if (req.links[link_id].bss) {
11288 				err = -EINVAL;
11289 				NL_SET_BAD_ATTR(info->extack, link);
11290 				goto free;
11291 			}
11292 			req.links[link_id].bss =
11293 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11294 						  req.link_id, link_id);
11295 			if (IS_ERR(req.links[link_id].bss)) {
11296 				err = PTR_ERR(req.links[link_id].bss);
11297 				req.links[link_id].bss = NULL;
11298 				NL_SET_ERR_MSG_ATTR(info->extack,
11299 						    link, "Error fetching BSS for link");
11300 				goto free;
11301 			}
11302 
11303 			if (attrs[NL80211_ATTR_IE]) {
11304 				req.links[link_id].elems =
11305 					nla_data(attrs[NL80211_ATTR_IE]);
11306 				req.links[link_id].elems_len =
11307 					nla_len(attrs[NL80211_ATTR_IE]);
11308 
11309 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11310 						       req.links[link_id].elems,
11311 						       req.links[link_id].elems_len)) {
11312 					NL_SET_ERR_MSG_ATTR(info->extack,
11313 							    attrs[NL80211_ATTR_IE],
11314 							    "cannot deal with fragmentation");
11315 					err = -EINVAL;
11316 					goto free;
11317 				}
11318 
11319 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11320 							   req.links[link_id].elems,
11321 							   req.links[link_id].elems_len)) {
11322 					NL_SET_ERR_MSG_ATTR(info->extack,
11323 							    attrs[NL80211_ATTR_IE],
11324 							    "cannot deal with non-inheritance");
11325 					err = -EINVAL;
11326 					goto free;
11327 				}
11328 			}
11329 
11330 			req.links[link_id].disabled =
11331 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11332 		}
11333 
11334 		if (!req.links[req.link_id].bss) {
11335 			err = -EINVAL;
11336 			goto free;
11337 		}
11338 
11339 		if (req.links[req.link_id].elems_len) {
11340 			GENL_SET_ERR_MSG(info,
11341 					 "cannot have per-link elems on assoc link");
11342 			err = -EINVAL;
11343 			goto free;
11344 		}
11345 
11346 		if (req.links[req.link_id].disabled) {
11347 			GENL_SET_ERR_MSG(info,
11348 					 "cannot have assoc link disabled");
11349 			err = -EINVAL;
11350 			goto free;
11351 		}
11352 
11353 		kfree(attrs);
11354 		attrs = NULL;
11355 	} else {
11356 		if (req.link_id >= 0)
11357 			return -EINVAL;
11358 
11359 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11360 					    -1, -1);
11361 		if (IS_ERR(req.bss))
11362 			return PTR_ERR(req.bss);
11363 		ap_addr = req.bss->bssid;
11364 	}
11365 
11366 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11367 	if (!err) {
11368 		struct nlattr *link;
11369 		int rem = 0;
11370 
11371 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11372 					  info->extack);
11373 
11374 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11375 			dev->ieee80211_ptr->conn_owner_nlportid =
11376 				info->snd_portid;
11377 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11378 			       ap_addr, ETH_ALEN);
11379 		}
11380 
11381 		/* Report error from first problematic link */
11382 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11383 			nla_for_each_nested(link,
11384 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11385 					    rem) {
11386 				struct nlattr *link_id_attr =
11387 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11388 
11389 				if (!link_id_attr)
11390 					continue;
11391 
11392 				link_id = nla_get_u8(link_id_attr);
11393 
11394 				if (link_id == req.link_id)
11395 					continue;
11396 
11397 				if (!req.links[link_id].error ||
11398 				    WARN_ON(req.links[link_id].error > 0))
11399 					continue;
11400 
11401 				WARN_ON(err >= 0);
11402 
11403 				NL_SET_BAD_ATTR(info->extack, link);
11404 				err = req.links[link_id].error;
11405 				break;
11406 			}
11407 		}
11408 	}
11409 
11410 free:
11411 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11412 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11413 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11414 	kfree(attrs);
11415 
11416 	return err;
11417 }
11418 
11419 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11420 {
11421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11422 	struct net_device *dev = info->user_ptr[1];
11423 	const u8 *ie = NULL, *bssid;
11424 	int ie_len = 0;
11425 	u16 reason_code;
11426 	bool local_state_change;
11427 
11428 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11429 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11430 		return -EPERM;
11431 
11432 	if (!info->attrs[NL80211_ATTR_MAC])
11433 		return -EINVAL;
11434 
11435 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11436 		return -EINVAL;
11437 
11438 	if (!rdev->ops->deauth)
11439 		return -EOPNOTSUPP;
11440 
11441 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11442 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11443 		return -EOPNOTSUPP;
11444 
11445 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11446 
11447 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11448 	if (reason_code == 0) {
11449 		/* Reason Code 0 is reserved */
11450 		return -EINVAL;
11451 	}
11452 
11453 	if (info->attrs[NL80211_ATTR_IE]) {
11454 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11455 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11456 	}
11457 
11458 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11459 
11460 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11461 				    local_state_change);
11462 }
11463 
11464 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11465 {
11466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11467 	struct net_device *dev = info->user_ptr[1];
11468 	const u8 *ie = NULL, *bssid;
11469 	int ie_len = 0;
11470 	u16 reason_code;
11471 	bool local_state_change;
11472 
11473 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11474 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11475 		return -EPERM;
11476 
11477 	if (!info->attrs[NL80211_ATTR_MAC])
11478 		return -EINVAL;
11479 
11480 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11481 		return -EINVAL;
11482 
11483 	if (!rdev->ops->disassoc)
11484 		return -EOPNOTSUPP;
11485 
11486 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11487 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11488 		return -EOPNOTSUPP;
11489 
11490 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11491 
11492 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11493 	if (reason_code == 0) {
11494 		/* Reason Code 0 is reserved */
11495 		return -EINVAL;
11496 	}
11497 
11498 	if (info->attrs[NL80211_ATTR_IE]) {
11499 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11500 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11501 	}
11502 
11503 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11504 
11505 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11506 				      local_state_change);
11507 }
11508 
11509 static bool
11510 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11511 			 int mcast_rate[NUM_NL80211_BANDS],
11512 			 int rateval)
11513 {
11514 	struct wiphy *wiphy = &rdev->wiphy;
11515 	bool found = false;
11516 	int band, i;
11517 
11518 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11519 		struct ieee80211_supported_band *sband;
11520 
11521 		sband = wiphy->bands[band];
11522 		if (!sband)
11523 			continue;
11524 
11525 		for (i = 0; i < sband->n_bitrates; i++) {
11526 			if (sband->bitrates[i].bitrate == rateval) {
11527 				mcast_rate[band] = i + 1;
11528 				found = true;
11529 				break;
11530 			}
11531 		}
11532 	}
11533 
11534 	return found;
11535 }
11536 
11537 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11538 {
11539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11540 	struct net_device *dev = info->user_ptr[1];
11541 	struct cfg80211_ibss_params ibss;
11542 	struct wiphy *wiphy;
11543 	struct cfg80211_cached_keys *connkeys = NULL;
11544 	int err;
11545 
11546 	memset(&ibss, 0, sizeof(ibss));
11547 
11548 	if (!info->attrs[NL80211_ATTR_SSID] ||
11549 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11550 		return -EINVAL;
11551 
11552 	ibss.beacon_interval = 100;
11553 
11554 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11555 		ibss.beacon_interval =
11556 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11557 
11558 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11559 					   ibss.beacon_interval);
11560 	if (err)
11561 		return err;
11562 
11563 	if (!rdev->ops->join_ibss)
11564 		return -EOPNOTSUPP;
11565 
11566 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11567 		return -EOPNOTSUPP;
11568 
11569 	wiphy = &rdev->wiphy;
11570 
11571 	if (info->attrs[NL80211_ATTR_MAC]) {
11572 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11573 
11574 		if (!is_valid_ether_addr(ibss.bssid))
11575 			return -EINVAL;
11576 	}
11577 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11578 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11579 
11580 	if (info->attrs[NL80211_ATTR_IE]) {
11581 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11582 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11583 	}
11584 
11585 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11586 	if (err)
11587 		return err;
11588 
11589 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11590 				     NL80211_IFTYPE_ADHOC))
11591 		return -EINVAL;
11592 
11593 	switch (ibss.chandef.width) {
11594 	case NL80211_CHAN_WIDTH_5:
11595 	case NL80211_CHAN_WIDTH_10:
11596 	case NL80211_CHAN_WIDTH_20_NOHT:
11597 		break;
11598 	case NL80211_CHAN_WIDTH_20:
11599 	case NL80211_CHAN_WIDTH_40:
11600 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11601 			return -EINVAL;
11602 		break;
11603 	case NL80211_CHAN_WIDTH_80:
11604 	case NL80211_CHAN_WIDTH_80P80:
11605 	case NL80211_CHAN_WIDTH_160:
11606 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11607 			return -EINVAL;
11608 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11609 					     NL80211_EXT_FEATURE_VHT_IBSS))
11610 			return -EINVAL;
11611 		break;
11612 	case NL80211_CHAN_WIDTH_320:
11613 		return -EINVAL;
11614 	default:
11615 		return -EINVAL;
11616 	}
11617 
11618 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11619 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11620 
11621 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11622 		u8 *rates =
11623 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11624 		int n_rates =
11625 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11626 		struct ieee80211_supported_band *sband =
11627 			wiphy->bands[ibss.chandef.chan->band];
11628 
11629 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11630 					     &ibss.basic_rates);
11631 		if (err)
11632 			return err;
11633 	}
11634 
11635 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11636 		memcpy(&ibss.ht_capa_mask,
11637 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11638 		       sizeof(ibss.ht_capa_mask));
11639 
11640 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11641 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11642 			return -EINVAL;
11643 		memcpy(&ibss.ht_capa,
11644 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11645 		       sizeof(ibss.ht_capa));
11646 	}
11647 
11648 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11649 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11650 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11651 		return -EINVAL;
11652 
11653 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11654 		bool no_ht = false;
11655 
11656 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11657 		if (IS_ERR(connkeys))
11658 			return PTR_ERR(connkeys);
11659 
11660 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11661 		    no_ht) {
11662 			kfree_sensitive(connkeys);
11663 			return -EINVAL;
11664 		}
11665 	}
11666 
11667 	ibss.control_port =
11668 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11669 
11670 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11671 		int r = validate_pae_over_nl80211(rdev, info);
11672 
11673 		if (r < 0) {
11674 			kfree_sensitive(connkeys);
11675 			return r;
11676 		}
11677 
11678 		ibss.control_port_over_nl80211 = true;
11679 	}
11680 
11681 	ibss.userspace_handles_dfs =
11682 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11683 
11684 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11685 	if (err)
11686 		kfree_sensitive(connkeys);
11687 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11688 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11689 
11690 	return err;
11691 }
11692 
11693 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11694 {
11695 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11696 	struct net_device *dev = info->user_ptr[1];
11697 
11698 	if (!rdev->ops->leave_ibss)
11699 		return -EOPNOTSUPP;
11700 
11701 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11702 		return -EOPNOTSUPP;
11703 
11704 	return cfg80211_leave_ibss(rdev, dev, false);
11705 }
11706 
11707 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11708 {
11709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11710 	struct net_device *dev = info->user_ptr[1];
11711 	int mcast_rate[NUM_NL80211_BANDS];
11712 	u32 nla_rate;
11713 
11714 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11715 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11716 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11717 		return -EOPNOTSUPP;
11718 
11719 	if (!rdev->ops->set_mcast_rate)
11720 		return -EOPNOTSUPP;
11721 
11722 	memset(mcast_rate, 0, sizeof(mcast_rate));
11723 
11724 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11725 		return -EINVAL;
11726 
11727 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11728 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11729 		return -EINVAL;
11730 
11731 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11732 }
11733 
11734 static struct sk_buff *
11735 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11736 			    struct wireless_dev *wdev, int approxlen,
11737 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11738 			    enum nl80211_attrs attr,
11739 			    const struct nl80211_vendor_cmd_info *info,
11740 			    gfp_t gfp)
11741 {
11742 	struct sk_buff *skb;
11743 	void *hdr;
11744 	struct nlattr *data;
11745 
11746 	skb = nlmsg_new(approxlen + 100, gfp);
11747 	if (!skb)
11748 		return NULL;
11749 
11750 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11751 	if (!hdr) {
11752 		kfree_skb(skb);
11753 		return NULL;
11754 	}
11755 
11756 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11757 		goto nla_put_failure;
11758 
11759 	if (info) {
11760 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11761 				info->vendor_id))
11762 			goto nla_put_failure;
11763 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11764 				info->subcmd))
11765 			goto nla_put_failure;
11766 	}
11767 
11768 	if (wdev) {
11769 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11770 				      wdev_id(wdev), NL80211_ATTR_PAD))
11771 			goto nla_put_failure;
11772 		if (wdev->netdev &&
11773 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11774 				wdev->netdev->ifindex))
11775 			goto nla_put_failure;
11776 	}
11777 
11778 	data = nla_nest_start_noflag(skb, attr);
11779 	if (!data)
11780 		goto nla_put_failure;
11781 
11782 	((void **)skb->cb)[0] = rdev;
11783 	((void **)skb->cb)[1] = hdr;
11784 	((void **)skb->cb)[2] = data;
11785 
11786 	return skb;
11787 
11788  nla_put_failure:
11789 	kfree_skb(skb);
11790 	return NULL;
11791 }
11792 
11793 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11794 					   struct wireless_dev *wdev,
11795 					   enum nl80211_commands cmd,
11796 					   enum nl80211_attrs attr,
11797 					   unsigned int portid,
11798 					   int vendor_event_idx,
11799 					   int approxlen, gfp_t gfp)
11800 {
11801 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11802 	const struct nl80211_vendor_cmd_info *info;
11803 
11804 	switch (cmd) {
11805 	case NL80211_CMD_TESTMODE:
11806 		if (WARN_ON(vendor_event_idx != -1))
11807 			return NULL;
11808 		info = NULL;
11809 		break;
11810 	case NL80211_CMD_VENDOR:
11811 		if (WARN_ON(vendor_event_idx < 0 ||
11812 			    vendor_event_idx >= wiphy->n_vendor_events))
11813 			return NULL;
11814 		info = &wiphy->vendor_events[vendor_event_idx];
11815 		break;
11816 	default:
11817 		WARN_ON(1);
11818 		return NULL;
11819 	}
11820 
11821 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11822 					   cmd, attr, info, gfp);
11823 }
11824 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11825 
11826 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11827 {
11828 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11829 	void *hdr = ((void **)skb->cb)[1];
11830 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11831 	struct nlattr *data = ((void **)skb->cb)[2];
11832 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11833 
11834 	/* clear CB data for netlink core to own from now on */
11835 	memset(skb->cb, 0, sizeof(skb->cb));
11836 
11837 	nla_nest_end(skb, data);
11838 	genlmsg_end(skb, hdr);
11839 
11840 	if (nlhdr->nlmsg_pid) {
11841 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11842 				nlhdr->nlmsg_pid);
11843 	} else {
11844 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11845 			mcgrp = NL80211_MCGRP_VENDOR;
11846 
11847 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11848 					skb, 0, mcgrp, gfp);
11849 	}
11850 }
11851 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11852 
11853 #ifdef CONFIG_NL80211_TESTMODE
11854 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11855 {
11856 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11857 	struct wireless_dev *wdev;
11858 	int err;
11859 
11860 	lockdep_assert_held(&rdev->wiphy.mtx);
11861 
11862 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11863 					  info->attrs);
11864 
11865 	if (!rdev->ops->testmode_cmd)
11866 		return -EOPNOTSUPP;
11867 
11868 	if (IS_ERR(wdev)) {
11869 		err = PTR_ERR(wdev);
11870 		if (err != -EINVAL)
11871 			return err;
11872 		wdev = NULL;
11873 	} else if (wdev->wiphy != &rdev->wiphy) {
11874 		return -EINVAL;
11875 	}
11876 
11877 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11878 		return -EINVAL;
11879 
11880 	rdev->cur_cmd_info = info;
11881 	err = rdev_testmode_cmd(rdev, wdev,
11882 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11883 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11884 	rdev->cur_cmd_info = NULL;
11885 
11886 	return err;
11887 }
11888 
11889 static int nl80211_testmode_dump(struct sk_buff *skb,
11890 				 struct netlink_callback *cb)
11891 {
11892 	struct cfg80211_registered_device *rdev;
11893 	struct nlattr **attrbuf = NULL;
11894 	int err;
11895 	long phy_idx;
11896 	void *data = NULL;
11897 	int data_len = 0;
11898 
11899 	rtnl_lock();
11900 
11901 	if (cb->args[0]) {
11902 		/*
11903 		 * 0 is a valid index, but not valid for args[0],
11904 		 * so we need to offset by 1.
11905 		 */
11906 		phy_idx = cb->args[0] - 1;
11907 
11908 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11909 		if (!rdev) {
11910 			err = -ENOENT;
11911 			goto out_err;
11912 		}
11913 	} else {
11914 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11915 				  GFP_KERNEL);
11916 		if (!attrbuf) {
11917 			err = -ENOMEM;
11918 			goto out_err;
11919 		}
11920 
11921 		err = nlmsg_parse_deprecated(cb->nlh,
11922 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11923 					     attrbuf, nl80211_fam.maxattr,
11924 					     nl80211_policy, NULL);
11925 		if (err)
11926 			goto out_err;
11927 
11928 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11929 		if (IS_ERR(rdev)) {
11930 			err = PTR_ERR(rdev);
11931 			goto out_err;
11932 		}
11933 		phy_idx = rdev->wiphy_idx;
11934 
11935 		if (attrbuf[NL80211_ATTR_TESTDATA])
11936 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11937 	}
11938 
11939 	if (cb->args[1]) {
11940 		data = nla_data((void *)cb->args[1]);
11941 		data_len = nla_len((void *)cb->args[1]);
11942 	}
11943 
11944 	if (!rdev->ops->testmode_dump) {
11945 		err = -EOPNOTSUPP;
11946 		goto out_err;
11947 	}
11948 
11949 	while (1) {
11950 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11951 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11952 					   NL80211_CMD_TESTMODE);
11953 		struct nlattr *tmdata;
11954 
11955 		if (!hdr)
11956 			break;
11957 
11958 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11959 			genlmsg_cancel(skb, hdr);
11960 			break;
11961 		}
11962 
11963 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11964 		if (!tmdata) {
11965 			genlmsg_cancel(skb, hdr);
11966 			break;
11967 		}
11968 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11969 		nla_nest_end(skb, tmdata);
11970 
11971 		if (err == -ENOBUFS || err == -ENOENT) {
11972 			genlmsg_cancel(skb, hdr);
11973 			break;
11974 		} else if (err) {
11975 			genlmsg_cancel(skb, hdr);
11976 			goto out_err;
11977 		}
11978 
11979 		genlmsg_end(skb, hdr);
11980 	}
11981 
11982 	err = skb->len;
11983 	/* see above */
11984 	cb->args[0] = phy_idx + 1;
11985  out_err:
11986 	kfree(attrbuf);
11987 	rtnl_unlock();
11988 	return err;
11989 }
11990 #endif
11991 
11992 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11993 {
11994 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11995 	struct net_device *dev = info->user_ptr[1];
11996 	struct cfg80211_connect_params connect;
11997 	struct wiphy *wiphy;
11998 	struct cfg80211_cached_keys *connkeys = NULL;
11999 	u32 freq = 0;
12000 	int err;
12001 
12002 	memset(&connect, 0, sizeof(connect));
12003 
12004 	if (!info->attrs[NL80211_ATTR_SSID] ||
12005 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12006 		return -EINVAL;
12007 
12008 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12009 		connect.auth_type =
12010 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12011 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
12012 					     NL80211_CMD_CONNECT))
12013 			return -EINVAL;
12014 	} else
12015 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
12016 
12017 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
12018 
12019 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
12020 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12021 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12022 		return -EINVAL;
12023 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
12024 
12025 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
12026 				      NL80211_MAX_NR_CIPHER_SUITES);
12027 	if (err)
12028 		return err;
12029 
12030 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12031 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12032 		return -EOPNOTSUPP;
12033 
12034 	wiphy = &rdev->wiphy;
12035 
12036 	connect.bg_scan_period = -1;
12037 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12038 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12039 		connect.bg_scan_period =
12040 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12041 	}
12042 
12043 	if (info->attrs[NL80211_ATTR_MAC])
12044 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12045 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12046 		connect.bssid_hint =
12047 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12048 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12049 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12050 
12051 	if (info->attrs[NL80211_ATTR_IE]) {
12052 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12053 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12054 	}
12055 
12056 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12057 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12058 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12059 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12060 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12061 			return -EOPNOTSUPP;
12062 	} else {
12063 		connect.mfp = NL80211_MFP_NO;
12064 	}
12065 
12066 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12067 		connect.prev_bssid =
12068 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12069 
12070 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12071 		freq = MHZ_TO_KHZ(nla_get_u32(
12072 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12073 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12074 		freq +=
12075 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12076 
12077 	if (freq) {
12078 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12079 		if (!connect.channel)
12080 			return -EINVAL;
12081 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12082 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12083 		freq = MHZ_TO_KHZ(freq);
12084 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12085 		if (!connect.channel_hint)
12086 			return -EINVAL;
12087 	}
12088 
12089 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12090 		connect.edmg.channels =
12091 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12092 
12093 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12094 			connect.edmg.bw_config =
12095 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12096 	}
12097 
12098 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12099 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12100 		if (IS_ERR(connkeys))
12101 			return PTR_ERR(connkeys);
12102 	}
12103 
12104 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12105 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12106 
12107 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12108 		memcpy(&connect.ht_capa_mask,
12109 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12110 		       sizeof(connect.ht_capa_mask));
12111 
12112 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12113 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12114 			kfree_sensitive(connkeys);
12115 			return -EINVAL;
12116 		}
12117 		memcpy(&connect.ht_capa,
12118 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12119 		       sizeof(connect.ht_capa));
12120 	}
12121 
12122 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12123 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12124 
12125 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12126 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12127 
12128 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12129 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12130 
12131 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12132 		memcpy(&connect.vht_capa_mask,
12133 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12134 		       sizeof(connect.vht_capa_mask));
12135 
12136 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12137 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12138 			kfree_sensitive(connkeys);
12139 			return -EINVAL;
12140 		}
12141 		memcpy(&connect.vht_capa,
12142 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12143 		       sizeof(connect.vht_capa));
12144 	}
12145 
12146 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12147 		if (!((rdev->wiphy.features &
12148 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12149 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12150 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12151 					     NL80211_EXT_FEATURE_RRM)) {
12152 			kfree_sensitive(connkeys);
12153 			return -EINVAL;
12154 		}
12155 		connect.flags |= ASSOC_REQ_USE_RRM;
12156 	}
12157 
12158 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12159 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12160 		kfree_sensitive(connkeys);
12161 		return -EOPNOTSUPP;
12162 	}
12163 
12164 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12165 		/* bss selection makes no sense if bssid is set */
12166 		if (connect.bssid) {
12167 			kfree_sensitive(connkeys);
12168 			return -EINVAL;
12169 		}
12170 
12171 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12172 				       wiphy, &connect.bss_select);
12173 		if (err) {
12174 			kfree_sensitive(connkeys);
12175 			return err;
12176 		}
12177 	}
12178 
12179 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12180 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12181 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12182 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12183 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12184 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12185 		connect.fils_erp_username =
12186 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12187 		connect.fils_erp_username_len =
12188 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12189 		connect.fils_erp_realm =
12190 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12191 		connect.fils_erp_realm_len =
12192 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12193 		connect.fils_erp_next_seq_num =
12194 			nla_get_u16(
12195 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12196 		connect.fils_erp_rrk =
12197 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12198 		connect.fils_erp_rrk_len =
12199 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12200 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12201 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12202 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12203 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12204 		kfree_sensitive(connkeys);
12205 		return -EINVAL;
12206 	}
12207 
12208 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12209 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12210 			kfree_sensitive(connkeys);
12211 			GENL_SET_ERR_MSG(info,
12212 					 "external auth requires connection ownership");
12213 			return -EINVAL;
12214 		}
12215 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12216 	}
12217 
12218 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12219 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12220 
12221 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12222 			       connect.prev_bssid);
12223 	if (err)
12224 		kfree_sensitive(connkeys);
12225 
12226 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12227 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12228 		if (connect.bssid)
12229 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12230 			       connect.bssid, ETH_ALEN);
12231 		else
12232 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12233 	}
12234 
12235 	return err;
12236 }
12237 
12238 static int nl80211_update_connect_params(struct sk_buff *skb,
12239 					 struct genl_info *info)
12240 {
12241 	struct cfg80211_connect_params connect = {};
12242 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12243 	struct net_device *dev = info->user_ptr[1];
12244 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12245 	bool fils_sk_offload;
12246 	u32 auth_type;
12247 	u32 changed = 0;
12248 
12249 	if (!rdev->ops->update_connect_params)
12250 		return -EOPNOTSUPP;
12251 
12252 	if (info->attrs[NL80211_ATTR_IE]) {
12253 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12254 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12255 		changed |= UPDATE_ASSOC_IES;
12256 	}
12257 
12258 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12259 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12260 
12261 	/*
12262 	 * when driver supports fils-sk offload all attributes must be
12263 	 * provided. So the else covers "fils-sk-not-all" and
12264 	 * "no-fils-sk-any".
12265 	 */
12266 	if (fils_sk_offload &&
12267 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12268 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12269 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12270 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12271 		connect.fils_erp_username =
12272 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12273 		connect.fils_erp_username_len =
12274 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12275 		connect.fils_erp_realm =
12276 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12277 		connect.fils_erp_realm_len =
12278 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12279 		connect.fils_erp_next_seq_num =
12280 			nla_get_u16(
12281 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12282 		connect.fils_erp_rrk =
12283 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12284 		connect.fils_erp_rrk_len =
12285 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12286 		changed |= UPDATE_FILS_ERP_INFO;
12287 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12288 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12289 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12290 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12291 		return -EINVAL;
12292 	}
12293 
12294 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12295 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12296 		if (!nl80211_valid_auth_type(rdev, auth_type,
12297 					     NL80211_CMD_CONNECT))
12298 			return -EINVAL;
12299 
12300 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12301 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12302 			return -EINVAL;
12303 
12304 		connect.auth_type = auth_type;
12305 		changed |= UPDATE_AUTH_TYPE;
12306 	}
12307 
12308 	if (!wdev->connected)
12309 		return -ENOLINK;
12310 
12311 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12312 }
12313 
12314 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12315 {
12316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12317 	struct net_device *dev = info->user_ptr[1];
12318 	u16 reason;
12319 
12320 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12321 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12322 		return -EPERM;
12323 
12324 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12325 		reason = WLAN_REASON_DEAUTH_LEAVING;
12326 	else
12327 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12328 
12329 	if (reason == 0)
12330 		return -EINVAL;
12331 
12332 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12333 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12334 		return -EOPNOTSUPP;
12335 
12336 	return cfg80211_disconnect(rdev, dev, reason, true);
12337 }
12338 
12339 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12340 {
12341 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12342 	struct net *net;
12343 	int err;
12344 
12345 	if (info->attrs[NL80211_ATTR_PID]) {
12346 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12347 
12348 		net = get_net_ns_by_pid(pid);
12349 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12350 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12351 
12352 		net = get_net_ns_by_fd(fd);
12353 	} else {
12354 		return -EINVAL;
12355 	}
12356 
12357 	if (IS_ERR(net))
12358 		return PTR_ERR(net);
12359 
12360 	err = 0;
12361 
12362 	/* check if anything to do */
12363 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12364 		err = cfg80211_switch_netns(rdev, net);
12365 
12366 	put_net(net);
12367 	return err;
12368 }
12369 
12370 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12371 {
12372 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12373 	struct net_device *dev = info->user_ptr[1];
12374 	struct cfg80211_pmksa pmksa;
12375 	bool ap_pmksa_caching_support = false;
12376 
12377 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12378 
12379 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12380 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12381 
12382 	if (!info->attrs[NL80211_ATTR_PMKID])
12383 		return -EINVAL;
12384 
12385 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12386 
12387 	if (info->attrs[NL80211_ATTR_MAC]) {
12388 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12389 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12390 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12391 	           info->attrs[NL80211_ATTR_PMK]) {
12392 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12393 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12394 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12395 	} else {
12396 		return -EINVAL;
12397 	}
12398 
12399 	if (info->attrs[NL80211_ATTR_PMK]) {
12400 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12401 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12402 	}
12403 
12404 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12405 		pmksa.pmk_lifetime =
12406 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12407 
12408 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12409 		pmksa.pmk_reauth_threshold =
12410 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12411 
12412 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12413 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12414 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12415 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12416 	       ap_pmksa_caching_support))
12417 		return -EOPNOTSUPP;
12418 
12419 	if (!rdev->ops->set_pmksa)
12420 		return -EOPNOTSUPP;
12421 
12422 	return rdev_set_pmksa(rdev, dev, &pmksa);
12423 }
12424 
12425 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12426 {
12427 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12428 	struct net_device *dev = info->user_ptr[1];
12429 	struct cfg80211_pmksa pmksa;
12430 	bool sae_offload_support = false;
12431 	bool owe_offload_support = false;
12432 	bool ap_pmksa_caching_support = false;
12433 
12434 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12435 
12436 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12437 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12438 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12439 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12440 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12441 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12442 
12443 	if (info->attrs[NL80211_ATTR_PMKID])
12444 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12445 
12446 	if (info->attrs[NL80211_ATTR_MAC]) {
12447 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12448 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12449 		/* SSID based pmksa flush supported only for FILS,
12450 		 * OWE/SAE OFFLOAD cases
12451 		 */
12452 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12453 		    info->attrs[NL80211_ATTR_PMK]) {
12454 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12455 		} else if (!sae_offload_support && !owe_offload_support) {
12456 			return -EINVAL;
12457 		}
12458 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12459 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12460 	} else {
12461 		return -EINVAL;
12462 	}
12463 
12464 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12465 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12466 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12467 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12468 	       ap_pmksa_caching_support))
12469 		return -EOPNOTSUPP;
12470 
12471 	if (!rdev->ops->del_pmksa)
12472 		return -EOPNOTSUPP;
12473 
12474 	return rdev_del_pmksa(rdev, dev, &pmksa);
12475 }
12476 
12477 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12478 {
12479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12480 	struct net_device *dev = info->user_ptr[1];
12481 
12482 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12483 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12484 		return -EOPNOTSUPP;
12485 
12486 	if (!rdev->ops->flush_pmksa)
12487 		return -EOPNOTSUPP;
12488 
12489 	return rdev_flush_pmksa(rdev, dev);
12490 }
12491 
12492 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12493 {
12494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12495 	struct net_device *dev = info->user_ptr[1];
12496 	u8 action_code, dialog_token;
12497 	u32 peer_capability = 0;
12498 	u16 status_code;
12499 	u8 *peer;
12500 	int link_id;
12501 	bool initiator;
12502 
12503 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12504 	    !rdev->ops->tdls_mgmt)
12505 		return -EOPNOTSUPP;
12506 
12507 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12508 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12509 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12510 	    !info->attrs[NL80211_ATTR_IE] ||
12511 	    !info->attrs[NL80211_ATTR_MAC])
12512 		return -EINVAL;
12513 
12514 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12515 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12516 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12517 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12518 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12519 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12520 		peer_capability =
12521 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12522 	link_id = nl80211_link_id_or_invalid(info->attrs);
12523 
12524 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12525 			      dialog_token, status_code, peer_capability,
12526 			      initiator,
12527 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12528 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12529 }
12530 
12531 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12532 {
12533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12534 	struct net_device *dev = info->user_ptr[1];
12535 	enum nl80211_tdls_operation operation;
12536 	u8 *peer;
12537 
12538 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12539 	    !rdev->ops->tdls_oper)
12540 		return -EOPNOTSUPP;
12541 
12542 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12543 	    !info->attrs[NL80211_ATTR_MAC])
12544 		return -EINVAL;
12545 
12546 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12547 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12548 
12549 	return rdev_tdls_oper(rdev, dev, peer, operation);
12550 }
12551 
12552 static int nl80211_remain_on_channel(struct sk_buff *skb,
12553 				     struct genl_info *info)
12554 {
12555 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12556 	unsigned int link_id = nl80211_link_id(info->attrs);
12557 	struct wireless_dev *wdev = info->user_ptr[1];
12558 	struct cfg80211_chan_def chandef;
12559 	struct sk_buff *msg;
12560 	void *hdr;
12561 	u64 cookie;
12562 	u32 duration;
12563 	int err;
12564 
12565 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12566 	    !info->attrs[NL80211_ATTR_DURATION])
12567 		return -EINVAL;
12568 
12569 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12570 
12571 	if (!rdev->ops->remain_on_channel ||
12572 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12573 		return -EOPNOTSUPP;
12574 
12575 	/*
12576 	 * We should be on that channel for at least a minimum amount of
12577 	 * time (10ms) but no longer than the driver supports.
12578 	 */
12579 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12580 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12581 		return -EINVAL;
12582 
12583 	err = nl80211_parse_chandef(rdev, info, &chandef);
12584 	if (err)
12585 		return err;
12586 
12587 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12588 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12589 
12590 		oper_chandef = wdev_chandef(wdev, link_id);
12591 
12592 		if (WARN_ON(!oper_chandef)) {
12593 			/* cannot happen since we must beacon to get here */
12594 			WARN_ON(1);
12595 			return -EBUSY;
12596 		}
12597 
12598 		/* note: returns first one if identical chandefs */
12599 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12600 							     oper_chandef);
12601 
12602 		if (compat_chandef != &chandef)
12603 			return -EBUSY;
12604 	}
12605 
12606 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12607 	if (!msg)
12608 		return -ENOMEM;
12609 
12610 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12611 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12612 	if (!hdr) {
12613 		err = -ENOBUFS;
12614 		goto free_msg;
12615 	}
12616 
12617 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12618 				     duration, &cookie);
12619 
12620 	if (err)
12621 		goto free_msg;
12622 
12623 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12624 			      NL80211_ATTR_PAD))
12625 		goto nla_put_failure;
12626 
12627 	genlmsg_end(msg, hdr);
12628 
12629 	return genlmsg_reply(msg, info);
12630 
12631  nla_put_failure:
12632 	err = -ENOBUFS;
12633  free_msg:
12634 	nlmsg_free(msg);
12635 	return err;
12636 }
12637 
12638 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12639 					    struct genl_info *info)
12640 {
12641 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12642 	struct wireless_dev *wdev = info->user_ptr[1];
12643 	u64 cookie;
12644 
12645 	if (!info->attrs[NL80211_ATTR_COOKIE])
12646 		return -EINVAL;
12647 
12648 	if (!rdev->ops->cancel_remain_on_channel)
12649 		return -EOPNOTSUPP;
12650 
12651 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12652 
12653 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12654 }
12655 
12656 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12657 				       struct genl_info *info)
12658 {
12659 	struct cfg80211_bitrate_mask mask;
12660 	unsigned int link_id = nl80211_link_id(info->attrs);
12661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12662 	struct net_device *dev = info->user_ptr[1];
12663 	int err;
12664 
12665 	if (!rdev->ops->set_bitrate_mask)
12666 		return -EOPNOTSUPP;
12667 
12668 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12669 					    NL80211_ATTR_TX_RATES, &mask,
12670 					    dev, true, link_id);
12671 	if (err)
12672 		return err;
12673 
12674 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12675 }
12676 
12677 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12678 {
12679 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12680 	struct wireless_dev *wdev = info->user_ptr[1];
12681 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12682 
12683 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12684 		return -EINVAL;
12685 
12686 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12687 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12688 
12689 	switch (wdev->iftype) {
12690 	case NL80211_IFTYPE_STATION:
12691 	case NL80211_IFTYPE_ADHOC:
12692 	case NL80211_IFTYPE_P2P_CLIENT:
12693 	case NL80211_IFTYPE_AP:
12694 	case NL80211_IFTYPE_AP_VLAN:
12695 	case NL80211_IFTYPE_MESH_POINT:
12696 	case NL80211_IFTYPE_P2P_GO:
12697 	case NL80211_IFTYPE_P2P_DEVICE:
12698 		break;
12699 	case NL80211_IFTYPE_NAN:
12700 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12701 					     NL80211_EXT_FEATURE_SECURE_NAN))
12702 			return -EOPNOTSUPP;
12703 		break;
12704 	default:
12705 		return -EOPNOTSUPP;
12706 	}
12707 
12708 	/* not much point in registering if we can't reply */
12709 	if (!rdev->ops->mgmt_tx)
12710 		return -EOPNOTSUPP;
12711 
12712 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12713 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12714 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12715 		GENL_SET_ERR_MSG(info,
12716 				 "multicast RX registrations are not supported");
12717 		return -EOPNOTSUPP;
12718 	}
12719 
12720 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12721 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12722 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12723 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12724 					   info->extack);
12725 }
12726 
12727 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12728 {
12729 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12730 	struct wireless_dev *wdev = info->user_ptr[1];
12731 	struct cfg80211_chan_def chandef;
12732 	int err;
12733 	void *hdr = NULL;
12734 	u64 cookie;
12735 	struct sk_buff *msg = NULL;
12736 	struct cfg80211_mgmt_tx_params params = {
12737 		.dont_wait_for_ack =
12738 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12739 	};
12740 
12741 	if (!info->attrs[NL80211_ATTR_FRAME])
12742 		return -EINVAL;
12743 
12744 	if (!rdev->ops->mgmt_tx)
12745 		return -EOPNOTSUPP;
12746 
12747 	switch (wdev->iftype) {
12748 	case NL80211_IFTYPE_P2P_DEVICE:
12749 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12750 			return -EINVAL;
12751 		break;
12752 	case NL80211_IFTYPE_STATION:
12753 	case NL80211_IFTYPE_ADHOC:
12754 	case NL80211_IFTYPE_P2P_CLIENT:
12755 	case NL80211_IFTYPE_AP:
12756 	case NL80211_IFTYPE_AP_VLAN:
12757 	case NL80211_IFTYPE_MESH_POINT:
12758 	case NL80211_IFTYPE_P2P_GO:
12759 		break;
12760 	case NL80211_IFTYPE_NAN:
12761 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12762 					     NL80211_EXT_FEATURE_SECURE_NAN))
12763 			return -EOPNOTSUPP;
12764 		break;
12765 	default:
12766 		return -EOPNOTSUPP;
12767 	}
12768 
12769 	if (info->attrs[NL80211_ATTR_DURATION]) {
12770 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12771 			return -EINVAL;
12772 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12773 
12774 		/*
12775 		 * We should wait on the channel for at least a minimum amount
12776 		 * of time (10ms) but no longer than the driver supports.
12777 		 */
12778 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12779 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12780 			return -EINVAL;
12781 	}
12782 
12783 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12784 
12785 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12786 		return -EINVAL;
12787 
12788 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12789 
12790 	/* get the channel if any has been specified, otherwise pass NULL to
12791 	 * the driver. The latter will use the current one
12792 	 */
12793 	chandef.chan = NULL;
12794 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12795 		err = nl80211_parse_chandef(rdev, info, &chandef);
12796 		if (err)
12797 			return err;
12798 	}
12799 
12800 	if (!chandef.chan && params.offchan)
12801 		return -EINVAL;
12802 
12803 	if (params.offchan &&
12804 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12805 		return -EBUSY;
12806 
12807 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12808 	/*
12809 	 * This now races due to the unlock, but we cannot check
12810 	 * the valid links for the _station_ anyway, so that's up
12811 	 * to the driver.
12812 	 */
12813 	if (params.link_id >= 0 &&
12814 	    !(wdev->valid_links & BIT(params.link_id)))
12815 		return -EINVAL;
12816 
12817 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12818 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12819 
12820 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12821 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12822 					    &params.csa_offsets,
12823 					    &params.n_csa_offsets);
12824 	if (err)
12825 		return err;
12826 
12827 	if (!params.dont_wait_for_ack) {
12828 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12829 		if (!msg)
12830 			return -ENOMEM;
12831 
12832 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12833 				     NL80211_CMD_FRAME);
12834 		if (!hdr) {
12835 			err = -ENOBUFS;
12836 			goto free_msg;
12837 		}
12838 	}
12839 
12840 	params.chan = chandef.chan;
12841 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12842 	if (err)
12843 		goto free_msg;
12844 
12845 	if (msg) {
12846 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12847 				      NL80211_ATTR_PAD))
12848 			goto nla_put_failure;
12849 
12850 		genlmsg_end(msg, hdr);
12851 		return genlmsg_reply(msg, info);
12852 	}
12853 
12854 	return 0;
12855 
12856  nla_put_failure:
12857 	err = -ENOBUFS;
12858  free_msg:
12859 	nlmsg_free(msg);
12860 	return err;
12861 }
12862 
12863 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12864 {
12865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12866 	struct wireless_dev *wdev = info->user_ptr[1];
12867 	u64 cookie;
12868 
12869 	if (!info->attrs[NL80211_ATTR_COOKIE])
12870 		return -EINVAL;
12871 
12872 	if (!rdev->ops->mgmt_tx_cancel_wait)
12873 		return -EOPNOTSUPP;
12874 
12875 	switch (wdev->iftype) {
12876 	case NL80211_IFTYPE_STATION:
12877 	case NL80211_IFTYPE_ADHOC:
12878 	case NL80211_IFTYPE_P2P_CLIENT:
12879 	case NL80211_IFTYPE_AP:
12880 	case NL80211_IFTYPE_AP_VLAN:
12881 	case NL80211_IFTYPE_P2P_GO:
12882 	case NL80211_IFTYPE_P2P_DEVICE:
12883 		break;
12884 	case NL80211_IFTYPE_NAN:
12885 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12886 					     NL80211_EXT_FEATURE_SECURE_NAN))
12887 			return -EOPNOTSUPP;
12888 		break;
12889 	default:
12890 		return -EOPNOTSUPP;
12891 	}
12892 
12893 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12894 
12895 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12896 }
12897 
12898 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12899 {
12900 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12901 	struct wireless_dev *wdev;
12902 	struct net_device *dev = info->user_ptr[1];
12903 	u8 ps_state;
12904 	bool state;
12905 	int err;
12906 
12907 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12908 		return -EINVAL;
12909 
12910 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12911 
12912 	wdev = dev->ieee80211_ptr;
12913 
12914 	if (!rdev->ops->set_power_mgmt)
12915 		return -EOPNOTSUPP;
12916 
12917 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12918 
12919 	if (state == wdev->ps)
12920 		return 0;
12921 
12922 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12923 	if (!err)
12924 		wdev->ps = state;
12925 	return err;
12926 }
12927 
12928 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12929 {
12930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12931 	enum nl80211_ps_state ps_state;
12932 	struct wireless_dev *wdev;
12933 	struct net_device *dev = info->user_ptr[1];
12934 	struct sk_buff *msg;
12935 	void *hdr;
12936 	int err;
12937 
12938 	wdev = dev->ieee80211_ptr;
12939 
12940 	if (!rdev->ops->set_power_mgmt)
12941 		return -EOPNOTSUPP;
12942 
12943 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12944 	if (!msg)
12945 		return -ENOMEM;
12946 
12947 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12948 			     NL80211_CMD_GET_POWER_SAVE);
12949 	if (!hdr) {
12950 		err = -ENOBUFS;
12951 		goto free_msg;
12952 	}
12953 
12954 	if (wdev->ps)
12955 		ps_state = NL80211_PS_ENABLED;
12956 	else
12957 		ps_state = NL80211_PS_DISABLED;
12958 
12959 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12960 		goto nla_put_failure;
12961 
12962 	genlmsg_end(msg, hdr);
12963 	return genlmsg_reply(msg, info);
12964 
12965  nla_put_failure:
12966 	err = -ENOBUFS;
12967  free_msg:
12968 	nlmsg_free(msg);
12969 	return err;
12970 }
12971 
12972 static const struct nla_policy
12973 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12974 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12975 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12976 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12977 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12978 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12979 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12980 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12981 };
12982 
12983 static int nl80211_set_cqm_txe(struct genl_info *info,
12984 			       u32 rate, u32 pkts, u32 intvl)
12985 {
12986 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12987 	struct net_device *dev = info->user_ptr[1];
12988 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12989 
12990 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12991 		return -EINVAL;
12992 
12993 	if (!rdev->ops->set_cqm_txe_config)
12994 		return -EOPNOTSUPP;
12995 
12996 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12997 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12998 		return -EOPNOTSUPP;
12999 
13000 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
13001 }
13002 
13003 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
13004 				    struct net_device *dev,
13005 				    struct cfg80211_cqm_config *cqm_config)
13006 {
13007 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13008 	s32 last, low, high;
13009 	u32 hyst;
13010 	int i, n, low_index;
13011 	int err;
13012 
13013 	/*
13014 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
13015 	 * event has been received yet, we should receive an event after a
13016 	 * connection is established and enough beacons received to calculate
13017 	 * the average.
13018 	 */
13019 	if (!cqm_config->last_rssi_event_value &&
13020 	    wdev->links[0].client.current_bss &&
13021 	    rdev->ops->get_station) {
13022 		struct station_info sinfo = {};
13023 		u8 *mac_addr;
13024 
13025 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
13026 
13027 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
13028 		if (err)
13029 			return err;
13030 
13031 		cfg80211_sinfo_release_content(&sinfo);
13032 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13033 			cqm_config->last_rssi_event_value =
13034 				(s8) sinfo.rx_beacon_signal_avg;
13035 	}
13036 
13037 	last = cqm_config->last_rssi_event_value;
13038 	hyst = cqm_config->rssi_hyst;
13039 	n = cqm_config->n_rssi_thresholds;
13040 
13041 	for (i = 0; i < n; i++) {
13042 		i = array_index_nospec(i, n);
13043 		if (last < cqm_config->rssi_thresholds[i])
13044 			break;
13045 	}
13046 
13047 	low_index = i - 1;
13048 	if (low_index >= 0) {
13049 		low_index = array_index_nospec(low_index, n);
13050 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13051 	} else {
13052 		low = S32_MIN;
13053 	}
13054 	if (i < n) {
13055 		i = array_index_nospec(i, n);
13056 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13057 	} else {
13058 		high = S32_MAX;
13059 	}
13060 
13061 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13062 }
13063 
13064 static int nl80211_set_cqm_rssi(struct genl_info *info,
13065 				const s32 *thresholds, int n_thresholds,
13066 				u32 hysteresis)
13067 {
13068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13069 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13070 	struct net_device *dev = info->user_ptr[1];
13071 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13072 	s32 prev = S32_MIN;
13073 	int i, err;
13074 
13075 	/* Check all values negative and sorted */
13076 	for (i = 0; i < n_thresholds; i++) {
13077 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13078 			return -EINVAL;
13079 
13080 		prev = thresholds[i];
13081 	}
13082 
13083 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13084 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13085 		return -EOPNOTSUPP;
13086 
13087 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13088 		n_thresholds = 0;
13089 
13090 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13091 
13092 	/* if already disabled just succeed */
13093 	if (!n_thresholds && !old)
13094 		return 0;
13095 
13096 	if (n_thresholds > 1) {
13097 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13098 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13099 		    !rdev->ops->set_cqm_rssi_range_config)
13100 			return -EOPNOTSUPP;
13101 	} else {
13102 		if (!rdev->ops->set_cqm_rssi_config)
13103 			return -EOPNOTSUPP;
13104 	}
13105 
13106 	if (n_thresholds) {
13107 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13108 						 n_thresholds),
13109 				     GFP_KERNEL);
13110 		if (!cqm_config)
13111 			return -ENOMEM;
13112 
13113 		cqm_config->rssi_hyst = hysteresis;
13114 		cqm_config->n_rssi_thresholds = n_thresholds;
13115 		memcpy(cqm_config->rssi_thresholds, thresholds,
13116 		       flex_array_size(cqm_config, rssi_thresholds,
13117 				       n_thresholds));
13118 		cqm_config->use_range_api = n_thresholds > 1 ||
13119 					    !rdev->ops->set_cqm_rssi_config;
13120 
13121 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13122 
13123 		if (cqm_config->use_range_api)
13124 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13125 		else
13126 			err = rdev_set_cqm_rssi_config(rdev, dev,
13127 						       thresholds[0],
13128 						       hysteresis);
13129 	} else {
13130 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13131 		/* if enabled as range also disable via range */
13132 		if (old->use_range_api)
13133 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13134 		else
13135 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13136 	}
13137 
13138 	if (err) {
13139 		rcu_assign_pointer(wdev->cqm_config, old);
13140 		kfree_rcu(cqm_config, rcu_head);
13141 	} else {
13142 		kfree_rcu(old, rcu_head);
13143 	}
13144 
13145 	return err;
13146 }
13147 
13148 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13149 {
13150 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13151 	struct nlattr *cqm;
13152 	int err;
13153 
13154 	cqm = info->attrs[NL80211_ATTR_CQM];
13155 	if (!cqm)
13156 		return -EINVAL;
13157 
13158 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13159 					  nl80211_attr_cqm_policy,
13160 					  info->extack);
13161 	if (err)
13162 		return err;
13163 
13164 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13165 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13166 		const s32 *thresholds =
13167 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13168 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13169 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13170 
13171 		if (len % 4)
13172 			return -EINVAL;
13173 
13174 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13175 					    hysteresis);
13176 	}
13177 
13178 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13179 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13180 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13181 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13182 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13183 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13184 
13185 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13186 	}
13187 
13188 	return -EINVAL;
13189 }
13190 
13191 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13192 {
13193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13194 	struct net_device *dev = info->user_ptr[1];
13195 	struct ocb_setup setup = {};
13196 	int err;
13197 
13198 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13199 	if (err)
13200 		return err;
13201 
13202 	return cfg80211_join_ocb(rdev, dev, &setup);
13203 }
13204 
13205 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13206 {
13207 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13208 	struct net_device *dev = info->user_ptr[1];
13209 
13210 	return cfg80211_leave_ocb(rdev, dev);
13211 }
13212 
13213 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13214 {
13215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13216 	struct net_device *dev = info->user_ptr[1];
13217 	struct mesh_config cfg;
13218 	struct mesh_setup setup;
13219 	int err;
13220 
13221 	/* start with default */
13222 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13223 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13224 
13225 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13226 		/* and parse parameters if given */
13227 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13228 		if (err)
13229 			return err;
13230 	}
13231 
13232 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13233 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13234 		return -EINVAL;
13235 
13236 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13237 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13238 
13239 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13240 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13241 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13242 			return -EINVAL;
13243 
13244 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13245 		setup.beacon_interval =
13246 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13247 
13248 		err = cfg80211_validate_beacon_int(rdev,
13249 						   NL80211_IFTYPE_MESH_POINT,
13250 						   setup.beacon_interval);
13251 		if (err)
13252 			return err;
13253 	}
13254 
13255 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13256 		setup.dtim_period =
13257 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13258 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13259 			return -EINVAL;
13260 	}
13261 
13262 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13263 		/* parse additional setup parameters if given */
13264 		err = nl80211_parse_mesh_setup(info, &setup);
13265 		if (err)
13266 			return err;
13267 	}
13268 
13269 	if (setup.user_mpm)
13270 		cfg.auto_open_plinks = false;
13271 
13272 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13273 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13274 		if (err)
13275 			return err;
13276 	} else {
13277 		/* __cfg80211_join_mesh() will sort it out */
13278 		setup.chandef.chan = NULL;
13279 	}
13280 
13281 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13282 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13283 		int n_rates =
13284 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13285 		struct ieee80211_supported_band *sband;
13286 
13287 		if (!setup.chandef.chan)
13288 			return -EINVAL;
13289 
13290 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13291 
13292 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13293 					     &setup.basic_rates);
13294 		if (err)
13295 			return err;
13296 	}
13297 
13298 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13299 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13300 						    NL80211_ATTR_TX_RATES,
13301 						    &setup.beacon_rate,
13302 						    dev, false, 0);
13303 		if (err)
13304 			return err;
13305 
13306 		if (!setup.chandef.chan)
13307 			return -EINVAL;
13308 
13309 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13310 					      &setup.beacon_rate);
13311 		if (err)
13312 			return err;
13313 	}
13314 
13315 	setup.userspace_handles_dfs =
13316 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13317 
13318 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13319 		int r = validate_pae_over_nl80211(rdev, info);
13320 
13321 		if (r < 0)
13322 			return r;
13323 
13324 		setup.control_port_over_nl80211 = true;
13325 	}
13326 
13327 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13328 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13329 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13330 
13331 	return err;
13332 }
13333 
13334 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13335 {
13336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13337 	struct net_device *dev = info->user_ptr[1];
13338 
13339 	return cfg80211_leave_mesh(rdev, dev);
13340 }
13341 
13342 #ifdef CONFIG_PM
13343 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13344 					struct cfg80211_registered_device *rdev)
13345 {
13346 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13347 	struct nlattr *nl_pats, *nl_pat;
13348 	int i, pat_len;
13349 
13350 	if (!wowlan->n_patterns)
13351 		return 0;
13352 
13353 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13354 	if (!nl_pats)
13355 		return -ENOBUFS;
13356 
13357 	for (i = 0; i < wowlan->n_patterns; i++) {
13358 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13359 		if (!nl_pat)
13360 			return -ENOBUFS;
13361 		pat_len = wowlan->patterns[i].pattern_len;
13362 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13363 			    wowlan->patterns[i].mask) ||
13364 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13365 			    wowlan->patterns[i].pattern) ||
13366 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13367 				wowlan->patterns[i].pkt_offset))
13368 			return -ENOBUFS;
13369 		nla_nest_end(msg, nl_pat);
13370 	}
13371 	nla_nest_end(msg, nl_pats);
13372 
13373 	return 0;
13374 }
13375 
13376 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13377 				   struct cfg80211_wowlan_tcp *tcp)
13378 {
13379 	struct nlattr *nl_tcp;
13380 
13381 	if (!tcp)
13382 		return 0;
13383 
13384 	nl_tcp = nla_nest_start_noflag(msg,
13385 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13386 	if (!nl_tcp)
13387 		return -ENOBUFS;
13388 
13389 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13390 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13391 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13392 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13393 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13394 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13395 		    tcp->payload_len, tcp->payload) ||
13396 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13397 			tcp->data_interval) ||
13398 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13399 		    tcp->wake_len, tcp->wake_data) ||
13400 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13401 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13402 		return -ENOBUFS;
13403 
13404 	if (tcp->payload_seq.len &&
13405 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13406 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13407 		return -ENOBUFS;
13408 
13409 	if (tcp->payload_tok.len &&
13410 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13411 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13412 		    &tcp->payload_tok))
13413 		return -ENOBUFS;
13414 
13415 	nla_nest_end(msg, nl_tcp);
13416 
13417 	return 0;
13418 }
13419 
13420 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13421 				  struct cfg80211_sched_scan_request *req)
13422 {
13423 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13424 	int i;
13425 
13426 	if (!req)
13427 		return 0;
13428 
13429 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13430 	if (!nd)
13431 		return -ENOBUFS;
13432 
13433 	if (req->n_scan_plans == 1 &&
13434 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13435 			req->scan_plans[0].interval * 1000))
13436 		return -ENOBUFS;
13437 
13438 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13439 		return -ENOBUFS;
13440 
13441 	if (req->relative_rssi_set) {
13442 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13443 
13444 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13445 			       req->relative_rssi))
13446 			return -ENOBUFS;
13447 
13448 		rssi_adjust.band = req->rssi_adjust.band;
13449 		rssi_adjust.delta = req->rssi_adjust.delta;
13450 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13451 			    sizeof(rssi_adjust), &rssi_adjust))
13452 			return -ENOBUFS;
13453 	}
13454 
13455 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13456 	if (!freqs)
13457 		return -ENOBUFS;
13458 
13459 	for (i = 0; i < req->n_channels; i++) {
13460 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13461 			return -ENOBUFS;
13462 	}
13463 
13464 	nla_nest_end(msg, freqs);
13465 
13466 	if (req->n_match_sets) {
13467 		matches = nla_nest_start_noflag(msg,
13468 						NL80211_ATTR_SCHED_SCAN_MATCH);
13469 		if (!matches)
13470 			return -ENOBUFS;
13471 
13472 		for (i = 0; i < req->n_match_sets; i++) {
13473 			match = nla_nest_start_noflag(msg, i);
13474 			if (!match)
13475 				return -ENOBUFS;
13476 
13477 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13478 				    req->match_sets[i].ssid.ssid_len,
13479 				    req->match_sets[i].ssid.ssid))
13480 				return -ENOBUFS;
13481 			nla_nest_end(msg, match);
13482 		}
13483 		nla_nest_end(msg, matches);
13484 	}
13485 
13486 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13487 	if (!scan_plans)
13488 		return -ENOBUFS;
13489 
13490 	for (i = 0; i < req->n_scan_plans; i++) {
13491 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13492 		if (!scan_plan)
13493 			return -ENOBUFS;
13494 
13495 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13496 				req->scan_plans[i].interval) ||
13497 		    (req->scan_plans[i].iterations &&
13498 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13499 				 req->scan_plans[i].iterations)))
13500 			return -ENOBUFS;
13501 		nla_nest_end(msg, scan_plan);
13502 	}
13503 	nla_nest_end(msg, scan_plans);
13504 
13505 	nla_nest_end(msg, nd);
13506 
13507 	return 0;
13508 }
13509 
13510 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13511 {
13512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13513 	struct sk_buff *msg;
13514 	void *hdr;
13515 	u32 size = NLMSG_DEFAULT_SIZE;
13516 
13517 	if (!rdev->wiphy.wowlan)
13518 		return -EOPNOTSUPP;
13519 
13520 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13521 		/* adjust size to have room for all the data */
13522 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13523 			rdev->wiphy.wowlan_config->tcp->payload_len +
13524 			rdev->wiphy.wowlan_config->tcp->wake_len +
13525 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13526 	}
13527 
13528 	msg = nlmsg_new(size, GFP_KERNEL);
13529 	if (!msg)
13530 		return -ENOMEM;
13531 
13532 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13533 			     NL80211_CMD_GET_WOWLAN);
13534 	if (!hdr)
13535 		goto nla_put_failure;
13536 
13537 	if (rdev->wiphy.wowlan_config) {
13538 		struct nlattr *nl_wowlan;
13539 
13540 		nl_wowlan = nla_nest_start_noflag(msg,
13541 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13542 		if (!nl_wowlan)
13543 			goto nla_put_failure;
13544 
13545 		if ((rdev->wiphy.wowlan_config->any &&
13546 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13547 		    (rdev->wiphy.wowlan_config->disconnect &&
13548 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13549 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13550 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13551 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13552 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13553 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13554 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13555 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13556 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13557 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13558 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13559 			goto nla_put_failure;
13560 
13561 		if (nl80211_send_wowlan_patterns(msg, rdev))
13562 			goto nla_put_failure;
13563 
13564 		if (nl80211_send_wowlan_tcp(msg,
13565 					    rdev->wiphy.wowlan_config->tcp))
13566 			goto nla_put_failure;
13567 
13568 		if (nl80211_send_wowlan_nd(
13569 			    msg,
13570 			    rdev->wiphy.wowlan_config->nd_config))
13571 			goto nla_put_failure;
13572 
13573 		nla_nest_end(msg, nl_wowlan);
13574 	}
13575 
13576 	genlmsg_end(msg, hdr);
13577 	return genlmsg_reply(msg, info);
13578 
13579 nla_put_failure:
13580 	nlmsg_free(msg);
13581 	return -ENOBUFS;
13582 }
13583 
13584 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13585 				    struct nlattr *attr,
13586 				    struct cfg80211_wowlan *trig)
13587 {
13588 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13589 	struct cfg80211_wowlan_tcp *cfg;
13590 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13591 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13592 	u32 size;
13593 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13594 	int err, port;
13595 
13596 	if (!rdev->wiphy.wowlan->tcp)
13597 		return -EINVAL;
13598 
13599 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13600 					  nl80211_wowlan_tcp_policy, NULL);
13601 	if (err)
13602 		return err;
13603 
13604 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13605 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13606 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13607 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13608 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13609 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13610 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13611 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13612 		return -EINVAL;
13613 
13614 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13615 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13616 		return -EINVAL;
13617 
13618 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13619 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13620 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13621 		return -EINVAL;
13622 
13623 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13624 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13625 		return -EINVAL;
13626 
13627 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13628 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13629 		return -EINVAL;
13630 
13631 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13632 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13633 
13634 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13635 		tokens_size = tokln - sizeof(*tok);
13636 
13637 		if (!tok->len || tokens_size % tok->len)
13638 			return -EINVAL;
13639 		if (!rdev->wiphy.wowlan->tcp->tok)
13640 			return -EINVAL;
13641 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13642 			return -EINVAL;
13643 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13644 			return -EINVAL;
13645 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13646 			return -EINVAL;
13647 		if (tok->offset + tok->len > data_size)
13648 			return -EINVAL;
13649 	}
13650 
13651 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13652 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13653 		if (!rdev->wiphy.wowlan->tcp->seq)
13654 			return -EINVAL;
13655 		if (seq->len == 0 || seq->len > 4)
13656 			return -EINVAL;
13657 		if (seq->len + seq->offset > data_size)
13658 			return -EINVAL;
13659 	}
13660 
13661 	size = sizeof(*cfg);
13662 	size += data_size;
13663 	size += wake_size + wake_mask_size;
13664 	size += tokens_size;
13665 
13666 	cfg = kzalloc(size, GFP_KERNEL);
13667 	if (!cfg)
13668 		return -ENOMEM;
13669 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13670 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13671 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13672 	       ETH_ALEN);
13673 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13674 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13675 	else
13676 		port = 0;
13677 #ifdef CONFIG_INET
13678 	/* allocate a socket and port for it and use it */
13679 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13680 			    IPPROTO_TCP, &cfg->sock, 1);
13681 	if (err) {
13682 		kfree(cfg);
13683 		return err;
13684 	}
13685 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13686 		sock_release(cfg->sock);
13687 		kfree(cfg);
13688 		return -EADDRINUSE;
13689 	}
13690 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13691 #else
13692 	if (!port) {
13693 		kfree(cfg);
13694 		return -EINVAL;
13695 	}
13696 	cfg->src_port = port;
13697 #endif
13698 
13699 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13700 	cfg->payload_len = data_size;
13701 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13702 	memcpy((void *)cfg->payload,
13703 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13704 	       data_size);
13705 	if (seq)
13706 		cfg->payload_seq = *seq;
13707 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13708 	cfg->wake_len = wake_size;
13709 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13710 	memcpy((void *)cfg->wake_data,
13711 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13712 	       wake_size);
13713 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13714 			 data_size + wake_size;
13715 	memcpy((void *)cfg->wake_mask,
13716 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13717 	       wake_mask_size);
13718 	if (tok) {
13719 		cfg->tokens_size = tokens_size;
13720 		cfg->payload_tok = *tok;
13721 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13722 		       tokens_size);
13723 	}
13724 
13725 	trig->tcp = cfg;
13726 
13727 	return 0;
13728 }
13729 
13730 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13731 				   const struct wiphy_wowlan_support *wowlan,
13732 				   struct nlattr *attr,
13733 				   struct cfg80211_wowlan *trig)
13734 {
13735 	struct nlattr **tb;
13736 	int err;
13737 
13738 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13739 	if (!tb)
13740 		return -ENOMEM;
13741 
13742 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13743 		err = -EOPNOTSUPP;
13744 		goto out;
13745 	}
13746 
13747 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13748 					  nl80211_policy, NULL);
13749 	if (err)
13750 		goto out;
13751 
13752 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13753 						   wowlan->max_nd_match_sets);
13754 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13755 	if (err)
13756 		trig->nd_config = NULL;
13757 
13758 out:
13759 	kfree(tb);
13760 	return err;
13761 }
13762 
13763 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13764 {
13765 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13766 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13767 	struct cfg80211_wowlan new_triggers = {};
13768 	struct cfg80211_wowlan *ntrig;
13769 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13770 	int err, i;
13771 	bool prev_enabled = rdev->wiphy.wowlan_config;
13772 	bool regular = false;
13773 
13774 	if (!wowlan)
13775 		return -EOPNOTSUPP;
13776 
13777 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13778 		cfg80211_rdev_free_wowlan(rdev);
13779 		rdev->wiphy.wowlan_config = NULL;
13780 		goto set_wakeup;
13781 	}
13782 
13783 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13784 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13785 					  nl80211_wowlan_policy, info->extack);
13786 	if (err)
13787 		return err;
13788 
13789 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13790 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13791 			return -EINVAL;
13792 		new_triggers.any = true;
13793 	}
13794 
13795 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13796 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13797 			return -EINVAL;
13798 		new_triggers.disconnect = true;
13799 		regular = true;
13800 	}
13801 
13802 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13803 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13804 			return -EINVAL;
13805 		new_triggers.magic_pkt = true;
13806 		regular = true;
13807 	}
13808 
13809 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13810 		return -EINVAL;
13811 
13812 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13813 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13814 			return -EINVAL;
13815 		new_triggers.gtk_rekey_failure = true;
13816 		regular = true;
13817 	}
13818 
13819 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13820 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13821 			return -EINVAL;
13822 		new_triggers.eap_identity_req = true;
13823 		regular = true;
13824 	}
13825 
13826 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13827 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13828 			return -EINVAL;
13829 		new_triggers.four_way_handshake = true;
13830 		regular = true;
13831 	}
13832 
13833 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13834 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13835 			return -EINVAL;
13836 		new_triggers.rfkill_release = true;
13837 		regular = true;
13838 	}
13839 
13840 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13841 		struct nlattr *pat;
13842 		int n_patterns = 0;
13843 		int rem, pat_len, mask_len, pkt_offset;
13844 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13845 
13846 		regular = true;
13847 
13848 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13849 				    rem)
13850 			n_patterns++;
13851 		if (n_patterns > wowlan->n_patterns)
13852 			return -EINVAL;
13853 
13854 		new_triggers.patterns = kcalloc(n_patterns,
13855 						sizeof(new_triggers.patterns[0]),
13856 						GFP_KERNEL);
13857 		if (!new_triggers.patterns)
13858 			return -ENOMEM;
13859 
13860 		new_triggers.n_patterns = n_patterns;
13861 		i = 0;
13862 
13863 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13864 				    rem) {
13865 			u8 *mask_pat;
13866 
13867 			err = nla_parse_nested_deprecated(pat_tb,
13868 							  MAX_NL80211_PKTPAT,
13869 							  pat,
13870 							  nl80211_packet_pattern_policy,
13871 							  info->extack);
13872 			if (err)
13873 				goto error;
13874 
13875 			err = -EINVAL;
13876 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13877 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13878 				goto error;
13879 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13880 			mask_len = DIV_ROUND_UP(pat_len, 8);
13881 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13882 				goto error;
13883 			if (pat_len > wowlan->pattern_max_len ||
13884 			    pat_len < wowlan->pattern_min_len)
13885 				goto error;
13886 
13887 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13888 				pkt_offset = 0;
13889 			else
13890 				pkt_offset = nla_get_u32(
13891 					pat_tb[NL80211_PKTPAT_OFFSET]);
13892 			if (pkt_offset > wowlan->max_pkt_offset)
13893 				goto error;
13894 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13895 
13896 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13897 			if (!mask_pat) {
13898 				err = -ENOMEM;
13899 				goto error;
13900 			}
13901 			new_triggers.patterns[i].mask = mask_pat;
13902 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13903 			       mask_len);
13904 			mask_pat += mask_len;
13905 			new_triggers.patterns[i].pattern = mask_pat;
13906 			new_triggers.patterns[i].pattern_len = pat_len;
13907 			memcpy(mask_pat,
13908 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13909 			       pat_len);
13910 			i++;
13911 		}
13912 	}
13913 
13914 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13915 		regular = true;
13916 		err = nl80211_parse_wowlan_tcp(
13917 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13918 			&new_triggers);
13919 		if (err)
13920 			goto error;
13921 	}
13922 
13923 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13924 		regular = true;
13925 		err = nl80211_parse_wowlan_nd(
13926 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13927 			&new_triggers);
13928 		if (err)
13929 			goto error;
13930 	}
13931 
13932 	/* The 'any' trigger means the device continues operating more or less
13933 	 * as in its normal operation mode and wakes up the host on most of the
13934 	 * normal interrupts (like packet RX, ...)
13935 	 * It therefore makes little sense to combine with the more constrained
13936 	 * wakeup trigger modes.
13937 	 */
13938 	if (new_triggers.any && regular) {
13939 		err = -EINVAL;
13940 		goto error;
13941 	}
13942 
13943 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13944 	if (!ntrig) {
13945 		err = -ENOMEM;
13946 		goto error;
13947 	}
13948 	cfg80211_rdev_free_wowlan(rdev);
13949 	rdev->wiphy.wowlan_config = ntrig;
13950 
13951  set_wakeup:
13952 	if (rdev->ops->set_wakeup &&
13953 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13954 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13955 
13956 	return 0;
13957  error:
13958 	for (i = 0; i < new_triggers.n_patterns; i++)
13959 		kfree(new_triggers.patterns[i].mask);
13960 	kfree(new_triggers.patterns);
13961 	if (new_triggers.tcp && new_triggers.tcp->sock)
13962 		sock_release(new_triggers.tcp->sock);
13963 	kfree(new_triggers.tcp);
13964 	kfree(new_triggers.nd_config);
13965 	return err;
13966 }
13967 #endif
13968 
13969 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13970 				       struct cfg80211_registered_device *rdev)
13971 {
13972 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13973 	int i, j, pat_len;
13974 	struct cfg80211_coalesce_rules *rule;
13975 
13976 	if (!rdev->coalesce->n_rules)
13977 		return 0;
13978 
13979 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13980 	if (!nl_rules)
13981 		return -ENOBUFS;
13982 
13983 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13984 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13985 		if (!nl_rule)
13986 			return -ENOBUFS;
13987 
13988 		rule = &rdev->coalesce->rules[i];
13989 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13990 				rule->delay))
13991 			return -ENOBUFS;
13992 
13993 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13994 				rule->condition))
13995 			return -ENOBUFS;
13996 
13997 		nl_pats = nla_nest_start_noflag(msg,
13998 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13999 		if (!nl_pats)
14000 			return -ENOBUFS;
14001 
14002 		for (j = 0; j < rule->n_patterns; j++) {
14003 			nl_pat = nla_nest_start_noflag(msg, j + 1);
14004 			if (!nl_pat)
14005 				return -ENOBUFS;
14006 			pat_len = rule->patterns[j].pattern_len;
14007 			if (nla_put(msg, NL80211_PKTPAT_MASK,
14008 				    DIV_ROUND_UP(pat_len, 8),
14009 				    rule->patterns[j].mask) ||
14010 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14011 				    rule->patterns[j].pattern) ||
14012 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14013 					rule->patterns[j].pkt_offset))
14014 				return -ENOBUFS;
14015 			nla_nest_end(msg, nl_pat);
14016 		}
14017 		nla_nest_end(msg, nl_pats);
14018 		nla_nest_end(msg, nl_rule);
14019 	}
14020 	nla_nest_end(msg, nl_rules);
14021 
14022 	return 0;
14023 }
14024 
14025 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
14026 {
14027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14028 	struct sk_buff *msg;
14029 	void *hdr;
14030 
14031 	if (!rdev->wiphy.coalesce)
14032 		return -EOPNOTSUPP;
14033 
14034 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14035 	if (!msg)
14036 		return -ENOMEM;
14037 
14038 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14039 			     NL80211_CMD_GET_COALESCE);
14040 	if (!hdr)
14041 		goto nla_put_failure;
14042 
14043 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14044 		goto nla_put_failure;
14045 
14046 	genlmsg_end(msg, hdr);
14047 	return genlmsg_reply(msg, info);
14048 
14049 nla_put_failure:
14050 	nlmsg_free(msg);
14051 	return -ENOBUFS;
14052 }
14053 
14054 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14055 {
14056 	int i, j;
14057 	struct cfg80211_coalesce_rules *rule;
14058 
14059 	if (!coalesce)
14060 		return;
14061 
14062 	for (i = 0; i < coalesce->n_rules; i++) {
14063 		rule = &coalesce->rules[i];
14064 		for (j = 0; j < rule->n_patterns; j++)
14065 			kfree(rule->patterns[j].mask);
14066 		kfree(rule->patterns);
14067 	}
14068 	kfree(coalesce);
14069 }
14070 
14071 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14072 				       struct nlattr *rule,
14073 				       struct cfg80211_coalesce_rules *new_rule)
14074 {
14075 	int err, i;
14076 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14077 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14078 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14079 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14080 
14081 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14082 					  rule, nl80211_coalesce_policy, NULL);
14083 	if (err)
14084 		return err;
14085 
14086 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14087 		new_rule->delay =
14088 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14089 	if (new_rule->delay > coalesce->max_delay)
14090 		return -EINVAL;
14091 
14092 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14093 		new_rule->condition =
14094 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14095 
14096 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14097 		return -EINVAL;
14098 
14099 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14100 			    rem)
14101 		n_patterns++;
14102 	if (n_patterns > coalesce->n_patterns)
14103 		return -EINVAL;
14104 
14105 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14106 				     GFP_KERNEL);
14107 	if (!new_rule->patterns)
14108 		return -ENOMEM;
14109 
14110 	new_rule->n_patterns = n_patterns;
14111 	i = 0;
14112 
14113 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14114 			    rem) {
14115 		u8 *mask_pat;
14116 
14117 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14118 						  pat,
14119 						  nl80211_packet_pattern_policy,
14120 						  NULL);
14121 		if (err)
14122 			return err;
14123 
14124 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14125 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14126 			return -EINVAL;
14127 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14128 		mask_len = DIV_ROUND_UP(pat_len, 8);
14129 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14130 			return -EINVAL;
14131 		if (pat_len > coalesce->pattern_max_len ||
14132 		    pat_len < coalesce->pattern_min_len)
14133 			return -EINVAL;
14134 
14135 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
14136 			pkt_offset = 0;
14137 		else
14138 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
14139 		if (pkt_offset > coalesce->max_pkt_offset)
14140 			return -EINVAL;
14141 		new_rule->patterns[i].pkt_offset = pkt_offset;
14142 
14143 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14144 		if (!mask_pat)
14145 			return -ENOMEM;
14146 
14147 		new_rule->patterns[i].mask = mask_pat;
14148 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14149 		       mask_len);
14150 
14151 		mask_pat += mask_len;
14152 		new_rule->patterns[i].pattern = mask_pat;
14153 		new_rule->patterns[i].pattern_len = pat_len;
14154 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14155 		       pat_len);
14156 		i++;
14157 	}
14158 
14159 	return 0;
14160 }
14161 
14162 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14163 {
14164 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14165 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14166 	struct cfg80211_coalesce *new_coalesce;
14167 	int err, rem_rule, n_rules = 0, i;
14168 	struct nlattr *rule;
14169 
14170 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14171 		return -EOPNOTSUPP;
14172 
14173 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14174 		cfg80211_free_coalesce(rdev->coalesce);
14175 		rdev->coalesce = NULL;
14176 		rdev_set_coalesce(rdev, NULL);
14177 		return 0;
14178 	}
14179 
14180 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14181 			    rem_rule)
14182 		n_rules++;
14183 	if (n_rules > coalesce->n_rules)
14184 		return -EINVAL;
14185 
14186 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14187 			       GFP_KERNEL);
14188 	if (!new_coalesce)
14189 		return -ENOMEM;
14190 
14191 	new_coalesce->n_rules = n_rules;
14192 	i = 0;
14193 
14194 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14195 			    rem_rule) {
14196 		err = nl80211_parse_coalesce_rule(rdev, rule,
14197 						  &new_coalesce->rules[i]);
14198 		if (err)
14199 			goto error;
14200 
14201 		i++;
14202 	}
14203 
14204 	err = rdev_set_coalesce(rdev, new_coalesce);
14205 	if (err)
14206 		goto error;
14207 
14208 	cfg80211_free_coalesce(rdev->coalesce);
14209 	rdev->coalesce = new_coalesce;
14210 
14211 	return 0;
14212 error:
14213 	cfg80211_free_coalesce(new_coalesce);
14214 
14215 	return err;
14216 }
14217 
14218 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14219 {
14220 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14221 	struct net_device *dev = info->user_ptr[1];
14222 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14223 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14224 	struct cfg80211_gtk_rekey_data rekey_data = {};
14225 	int err;
14226 
14227 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14228 		return -EINVAL;
14229 
14230 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14231 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14232 					  nl80211_rekey_policy, info->extack);
14233 	if (err)
14234 		return err;
14235 
14236 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14237 	    !tb[NL80211_REKEY_DATA_KCK])
14238 		return -EINVAL;
14239 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14240 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14241 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14242 		return -ERANGE;
14243 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14244 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14245 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14246 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14247 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14248 		return -ERANGE;
14249 
14250 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14251 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14252 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14253 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14254 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14255 	if (tb[NL80211_REKEY_DATA_AKM])
14256 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14257 
14258 	if (!wdev->connected)
14259 		return -ENOTCONN;
14260 
14261 	if (!rdev->ops->set_rekey_data)
14262 		return -EOPNOTSUPP;
14263 
14264 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14265 }
14266 
14267 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14268 					     struct genl_info *info)
14269 {
14270 	struct net_device *dev = info->user_ptr[1];
14271 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14272 
14273 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14274 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14275 		return -EINVAL;
14276 
14277 	if (wdev->ap_unexpected_nlportid)
14278 		return -EBUSY;
14279 
14280 	wdev->ap_unexpected_nlportid = info->snd_portid;
14281 	return 0;
14282 }
14283 
14284 static int nl80211_probe_client(struct sk_buff *skb,
14285 				struct genl_info *info)
14286 {
14287 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14288 	struct net_device *dev = info->user_ptr[1];
14289 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14290 	struct sk_buff *msg;
14291 	void *hdr;
14292 	const u8 *addr;
14293 	u64 cookie;
14294 	int err;
14295 
14296 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14297 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14298 		return -EOPNOTSUPP;
14299 
14300 	if (!info->attrs[NL80211_ATTR_MAC])
14301 		return -EINVAL;
14302 
14303 	if (!rdev->ops->probe_client)
14304 		return -EOPNOTSUPP;
14305 
14306 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14307 	if (!msg)
14308 		return -ENOMEM;
14309 
14310 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14311 			     NL80211_CMD_PROBE_CLIENT);
14312 	if (!hdr) {
14313 		err = -ENOBUFS;
14314 		goto free_msg;
14315 	}
14316 
14317 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14318 
14319 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14320 	if (err)
14321 		goto free_msg;
14322 
14323 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14324 			      NL80211_ATTR_PAD))
14325 		goto nla_put_failure;
14326 
14327 	genlmsg_end(msg, hdr);
14328 
14329 	return genlmsg_reply(msg, info);
14330 
14331  nla_put_failure:
14332 	err = -ENOBUFS;
14333  free_msg:
14334 	nlmsg_free(msg);
14335 	return err;
14336 }
14337 
14338 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14339 {
14340 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14341 	struct cfg80211_beacon_registration *reg, *nreg;
14342 	int rv;
14343 
14344 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14345 		return -EOPNOTSUPP;
14346 
14347 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14348 	if (!nreg)
14349 		return -ENOMEM;
14350 
14351 	/* First, check if already registered. */
14352 	spin_lock_bh(&rdev->beacon_registrations_lock);
14353 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14354 		if (reg->nlportid == info->snd_portid) {
14355 			rv = -EALREADY;
14356 			goto out_err;
14357 		}
14358 	}
14359 	/* Add it to the list */
14360 	nreg->nlportid = info->snd_portid;
14361 	list_add(&nreg->list, &rdev->beacon_registrations);
14362 
14363 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14364 
14365 	return 0;
14366 out_err:
14367 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14368 	kfree(nreg);
14369 	return rv;
14370 }
14371 
14372 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14373 {
14374 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14375 	struct wireless_dev *wdev = info->user_ptr[1];
14376 	int err;
14377 
14378 	if (!rdev->ops->start_p2p_device)
14379 		return -EOPNOTSUPP;
14380 
14381 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14382 		return -EOPNOTSUPP;
14383 
14384 	if (wdev_running(wdev))
14385 		return 0;
14386 
14387 	if (rfkill_blocked(rdev->wiphy.rfkill))
14388 		return -ERFKILL;
14389 
14390 	err = rdev_start_p2p_device(rdev, wdev);
14391 	if (err)
14392 		return err;
14393 
14394 	wdev->is_running = true;
14395 	rdev->opencount++;
14396 
14397 	return 0;
14398 }
14399 
14400 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14401 {
14402 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14403 	struct wireless_dev *wdev = info->user_ptr[1];
14404 
14405 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14406 		return -EOPNOTSUPP;
14407 
14408 	if (!rdev->ops->stop_p2p_device)
14409 		return -EOPNOTSUPP;
14410 
14411 	cfg80211_stop_p2p_device(rdev, wdev);
14412 
14413 	return 0;
14414 }
14415 
14416 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14417 {
14418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14419 	struct wireless_dev *wdev = info->user_ptr[1];
14420 	struct cfg80211_nan_conf conf = {};
14421 	int err;
14422 
14423 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14424 		return -EOPNOTSUPP;
14425 
14426 	if (wdev_running(wdev))
14427 		return -EEXIST;
14428 
14429 	if (rfkill_blocked(rdev->wiphy.rfkill))
14430 		return -ERFKILL;
14431 
14432 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14433 		return -EINVAL;
14434 
14435 	conf.master_pref =
14436 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14437 
14438 	if (info->attrs[NL80211_ATTR_BANDS]) {
14439 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14440 
14441 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14442 			return -EOPNOTSUPP;
14443 
14444 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14445 			return -EINVAL;
14446 
14447 		conf.bands = bands;
14448 	}
14449 
14450 	err = rdev_start_nan(rdev, wdev, &conf);
14451 	if (err)
14452 		return err;
14453 
14454 	wdev->is_running = true;
14455 	rdev->opencount++;
14456 
14457 	return 0;
14458 }
14459 
14460 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14461 {
14462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14463 	struct wireless_dev *wdev = info->user_ptr[1];
14464 
14465 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14466 		return -EOPNOTSUPP;
14467 
14468 	cfg80211_stop_nan(rdev, wdev);
14469 
14470 	return 0;
14471 }
14472 
14473 static int validate_nan_filter(struct nlattr *filter_attr)
14474 {
14475 	struct nlattr *attr;
14476 	int len = 0, n_entries = 0, rem;
14477 
14478 	nla_for_each_nested(attr, filter_attr, rem) {
14479 		len += nla_len(attr);
14480 		n_entries++;
14481 	}
14482 
14483 	if (len >= U8_MAX)
14484 		return -EINVAL;
14485 
14486 	return n_entries;
14487 }
14488 
14489 static int handle_nan_filter(struct nlattr *attr_filter,
14490 			     struct cfg80211_nan_func *func,
14491 			     bool tx)
14492 {
14493 	struct nlattr *attr;
14494 	int n_entries, rem, i;
14495 	struct cfg80211_nan_func_filter *filter;
14496 
14497 	n_entries = validate_nan_filter(attr_filter);
14498 	if (n_entries < 0)
14499 		return n_entries;
14500 
14501 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14502 
14503 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14504 	if (!filter)
14505 		return -ENOMEM;
14506 
14507 	i = 0;
14508 	nla_for_each_nested(attr, attr_filter, rem) {
14509 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14510 		if (!filter[i].filter)
14511 			goto err;
14512 
14513 		filter[i].len = nla_len(attr);
14514 		i++;
14515 	}
14516 	if (tx) {
14517 		func->num_tx_filters = n_entries;
14518 		func->tx_filters = filter;
14519 	} else {
14520 		func->num_rx_filters = n_entries;
14521 		func->rx_filters = filter;
14522 	}
14523 
14524 	return 0;
14525 
14526 err:
14527 	i = 0;
14528 	nla_for_each_nested(attr, attr_filter, rem) {
14529 		kfree(filter[i].filter);
14530 		i++;
14531 	}
14532 	kfree(filter);
14533 	return -ENOMEM;
14534 }
14535 
14536 static int nl80211_nan_add_func(struct sk_buff *skb,
14537 				struct genl_info *info)
14538 {
14539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14540 	struct wireless_dev *wdev = info->user_ptr[1];
14541 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14542 	struct cfg80211_nan_func *func;
14543 	struct sk_buff *msg = NULL;
14544 	void *hdr = NULL;
14545 	int err = 0;
14546 
14547 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14548 		return -EOPNOTSUPP;
14549 
14550 	if (!wdev_running(wdev))
14551 		return -ENOTCONN;
14552 
14553 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14554 		return -EINVAL;
14555 
14556 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14557 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14558 					  nl80211_nan_func_policy,
14559 					  info->extack);
14560 	if (err)
14561 		return err;
14562 
14563 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14564 	if (!func)
14565 		return -ENOMEM;
14566 
14567 	func->cookie = cfg80211_assign_cookie(rdev);
14568 
14569 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14570 		err = -EINVAL;
14571 		goto out;
14572 	}
14573 
14574 
14575 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14576 
14577 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14578 		err = -EINVAL;
14579 		goto out;
14580 	}
14581 
14582 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14583 	       sizeof(func->service_id));
14584 
14585 	func->close_range =
14586 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14587 
14588 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14589 		func->serv_spec_info_len =
14590 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14591 		func->serv_spec_info =
14592 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14593 				func->serv_spec_info_len,
14594 				GFP_KERNEL);
14595 		if (!func->serv_spec_info) {
14596 			err = -ENOMEM;
14597 			goto out;
14598 		}
14599 	}
14600 
14601 	if (tb[NL80211_NAN_FUNC_TTL])
14602 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14603 
14604 	switch (func->type) {
14605 	case NL80211_NAN_FUNC_PUBLISH:
14606 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14607 			err = -EINVAL;
14608 			goto out;
14609 		}
14610 
14611 		func->publish_type =
14612 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14613 		func->publish_bcast =
14614 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14615 
14616 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14617 			func->publish_bcast) {
14618 			err = -EINVAL;
14619 			goto out;
14620 		}
14621 		break;
14622 	case NL80211_NAN_FUNC_SUBSCRIBE:
14623 		func->subscribe_active =
14624 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14625 		break;
14626 	case NL80211_NAN_FUNC_FOLLOW_UP:
14627 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14628 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14629 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14630 			err = -EINVAL;
14631 			goto out;
14632 		}
14633 
14634 		func->followup_id =
14635 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14636 		func->followup_reqid =
14637 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14638 		memcpy(func->followup_dest.addr,
14639 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14640 		       sizeof(func->followup_dest.addr));
14641 		if (func->ttl) {
14642 			err = -EINVAL;
14643 			goto out;
14644 		}
14645 		break;
14646 	default:
14647 		err = -EINVAL;
14648 		goto out;
14649 	}
14650 
14651 	if (tb[NL80211_NAN_FUNC_SRF]) {
14652 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14653 
14654 		err = nla_parse_nested_deprecated(srf_tb,
14655 						  NL80211_NAN_SRF_ATTR_MAX,
14656 						  tb[NL80211_NAN_FUNC_SRF],
14657 						  nl80211_nan_srf_policy,
14658 						  info->extack);
14659 		if (err)
14660 			goto out;
14661 
14662 		func->srf_include =
14663 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14664 
14665 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14666 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14667 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14668 				err = -EINVAL;
14669 				goto out;
14670 			}
14671 
14672 			func->srf_bf_len =
14673 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14674 			func->srf_bf =
14675 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14676 					func->srf_bf_len, GFP_KERNEL);
14677 			if (!func->srf_bf) {
14678 				err = -ENOMEM;
14679 				goto out;
14680 			}
14681 
14682 			func->srf_bf_idx =
14683 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14684 		} else {
14685 			struct nlattr *attr, *mac_attr =
14686 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14687 			int n_entries, rem, i = 0;
14688 
14689 			if (!mac_attr) {
14690 				err = -EINVAL;
14691 				goto out;
14692 			}
14693 
14694 			n_entries = validate_acl_mac_addrs(mac_attr);
14695 			if (n_entries <= 0) {
14696 				err = -EINVAL;
14697 				goto out;
14698 			}
14699 
14700 			func->srf_num_macs = n_entries;
14701 			func->srf_macs =
14702 				kcalloc(n_entries, sizeof(*func->srf_macs),
14703 					GFP_KERNEL);
14704 			if (!func->srf_macs) {
14705 				err = -ENOMEM;
14706 				goto out;
14707 			}
14708 
14709 			nla_for_each_nested(attr, mac_attr, rem)
14710 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14711 				       sizeof(*func->srf_macs));
14712 		}
14713 	}
14714 
14715 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14716 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14717 					func, true);
14718 		if (err)
14719 			goto out;
14720 	}
14721 
14722 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14723 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14724 					func, false);
14725 		if (err)
14726 			goto out;
14727 	}
14728 
14729 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14730 	if (!msg) {
14731 		err = -ENOMEM;
14732 		goto out;
14733 	}
14734 
14735 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14736 			     NL80211_CMD_ADD_NAN_FUNCTION);
14737 	/* This can't really happen - we just allocated 4KB */
14738 	if (WARN_ON(!hdr)) {
14739 		err = -ENOMEM;
14740 		goto out;
14741 	}
14742 
14743 	err = rdev_add_nan_func(rdev, wdev, func);
14744 out:
14745 	if (err < 0) {
14746 		cfg80211_free_nan_func(func);
14747 		nlmsg_free(msg);
14748 		return err;
14749 	}
14750 
14751 	/* propagate the instance id and cookie to userspace  */
14752 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14753 			      NL80211_ATTR_PAD))
14754 		goto nla_put_failure;
14755 
14756 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14757 	if (!func_attr)
14758 		goto nla_put_failure;
14759 
14760 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14761 		       func->instance_id))
14762 		goto nla_put_failure;
14763 
14764 	nla_nest_end(msg, func_attr);
14765 
14766 	genlmsg_end(msg, hdr);
14767 	return genlmsg_reply(msg, info);
14768 
14769 nla_put_failure:
14770 	nlmsg_free(msg);
14771 	return -ENOBUFS;
14772 }
14773 
14774 static int nl80211_nan_del_func(struct sk_buff *skb,
14775 			       struct genl_info *info)
14776 {
14777 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14778 	struct wireless_dev *wdev = info->user_ptr[1];
14779 	u64 cookie;
14780 
14781 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14782 		return -EOPNOTSUPP;
14783 
14784 	if (!wdev_running(wdev))
14785 		return -ENOTCONN;
14786 
14787 	if (!info->attrs[NL80211_ATTR_COOKIE])
14788 		return -EINVAL;
14789 
14790 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14791 
14792 	rdev_del_nan_func(rdev, wdev, cookie);
14793 
14794 	return 0;
14795 }
14796 
14797 static int nl80211_nan_change_config(struct sk_buff *skb,
14798 				     struct genl_info *info)
14799 {
14800 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14801 	struct wireless_dev *wdev = info->user_ptr[1];
14802 	struct cfg80211_nan_conf conf = {};
14803 	u32 changed = 0;
14804 
14805 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14806 		return -EOPNOTSUPP;
14807 
14808 	if (!wdev_running(wdev))
14809 		return -ENOTCONN;
14810 
14811 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14812 		conf.master_pref =
14813 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14814 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14815 			return -EINVAL;
14816 
14817 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14818 	}
14819 
14820 	if (info->attrs[NL80211_ATTR_BANDS]) {
14821 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14822 
14823 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14824 			return -EOPNOTSUPP;
14825 
14826 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14827 			return -EINVAL;
14828 
14829 		conf.bands = bands;
14830 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14831 	}
14832 
14833 	if (!changed)
14834 		return -EINVAL;
14835 
14836 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14837 }
14838 
14839 void cfg80211_nan_match(struct wireless_dev *wdev,
14840 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14841 {
14842 	struct wiphy *wiphy = wdev->wiphy;
14843 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14844 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14845 	struct sk_buff *msg;
14846 	void *hdr;
14847 
14848 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14849 		return;
14850 
14851 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14852 	if (!msg)
14853 		return;
14854 
14855 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14856 	if (!hdr) {
14857 		nlmsg_free(msg);
14858 		return;
14859 	}
14860 
14861 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14862 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14863 					 wdev->netdev->ifindex)) ||
14864 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14865 			      NL80211_ATTR_PAD))
14866 		goto nla_put_failure;
14867 
14868 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14869 			      NL80211_ATTR_PAD) ||
14870 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14871 		goto nla_put_failure;
14872 
14873 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14874 	if (!match_attr)
14875 		goto nla_put_failure;
14876 
14877 	local_func_attr = nla_nest_start_noflag(msg,
14878 						NL80211_NAN_MATCH_FUNC_LOCAL);
14879 	if (!local_func_attr)
14880 		goto nla_put_failure;
14881 
14882 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14883 		goto nla_put_failure;
14884 
14885 	nla_nest_end(msg, local_func_attr);
14886 
14887 	peer_func_attr = nla_nest_start_noflag(msg,
14888 					       NL80211_NAN_MATCH_FUNC_PEER);
14889 	if (!peer_func_attr)
14890 		goto nla_put_failure;
14891 
14892 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14893 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14894 		goto nla_put_failure;
14895 
14896 	if (match->info && match->info_len &&
14897 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14898 		    match->info))
14899 		goto nla_put_failure;
14900 
14901 	nla_nest_end(msg, peer_func_attr);
14902 	nla_nest_end(msg, match_attr);
14903 	genlmsg_end(msg, hdr);
14904 
14905 	if (!wdev->owner_nlportid)
14906 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14907 					msg, 0, NL80211_MCGRP_NAN, gfp);
14908 	else
14909 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14910 				wdev->owner_nlportid);
14911 
14912 	return;
14913 
14914 nla_put_failure:
14915 	nlmsg_free(msg);
14916 }
14917 EXPORT_SYMBOL(cfg80211_nan_match);
14918 
14919 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14920 				  u8 inst_id,
14921 				  enum nl80211_nan_func_term_reason reason,
14922 				  u64 cookie, gfp_t gfp)
14923 {
14924 	struct wiphy *wiphy = wdev->wiphy;
14925 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14926 	struct sk_buff *msg;
14927 	struct nlattr *func_attr;
14928 	void *hdr;
14929 
14930 	if (WARN_ON(!inst_id))
14931 		return;
14932 
14933 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14934 	if (!msg)
14935 		return;
14936 
14937 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14938 	if (!hdr) {
14939 		nlmsg_free(msg);
14940 		return;
14941 	}
14942 
14943 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14944 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14945 					 wdev->netdev->ifindex)) ||
14946 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14947 			      NL80211_ATTR_PAD))
14948 		goto nla_put_failure;
14949 
14950 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14951 			      NL80211_ATTR_PAD))
14952 		goto nla_put_failure;
14953 
14954 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14955 	if (!func_attr)
14956 		goto nla_put_failure;
14957 
14958 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14959 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14960 		goto nla_put_failure;
14961 
14962 	nla_nest_end(msg, func_attr);
14963 	genlmsg_end(msg, hdr);
14964 
14965 	if (!wdev->owner_nlportid)
14966 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14967 					msg, 0, NL80211_MCGRP_NAN, gfp);
14968 	else
14969 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14970 				wdev->owner_nlportid);
14971 
14972 	return;
14973 
14974 nla_put_failure:
14975 	nlmsg_free(msg);
14976 }
14977 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14978 
14979 static int nl80211_get_protocol_features(struct sk_buff *skb,
14980 					 struct genl_info *info)
14981 {
14982 	void *hdr;
14983 	struct sk_buff *msg;
14984 
14985 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14986 	if (!msg)
14987 		return -ENOMEM;
14988 
14989 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14990 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14991 	if (!hdr)
14992 		goto nla_put_failure;
14993 
14994 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14995 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14996 		goto nla_put_failure;
14997 
14998 	genlmsg_end(msg, hdr);
14999 	return genlmsg_reply(msg, info);
15000 
15001  nla_put_failure:
15002 	kfree_skb(msg);
15003 	return -ENOBUFS;
15004 }
15005 
15006 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
15007 {
15008 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15009 	struct cfg80211_update_ft_ies_params ft_params;
15010 	struct net_device *dev = info->user_ptr[1];
15011 
15012 	if (!rdev->ops->update_ft_ies)
15013 		return -EOPNOTSUPP;
15014 
15015 	if (!info->attrs[NL80211_ATTR_MDID] ||
15016 	    !info->attrs[NL80211_ATTR_IE])
15017 		return -EINVAL;
15018 
15019 	memset(&ft_params, 0, sizeof(ft_params));
15020 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
15021 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15022 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15023 
15024 	return rdev_update_ft_ies(rdev, dev, &ft_params);
15025 }
15026 
15027 static int nl80211_crit_protocol_start(struct sk_buff *skb,
15028 				       struct genl_info *info)
15029 {
15030 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15031 	struct wireless_dev *wdev = info->user_ptr[1];
15032 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15033 	u16 duration;
15034 	int ret;
15035 
15036 	if (!rdev->ops->crit_proto_start)
15037 		return -EOPNOTSUPP;
15038 
15039 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15040 		return -EINVAL;
15041 
15042 	if (rdev->crit_proto_nlportid)
15043 		return -EBUSY;
15044 
15045 	/* determine protocol if provided */
15046 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15047 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15048 
15049 	if (proto >= NUM_NL80211_CRIT_PROTO)
15050 		return -EINVAL;
15051 
15052 	/* timeout must be provided */
15053 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15054 		return -EINVAL;
15055 
15056 	duration =
15057 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15058 
15059 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15060 	if (!ret)
15061 		rdev->crit_proto_nlportid = info->snd_portid;
15062 
15063 	return ret;
15064 }
15065 
15066 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15067 				      struct genl_info *info)
15068 {
15069 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15070 	struct wireless_dev *wdev = info->user_ptr[1];
15071 
15072 	if (!rdev->ops->crit_proto_stop)
15073 		return -EOPNOTSUPP;
15074 
15075 	if (rdev->crit_proto_nlportid) {
15076 		rdev->crit_proto_nlportid = 0;
15077 		rdev_crit_proto_stop(rdev, wdev);
15078 	}
15079 	return 0;
15080 }
15081 
15082 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15083 				       struct nlattr *attr,
15084 				       struct netlink_ext_ack *extack)
15085 {
15086 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15087 		if (attr->nla_type & NLA_F_NESTED) {
15088 			NL_SET_ERR_MSG_ATTR(extack, attr,
15089 					    "unexpected nested data");
15090 			return -EINVAL;
15091 		}
15092 
15093 		return 0;
15094 	}
15095 
15096 	if (!(attr->nla_type & NLA_F_NESTED)) {
15097 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15098 		return -EINVAL;
15099 	}
15100 
15101 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15102 }
15103 
15104 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15105 {
15106 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15107 	struct wireless_dev *wdev =
15108 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15109 					   info->attrs);
15110 	int i, err;
15111 	u32 vid, subcmd;
15112 
15113 	if (!rdev->wiphy.vendor_commands)
15114 		return -EOPNOTSUPP;
15115 
15116 	if (IS_ERR(wdev)) {
15117 		err = PTR_ERR(wdev);
15118 		if (err != -EINVAL)
15119 			return err;
15120 		wdev = NULL;
15121 	} else if (wdev->wiphy != &rdev->wiphy) {
15122 		return -EINVAL;
15123 	}
15124 
15125 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15126 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15127 		return -EINVAL;
15128 
15129 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15130 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15131 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15132 		const struct wiphy_vendor_command *vcmd;
15133 		void *data = NULL;
15134 		int len = 0;
15135 
15136 		vcmd = &rdev->wiphy.vendor_commands[i];
15137 
15138 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15139 			continue;
15140 
15141 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15142 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15143 			if (!wdev)
15144 				return -EINVAL;
15145 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15146 			    !wdev->netdev)
15147 				return -EINVAL;
15148 
15149 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15150 				if (!wdev_running(wdev))
15151 					return -ENETDOWN;
15152 			}
15153 		} else {
15154 			wdev = NULL;
15155 		}
15156 
15157 		if (!vcmd->doit)
15158 			return -EOPNOTSUPP;
15159 
15160 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15161 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15162 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15163 
15164 			err = nl80211_vendor_check_policy(vcmd,
15165 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15166 					info->extack);
15167 			if (err)
15168 				return err;
15169 		}
15170 
15171 		rdev->cur_cmd_info = info;
15172 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15173 		rdev->cur_cmd_info = NULL;
15174 		return err;
15175 	}
15176 
15177 	return -EOPNOTSUPP;
15178 }
15179 
15180 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15181 				       struct netlink_callback *cb,
15182 				       struct cfg80211_registered_device **rdev,
15183 				       struct wireless_dev **wdev)
15184 {
15185 	struct nlattr **attrbuf;
15186 	u32 vid, subcmd;
15187 	unsigned int i;
15188 	int vcmd_idx = -1;
15189 	int err;
15190 	void *data = NULL;
15191 	unsigned int data_len = 0;
15192 
15193 	if (cb->args[0]) {
15194 		/* subtract the 1 again here */
15195 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15196 		struct wireless_dev *tmp;
15197 
15198 		if (!wiphy)
15199 			return -ENODEV;
15200 		*rdev = wiphy_to_rdev(wiphy);
15201 		*wdev = NULL;
15202 
15203 		if (cb->args[1]) {
15204 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15205 				if (tmp->identifier == cb->args[1] - 1) {
15206 					*wdev = tmp;
15207 					break;
15208 				}
15209 			}
15210 		}
15211 
15212 		/* keep rtnl locked in successful case */
15213 		return 0;
15214 	}
15215 
15216 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15217 	if (!attrbuf)
15218 		return -ENOMEM;
15219 
15220 	err = nlmsg_parse_deprecated(cb->nlh,
15221 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15222 				     attrbuf, nl80211_fam.maxattr,
15223 				     nl80211_policy, NULL);
15224 	if (err)
15225 		goto out;
15226 
15227 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15228 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15229 		err = -EINVAL;
15230 		goto out;
15231 	}
15232 
15233 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15234 	if (IS_ERR(*wdev))
15235 		*wdev = NULL;
15236 
15237 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15238 	if (IS_ERR(*rdev)) {
15239 		err = PTR_ERR(*rdev);
15240 		goto out;
15241 	}
15242 
15243 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15244 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15245 
15246 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15247 		const struct wiphy_vendor_command *vcmd;
15248 
15249 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15250 
15251 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15252 			continue;
15253 
15254 		if (!vcmd->dumpit) {
15255 			err = -EOPNOTSUPP;
15256 			goto out;
15257 		}
15258 
15259 		vcmd_idx = i;
15260 		break;
15261 	}
15262 
15263 	if (vcmd_idx < 0) {
15264 		err = -EOPNOTSUPP;
15265 		goto out;
15266 	}
15267 
15268 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15269 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15270 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15271 
15272 		err = nl80211_vendor_check_policy(
15273 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15274 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15275 				cb->extack);
15276 		if (err)
15277 			goto out;
15278 	}
15279 
15280 	/* 0 is the first index - add 1 to parse only once */
15281 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15282 	/* add 1 to know if it was NULL */
15283 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15284 	cb->args[2] = vcmd_idx;
15285 	cb->args[3] = (unsigned long)data;
15286 	cb->args[4] = data_len;
15287 
15288 	/* keep rtnl locked in successful case */
15289 	err = 0;
15290 out:
15291 	kfree(attrbuf);
15292 	return err;
15293 }
15294 
15295 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15296 				   struct netlink_callback *cb)
15297 {
15298 	struct cfg80211_registered_device *rdev;
15299 	struct wireless_dev *wdev;
15300 	unsigned int vcmd_idx;
15301 	const struct wiphy_vendor_command *vcmd;
15302 	void *data;
15303 	int data_len;
15304 	int err;
15305 	struct nlattr *vendor_data;
15306 
15307 	rtnl_lock();
15308 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15309 	if (err)
15310 		goto out;
15311 
15312 	vcmd_idx = cb->args[2];
15313 	data = (void *)cb->args[3];
15314 	data_len = cb->args[4];
15315 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15316 
15317 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15318 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15319 		if (!wdev) {
15320 			err = -EINVAL;
15321 			goto out;
15322 		}
15323 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15324 		    !wdev->netdev) {
15325 			err = -EINVAL;
15326 			goto out;
15327 		}
15328 
15329 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15330 			if (!wdev_running(wdev)) {
15331 				err = -ENETDOWN;
15332 				goto out;
15333 			}
15334 		}
15335 	}
15336 
15337 	while (1) {
15338 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15339 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15340 					   NL80211_CMD_VENDOR);
15341 		if (!hdr)
15342 			break;
15343 
15344 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15345 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15346 					       wdev_id(wdev),
15347 					       NL80211_ATTR_PAD))) {
15348 			genlmsg_cancel(skb, hdr);
15349 			break;
15350 		}
15351 
15352 		vendor_data = nla_nest_start_noflag(skb,
15353 						    NL80211_ATTR_VENDOR_DATA);
15354 		if (!vendor_data) {
15355 			genlmsg_cancel(skb, hdr);
15356 			break;
15357 		}
15358 
15359 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15360 				   (unsigned long *)&cb->args[5]);
15361 		nla_nest_end(skb, vendor_data);
15362 
15363 		if (err == -ENOBUFS || err == -ENOENT) {
15364 			genlmsg_cancel(skb, hdr);
15365 			break;
15366 		} else if (err <= 0) {
15367 			genlmsg_cancel(skb, hdr);
15368 			goto out;
15369 		}
15370 
15371 		genlmsg_end(skb, hdr);
15372 	}
15373 
15374 	err = skb->len;
15375  out:
15376 	rtnl_unlock();
15377 	return err;
15378 }
15379 
15380 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15381 					   enum nl80211_commands cmd,
15382 					   enum nl80211_attrs attr,
15383 					   int approxlen)
15384 {
15385 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15386 
15387 	if (WARN_ON(!rdev->cur_cmd_info))
15388 		return NULL;
15389 
15390 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15391 					   rdev->cur_cmd_info->snd_portid,
15392 					   rdev->cur_cmd_info->snd_seq,
15393 					   cmd, attr, NULL, GFP_KERNEL);
15394 }
15395 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15396 
15397 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15398 {
15399 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15400 	void *hdr = ((void **)skb->cb)[1];
15401 	struct nlattr *data = ((void **)skb->cb)[2];
15402 
15403 	/* clear CB data for netlink core to own from now on */
15404 	memset(skb->cb, 0, sizeof(skb->cb));
15405 
15406 	if (WARN_ON(!rdev->cur_cmd_info)) {
15407 		kfree_skb(skb);
15408 		return -EINVAL;
15409 	}
15410 
15411 	nla_nest_end(skb, data);
15412 	genlmsg_end(skb, hdr);
15413 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15414 }
15415 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15416 
15417 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15418 {
15419 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15420 
15421 	if (WARN_ON(!rdev->cur_cmd_info))
15422 		return 0;
15423 
15424 	return rdev->cur_cmd_info->snd_portid;
15425 }
15426 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15427 
15428 static int nl80211_set_qos_map(struct sk_buff *skb,
15429 			       struct genl_info *info)
15430 {
15431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15432 	struct cfg80211_qos_map *qos_map = NULL;
15433 	struct net_device *dev = info->user_ptr[1];
15434 	u8 *pos, len, num_des, des_len, des;
15435 	int ret;
15436 
15437 	if (!rdev->ops->set_qos_map)
15438 		return -EOPNOTSUPP;
15439 
15440 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15441 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15442 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15443 
15444 		if (len % 2)
15445 			return -EINVAL;
15446 
15447 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15448 		if (!qos_map)
15449 			return -ENOMEM;
15450 
15451 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15452 		if (num_des) {
15453 			des_len = num_des *
15454 				sizeof(struct cfg80211_dscp_exception);
15455 			memcpy(qos_map->dscp_exception, pos, des_len);
15456 			qos_map->num_des = num_des;
15457 			for (des = 0; des < num_des; des++) {
15458 				if (qos_map->dscp_exception[des].up > 7) {
15459 					kfree(qos_map);
15460 					return -EINVAL;
15461 				}
15462 			}
15463 			pos += des_len;
15464 		}
15465 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15466 	}
15467 
15468 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15469 	if (!ret)
15470 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15471 
15472 	kfree(qos_map);
15473 	return ret;
15474 }
15475 
15476 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15477 {
15478 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15479 	struct net_device *dev = info->user_ptr[1];
15480 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15481 	const u8 *peer;
15482 	u8 tsid, up;
15483 	u16 admitted_time = 0;
15484 
15485 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15486 		return -EOPNOTSUPP;
15487 
15488 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15489 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15490 		return -EINVAL;
15491 
15492 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15493 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15494 
15495 	/* WMM uses TIDs 0-7 even for TSPEC */
15496 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15497 		/* TODO: handle 802.11 TSPEC/admission control
15498 		 * need more attributes for that (e.g. BA session requirement);
15499 		 * change the WMM admission test above to allow both then
15500 		 */
15501 		return -EINVAL;
15502 	}
15503 
15504 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15505 
15506 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15507 		admitted_time =
15508 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15509 		if (!admitted_time)
15510 			return -EINVAL;
15511 	}
15512 
15513 	switch (wdev->iftype) {
15514 	case NL80211_IFTYPE_STATION:
15515 	case NL80211_IFTYPE_P2P_CLIENT:
15516 		if (wdev->connected)
15517 			break;
15518 		return -ENOTCONN;
15519 	default:
15520 		return -EOPNOTSUPP;
15521 	}
15522 
15523 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15524 }
15525 
15526 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15527 {
15528 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15529 	struct net_device *dev = info->user_ptr[1];
15530 	const u8 *peer;
15531 	u8 tsid;
15532 
15533 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15534 		return -EINVAL;
15535 
15536 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15537 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15538 
15539 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15540 }
15541 
15542 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15543 				       struct genl_info *info)
15544 {
15545 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15546 	struct net_device *dev = info->user_ptr[1];
15547 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15548 	struct cfg80211_chan_def chandef = {};
15549 	const u8 *addr;
15550 	u8 oper_class;
15551 	int err;
15552 
15553 	if (!rdev->ops->tdls_channel_switch ||
15554 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15555 		return -EOPNOTSUPP;
15556 
15557 	switch (dev->ieee80211_ptr->iftype) {
15558 	case NL80211_IFTYPE_STATION:
15559 	case NL80211_IFTYPE_P2P_CLIENT:
15560 		break;
15561 	default:
15562 		return -EOPNOTSUPP;
15563 	}
15564 
15565 	if (!info->attrs[NL80211_ATTR_MAC] ||
15566 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15567 		return -EINVAL;
15568 
15569 	err = nl80211_parse_chandef(rdev, info, &chandef);
15570 	if (err)
15571 		return err;
15572 
15573 	/*
15574 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15575 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15576 	 * specification is not defined for them.
15577 	 */
15578 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15579 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15580 	    chandef.width != NL80211_CHAN_WIDTH_20)
15581 		return -EINVAL;
15582 
15583 	/* we will be active on the TDLS link */
15584 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15585 					   wdev->iftype))
15586 		return -EINVAL;
15587 
15588 	/* don't allow switching to DFS channels */
15589 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15590 		return -EINVAL;
15591 
15592 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15593 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15594 
15595 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15596 }
15597 
15598 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15599 					      struct genl_info *info)
15600 {
15601 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15602 	struct net_device *dev = info->user_ptr[1];
15603 	const u8 *addr;
15604 
15605 	if (!rdev->ops->tdls_channel_switch ||
15606 	    !rdev->ops->tdls_cancel_channel_switch ||
15607 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15608 		return -EOPNOTSUPP;
15609 
15610 	switch (dev->ieee80211_ptr->iftype) {
15611 	case NL80211_IFTYPE_STATION:
15612 	case NL80211_IFTYPE_P2P_CLIENT:
15613 		break;
15614 	default:
15615 		return -EOPNOTSUPP;
15616 	}
15617 
15618 	if (!info->attrs[NL80211_ATTR_MAC])
15619 		return -EINVAL;
15620 
15621 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15622 
15623 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15624 
15625 	return 0;
15626 }
15627 
15628 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15629 					    struct genl_info *info)
15630 {
15631 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15632 	struct net_device *dev = info->user_ptr[1];
15633 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15634 	const struct nlattr *nla;
15635 	bool enabled;
15636 
15637 	if (!rdev->ops->set_multicast_to_unicast)
15638 		return -EOPNOTSUPP;
15639 
15640 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15641 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15642 		return -EOPNOTSUPP;
15643 
15644 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15645 	enabled = nla_get_flag(nla);
15646 
15647 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15648 }
15649 
15650 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15651 {
15652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15653 	struct net_device *dev = info->user_ptr[1];
15654 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15655 	struct cfg80211_pmk_conf pmk_conf = {};
15656 
15657 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15658 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15659 		return -EOPNOTSUPP;
15660 
15661 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15662 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15663 		return -EOPNOTSUPP;
15664 
15665 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15666 		return -EINVAL;
15667 
15668 	if (!wdev->connected)
15669 		return -ENOTCONN;
15670 
15671 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15672 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15673 		return -EINVAL;
15674 
15675 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15676 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15677 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15678 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15679 		return -EINVAL;
15680 
15681 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15682 		pmk_conf.pmk_r0_name =
15683 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15684 
15685 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15686 }
15687 
15688 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15689 {
15690 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15691 	struct net_device *dev = info->user_ptr[1];
15692 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15693 	const u8 *aa;
15694 
15695 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15696 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15697 		return -EOPNOTSUPP;
15698 
15699 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15700 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15701 		return -EOPNOTSUPP;
15702 
15703 	if (!info->attrs[NL80211_ATTR_MAC])
15704 		return -EINVAL;
15705 
15706 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15707 	return rdev_del_pmk(rdev, dev, aa);
15708 }
15709 
15710 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15711 {
15712 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15713 	struct net_device *dev = info->user_ptr[1];
15714 	struct cfg80211_external_auth_params params;
15715 
15716 	if (!rdev->ops->external_auth)
15717 		return -EOPNOTSUPP;
15718 
15719 	if (!info->attrs[NL80211_ATTR_SSID] &&
15720 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15721 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15722 		return -EINVAL;
15723 
15724 	if (!info->attrs[NL80211_ATTR_BSSID])
15725 		return -EINVAL;
15726 
15727 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15728 		return -EINVAL;
15729 
15730 	memset(&params, 0, sizeof(params));
15731 
15732 	if (info->attrs[NL80211_ATTR_SSID]) {
15733 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15734 		if (params.ssid.ssid_len == 0)
15735 			return -EINVAL;
15736 		memcpy(params.ssid.ssid,
15737 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15738 		       params.ssid.ssid_len);
15739 	}
15740 
15741 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15742 	       ETH_ALEN);
15743 
15744 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15745 
15746 	if (info->attrs[NL80211_ATTR_PMKID])
15747 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15748 
15749 	return rdev_external_auth(rdev, dev, &params);
15750 }
15751 
15752 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15753 {
15754 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15755 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15756 	struct net_device *dev = info->user_ptr[1];
15757 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15758 	const u8 *buf;
15759 	size_t len;
15760 	u8 *dest;
15761 	u16 proto;
15762 	bool noencrypt;
15763 	u64 cookie = 0;
15764 	int link_id;
15765 	int err;
15766 
15767 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15768 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15769 		return -EOPNOTSUPP;
15770 
15771 	if (!rdev->ops->tx_control_port)
15772 		return -EOPNOTSUPP;
15773 
15774 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15775 	    !info->attrs[NL80211_ATTR_MAC] ||
15776 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15777 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15778 		return -EINVAL;
15779 	}
15780 
15781 	switch (wdev->iftype) {
15782 	case NL80211_IFTYPE_AP:
15783 	case NL80211_IFTYPE_P2P_GO:
15784 	case NL80211_IFTYPE_MESH_POINT:
15785 		break;
15786 	case NL80211_IFTYPE_ADHOC:
15787 		if (wdev->u.ibss.current_bss)
15788 			break;
15789 		return -ENOTCONN;
15790 	case NL80211_IFTYPE_STATION:
15791 	case NL80211_IFTYPE_P2P_CLIENT:
15792 		if (wdev->connected)
15793 			break;
15794 		return -ENOTCONN;
15795 	default:
15796 		return -EOPNOTSUPP;
15797 	}
15798 
15799 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15800 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15801 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15802 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15803 	noencrypt =
15804 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15805 
15806 	link_id = nl80211_link_id_or_invalid(info->attrs);
15807 
15808 	err = rdev_tx_control_port(rdev, dev, buf, len,
15809 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15810 				   dont_wait_for_ack ? NULL : &cookie);
15811 	if (!err && !dont_wait_for_ack)
15812 		nl_set_extack_cookie_u64(info->extack, cookie);
15813 	return err;
15814 }
15815 
15816 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15817 					   struct genl_info *info)
15818 {
15819 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15820 	struct net_device *dev = info->user_ptr[1];
15821 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15822 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15823 	unsigned int link_id = nl80211_link_id(info->attrs);
15824 	struct sk_buff *msg;
15825 	void *hdr;
15826 	struct nlattr *ftm_stats_attr;
15827 	int err;
15828 
15829 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15830 	    !wdev->links[link_id].ap.beacon_interval)
15831 		return -EOPNOTSUPP;
15832 
15833 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15834 	if (err)
15835 		return err;
15836 
15837 	if (!ftm_stats.filled)
15838 		return -ENODATA;
15839 
15840 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15841 	if (!msg)
15842 		return -ENOMEM;
15843 
15844 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15845 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15846 	if (!hdr)
15847 		goto nla_put_failure;
15848 
15849 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15850 		goto nla_put_failure;
15851 
15852 	ftm_stats_attr = nla_nest_start_noflag(msg,
15853 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15854 	if (!ftm_stats_attr)
15855 		goto nla_put_failure;
15856 
15857 #define SET_FTM(field, name, type)					 \
15858 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15859 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15860 			     ftm_stats.field))				 \
15861 		goto nla_put_failure; } while (0)
15862 #define SET_FTM_U64(field, name)					 \
15863 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15864 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15865 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15866 		goto nla_put_failure; } while (0)
15867 
15868 	SET_FTM(success_num, SUCCESS_NUM, u32);
15869 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15870 	SET_FTM(failed_num, FAILED_NUM, u32);
15871 	SET_FTM(asap_num, ASAP_NUM, u32);
15872 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15873 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15874 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15875 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15876 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15877 #undef SET_FTM
15878 
15879 	nla_nest_end(msg, ftm_stats_attr);
15880 
15881 	genlmsg_end(msg, hdr);
15882 	return genlmsg_reply(msg, info);
15883 
15884 nla_put_failure:
15885 	nlmsg_free(msg);
15886 	return -ENOBUFS;
15887 }
15888 
15889 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15890 {
15891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15892 	struct cfg80211_update_owe_info owe_info;
15893 	struct net_device *dev = info->user_ptr[1];
15894 
15895 	if (!rdev->ops->update_owe_info)
15896 		return -EOPNOTSUPP;
15897 
15898 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15899 	    !info->attrs[NL80211_ATTR_MAC])
15900 		return -EINVAL;
15901 
15902 	memset(&owe_info, 0, sizeof(owe_info));
15903 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15904 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15905 
15906 	if (info->attrs[NL80211_ATTR_IE]) {
15907 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15908 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15909 	}
15910 
15911 	return rdev_update_owe_info(rdev, dev, &owe_info);
15912 }
15913 
15914 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15915 {
15916 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15917 	struct net_device *dev = info->user_ptr[1];
15918 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15919 	struct station_info sinfo = {};
15920 	const u8 *buf;
15921 	size_t len;
15922 	u8 *dest;
15923 	int err;
15924 
15925 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15926 		return -EOPNOTSUPP;
15927 
15928 	if (!info->attrs[NL80211_ATTR_MAC] ||
15929 	    !info->attrs[NL80211_ATTR_FRAME]) {
15930 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15931 		return -EINVAL;
15932 	}
15933 
15934 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15935 		return -EOPNOTSUPP;
15936 
15937 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15938 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15939 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15940 
15941 	if (len < sizeof(struct ethhdr))
15942 		return -EINVAL;
15943 
15944 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15945 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15946 		return -EINVAL;
15947 
15948 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15949 	if (err)
15950 		return err;
15951 
15952 	cfg80211_sinfo_release_content(&sinfo);
15953 
15954 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15955 }
15956 
15957 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15958 			  struct nlattr *attrs[], struct net_device *dev,
15959 			  struct cfg80211_tid_cfg *tid_conf,
15960 			  struct genl_info *info, const u8 *peer,
15961 			  unsigned int link_id)
15962 {
15963 	struct netlink_ext_ack *extack = info->extack;
15964 	u64 mask;
15965 	int err;
15966 
15967 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15968 		return -EINVAL;
15969 
15970 	tid_conf->config_override =
15971 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15972 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15973 
15974 	if (tid_conf->config_override) {
15975 		if (rdev->ops->reset_tid_config) {
15976 			err = rdev_reset_tid_config(rdev, dev, peer,
15977 						    tid_conf->tids);
15978 			if (err)
15979 				return err;
15980 		} else {
15981 			return -EINVAL;
15982 		}
15983 	}
15984 
15985 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15986 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15987 		tid_conf->noack =
15988 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15989 	}
15990 
15991 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15992 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15993 		tid_conf->retry_short =
15994 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15995 
15996 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15997 			return -EINVAL;
15998 	}
15999 
16000 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
16001 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
16002 		tid_conf->retry_long =
16003 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
16004 
16005 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
16006 			return -EINVAL;
16007 	}
16008 
16009 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
16010 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
16011 		tid_conf->ampdu =
16012 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
16013 	}
16014 
16015 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
16016 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
16017 		tid_conf->rtscts =
16018 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
16019 	}
16020 
16021 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
16022 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
16023 		tid_conf->amsdu =
16024 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
16025 	}
16026 
16027 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
16028 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
16029 
16030 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16031 
16032 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16033 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16034 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16035 						    &tid_conf->txrate_mask, dev,
16036 						    true, link_id);
16037 			if (err)
16038 				return err;
16039 
16040 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16041 		}
16042 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16043 	}
16044 
16045 	if (peer)
16046 		mask = rdev->wiphy.tid_config_support.peer;
16047 	else
16048 		mask = rdev->wiphy.tid_config_support.vif;
16049 
16050 	if (tid_conf->mask & ~mask) {
16051 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16052 		return -EOPNOTSUPP;
16053 	}
16054 
16055 	return 0;
16056 }
16057 
16058 static int nl80211_set_tid_config(struct sk_buff *skb,
16059 				  struct genl_info *info)
16060 {
16061 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16062 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16063 	unsigned int link_id = nl80211_link_id(info->attrs);
16064 	struct net_device *dev = info->user_ptr[1];
16065 	struct cfg80211_tid_config *tid_config;
16066 	struct nlattr *tid;
16067 	int conf_idx = 0, rem_conf;
16068 	int ret = -EINVAL;
16069 	u32 num_conf = 0;
16070 
16071 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16072 		return -EINVAL;
16073 
16074 	if (!rdev->ops->set_tid_config)
16075 		return -EOPNOTSUPP;
16076 
16077 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16078 			    rem_conf)
16079 		num_conf++;
16080 
16081 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16082 			     GFP_KERNEL);
16083 	if (!tid_config)
16084 		return -ENOMEM;
16085 
16086 	tid_config->n_tid_conf = num_conf;
16087 
16088 	if (info->attrs[NL80211_ATTR_MAC])
16089 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16090 
16091 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16092 			    rem_conf) {
16093 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16094 				       tid, NULL, NULL);
16095 
16096 		if (ret)
16097 			goto bad_tid_conf;
16098 
16099 		ret = parse_tid_conf(rdev, attrs, dev,
16100 				     &tid_config->tid_conf[conf_idx],
16101 				     info, tid_config->peer, link_id);
16102 		if (ret)
16103 			goto bad_tid_conf;
16104 
16105 		conf_idx++;
16106 	}
16107 
16108 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16109 
16110 bad_tid_conf:
16111 	kfree(tid_config);
16112 	return ret;
16113 }
16114 
16115 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16116 {
16117 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16118 	struct cfg80211_color_change_settings params = {};
16119 	struct net_device *dev = info->user_ptr[1];
16120 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16121 	struct nlattr **tb;
16122 	u16 offset;
16123 	int err;
16124 
16125 	if (!rdev->ops->color_change)
16126 		return -EOPNOTSUPP;
16127 
16128 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16129 				     NL80211_EXT_FEATURE_BSS_COLOR))
16130 		return -EOPNOTSUPP;
16131 
16132 	if (wdev->iftype != NL80211_IFTYPE_AP)
16133 		return -EOPNOTSUPP;
16134 
16135 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16136 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16137 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16138 		return -EINVAL;
16139 
16140 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16141 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16142 
16143 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16144 				   info->extack);
16145 	if (err)
16146 		return err;
16147 
16148 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16149 	if (!tb)
16150 		return -ENOMEM;
16151 
16152 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16153 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16154 			       nl80211_policy, info->extack);
16155 	if (err)
16156 		goto out;
16157 
16158 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16159 				   info->extack);
16160 	if (err)
16161 		goto out;
16162 
16163 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16164 		err = -EINVAL;
16165 		goto out;
16166 	}
16167 
16168 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16169 		err = -EINVAL;
16170 		goto out;
16171 	}
16172 
16173 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16174 	if (offset >= params.beacon_color_change.tail_len) {
16175 		err = -EINVAL;
16176 		goto out;
16177 	}
16178 
16179 	if (params.beacon_color_change.tail[offset] != params.count) {
16180 		err = -EINVAL;
16181 		goto out;
16182 	}
16183 
16184 	params.counter_offset_beacon = offset;
16185 
16186 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16187 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16188 		    sizeof(u16)) {
16189 			err = -EINVAL;
16190 			goto out;
16191 		}
16192 
16193 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16194 		if (offset >= params.beacon_color_change.probe_resp_len) {
16195 			err = -EINVAL;
16196 			goto out;
16197 		}
16198 
16199 		if (params.beacon_color_change.probe_resp[offset] !=
16200 		    params.count) {
16201 			err = -EINVAL;
16202 			goto out;
16203 		}
16204 
16205 		params.counter_offset_presp = offset;
16206 	}
16207 
16208 	params.link_id = nl80211_link_id(info->attrs);
16209 	err = rdev_color_change(rdev, dev, &params);
16210 
16211 out:
16212 	kfree(params.beacon_next.mbssid_ies);
16213 	kfree(params.beacon_color_change.mbssid_ies);
16214 	kfree(params.beacon_next.rnr_ies);
16215 	kfree(params.beacon_color_change.rnr_ies);
16216 	kfree(tb);
16217 	return err;
16218 }
16219 
16220 static int nl80211_set_fils_aad(struct sk_buff *skb,
16221 				struct genl_info *info)
16222 {
16223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16224 	struct net_device *dev = info->user_ptr[1];
16225 	struct cfg80211_fils_aad fils_aad = {};
16226 	u8 *nonces;
16227 
16228 	if (!info->attrs[NL80211_ATTR_MAC] ||
16229 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16230 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16231 		return -EINVAL;
16232 
16233 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16234 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16235 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16236 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16237 	fils_aad.snonce = nonces;
16238 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16239 
16240 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16241 }
16242 
16243 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16244 {
16245 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16246 	unsigned int link_id = nl80211_link_id(info->attrs);
16247 	struct net_device *dev = info->user_ptr[1];
16248 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16249 	int ret;
16250 
16251 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16252 		return -EINVAL;
16253 
16254 	switch (wdev->iftype) {
16255 	case NL80211_IFTYPE_AP:
16256 		break;
16257 	default:
16258 		return -EINVAL;
16259 	}
16260 
16261 	if (!info->attrs[NL80211_ATTR_MAC] ||
16262 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16263 		return -EINVAL;
16264 
16265 	wdev->valid_links |= BIT(link_id);
16266 	ether_addr_copy(wdev->links[link_id].addr,
16267 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16268 
16269 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16270 	if (ret) {
16271 		wdev->valid_links &= ~BIT(link_id);
16272 		eth_zero_addr(wdev->links[link_id].addr);
16273 	}
16274 
16275 	return ret;
16276 }
16277 
16278 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16279 {
16280 	unsigned int link_id = nl80211_link_id(info->attrs);
16281 	struct net_device *dev = info->user_ptr[1];
16282 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16283 
16284 	/* cannot remove if there's no link */
16285 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16286 		return -EINVAL;
16287 
16288 	switch (wdev->iftype) {
16289 	case NL80211_IFTYPE_AP:
16290 		break;
16291 	default:
16292 		return -EINVAL;
16293 	}
16294 
16295 	cfg80211_remove_link(wdev, link_id);
16296 
16297 	return 0;
16298 }
16299 
16300 static int
16301 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16302 			     bool add)
16303 {
16304 	struct link_station_parameters params = {};
16305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16306 	struct net_device *dev = info->user_ptr[1];
16307 	int err;
16308 
16309 	if ((add && !rdev->ops->add_link_station) ||
16310 	    (!add && !rdev->ops->mod_link_station))
16311 		return -EOPNOTSUPP;
16312 
16313 	if (add && !info->attrs[NL80211_ATTR_MAC])
16314 		return -EINVAL;
16315 
16316 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16317 		return -EINVAL;
16318 
16319 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16320 		return -EINVAL;
16321 
16322 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16323 
16324 	if (info->attrs[NL80211_ATTR_MAC]) {
16325 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16326 		if (!is_valid_ether_addr(params.link_mac))
16327 			return -EINVAL;
16328 	}
16329 
16330 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16331 		return -EINVAL;
16332 
16333 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16334 
16335 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16336 		params.supported_rates =
16337 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16338 		params.supported_rates_len =
16339 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16340 	}
16341 
16342 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16343 		params.ht_capa =
16344 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16345 
16346 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16347 		params.vht_capa =
16348 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16349 
16350 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16351 		params.he_capa =
16352 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16353 		params.he_capa_len =
16354 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16355 
16356 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16357 			params.eht_capa =
16358 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16359 			params.eht_capa_len =
16360 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16361 
16362 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16363 							(const u8 *)params.eht_capa,
16364 							params.eht_capa_len,
16365 							false))
16366 				return -EINVAL;
16367 		}
16368 	}
16369 
16370 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16371 		params.he_6ghz_capa =
16372 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16373 
16374 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16375 		params.opmode_notif_used = true;
16376 		params.opmode_notif =
16377 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16378 	}
16379 
16380 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16381 						&params.txpwr_set);
16382 	if (err)
16383 		return err;
16384 
16385 	if (add)
16386 		return rdev_add_link_station(rdev, dev, &params);
16387 
16388 	return rdev_mod_link_station(rdev, dev, &params);
16389 }
16390 
16391 static int
16392 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16393 {
16394 	return nl80211_add_mod_link_station(skb, info, true);
16395 }
16396 
16397 static int
16398 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16399 {
16400 	return nl80211_add_mod_link_station(skb, info, false);
16401 }
16402 
16403 static int
16404 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16405 {
16406 	struct link_station_del_parameters params = {};
16407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16408 	struct net_device *dev = info->user_ptr[1];
16409 
16410 	if (!rdev->ops->del_link_station)
16411 		return -EOPNOTSUPP;
16412 
16413 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16414 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16415 		return -EINVAL;
16416 
16417 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16418 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16419 
16420 	return rdev_del_link_station(rdev, dev, &params);
16421 }
16422 
16423 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16424 				    struct genl_info *info)
16425 {
16426 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16427 	struct net_device *dev = info->user_ptr[1];
16428 	struct cfg80211_set_hw_timestamp hwts = {};
16429 
16430 	if (!rdev->wiphy.hw_timestamp_max_peers)
16431 		return -EOPNOTSUPP;
16432 
16433 	if (!info->attrs[NL80211_ATTR_MAC] &&
16434 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16435 		return -EOPNOTSUPP;
16436 
16437 	if (info->attrs[NL80211_ATTR_MAC])
16438 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16439 
16440 	hwts.enable =
16441 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16442 
16443 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16444 }
16445 
16446 static int
16447 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16448 {
16449 	struct cfg80211_ttlm_params params = {};
16450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16451 	struct net_device *dev = info->user_ptr[1];
16452 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16453 
16454 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16455 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16456 		return -EOPNOTSUPP;
16457 
16458 	if (!wdev->connected)
16459 		return -ENOLINK;
16460 
16461 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16462 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16463 		return -EINVAL;
16464 
16465 	nla_memcpy(params.dlink,
16466 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16467 		   sizeof(params.dlink));
16468 	nla_memcpy(params.ulink,
16469 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16470 		   sizeof(params.ulink));
16471 
16472 	return rdev_set_ttlm(rdev, dev, &params);
16473 }
16474 
16475 #define NL80211_FLAG_NEED_WIPHY		0x01
16476 #define NL80211_FLAG_NEED_NETDEV	0x02
16477 #define NL80211_FLAG_NEED_RTNL		0x04
16478 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16479 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16480 					 NL80211_FLAG_CHECK_NETDEV_UP)
16481 #define NL80211_FLAG_NEED_WDEV		0x10
16482 /* If a netdev is associated, it must be UP, P2P must be started */
16483 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16484 					 NL80211_FLAG_CHECK_NETDEV_UP)
16485 #define NL80211_FLAG_CLEAR_SKB		0x20
16486 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16487 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16488 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16489 
16490 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16491 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16492 	SELECTOR(__sel, WIPHY,				\
16493 		 NL80211_FLAG_NEED_WIPHY)		\
16494 	SELECTOR(__sel, WDEV,				\
16495 		 NL80211_FLAG_NEED_WDEV)		\
16496 	SELECTOR(__sel, NETDEV,				\
16497 		 NL80211_FLAG_NEED_NETDEV)		\
16498 	SELECTOR(__sel, NETDEV_LINK,			\
16499 		 NL80211_FLAG_NEED_NETDEV |		\
16500 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16501 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16502 		 NL80211_FLAG_NEED_NETDEV |		\
16503 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16504 	SELECTOR(__sel, WIPHY_RTNL,			\
16505 		 NL80211_FLAG_NEED_WIPHY |		\
16506 		 NL80211_FLAG_NEED_RTNL)		\
16507 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16508 		 NL80211_FLAG_NEED_WIPHY |		\
16509 		 NL80211_FLAG_NEED_RTNL |		\
16510 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16511 	SELECTOR(__sel, WDEV_RTNL,			\
16512 		 NL80211_FLAG_NEED_WDEV |		\
16513 		 NL80211_FLAG_NEED_RTNL)		\
16514 	SELECTOR(__sel, NETDEV_RTNL,			\
16515 		 NL80211_FLAG_NEED_NETDEV |		\
16516 		 NL80211_FLAG_NEED_RTNL)		\
16517 	SELECTOR(__sel, NETDEV_UP,			\
16518 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16519 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16520 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16521 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16522 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16523 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16524 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16525 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16526 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16527 		 NL80211_FLAG_CLEAR_SKB |		\
16528 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16529 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16530 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16531 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16532 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
16533 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16534 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16535 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16536 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16537 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16538 		 NL80211_FLAG_CLEAR_SKB)		\
16539 	SELECTOR(__sel, WDEV_UP,			\
16540 		 NL80211_FLAG_NEED_WDEV_UP)		\
16541 	SELECTOR(__sel, WDEV_UP_LINK,			\
16542 		 NL80211_FLAG_NEED_WDEV_UP |		\
16543 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16544 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16545 		 NL80211_FLAG_NEED_WDEV_UP |		\
16546 		 NL80211_FLAG_NEED_RTNL)		\
16547 	SELECTOR(__sel, WIPHY_CLEAR,			\
16548 		 NL80211_FLAG_NEED_WIPHY |		\
16549 		 NL80211_FLAG_CLEAR_SKB)
16550 
16551 enum nl80211_internal_flags_selector {
16552 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16553 	INTERNAL_FLAG_SELECTORS(_)
16554 #undef SELECTOR
16555 };
16556 
16557 static u32 nl80211_internal_flags[] = {
16558 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16559 	INTERNAL_FLAG_SELECTORS(_)
16560 #undef SELECTOR
16561 };
16562 
16563 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16564 			    struct sk_buff *skb,
16565 			    struct genl_info *info)
16566 {
16567 	struct cfg80211_registered_device *rdev = NULL;
16568 	struct wireless_dev *wdev = NULL;
16569 	struct net_device *dev = NULL;
16570 	u32 internal_flags;
16571 	int err;
16572 
16573 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16574 		return -EINVAL;
16575 
16576 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16577 
16578 	rtnl_lock();
16579 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16580 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16581 		if (IS_ERR(rdev)) {
16582 			err = PTR_ERR(rdev);
16583 			goto out_unlock;
16584 		}
16585 		info->user_ptr[0] = rdev;
16586 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16587 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16588 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16589 						  info->attrs);
16590 		if (IS_ERR(wdev)) {
16591 			err = PTR_ERR(wdev);
16592 			goto out_unlock;
16593 		}
16594 
16595 		dev = wdev->netdev;
16596 		dev_hold(dev);
16597 		rdev = wiphy_to_rdev(wdev->wiphy);
16598 
16599 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16600 			if (!dev) {
16601 				err = -EINVAL;
16602 				goto out_unlock;
16603 			}
16604 
16605 			info->user_ptr[1] = dev;
16606 		} else {
16607 			info->user_ptr[1] = wdev;
16608 		}
16609 
16610 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16611 		    !wdev_running(wdev)) {
16612 			err = -ENETDOWN;
16613 			goto out_unlock;
16614 		}
16615 
16616 		info->user_ptr[0] = rdev;
16617 	}
16618 
16619 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16620 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16621 
16622 		if (!wdev) {
16623 			err = -EINVAL;
16624 			goto out_unlock;
16625 		}
16626 
16627 		/* MLO -> require valid link ID */
16628 		if (wdev->valid_links &&
16629 		    (!link_id ||
16630 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16631 			err = -EINVAL;
16632 			goto out_unlock;
16633 		}
16634 
16635 		/* non-MLO -> no link ID attribute accepted */
16636 		if (!wdev->valid_links && link_id) {
16637 			err = -EINVAL;
16638 			goto out_unlock;
16639 		}
16640 	}
16641 
16642 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16643 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16644 		    (wdev && wdev->valid_links)) {
16645 			err = -EINVAL;
16646 			goto out_unlock;
16647 		}
16648 	}
16649 
16650 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16651 		wiphy_lock(&rdev->wiphy);
16652 		/* we keep the mutex locked until post_doit */
16653 		__release(&rdev->wiphy.mtx);
16654 	}
16655 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16656 		rtnl_unlock();
16657 
16658 	return 0;
16659 out_unlock:
16660 	rtnl_unlock();
16661 	dev_put(dev);
16662 	return err;
16663 }
16664 
16665 static void nl80211_post_doit(const struct genl_split_ops *ops,
16666 			      struct sk_buff *skb,
16667 			      struct genl_info *info)
16668 {
16669 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16670 
16671 	if (info->user_ptr[1]) {
16672 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16673 			struct wireless_dev *wdev = info->user_ptr[1];
16674 
16675 			dev_put(wdev->netdev);
16676 		} else {
16677 			dev_put(info->user_ptr[1]);
16678 		}
16679 	}
16680 
16681 	if (info->user_ptr[0] &&
16682 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16683 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16684 
16685 		/* we kept the mutex locked since pre_doit */
16686 		__acquire(&rdev->wiphy.mtx);
16687 		wiphy_unlock(&rdev->wiphy);
16688 	}
16689 
16690 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16691 		rtnl_unlock();
16692 
16693 	/* If needed, clear the netlink message payload from the SKB
16694 	 * as it might contain key data that shouldn't stick around on
16695 	 * the heap after the SKB is freed. The netlink message header
16696 	 * is still needed for further processing, so leave it intact.
16697 	 */
16698 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16699 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16700 
16701 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16702 	}
16703 }
16704 
16705 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16706 				     struct cfg80211_sar_specs *sar_specs,
16707 				     struct nlattr *spec[], int index)
16708 {
16709 	u32 range_index, i;
16710 
16711 	if (!sar_specs || !spec)
16712 		return -EINVAL;
16713 
16714 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16715 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16716 		return -EINVAL;
16717 
16718 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16719 
16720 	/* check if range_index exceeds num_freq_ranges */
16721 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16722 		return -EINVAL;
16723 
16724 	/* check if range_index duplicates */
16725 	for (i = 0; i < index; i++) {
16726 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16727 			return -EINVAL;
16728 	}
16729 
16730 	sar_specs->sub_specs[index].power =
16731 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16732 
16733 	sar_specs->sub_specs[index].freq_range_index = range_index;
16734 
16735 	return 0;
16736 }
16737 
16738 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16739 {
16740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16741 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16742 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16743 	struct cfg80211_sar_specs *sar_spec;
16744 	enum nl80211_sar_type type;
16745 	struct nlattr *spec_list;
16746 	u32 specs;
16747 	int rem, err;
16748 
16749 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16750 		return -EOPNOTSUPP;
16751 
16752 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16753 		return -EINVAL;
16754 
16755 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16756 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16757 			 NULL, NULL);
16758 
16759 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16760 		return -EINVAL;
16761 
16762 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16763 	if (type != rdev->wiphy.sar_capa->type)
16764 		return -EINVAL;
16765 
16766 	specs = 0;
16767 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16768 		specs++;
16769 
16770 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16771 		return -EINVAL;
16772 
16773 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16774 	if (!sar_spec)
16775 		return -ENOMEM;
16776 
16777 	sar_spec->type = type;
16778 	specs = 0;
16779 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16780 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16781 				 spec_list, NULL, NULL);
16782 
16783 		switch (type) {
16784 		case NL80211_SAR_TYPE_POWER:
16785 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16786 						      spec, specs)) {
16787 				err = -EINVAL;
16788 				goto error;
16789 			}
16790 			break;
16791 		default:
16792 			err = -EINVAL;
16793 			goto error;
16794 		}
16795 		specs++;
16796 	}
16797 
16798 	sar_spec->num_sub_specs = specs;
16799 
16800 	rdev->cur_cmd_info = info;
16801 	err = rdev_set_sar_specs(rdev, sar_spec);
16802 	rdev->cur_cmd_info = NULL;
16803 error:
16804 	kfree(sar_spec);
16805 	return err;
16806 }
16807 
16808 #define SELECTOR(__sel, name, value) \
16809 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16810 int __missing_selector(void);
16811 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16812 
16813 static const struct genl_ops nl80211_ops[] = {
16814 	{
16815 		.cmd = NL80211_CMD_GET_WIPHY,
16816 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16817 		.doit = nl80211_get_wiphy,
16818 		.dumpit = nl80211_dump_wiphy,
16819 		.done = nl80211_dump_wiphy_done,
16820 		/* can be retrieved by unprivileged users */
16821 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16822 	},
16823 };
16824 
16825 static const struct genl_small_ops nl80211_small_ops[] = {
16826 	{
16827 		.cmd = NL80211_CMD_SET_WIPHY,
16828 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16829 		.doit = nl80211_set_wiphy,
16830 		.flags = GENL_UNS_ADMIN_PERM,
16831 	},
16832 	{
16833 		.cmd = NL80211_CMD_GET_INTERFACE,
16834 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16835 		.doit = nl80211_get_interface,
16836 		.dumpit = nl80211_dump_interface,
16837 		/* can be retrieved by unprivileged users */
16838 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16839 	},
16840 	{
16841 		.cmd = NL80211_CMD_SET_INTERFACE,
16842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16843 		.doit = nl80211_set_interface,
16844 		.flags = GENL_UNS_ADMIN_PERM,
16845 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16846 					 NL80211_FLAG_NEED_RTNL),
16847 	},
16848 	{
16849 		.cmd = NL80211_CMD_NEW_INTERFACE,
16850 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16851 		.doit = nl80211_new_interface,
16852 		.flags = GENL_UNS_ADMIN_PERM,
16853 		.internal_flags =
16854 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16855 			       NL80211_FLAG_NEED_RTNL |
16856 			       /* we take the wiphy mutex later ourselves */
16857 			       NL80211_FLAG_NO_WIPHY_MTX),
16858 	},
16859 	{
16860 		.cmd = NL80211_CMD_DEL_INTERFACE,
16861 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16862 		.doit = nl80211_del_interface,
16863 		.flags = GENL_UNS_ADMIN_PERM,
16864 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16865 					 NL80211_FLAG_NEED_RTNL),
16866 	},
16867 	{
16868 		.cmd = NL80211_CMD_GET_KEY,
16869 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16870 		.doit = nl80211_get_key,
16871 		.flags = GENL_UNS_ADMIN_PERM,
16872 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16873 	},
16874 	{
16875 		.cmd = NL80211_CMD_SET_KEY,
16876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16877 		.doit = nl80211_set_key,
16878 		.flags = GENL_UNS_ADMIN_PERM,
16879 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16880 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16881 					 NL80211_FLAG_CLEAR_SKB),
16882 	},
16883 	{
16884 		.cmd = NL80211_CMD_NEW_KEY,
16885 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16886 		.doit = nl80211_new_key,
16887 		.flags = GENL_UNS_ADMIN_PERM,
16888 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16889 					 NL80211_FLAG_CLEAR_SKB),
16890 	},
16891 	{
16892 		.cmd = NL80211_CMD_DEL_KEY,
16893 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16894 		.doit = nl80211_del_key,
16895 		.flags = GENL_UNS_ADMIN_PERM,
16896 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16897 	},
16898 	{
16899 		.cmd = NL80211_CMD_SET_BEACON,
16900 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16901 		.flags = GENL_UNS_ADMIN_PERM,
16902 		.doit = nl80211_set_beacon,
16903 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16904 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16905 	},
16906 	{
16907 		.cmd = NL80211_CMD_START_AP,
16908 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16909 		.flags = GENL_UNS_ADMIN_PERM,
16910 		.doit = nl80211_start_ap,
16911 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16912 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16913 	},
16914 	{
16915 		.cmd = NL80211_CMD_STOP_AP,
16916 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16917 		.flags = GENL_UNS_ADMIN_PERM,
16918 		.doit = nl80211_stop_ap,
16919 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16920 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16921 	},
16922 	{
16923 		.cmd = NL80211_CMD_GET_STATION,
16924 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16925 		.doit = nl80211_get_station,
16926 		.dumpit = nl80211_dump_station,
16927 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16928 	},
16929 	{
16930 		.cmd = NL80211_CMD_SET_STATION,
16931 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16932 		.doit = nl80211_set_station,
16933 		.flags = GENL_UNS_ADMIN_PERM,
16934 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16935 	},
16936 	{
16937 		.cmd = NL80211_CMD_NEW_STATION,
16938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16939 		.doit = nl80211_new_station,
16940 		.flags = GENL_UNS_ADMIN_PERM,
16941 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16942 	},
16943 	{
16944 		.cmd = NL80211_CMD_DEL_STATION,
16945 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16946 		.doit = nl80211_del_station,
16947 		.flags = GENL_UNS_ADMIN_PERM,
16948 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
16949 		 * whether MAC address is passed or not. If MAC address is
16950 		 * passed, then even during MLO, link ID is not required.
16951 		 */
16952 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16953 	},
16954 	{
16955 		.cmd = NL80211_CMD_GET_MPATH,
16956 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16957 		.doit = nl80211_get_mpath,
16958 		.dumpit = nl80211_dump_mpath,
16959 		.flags = GENL_UNS_ADMIN_PERM,
16960 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16961 	},
16962 	{
16963 		.cmd = NL80211_CMD_GET_MPP,
16964 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16965 		.doit = nl80211_get_mpp,
16966 		.dumpit = nl80211_dump_mpp,
16967 		.flags = GENL_UNS_ADMIN_PERM,
16968 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16969 	},
16970 	{
16971 		.cmd = NL80211_CMD_SET_MPATH,
16972 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16973 		.doit = nl80211_set_mpath,
16974 		.flags = GENL_UNS_ADMIN_PERM,
16975 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16976 	},
16977 	{
16978 		.cmd = NL80211_CMD_NEW_MPATH,
16979 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16980 		.doit = nl80211_new_mpath,
16981 		.flags = GENL_UNS_ADMIN_PERM,
16982 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16983 	},
16984 	{
16985 		.cmd = NL80211_CMD_DEL_MPATH,
16986 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16987 		.doit = nl80211_del_mpath,
16988 		.flags = GENL_UNS_ADMIN_PERM,
16989 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16990 	},
16991 	{
16992 		.cmd = NL80211_CMD_SET_BSS,
16993 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16994 		.doit = nl80211_set_bss,
16995 		.flags = GENL_UNS_ADMIN_PERM,
16996 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16997 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16998 	},
16999 	{
17000 		.cmd = NL80211_CMD_GET_REG,
17001 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17002 		.doit = nl80211_get_reg_do,
17003 		.dumpit = nl80211_get_reg_dump,
17004 		/* can be retrieved by unprivileged users */
17005 	},
17006 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
17007 	{
17008 		.cmd = NL80211_CMD_SET_REG,
17009 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17010 		.doit = nl80211_set_reg,
17011 		.flags = GENL_ADMIN_PERM,
17012 	},
17013 #endif
17014 	{
17015 		.cmd = NL80211_CMD_REQ_SET_REG,
17016 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17017 		.doit = nl80211_req_set_reg,
17018 		.flags = GENL_ADMIN_PERM,
17019 	},
17020 	{
17021 		.cmd = NL80211_CMD_RELOAD_REGDB,
17022 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17023 		.doit = nl80211_reload_regdb,
17024 		.flags = GENL_ADMIN_PERM,
17025 	},
17026 	{
17027 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
17028 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17029 		.doit = nl80211_get_mesh_config,
17030 		/* can be retrieved by unprivileged users */
17031 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17032 	},
17033 	{
17034 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17035 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17036 		.doit = nl80211_update_mesh_config,
17037 		.flags = GENL_UNS_ADMIN_PERM,
17038 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17039 	},
17040 	{
17041 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17042 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17043 		.doit = nl80211_trigger_scan,
17044 		.flags = GENL_UNS_ADMIN_PERM,
17045 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17046 	},
17047 	{
17048 		.cmd = NL80211_CMD_ABORT_SCAN,
17049 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17050 		.doit = nl80211_abort_scan,
17051 		.flags = GENL_UNS_ADMIN_PERM,
17052 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17053 	},
17054 	{
17055 		.cmd = NL80211_CMD_GET_SCAN,
17056 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17057 		.dumpit = nl80211_dump_scan,
17058 	},
17059 	{
17060 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17061 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17062 		.doit = nl80211_start_sched_scan,
17063 		.flags = GENL_UNS_ADMIN_PERM,
17064 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17065 	},
17066 	{
17067 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17068 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17069 		.doit = nl80211_stop_sched_scan,
17070 		.flags = GENL_UNS_ADMIN_PERM,
17071 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17072 	},
17073 	{
17074 		.cmd = NL80211_CMD_AUTHENTICATE,
17075 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17076 		.doit = nl80211_authenticate,
17077 		.flags = GENL_UNS_ADMIN_PERM,
17078 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17079 					 NL80211_FLAG_CLEAR_SKB),
17080 	},
17081 	{
17082 		.cmd = NL80211_CMD_ASSOCIATE,
17083 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17084 		.doit = nl80211_associate,
17085 		.flags = GENL_UNS_ADMIN_PERM,
17086 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17087 					 NL80211_FLAG_CLEAR_SKB),
17088 	},
17089 	{
17090 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17091 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17092 		.doit = nl80211_deauthenticate,
17093 		.flags = GENL_UNS_ADMIN_PERM,
17094 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17095 	},
17096 	{
17097 		.cmd = NL80211_CMD_DISASSOCIATE,
17098 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17099 		.doit = nl80211_disassociate,
17100 		.flags = GENL_UNS_ADMIN_PERM,
17101 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17102 	},
17103 	{
17104 		.cmd = NL80211_CMD_JOIN_IBSS,
17105 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17106 		.doit = nl80211_join_ibss,
17107 		.flags = GENL_UNS_ADMIN_PERM,
17108 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17109 	},
17110 	{
17111 		.cmd = NL80211_CMD_LEAVE_IBSS,
17112 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17113 		.doit = nl80211_leave_ibss,
17114 		.flags = GENL_UNS_ADMIN_PERM,
17115 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17116 	},
17117 #ifdef CONFIG_NL80211_TESTMODE
17118 	{
17119 		.cmd = NL80211_CMD_TESTMODE,
17120 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17121 		.doit = nl80211_testmode_do,
17122 		.dumpit = nl80211_testmode_dump,
17123 		.flags = GENL_UNS_ADMIN_PERM,
17124 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17125 	},
17126 #endif
17127 	{
17128 		.cmd = NL80211_CMD_CONNECT,
17129 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17130 		.doit = nl80211_connect,
17131 		.flags = GENL_UNS_ADMIN_PERM,
17132 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17133 					 NL80211_FLAG_CLEAR_SKB),
17134 	},
17135 	{
17136 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17137 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17138 		.doit = nl80211_update_connect_params,
17139 		.flags = GENL_ADMIN_PERM,
17140 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17141 					 NL80211_FLAG_CLEAR_SKB),
17142 	},
17143 	{
17144 		.cmd = NL80211_CMD_DISCONNECT,
17145 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17146 		.doit = nl80211_disconnect,
17147 		.flags = GENL_UNS_ADMIN_PERM,
17148 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17149 	},
17150 	{
17151 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17152 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17153 		.doit = nl80211_wiphy_netns,
17154 		.flags = GENL_UNS_ADMIN_PERM,
17155 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17156 					 NL80211_FLAG_NEED_RTNL |
17157 					 NL80211_FLAG_NO_WIPHY_MTX),
17158 	},
17159 	{
17160 		.cmd = NL80211_CMD_GET_SURVEY,
17161 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17162 		.dumpit = nl80211_dump_survey,
17163 	},
17164 	{
17165 		.cmd = NL80211_CMD_SET_PMKSA,
17166 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17167 		.doit = nl80211_set_pmksa,
17168 		.flags = GENL_UNS_ADMIN_PERM,
17169 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17170 					 NL80211_FLAG_CLEAR_SKB),
17171 	},
17172 	{
17173 		.cmd = NL80211_CMD_DEL_PMKSA,
17174 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17175 		.doit = nl80211_del_pmksa,
17176 		.flags = GENL_UNS_ADMIN_PERM,
17177 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17178 	},
17179 	{
17180 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17181 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17182 		.doit = nl80211_flush_pmksa,
17183 		.flags = GENL_UNS_ADMIN_PERM,
17184 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17185 	},
17186 	{
17187 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17188 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17189 		.doit = nl80211_remain_on_channel,
17190 		.flags = GENL_UNS_ADMIN_PERM,
17191 		/* FIXME: requiring a link ID here is probably not good */
17192 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17193 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17194 	},
17195 	{
17196 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17197 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17198 		.doit = nl80211_cancel_remain_on_channel,
17199 		.flags = GENL_UNS_ADMIN_PERM,
17200 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17201 	},
17202 	{
17203 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17204 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17205 		.doit = nl80211_set_tx_bitrate_mask,
17206 		.flags = GENL_UNS_ADMIN_PERM,
17207 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17208 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17209 	},
17210 	{
17211 		.cmd = NL80211_CMD_REGISTER_FRAME,
17212 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17213 		.doit = nl80211_register_mgmt,
17214 		.flags = GENL_UNS_ADMIN_PERM,
17215 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17216 	},
17217 	{
17218 		.cmd = NL80211_CMD_FRAME,
17219 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17220 		.doit = nl80211_tx_mgmt,
17221 		.flags = GENL_UNS_ADMIN_PERM,
17222 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17223 	},
17224 	{
17225 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17227 		.doit = nl80211_tx_mgmt_cancel_wait,
17228 		.flags = GENL_UNS_ADMIN_PERM,
17229 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17230 	},
17231 	{
17232 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17234 		.doit = nl80211_set_power_save,
17235 		.flags = GENL_UNS_ADMIN_PERM,
17236 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17237 	},
17238 	{
17239 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17240 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17241 		.doit = nl80211_get_power_save,
17242 		/* can be retrieved by unprivileged users */
17243 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17244 	},
17245 	{
17246 		.cmd = NL80211_CMD_SET_CQM,
17247 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17248 		.doit = nl80211_set_cqm,
17249 		.flags = GENL_UNS_ADMIN_PERM,
17250 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17251 	},
17252 	{
17253 		.cmd = NL80211_CMD_SET_CHANNEL,
17254 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17255 		.doit = nl80211_set_channel,
17256 		.flags = GENL_UNS_ADMIN_PERM,
17257 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17258 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17259 	},
17260 	{
17261 		.cmd = NL80211_CMD_JOIN_MESH,
17262 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17263 		.doit = nl80211_join_mesh,
17264 		.flags = GENL_UNS_ADMIN_PERM,
17265 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17266 	},
17267 	{
17268 		.cmd = NL80211_CMD_LEAVE_MESH,
17269 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17270 		.doit = nl80211_leave_mesh,
17271 		.flags = GENL_UNS_ADMIN_PERM,
17272 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17273 	},
17274 	{
17275 		.cmd = NL80211_CMD_JOIN_OCB,
17276 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17277 		.doit = nl80211_join_ocb,
17278 		.flags = GENL_UNS_ADMIN_PERM,
17279 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17280 	},
17281 	{
17282 		.cmd = NL80211_CMD_LEAVE_OCB,
17283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17284 		.doit = nl80211_leave_ocb,
17285 		.flags = GENL_UNS_ADMIN_PERM,
17286 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17287 	},
17288 #ifdef CONFIG_PM
17289 	{
17290 		.cmd = NL80211_CMD_GET_WOWLAN,
17291 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17292 		.doit = nl80211_get_wowlan,
17293 		/* can be retrieved by unprivileged users */
17294 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17295 	},
17296 	{
17297 		.cmd = NL80211_CMD_SET_WOWLAN,
17298 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17299 		.doit = nl80211_set_wowlan,
17300 		.flags = GENL_UNS_ADMIN_PERM,
17301 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17302 	},
17303 #endif
17304 	{
17305 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17306 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17307 		.doit = nl80211_set_rekey_data,
17308 		.flags = GENL_UNS_ADMIN_PERM,
17309 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17310 					 NL80211_FLAG_CLEAR_SKB),
17311 	},
17312 	{
17313 		.cmd = NL80211_CMD_TDLS_MGMT,
17314 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17315 		.doit = nl80211_tdls_mgmt,
17316 		.flags = GENL_UNS_ADMIN_PERM,
17317 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17318 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17319 	},
17320 	{
17321 		.cmd = NL80211_CMD_TDLS_OPER,
17322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17323 		.doit = nl80211_tdls_oper,
17324 		.flags = GENL_UNS_ADMIN_PERM,
17325 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17326 	},
17327 	{
17328 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17329 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17330 		.doit = nl80211_register_unexpected_frame,
17331 		.flags = GENL_UNS_ADMIN_PERM,
17332 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17333 	},
17334 	{
17335 		.cmd = NL80211_CMD_PROBE_CLIENT,
17336 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17337 		.doit = nl80211_probe_client,
17338 		.flags = GENL_UNS_ADMIN_PERM,
17339 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17340 	},
17341 	{
17342 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17343 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17344 		.doit = nl80211_register_beacons,
17345 		.flags = GENL_UNS_ADMIN_PERM,
17346 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17347 	},
17348 	{
17349 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17350 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17351 		.doit = nl80211_set_noack_map,
17352 		.flags = GENL_UNS_ADMIN_PERM,
17353 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17354 	},
17355 	{
17356 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17357 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17358 		.doit = nl80211_start_p2p_device,
17359 		.flags = GENL_UNS_ADMIN_PERM,
17360 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17361 					 NL80211_FLAG_NEED_RTNL),
17362 	},
17363 	{
17364 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17365 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17366 		.doit = nl80211_stop_p2p_device,
17367 		.flags = GENL_UNS_ADMIN_PERM,
17368 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17369 					 NL80211_FLAG_NEED_RTNL),
17370 	},
17371 	{
17372 		.cmd = NL80211_CMD_START_NAN,
17373 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17374 		.doit = nl80211_start_nan,
17375 		.flags = GENL_ADMIN_PERM,
17376 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17377 					 NL80211_FLAG_NEED_RTNL),
17378 	},
17379 	{
17380 		.cmd = NL80211_CMD_STOP_NAN,
17381 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17382 		.doit = nl80211_stop_nan,
17383 		.flags = GENL_ADMIN_PERM,
17384 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17385 					 NL80211_FLAG_NEED_RTNL),
17386 	},
17387 	{
17388 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17389 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17390 		.doit = nl80211_nan_add_func,
17391 		.flags = GENL_ADMIN_PERM,
17392 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17393 	},
17394 	{
17395 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17396 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17397 		.doit = nl80211_nan_del_func,
17398 		.flags = GENL_ADMIN_PERM,
17399 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17400 	},
17401 	{
17402 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17403 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17404 		.doit = nl80211_nan_change_config,
17405 		.flags = GENL_ADMIN_PERM,
17406 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17407 	},
17408 	{
17409 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17410 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17411 		.doit = nl80211_set_mcast_rate,
17412 		.flags = GENL_UNS_ADMIN_PERM,
17413 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17414 	},
17415 	{
17416 		.cmd = NL80211_CMD_SET_MAC_ACL,
17417 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17418 		.doit = nl80211_set_mac_acl,
17419 		.flags = GENL_UNS_ADMIN_PERM,
17420 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17421 					 NL80211_FLAG_MLO_UNSUPPORTED),
17422 	},
17423 	{
17424 		.cmd = NL80211_CMD_RADAR_DETECT,
17425 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17426 		.doit = nl80211_start_radar_detection,
17427 		.flags = GENL_UNS_ADMIN_PERM,
17428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17429 					 NL80211_FLAG_NO_WIPHY_MTX |
17430 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17431 	},
17432 	{
17433 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17434 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17435 		.doit = nl80211_get_protocol_features,
17436 	},
17437 	{
17438 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17439 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17440 		.doit = nl80211_update_ft_ies,
17441 		.flags = GENL_UNS_ADMIN_PERM,
17442 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17443 	},
17444 	{
17445 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17446 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17447 		.doit = nl80211_crit_protocol_start,
17448 		.flags = GENL_UNS_ADMIN_PERM,
17449 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17450 	},
17451 	{
17452 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17453 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17454 		.doit = nl80211_crit_protocol_stop,
17455 		.flags = GENL_UNS_ADMIN_PERM,
17456 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17457 	},
17458 	{
17459 		.cmd = NL80211_CMD_GET_COALESCE,
17460 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17461 		.doit = nl80211_get_coalesce,
17462 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17463 	},
17464 	{
17465 		.cmd = NL80211_CMD_SET_COALESCE,
17466 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17467 		.doit = nl80211_set_coalesce,
17468 		.flags = GENL_UNS_ADMIN_PERM,
17469 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17470 	},
17471 	{
17472 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17473 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17474 		.doit = nl80211_channel_switch,
17475 		.flags = GENL_UNS_ADMIN_PERM,
17476 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17477 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17478 	},
17479 	{
17480 		.cmd = NL80211_CMD_VENDOR,
17481 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17482 		.doit = nl80211_vendor_cmd,
17483 		.dumpit = nl80211_vendor_cmd_dump,
17484 		.flags = GENL_UNS_ADMIN_PERM,
17485 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17486 					 NL80211_FLAG_CLEAR_SKB),
17487 	},
17488 	{
17489 		.cmd = NL80211_CMD_SET_QOS_MAP,
17490 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17491 		.doit = nl80211_set_qos_map,
17492 		.flags = GENL_UNS_ADMIN_PERM,
17493 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17494 	},
17495 	{
17496 		.cmd = NL80211_CMD_ADD_TX_TS,
17497 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17498 		.doit = nl80211_add_tx_ts,
17499 		.flags = GENL_UNS_ADMIN_PERM,
17500 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17501 					 NL80211_FLAG_MLO_UNSUPPORTED),
17502 	},
17503 	{
17504 		.cmd = NL80211_CMD_DEL_TX_TS,
17505 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17506 		.doit = nl80211_del_tx_ts,
17507 		.flags = GENL_UNS_ADMIN_PERM,
17508 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17509 	},
17510 	{
17511 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17512 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17513 		.doit = nl80211_tdls_channel_switch,
17514 		.flags = GENL_UNS_ADMIN_PERM,
17515 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17516 	},
17517 	{
17518 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17519 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17520 		.doit = nl80211_tdls_cancel_channel_switch,
17521 		.flags = GENL_UNS_ADMIN_PERM,
17522 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17523 	},
17524 	{
17525 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17526 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17527 		.doit = nl80211_set_multicast_to_unicast,
17528 		.flags = GENL_UNS_ADMIN_PERM,
17529 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17530 	},
17531 	{
17532 		.cmd = NL80211_CMD_SET_PMK,
17533 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17534 		.doit = nl80211_set_pmk,
17535 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17536 					 NL80211_FLAG_CLEAR_SKB),
17537 	},
17538 	{
17539 		.cmd = NL80211_CMD_DEL_PMK,
17540 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17541 		.doit = nl80211_del_pmk,
17542 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17543 	},
17544 	{
17545 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17546 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17547 		.doit = nl80211_external_auth,
17548 		.flags = GENL_ADMIN_PERM,
17549 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17550 	},
17551 	{
17552 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17553 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17554 		.doit = nl80211_tx_control_port,
17555 		.flags = GENL_UNS_ADMIN_PERM,
17556 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17557 	},
17558 	{
17559 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17560 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17561 		.doit = nl80211_get_ftm_responder_stats,
17562 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17563 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17564 	},
17565 	{
17566 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17567 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17568 		.doit = nl80211_pmsr_start,
17569 		.flags = GENL_UNS_ADMIN_PERM,
17570 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17571 	},
17572 	{
17573 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17574 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17575 		.doit = nl80211_notify_radar_detection,
17576 		.flags = GENL_UNS_ADMIN_PERM,
17577 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17578 	},
17579 	{
17580 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17581 		.doit = nl80211_update_owe_info,
17582 		.flags = GENL_ADMIN_PERM,
17583 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17584 	},
17585 	{
17586 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17587 		.doit = nl80211_probe_mesh_link,
17588 		.flags = GENL_UNS_ADMIN_PERM,
17589 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17590 	},
17591 	{
17592 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17593 		.doit = nl80211_set_tid_config,
17594 		.flags = GENL_UNS_ADMIN_PERM,
17595 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17596 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17597 	},
17598 	{
17599 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17600 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17601 		.doit = nl80211_set_sar_specs,
17602 		.flags = GENL_UNS_ADMIN_PERM,
17603 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17604 					 NL80211_FLAG_NEED_RTNL),
17605 	},
17606 	{
17607 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17608 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17609 		.doit = nl80211_color_change,
17610 		.flags = GENL_UNS_ADMIN_PERM,
17611 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17612 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17613 	},
17614 	{
17615 		.cmd = NL80211_CMD_SET_FILS_AAD,
17616 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17617 		.doit = nl80211_set_fils_aad,
17618 		.flags = GENL_UNS_ADMIN_PERM,
17619 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17620 	},
17621 	{
17622 		.cmd = NL80211_CMD_ADD_LINK,
17623 		.doit = nl80211_add_link,
17624 		.flags = GENL_UNS_ADMIN_PERM,
17625 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17626 	},
17627 	{
17628 		.cmd = NL80211_CMD_REMOVE_LINK,
17629 		.doit = nl80211_remove_link,
17630 		.flags = GENL_UNS_ADMIN_PERM,
17631 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17632 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17633 	},
17634 	{
17635 		.cmd = NL80211_CMD_ADD_LINK_STA,
17636 		.doit = nl80211_add_link_station,
17637 		.flags = GENL_UNS_ADMIN_PERM,
17638 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17639 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17640 	},
17641 	{
17642 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17643 		.doit = nl80211_modify_link_station,
17644 		.flags = GENL_UNS_ADMIN_PERM,
17645 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17646 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17647 	},
17648 	{
17649 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17650 		.doit = nl80211_remove_link_station,
17651 		.flags = GENL_UNS_ADMIN_PERM,
17652 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17653 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17654 	},
17655 	{
17656 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17657 		.doit = nl80211_set_hw_timestamp,
17658 		.flags = GENL_UNS_ADMIN_PERM,
17659 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17660 	},
17661 	{
17662 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17663 		.doit = nl80211_set_ttlm,
17664 		.flags = GENL_UNS_ADMIN_PERM,
17665 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17666 	},
17667 };
17668 
17669 static struct genl_family nl80211_fam __ro_after_init = {
17670 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17671 	.hdrsize = 0,			/* no private header */
17672 	.version = 1,			/* no particular meaning now */
17673 	.maxattr = NL80211_ATTR_MAX,
17674 	.policy = nl80211_policy,
17675 	.netnsok = true,
17676 	.pre_doit = nl80211_pre_doit,
17677 	.post_doit = nl80211_post_doit,
17678 	.module = THIS_MODULE,
17679 	.ops = nl80211_ops,
17680 	.n_ops = ARRAY_SIZE(nl80211_ops),
17681 	.small_ops = nl80211_small_ops,
17682 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17683 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17684 	.mcgrps = nl80211_mcgrps,
17685 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17686 	.parallel_ops = true,
17687 };
17688 
17689 /* notification functions */
17690 
17691 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17692 			  enum nl80211_commands cmd)
17693 {
17694 	struct sk_buff *msg;
17695 	struct nl80211_dump_wiphy_state state = {};
17696 
17697 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17698 		cmd != NL80211_CMD_DEL_WIPHY);
17699 
17700 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17701 	if (!msg)
17702 		return;
17703 
17704 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17705 		nlmsg_free(msg);
17706 		return;
17707 	}
17708 
17709 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17710 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17711 }
17712 
17713 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17714 				struct wireless_dev *wdev,
17715 				enum nl80211_commands cmd)
17716 {
17717 	struct sk_buff *msg;
17718 
17719 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17720 	if (!msg)
17721 		return;
17722 
17723 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17724 		nlmsg_free(msg);
17725 		return;
17726 	}
17727 
17728 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17729 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17730 }
17731 
17732 static int nl80211_add_scan_req(struct sk_buff *msg,
17733 				struct cfg80211_registered_device *rdev)
17734 {
17735 	struct cfg80211_scan_request *req = rdev->scan_req;
17736 	struct nlattr *nest;
17737 	int i;
17738 	struct cfg80211_scan_info *info;
17739 
17740 	if (WARN_ON(!req))
17741 		return 0;
17742 
17743 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17744 	if (!nest)
17745 		goto nla_put_failure;
17746 	for (i = 0; i < req->n_ssids; i++) {
17747 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17748 			goto nla_put_failure;
17749 	}
17750 	nla_nest_end(msg, nest);
17751 
17752 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17753 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17754 		if (!nest)
17755 			goto nla_put_failure;
17756 		for (i = 0; i < req->n_channels; i++) {
17757 			if (nla_put_u32(msg, i,
17758 				   ieee80211_channel_to_khz(req->channels[i])))
17759 				goto nla_put_failure;
17760 		}
17761 		nla_nest_end(msg, nest);
17762 	} else {
17763 		nest = nla_nest_start_noflag(msg,
17764 					     NL80211_ATTR_SCAN_FREQUENCIES);
17765 		if (!nest)
17766 			goto nla_put_failure;
17767 		for (i = 0; i < req->n_channels; i++) {
17768 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17769 				goto nla_put_failure;
17770 		}
17771 		nla_nest_end(msg, nest);
17772 	}
17773 
17774 	if (req->ie &&
17775 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17776 		goto nla_put_failure;
17777 
17778 	if (req->flags &&
17779 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17780 		goto nla_put_failure;
17781 
17782 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17783 		&rdev->scan_req->info;
17784 	if (info->scan_start_tsf &&
17785 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17786 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17787 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17788 		     info->tsf_bssid)))
17789 		goto nla_put_failure;
17790 
17791 	return 0;
17792  nla_put_failure:
17793 	return -ENOBUFS;
17794 }
17795 
17796 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17797 				 struct cfg80211_registered_device *rdev,
17798 				 struct wireless_dev *wdev,
17799 				 u32 portid, u32 seq, int flags,
17800 				 u32 cmd)
17801 {
17802 	void *hdr;
17803 
17804 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17805 	if (!hdr)
17806 		return -1;
17807 
17808 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17809 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17810 					 wdev->netdev->ifindex)) ||
17811 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17812 			      NL80211_ATTR_PAD))
17813 		goto nla_put_failure;
17814 
17815 	/* ignore errors and send incomplete event anyway */
17816 	nl80211_add_scan_req(msg, rdev);
17817 
17818 	genlmsg_end(msg, hdr);
17819 	return 0;
17820 
17821  nla_put_failure:
17822 	genlmsg_cancel(msg, hdr);
17823 	return -EMSGSIZE;
17824 }
17825 
17826 static int
17827 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17828 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17829 {
17830 	void *hdr;
17831 
17832 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17833 	if (!hdr)
17834 		return -1;
17835 
17836 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17837 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17838 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17839 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17840 			      NL80211_ATTR_PAD))
17841 		goto nla_put_failure;
17842 
17843 	genlmsg_end(msg, hdr);
17844 	return 0;
17845 
17846  nla_put_failure:
17847 	genlmsg_cancel(msg, hdr);
17848 	return -EMSGSIZE;
17849 }
17850 
17851 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17852 			     struct wireless_dev *wdev)
17853 {
17854 	struct sk_buff *msg;
17855 
17856 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17857 	if (!msg)
17858 		return;
17859 
17860 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17861 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17862 		nlmsg_free(msg);
17863 		return;
17864 	}
17865 
17866 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17867 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17868 }
17869 
17870 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17871 				       struct wireless_dev *wdev, bool aborted)
17872 {
17873 	struct sk_buff *msg;
17874 
17875 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17876 	if (!msg)
17877 		return NULL;
17878 
17879 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17880 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17881 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17882 		nlmsg_free(msg);
17883 		return NULL;
17884 	}
17885 
17886 	return msg;
17887 }
17888 
17889 /* send message created by nl80211_build_scan_msg() */
17890 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17891 			   struct sk_buff *msg)
17892 {
17893 	if (!msg)
17894 		return;
17895 
17896 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17897 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17898 }
17899 
17900 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17901 {
17902 	struct sk_buff *msg;
17903 
17904 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17905 	if (!msg)
17906 		return;
17907 
17908 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17909 		nlmsg_free(msg);
17910 		return;
17911 	}
17912 
17913 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17914 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17915 }
17916 
17917 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17918 					  struct regulatory_request *request)
17919 {
17920 	/* Userspace can always count this one always being set */
17921 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17922 		goto nla_put_failure;
17923 
17924 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17925 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17926 			       NL80211_REGDOM_TYPE_WORLD))
17927 			goto nla_put_failure;
17928 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17929 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17930 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17931 			goto nla_put_failure;
17932 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17933 		   request->intersect) {
17934 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17935 			       NL80211_REGDOM_TYPE_INTERSECTION))
17936 			goto nla_put_failure;
17937 	} else {
17938 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17939 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17940 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17941 				   request->alpha2))
17942 			goto nla_put_failure;
17943 	}
17944 
17945 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17946 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17947 
17948 		if (wiphy &&
17949 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17950 			goto nla_put_failure;
17951 
17952 		if (wiphy &&
17953 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17954 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17955 			goto nla_put_failure;
17956 	}
17957 
17958 	return true;
17959 
17960 nla_put_failure:
17961 	return false;
17962 }
17963 
17964 /*
17965  * This can happen on global regulatory changes or device specific settings
17966  * based on custom regulatory domains.
17967  */
17968 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17969 				     struct regulatory_request *request)
17970 {
17971 	struct sk_buff *msg;
17972 	void *hdr;
17973 
17974 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17975 	if (!msg)
17976 		return;
17977 
17978 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17979 	if (!hdr)
17980 		goto nla_put_failure;
17981 
17982 	if (!nl80211_reg_change_event_fill(msg, request))
17983 		goto nla_put_failure;
17984 
17985 	genlmsg_end(msg, hdr);
17986 
17987 	rcu_read_lock();
17988 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17989 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17990 	rcu_read_unlock();
17991 
17992 	return;
17993 
17994 nla_put_failure:
17995 	nlmsg_free(msg);
17996 }
17997 
17998 struct nl80211_mlme_event {
17999 	enum nl80211_commands cmd;
18000 	const u8 *buf;
18001 	size_t buf_len;
18002 	int uapsd_queues;
18003 	const u8 *req_ies;
18004 	size_t req_ies_len;
18005 	bool reconnect;
18006 };
18007 
18008 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
18009 				    struct net_device *netdev,
18010 				    const struct nl80211_mlme_event *event,
18011 				    gfp_t gfp)
18012 {
18013 	struct sk_buff *msg;
18014 	void *hdr;
18015 
18016 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
18017 	if (!msg)
18018 		return;
18019 
18020 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
18021 	if (!hdr) {
18022 		nlmsg_free(msg);
18023 		return;
18024 	}
18025 
18026 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18027 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18028 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
18029 	    (event->req_ies &&
18030 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18031 		     event->req_ies)))
18032 		goto nla_put_failure;
18033 
18034 	if (event->reconnect &&
18035 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18036 		goto nla_put_failure;
18037 
18038 	if (event->uapsd_queues >= 0) {
18039 		struct nlattr *nla_wmm =
18040 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18041 		if (!nla_wmm)
18042 			goto nla_put_failure;
18043 
18044 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18045 			       event->uapsd_queues))
18046 			goto nla_put_failure;
18047 
18048 		nla_nest_end(msg, nla_wmm);
18049 	}
18050 
18051 	genlmsg_end(msg, hdr);
18052 
18053 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18054 				NL80211_MCGRP_MLME, gfp);
18055 	return;
18056 
18057  nla_put_failure:
18058 	nlmsg_free(msg);
18059 }
18060 
18061 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18062 			  struct net_device *netdev, const u8 *buf,
18063 			  size_t len, gfp_t gfp)
18064 {
18065 	struct nl80211_mlme_event event = {
18066 		.cmd = NL80211_CMD_AUTHENTICATE,
18067 		.buf = buf,
18068 		.buf_len = len,
18069 		.uapsd_queues = -1,
18070 	};
18071 
18072 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18073 }
18074 
18075 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18076 			   struct net_device *netdev,
18077 			   const struct cfg80211_rx_assoc_resp_data *data)
18078 {
18079 	struct nl80211_mlme_event event = {
18080 		.cmd = NL80211_CMD_ASSOCIATE,
18081 		.buf = data->buf,
18082 		.buf_len = data->len,
18083 		.uapsd_queues = data->uapsd_queues,
18084 		.req_ies = data->req_ies,
18085 		.req_ies_len = data->req_ies_len,
18086 	};
18087 
18088 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18089 }
18090 
18091 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18092 			 struct net_device *netdev, const u8 *buf,
18093 			 size_t len, bool reconnect, gfp_t gfp)
18094 {
18095 	struct nl80211_mlme_event event = {
18096 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18097 		.buf = buf,
18098 		.buf_len = len,
18099 		.reconnect = reconnect,
18100 		.uapsd_queues = -1,
18101 	};
18102 
18103 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18104 }
18105 
18106 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18107 			   struct net_device *netdev, const u8 *buf,
18108 			   size_t len, bool reconnect, gfp_t gfp)
18109 {
18110 	struct nl80211_mlme_event event = {
18111 		.cmd = NL80211_CMD_DISASSOCIATE,
18112 		.buf = buf,
18113 		.buf_len = len,
18114 		.reconnect = reconnect,
18115 		.uapsd_queues = -1,
18116 	};
18117 
18118 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18119 }
18120 
18121 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18122 				  size_t len)
18123 {
18124 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18125 	struct wiphy *wiphy = wdev->wiphy;
18126 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18127 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18128 	struct nl80211_mlme_event event = {
18129 		.buf = buf,
18130 		.buf_len = len,
18131 		.uapsd_queues = -1,
18132 	};
18133 
18134 	if (WARN_ON(len < 2))
18135 		return;
18136 
18137 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18138 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18139 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18140 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18141 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18142 		if (wdev->unprot_beacon_reported &&
18143 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18144 			return;
18145 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18146 		wdev->unprot_beacon_reported = jiffies;
18147 	} else {
18148 		return;
18149 	}
18150 
18151 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18152 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18153 }
18154 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18155 
18156 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18157 				      struct net_device *netdev, int cmd,
18158 				      const u8 *addr, gfp_t gfp)
18159 {
18160 	struct sk_buff *msg;
18161 	void *hdr;
18162 
18163 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18164 	if (!msg)
18165 		return;
18166 
18167 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18168 	if (!hdr) {
18169 		nlmsg_free(msg);
18170 		return;
18171 	}
18172 
18173 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18174 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18175 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18176 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18177 		goto nla_put_failure;
18178 
18179 	genlmsg_end(msg, hdr);
18180 
18181 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18182 				NL80211_MCGRP_MLME, gfp);
18183 	return;
18184 
18185  nla_put_failure:
18186 	nlmsg_free(msg);
18187 }
18188 
18189 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18190 			       struct net_device *netdev, const u8 *addr,
18191 			       gfp_t gfp)
18192 {
18193 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18194 				  addr, gfp);
18195 }
18196 
18197 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18198 				struct net_device *netdev, const u8 *addr,
18199 				gfp_t gfp)
18200 {
18201 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18202 				  addr, gfp);
18203 }
18204 
18205 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18206 				 struct net_device *netdev,
18207 				 struct cfg80211_connect_resp_params *cr,
18208 				 gfp_t gfp)
18209 {
18210 	struct sk_buff *msg;
18211 	void *hdr;
18212 	unsigned int link;
18213 	size_t link_info_size = 0;
18214 	const u8 *connected_addr = cr->valid_links ?
18215 				   cr->ap_mld_addr : cr->links[0].bssid;
18216 
18217 	if (cr->valid_links) {
18218 		for_each_valid_link(cr, link) {
18219 			/* Nested attribute header */
18220 			link_info_size += NLA_HDRLEN;
18221 			/* Link ID */
18222 			link_info_size += nla_total_size(sizeof(u8));
18223 			link_info_size += cr->links[link].addr ?
18224 					  nla_total_size(ETH_ALEN) : 0;
18225 			link_info_size += (cr->links[link].bssid ||
18226 					   cr->links[link].bss) ?
18227 					  nla_total_size(ETH_ALEN) : 0;
18228 			link_info_size += nla_total_size(sizeof(u16));
18229 		}
18230 	}
18231 
18232 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18233 			cr->fils.kek_len + cr->fils.pmk_len +
18234 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18235 			gfp);
18236 	if (!msg)
18237 		return;
18238 
18239 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18240 	if (!hdr) {
18241 		nlmsg_free(msg);
18242 		return;
18243 	}
18244 
18245 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18246 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18247 	    (connected_addr &&
18248 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18249 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18250 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18251 			cr->status) ||
18252 	    (cr->status < 0 &&
18253 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18254 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18255 			  cr->timeout_reason))) ||
18256 	    (cr->req_ie &&
18257 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18258 	    (cr->resp_ie &&
18259 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18260 		     cr->resp_ie)) ||
18261 	    (cr->fils.update_erp_next_seq_num &&
18262 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18263 			 cr->fils.erp_next_seq_num)) ||
18264 	    (cr->status == WLAN_STATUS_SUCCESS &&
18265 	     ((cr->fils.kek &&
18266 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18267 		       cr->fils.kek)) ||
18268 	      (cr->fils.pmk &&
18269 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18270 	      (cr->fils.pmkid &&
18271 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18272 		goto nla_put_failure;
18273 
18274 	if (cr->valid_links) {
18275 		int i = 1;
18276 		struct nlattr *nested;
18277 
18278 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18279 		if (!nested)
18280 			goto nla_put_failure;
18281 
18282 		for_each_valid_link(cr, link) {
18283 			struct nlattr *nested_mlo_links;
18284 			const u8 *bssid = cr->links[link].bss ?
18285 					  cr->links[link].bss->bssid :
18286 					  cr->links[link].bssid;
18287 
18288 			nested_mlo_links = nla_nest_start(msg, i);
18289 			if (!nested_mlo_links)
18290 				goto nla_put_failure;
18291 
18292 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18293 			    (bssid &&
18294 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18295 			    (cr->links[link].addr &&
18296 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18297 				     cr->links[link].addr)) ||
18298 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18299 					cr->links[link].status))
18300 				goto nla_put_failure;
18301 
18302 			nla_nest_end(msg, nested_mlo_links);
18303 			i++;
18304 		}
18305 		nla_nest_end(msg, nested);
18306 	}
18307 
18308 	genlmsg_end(msg, hdr);
18309 
18310 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18311 				NL80211_MCGRP_MLME, gfp);
18312 	return;
18313 
18314  nla_put_failure:
18315 	nlmsg_free(msg);
18316 }
18317 
18318 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18319 			 struct net_device *netdev,
18320 			 struct cfg80211_roam_info *info, gfp_t gfp)
18321 {
18322 	struct sk_buff *msg;
18323 	void *hdr;
18324 	size_t link_info_size = 0;
18325 	unsigned int link;
18326 	const u8 *connected_addr = info->ap_mld_addr ?
18327 				   info->ap_mld_addr :
18328 				   (info->links[0].bss ?
18329 				    info->links[0].bss->bssid :
18330 				    info->links[0].bssid);
18331 
18332 	if (info->valid_links) {
18333 		for_each_valid_link(info, link) {
18334 			/* Nested attribute header */
18335 			link_info_size += NLA_HDRLEN;
18336 			/* Link ID */
18337 			link_info_size += nla_total_size(sizeof(u8));
18338 			link_info_size += info->links[link].addr ?
18339 					  nla_total_size(ETH_ALEN) : 0;
18340 			link_info_size += (info->links[link].bssid ||
18341 					   info->links[link].bss) ?
18342 					  nla_total_size(ETH_ALEN) : 0;
18343 		}
18344 	}
18345 
18346 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18347 			info->fils.kek_len + info->fils.pmk_len +
18348 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18349 			link_info_size, gfp);
18350 	if (!msg)
18351 		return;
18352 
18353 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18354 	if (!hdr) {
18355 		nlmsg_free(msg);
18356 		return;
18357 	}
18358 
18359 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18360 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18361 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18362 	    (info->req_ie &&
18363 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18364 		     info->req_ie)) ||
18365 	    (info->resp_ie &&
18366 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18367 		     info->resp_ie)) ||
18368 	    (info->fils.update_erp_next_seq_num &&
18369 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18370 			 info->fils.erp_next_seq_num)) ||
18371 	    (info->fils.kek &&
18372 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18373 		     info->fils.kek)) ||
18374 	    (info->fils.pmk &&
18375 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18376 	    (info->fils.pmkid &&
18377 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18378 		goto nla_put_failure;
18379 
18380 	if (info->valid_links) {
18381 		int i = 1;
18382 		struct nlattr *nested;
18383 
18384 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18385 		if (!nested)
18386 			goto nla_put_failure;
18387 
18388 		for_each_valid_link(info, link) {
18389 			struct nlattr *nested_mlo_links;
18390 			const u8 *bssid = info->links[link].bss ?
18391 					  info->links[link].bss->bssid :
18392 					  info->links[link].bssid;
18393 
18394 			nested_mlo_links = nla_nest_start(msg, i);
18395 			if (!nested_mlo_links)
18396 				goto nla_put_failure;
18397 
18398 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18399 			    (bssid &&
18400 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18401 			    (info->links[link].addr &&
18402 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18403 				     info->links[link].addr)))
18404 				goto nla_put_failure;
18405 
18406 			nla_nest_end(msg, nested_mlo_links);
18407 			i++;
18408 		}
18409 		nla_nest_end(msg, nested);
18410 	}
18411 
18412 	genlmsg_end(msg, hdr);
18413 
18414 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18415 				NL80211_MCGRP_MLME, gfp);
18416 	return;
18417 
18418  nla_put_failure:
18419 	nlmsg_free(msg);
18420 }
18421 
18422 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18423 				  struct net_device *netdev, const u8 *peer_addr,
18424 				  const u8 *td_bitmap, u8 td_bitmap_len)
18425 {
18426 	struct sk_buff *msg;
18427 	void *hdr;
18428 
18429 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18430 	if (!msg)
18431 		return;
18432 
18433 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18434 	if (!hdr) {
18435 		nlmsg_free(msg);
18436 		return;
18437 	}
18438 
18439 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18440 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18441 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18442 		goto nla_put_failure;
18443 
18444 	if ((td_bitmap_len > 0) && td_bitmap)
18445 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18446 			    td_bitmap_len, td_bitmap))
18447 			goto nla_put_failure;
18448 
18449 	genlmsg_end(msg, hdr);
18450 
18451 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18452 				NL80211_MCGRP_MLME, GFP_KERNEL);
18453 	return;
18454 
18455  nla_put_failure:
18456 	nlmsg_free(msg);
18457 }
18458 
18459 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18460 			       struct net_device *netdev, u16 reason,
18461 			       const u8 *ie, size_t ie_len, bool from_ap)
18462 {
18463 	struct sk_buff *msg;
18464 	void *hdr;
18465 
18466 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18467 	if (!msg)
18468 		return;
18469 
18470 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18471 	if (!hdr) {
18472 		nlmsg_free(msg);
18473 		return;
18474 	}
18475 
18476 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18477 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18478 	    (reason &&
18479 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18480 	    (from_ap &&
18481 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18482 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18483 		goto nla_put_failure;
18484 
18485 	genlmsg_end(msg, hdr);
18486 
18487 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18488 				NL80211_MCGRP_MLME, GFP_KERNEL);
18489 	return;
18490 
18491  nla_put_failure:
18492 	nlmsg_free(msg);
18493 }
18494 
18495 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18496 {
18497 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18498 	struct wiphy *wiphy = wdev->wiphy;
18499 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18500 	struct sk_buff *msg;
18501 	struct nlattr *links;
18502 	void *hdr;
18503 
18504 	lockdep_assert_wiphy(wdev->wiphy);
18505 	trace_cfg80211_links_removed(dev, link_mask);
18506 
18507 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18508 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18509 		return;
18510 
18511 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18512 		    (wdev->valid_links & link_mask) != link_mask ||
18513 		    wdev->valid_links == link_mask))
18514 		return;
18515 
18516 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18517 	wdev->valid_links &= ~link_mask;
18518 
18519 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18520 	if (!msg)
18521 		return;
18522 
18523 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18524 	if (!hdr) {
18525 		nlmsg_free(msg);
18526 		return;
18527 	}
18528 
18529 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18530 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18531 		goto nla_put_failure;
18532 
18533 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18534 	if (!links)
18535 		goto nla_put_failure;
18536 
18537 	while (link_mask) {
18538 		struct nlattr *link;
18539 		int link_id = __ffs(link_mask);
18540 
18541 		link = nla_nest_start(msg, link_id + 1);
18542 		if (!link)
18543 			goto nla_put_failure;
18544 
18545 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18546 			goto nla_put_failure;
18547 
18548 		nla_nest_end(msg, link);
18549 		link_mask &= ~(1 << link_id);
18550 	}
18551 
18552 	nla_nest_end(msg, links);
18553 
18554 	genlmsg_end(msg, hdr);
18555 
18556 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18557 				NL80211_MCGRP_MLME, GFP_KERNEL);
18558 	return;
18559 
18560  nla_put_failure:
18561 	nlmsg_free(msg);
18562 }
18563 EXPORT_SYMBOL(cfg80211_links_removed);
18564 
18565 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18566 			     struct net_device *netdev, const u8 *bssid,
18567 			     gfp_t gfp)
18568 {
18569 	struct sk_buff *msg;
18570 	void *hdr;
18571 
18572 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18573 	if (!msg)
18574 		return;
18575 
18576 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18577 	if (!hdr) {
18578 		nlmsg_free(msg);
18579 		return;
18580 	}
18581 
18582 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18583 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18584 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18585 		goto nla_put_failure;
18586 
18587 	genlmsg_end(msg, hdr);
18588 
18589 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18590 				NL80211_MCGRP_MLME, gfp);
18591 	return;
18592 
18593  nla_put_failure:
18594 	nlmsg_free(msg);
18595 }
18596 
18597 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18598 					const u8 *ie, u8 ie_len,
18599 					int sig_dbm, gfp_t gfp)
18600 {
18601 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18602 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18603 	struct sk_buff *msg;
18604 	void *hdr;
18605 
18606 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18607 		return;
18608 
18609 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18610 
18611 	msg = nlmsg_new(100 + ie_len, gfp);
18612 	if (!msg)
18613 		return;
18614 
18615 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18616 	if (!hdr) {
18617 		nlmsg_free(msg);
18618 		return;
18619 	}
18620 
18621 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18622 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18623 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18624 	    (ie_len && ie &&
18625 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18626 	    (sig_dbm &&
18627 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18628 		goto nla_put_failure;
18629 
18630 	genlmsg_end(msg, hdr);
18631 
18632 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18633 				NL80211_MCGRP_MLME, gfp);
18634 	return;
18635 
18636  nla_put_failure:
18637 	nlmsg_free(msg);
18638 }
18639 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18640 
18641 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18642 				 struct net_device *netdev, const u8 *addr,
18643 				 enum nl80211_key_type key_type, int key_id,
18644 				 const u8 *tsc, gfp_t gfp)
18645 {
18646 	struct sk_buff *msg;
18647 	void *hdr;
18648 
18649 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18650 	if (!msg)
18651 		return;
18652 
18653 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18654 	if (!hdr) {
18655 		nlmsg_free(msg);
18656 		return;
18657 	}
18658 
18659 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18660 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18661 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18662 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18663 	    (key_id != -1 &&
18664 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18665 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18666 		goto nla_put_failure;
18667 
18668 	genlmsg_end(msg, hdr);
18669 
18670 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18671 				NL80211_MCGRP_MLME, gfp);
18672 	return;
18673 
18674  nla_put_failure:
18675 	nlmsg_free(msg);
18676 }
18677 
18678 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18679 				    struct ieee80211_channel *channel_before,
18680 				    struct ieee80211_channel *channel_after)
18681 {
18682 	struct sk_buff *msg;
18683 	void *hdr;
18684 	struct nlattr *nl_freq;
18685 
18686 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18687 	if (!msg)
18688 		return;
18689 
18690 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18691 	if (!hdr) {
18692 		nlmsg_free(msg);
18693 		return;
18694 	}
18695 
18696 	/*
18697 	 * Since we are applying the beacon hint to a wiphy we know its
18698 	 * wiphy_idx is valid
18699 	 */
18700 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18701 		goto nla_put_failure;
18702 
18703 	/* Before */
18704 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18705 	if (!nl_freq)
18706 		goto nla_put_failure;
18707 
18708 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18709 		goto nla_put_failure;
18710 	nla_nest_end(msg, nl_freq);
18711 
18712 	/* After */
18713 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18714 	if (!nl_freq)
18715 		goto nla_put_failure;
18716 
18717 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18718 		goto nla_put_failure;
18719 	nla_nest_end(msg, nl_freq);
18720 
18721 	genlmsg_end(msg, hdr);
18722 
18723 	rcu_read_lock();
18724 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18725 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18726 	rcu_read_unlock();
18727 
18728 	return;
18729 
18730 nla_put_failure:
18731 	nlmsg_free(msg);
18732 }
18733 
18734 static void nl80211_send_remain_on_chan_event(
18735 	int cmd, struct cfg80211_registered_device *rdev,
18736 	struct wireless_dev *wdev, u64 cookie,
18737 	struct ieee80211_channel *chan,
18738 	unsigned int duration, gfp_t gfp)
18739 {
18740 	struct sk_buff *msg;
18741 	void *hdr;
18742 
18743 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18744 	if (!msg)
18745 		return;
18746 
18747 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18748 	if (!hdr) {
18749 		nlmsg_free(msg);
18750 		return;
18751 	}
18752 
18753 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18754 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18755 					 wdev->netdev->ifindex)) ||
18756 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18757 			      NL80211_ATTR_PAD) ||
18758 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18759 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18760 			NL80211_CHAN_NO_HT) ||
18761 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18762 			      NL80211_ATTR_PAD))
18763 		goto nla_put_failure;
18764 
18765 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18766 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18767 		goto nla_put_failure;
18768 
18769 	genlmsg_end(msg, hdr);
18770 
18771 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18772 				NL80211_MCGRP_MLME, gfp);
18773 	return;
18774 
18775  nla_put_failure:
18776 	nlmsg_free(msg);
18777 }
18778 
18779 void cfg80211_assoc_comeback(struct net_device *netdev,
18780 			     const u8 *ap_addr, u32 timeout)
18781 {
18782 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18783 	struct wiphy *wiphy = wdev->wiphy;
18784 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18785 	struct sk_buff *msg;
18786 	void *hdr;
18787 
18788 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18789 
18790 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18791 	if (!msg)
18792 		return;
18793 
18794 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18795 	if (!hdr) {
18796 		nlmsg_free(msg);
18797 		return;
18798 	}
18799 
18800 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18801 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18802 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18803 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18804 		goto nla_put_failure;
18805 
18806 	genlmsg_end(msg, hdr);
18807 
18808 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18809 				NL80211_MCGRP_MLME, GFP_KERNEL);
18810 	return;
18811 
18812  nla_put_failure:
18813 	nlmsg_free(msg);
18814 }
18815 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18816 
18817 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18818 			       struct ieee80211_channel *chan,
18819 			       unsigned int duration, gfp_t gfp)
18820 {
18821 	struct wiphy *wiphy = wdev->wiphy;
18822 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18823 
18824 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18825 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18826 					  rdev, wdev, cookie, chan,
18827 					  duration, gfp);
18828 }
18829 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18830 
18831 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18832 					struct ieee80211_channel *chan,
18833 					gfp_t gfp)
18834 {
18835 	struct wiphy *wiphy = wdev->wiphy;
18836 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18837 
18838 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18839 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18840 					  rdev, wdev, cookie, chan, 0, gfp);
18841 }
18842 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18843 
18844 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18845 					struct ieee80211_channel *chan,
18846 					gfp_t gfp)
18847 {
18848 	struct wiphy *wiphy = wdev->wiphy;
18849 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18850 
18851 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18852 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18853 					  rdev, wdev, cookie, chan, 0, gfp);
18854 }
18855 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18856 
18857 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18858 		      struct station_info *sinfo, gfp_t gfp)
18859 {
18860 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18861 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18862 	struct sk_buff *msg;
18863 
18864 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18865 
18866 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18867 	if (!msg)
18868 		return;
18869 
18870 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18871 				 rdev, dev, mac_addr, sinfo) < 0) {
18872 		nlmsg_free(msg);
18873 		return;
18874 	}
18875 
18876 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18877 				NL80211_MCGRP_MLME, gfp);
18878 }
18879 EXPORT_SYMBOL(cfg80211_new_sta);
18880 
18881 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18882 			    struct station_info *sinfo, gfp_t gfp)
18883 {
18884 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18885 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18886 	struct sk_buff *msg;
18887 	struct station_info empty_sinfo = {};
18888 
18889 	if (!sinfo)
18890 		sinfo = &empty_sinfo;
18891 
18892 	trace_cfg80211_del_sta(dev, mac_addr);
18893 
18894 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18895 	if (!msg) {
18896 		cfg80211_sinfo_release_content(sinfo);
18897 		return;
18898 	}
18899 
18900 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18901 				 rdev, dev, mac_addr, sinfo) < 0) {
18902 		nlmsg_free(msg);
18903 		return;
18904 	}
18905 
18906 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18907 				NL80211_MCGRP_MLME, gfp);
18908 }
18909 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18910 
18911 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18912 			  enum nl80211_connect_failed_reason reason,
18913 			  gfp_t gfp)
18914 {
18915 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18916 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18917 	struct sk_buff *msg;
18918 	void *hdr;
18919 
18920 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18921 	if (!msg)
18922 		return;
18923 
18924 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18925 	if (!hdr) {
18926 		nlmsg_free(msg);
18927 		return;
18928 	}
18929 
18930 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18931 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18932 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18933 		goto nla_put_failure;
18934 
18935 	genlmsg_end(msg, hdr);
18936 
18937 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18938 				NL80211_MCGRP_MLME, gfp);
18939 	return;
18940 
18941  nla_put_failure:
18942 	nlmsg_free(msg);
18943 }
18944 EXPORT_SYMBOL(cfg80211_conn_failed);
18945 
18946 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18947 				       const u8 *addr, gfp_t gfp)
18948 {
18949 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18950 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18951 	struct sk_buff *msg;
18952 	void *hdr;
18953 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18954 
18955 	if (!nlportid)
18956 		return false;
18957 
18958 	msg = nlmsg_new(100, gfp);
18959 	if (!msg)
18960 		return true;
18961 
18962 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18963 	if (!hdr) {
18964 		nlmsg_free(msg);
18965 		return true;
18966 	}
18967 
18968 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18969 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18970 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18971 		goto nla_put_failure;
18972 
18973 	genlmsg_end(msg, hdr);
18974 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18975 	return true;
18976 
18977  nla_put_failure:
18978 	nlmsg_free(msg);
18979 	return true;
18980 }
18981 
18982 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18983 				const u8 *addr, gfp_t gfp)
18984 {
18985 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18986 	bool ret;
18987 
18988 	trace_cfg80211_rx_spurious_frame(dev, addr);
18989 
18990 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18991 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18992 		trace_cfg80211_return_bool(false);
18993 		return false;
18994 	}
18995 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18996 					 addr, gfp);
18997 	trace_cfg80211_return_bool(ret);
18998 	return ret;
18999 }
19000 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
19001 
19002 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
19003 					const u8 *addr, gfp_t gfp)
19004 {
19005 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19006 	bool ret;
19007 
19008 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
19009 
19010 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19011 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
19012 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
19013 		trace_cfg80211_return_bool(false);
19014 		return false;
19015 	}
19016 	ret = __nl80211_unexpected_frame(dev,
19017 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
19018 					 addr, gfp);
19019 	trace_cfg80211_return_bool(ret);
19020 	return ret;
19021 }
19022 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
19023 
19024 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
19025 		      struct wireless_dev *wdev, u32 nlportid,
19026 		      struct cfg80211_rx_info *info, gfp_t gfp)
19027 {
19028 	struct net_device *netdev = wdev->netdev;
19029 	struct sk_buff *msg;
19030 	void *hdr;
19031 
19032 	msg = nlmsg_new(100 + info->len, gfp);
19033 	if (!msg)
19034 		return -ENOMEM;
19035 
19036 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19037 	if (!hdr) {
19038 		nlmsg_free(msg);
19039 		return -ENOMEM;
19040 	}
19041 
19042 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19043 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19044 					netdev->ifindex)) ||
19045 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19046 			      NL80211_ATTR_PAD) ||
19047 	    (info->have_link_id &&
19048 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19049 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19050 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19051 	    (info->sig_dbm &&
19052 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19053 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19054 	    (info->flags &&
19055 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19056 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19057 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19058 						  info->rx_tstamp,
19059 						  NL80211_ATTR_PAD)) ||
19060 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19061 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19062 						   info->ack_tstamp,
19063 						   NL80211_ATTR_PAD)))
19064 		goto nla_put_failure;
19065 
19066 	genlmsg_end(msg, hdr);
19067 
19068 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19069 
19070  nla_put_failure:
19071 	nlmsg_free(msg);
19072 	return -ENOBUFS;
19073 }
19074 
19075 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19076 				    struct cfg80211_tx_status *status,
19077 				    gfp_t gfp, enum nl80211_commands command)
19078 {
19079 	struct wiphy *wiphy = wdev->wiphy;
19080 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19081 	struct net_device *netdev = wdev->netdev;
19082 	struct sk_buff *msg;
19083 	void *hdr;
19084 
19085 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19086 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19087 					      status->ack);
19088 	else
19089 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19090 						      status->ack);
19091 
19092 	msg = nlmsg_new(100 + status->len, gfp);
19093 	if (!msg)
19094 		return;
19095 
19096 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19097 	if (!hdr) {
19098 		nlmsg_free(msg);
19099 		return;
19100 	}
19101 
19102 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19103 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19104 				   netdev->ifindex)) ||
19105 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19106 			      NL80211_ATTR_PAD) ||
19107 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19108 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19109 			      NL80211_ATTR_PAD) ||
19110 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19111 	    (status->tx_tstamp &&
19112 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19113 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19114 	    (status->ack_tstamp &&
19115 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19116 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19117 		goto nla_put_failure;
19118 
19119 	genlmsg_end(msg, hdr);
19120 
19121 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19122 				NL80211_MCGRP_MLME, gfp);
19123 	return;
19124 
19125 nla_put_failure:
19126 	nlmsg_free(msg);
19127 }
19128 
19129 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19130 				     const u8 *buf, size_t len, bool ack,
19131 				     gfp_t gfp)
19132 {
19133 	struct cfg80211_tx_status status = {
19134 		.cookie = cookie,
19135 		.buf = buf,
19136 		.len = len,
19137 		.ack = ack
19138 	};
19139 
19140 	nl80211_frame_tx_status(wdev, &status, gfp,
19141 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19142 }
19143 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19144 
19145 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19146 				 struct cfg80211_tx_status *status, gfp_t gfp)
19147 {
19148 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19149 }
19150 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19151 
19152 static int __nl80211_rx_control_port(struct net_device *dev,
19153 				     struct sk_buff *skb,
19154 				     bool unencrypted,
19155 				     int link_id,
19156 				     gfp_t gfp)
19157 {
19158 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19159 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19160 	struct ethhdr *ehdr = eth_hdr(skb);
19161 	const u8 *addr = ehdr->h_source;
19162 	u16 proto = be16_to_cpu(skb->protocol);
19163 	struct sk_buff *msg;
19164 	void *hdr;
19165 	struct nlattr *frame;
19166 
19167 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19168 
19169 	if (!nlportid)
19170 		return -ENOENT;
19171 
19172 	msg = nlmsg_new(100 + skb->len, gfp);
19173 	if (!msg)
19174 		return -ENOMEM;
19175 
19176 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19177 	if (!hdr) {
19178 		nlmsg_free(msg);
19179 		return -ENOBUFS;
19180 	}
19181 
19182 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19183 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19184 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19185 			      NL80211_ATTR_PAD) ||
19186 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19187 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19188 	    (link_id >= 0 &&
19189 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19190 	    (unencrypted && nla_put_flag(msg,
19191 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19192 		goto nla_put_failure;
19193 
19194 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19195 	if (!frame)
19196 		goto nla_put_failure;
19197 
19198 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19199 	genlmsg_end(msg, hdr);
19200 
19201 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19202 
19203  nla_put_failure:
19204 	nlmsg_free(msg);
19205 	return -ENOBUFS;
19206 }
19207 
19208 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19209 			      bool unencrypted, int link_id)
19210 {
19211 	int ret;
19212 
19213 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19214 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19215 					GFP_ATOMIC);
19216 	trace_cfg80211_return_bool(ret == 0);
19217 	return ret == 0;
19218 }
19219 EXPORT_SYMBOL(cfg80211_rx_control_port);
19220 
19221 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19222 					    const char *mac, gfp_t gfp)
19223 {
19224 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19225 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19226 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19227 	void **cb;
19228 
19229 	if (!msg)
19230 		return NULL;
19231 
19232 	cb = (void **)msg->cb;
19233 
19234 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19235 	if (!cb[0]) {
19236 		nlmsg_free(msg);
19237 		return NULL;
19238 	}
19239 
19240 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19241 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19242 		goto nla_put_failure;
19243 
19244 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19245 		goto nla_put_failure;
19246 
19247 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19248 	if (!cb[1])
19249 		goto nla_put_failure;
19250 
19251 	cb[2] = rdev;
19252 
19253 	return msg;
19254  nla_put_failure:
19255 	nlmsg_free(msg);
19256 	return NULL;
19257 }
19258 
19259 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19260 {
19261 	void **cb = (void **)msg->cb;
19262 	struct cfg80211_registered_device *rdev = cb[2];
19263 
19264 	nla_nest_end(msg, cb[1]);
19265 	genlmsg_end(msg, cb[0]);
19266 
19267 	memset(msg->cb, 0, sizeof(msg->cb));
19268 
19269 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19270 				NL80211_MCGRP_MLME, gfp);
19271 }
19272 
19273 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19274 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19275 			      s32 rssi_level, gfp_t gfp)
19276 {
19277 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19278 	struct cfg80211_cqm_config *cqm_config;
19279 
19280 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19281 
19282 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19283 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19284 		return;
19285 
19286 	rcu_read_lock();
19287 	cqm_config = rcu_dereference(wdev->cqm_config);
19288 	if (cqm_config) {
19289 		cqm_config->last_rssi_event_value = rssi_level;
19290 		cqm_config->last_rssi_event_type = rssi_event;
19291 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19292 	}
19293 	rcu_read_unlock();
19294 }
19295 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19296 
19297 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19298 {
19299 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19300 						 cqm_rssi_work);
19301 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19302 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19303 	struct cfg80211_cqm_config *cqm_config;
19304 	struct sk_buff *msg;
19305 	s32 rssi_level;
19306 
19307 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19308 	if (!cqm_config)
19309 		return;
19310 
19311 	if (cqm_config->use_range_api)
19312 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19313 
19314 	rssi_level = cqm_config->last_rssi_event_value;
19315 	rssi_event = cqm_config->last_rssi_event_type;
19316 
19317 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19318 	if (!msg)
19319 		return;
19320 
19321 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19322 			rssi_event))
19323 		goto nla_put_failure;
19324 
19325 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19326 				      rssi_level))
19327 		goto nla_put_failure;
19328 
19329 	cfg80211_send_cqm(msg, GFP_KERNEL);
19330 
19331 	return;
19332 
19333  nla_put_failure:
19334 	nlmsg_free(msg);
19335 }
19336 
19337 void cfg80211_cqm_txe_notify(struct net_device *dev,
19338 			     const u8 *peer, u32 num_packets,
19339 			     u32 rate, u32 intvl, gfp_t gfp)
19340 {
19341 	struct sk_buff *msg;
19342 
19343 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19344 	if (!msg)
19345 		return;
19346 
19347 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19348 		goto nla_put_failure;
19349 
19350 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19351 		goto nla_put_failure;
19352 
19353 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19354 		goto nla_put_failure;
19355 
19356 	cfg80211_send_cqm(msg, gfp);
19357 	return;
19358 
19359  nla_put_failure:
19360 	nlmsg_free(msg);
19361 }
19362 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19363 
19364 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19365 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19366 {
19367 	struct sk_buff *msg;
19368 
19369 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19370 
19371 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19372 	if (!msg)
19373 		return;
19374 
19375 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19376 		goto nla_put_failure;
19377 
19378 	cfg80211_send_cqm(msg, gfp);
19379 	return;
19380 
19381  nla_put_failure:
19382 	nlmsg_free(msg);
19383 }
19384 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19385 
19386 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19387 {
19388 	struct sk_buff *msg;
19389 
19390 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19391 	if (!msg)
19392 		return;
19393 
19394 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19395 		goto nla_put_failure;
19396 
19397 	cfg80211_send_cqm(msg, gfp);
19398 	return;
19399 
19400  nla_put_failure:
19401 	nlmsg_free(msg);
19402 }
19403 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19404 
19405 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19406 				     struct net_device *netdev, const u8 *bssid,
19407 				     const u8 *replay_ctr, gfp_t gfp)
19408 {
19409 	struct sk_buff *msg;
19410 	struct nlattr *rekey_attr;
19411 	void *hdr;
19412 
19413 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19414 	if (!msg)
19415 		return;
19416 
19417 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19418 	if (!hdr) {
19419 		nlmsg_free(msg);
19420 		return;
19421 	}
19422 
19423 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19424 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19425 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19426 		goto nla_put_failure;
19427 
19428 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19429 	if (!rekey_attr)
19430 		goto nla_put_failure;
19431 
19432 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19433 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19434 		goto nla_put_failure;
19435 
19436 	nla_nest_end(msg, rekey_attr);
19437 
19438 	genlmsg_end(msg, hdr);
19439 
19440 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19441 				NL80211_MCGRP_MLME, gfp);
19442 	return;
19443 
19444  nla_put_failure:
19445 	nlmsg_free(msg);
19446 }
19447 
19448 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19449 			       const u8 *replay_ctr, gfp_t gfp)
19450 {
19451 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19452 	struct wiphy *wiphy = wdev->wiphy;
19453 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19454 
19455 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19456 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19457 }
19458 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19459 
19460 static void
19461 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19462 			       struct net_device *netdev, int index,
19463 			       const u8 *bssid, bool preauth, gfp_t gfp)
19464 {
19465 	struct sk_buff *msg;
19466 	struct nlattr *attr;
19467 	void *hdr;
19468 
19469 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19470 	if (!msg)
19471 		return;
19472 
19473 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19474 	if (!hdr) {
19475 		nlmsg_free(msg);
19476 		return;
19477 	}
19478 
19479 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19480 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19481 		goto nla_put_failure;
19482 
19483 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19484 	if (!attr)
19485 		goto nla_put_failure;
19486 
19487 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19488 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19489 	    (preauth &&
19490 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19491 		goto nla_put_failure;
19492 
19493 	nla_nest_end(msg, attr);
19494 
19495 	genlmsg_end(msg, hdr);
19496 
19497 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19498 				NL80211_MCGRP_MLME, gfp);
19499 	return;
19500 
19501  nla_put_failure:
19502 	nlmsg_free(msg);
19503 }
19504 
19505 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19506 				     const u8 *bssid, bool preauth, gfp_t gfp)
19507 {
19508 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19509 	struct wiphy *wiphy = wdev->wiphy;
19510 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19511 
19512 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19513 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19514 }
19515 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19516 
19517 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19518 				     struct net_device *netdev,
19519 				     unsigned int link_id,
19520 				     struct cfg80211_chan_def *chandef,
19521 				     gfp_t gfp,
19522 				     enum nl80211_commands notif,
19523 				     u8 count, bool quiet)
19524 {
19525 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19526 	struct sk_buff *msg;
19527 	void *hdr;
19528 
19529 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19530 	if (!msg)
19531 		return;
19532 
19533 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19534 	if (!hdr) {
19535 		nlmsg_free(msg);
19536 		return;
19537 	}
19538 
19539 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19540 		goto nla_put_failure;
19541 
19542 	if (wdev->valid_links &&
19543 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19544 		goto nla_put_failure;
19545 
19546 	if (nl80211_send_chandef(msg, chandef))
19547 		goto nla_put_failure;
19548 
19549 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19550 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19551 			goto nla_put_failure;
19552 		if (quiet &&
19553 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19554 			goto nla_put_failure;
19555 	}
19556 
19557 	genlmsg_end(msg, hdr);
19558 
19559 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19560 				NL80211_MCGRP_MLME, gfp);
19561 	return;
19562 
19563  nla_put_failure:
19564 	nlmsg_free(msg);
19565 }
19566 
19567 void cfg80211_ch_switch_notify(struct net_device *dev,
19568 			       struct cfg80211_chan_def *chandef,
19569 			       unsigned int link_id)
19570 {
19571 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19572 	struct wiphy *wiphy = wdev->wiphy;
19573 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19574 
19575 	lockdep_assert_wiphy(wdev->wiphy);
19576 	WARN_INVALID_LINK_ID(wdev, link_id);
19577 
19578 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19579 
19580 	switch (wdev->iftype) {
19581 	case NL80211_IFTYPE_STATION:
19582 	case NL80211_IFTYPE_P2P_CLIENT:
19583 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19584 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19585 							chandef->chan);
19586 		break;
19587 	case NL80211_IFTYPE_MESH_POINT:
19588 		wdev->u.mesh.chandef = *chandef;
19589 		wdev->u.mesh.preset_chandef = *chandef;
19590 		break;
19591 	case NL80211_IFTYPE_AP:
19592 	case NL80211_IFTYPE_P2P_GO:
19593 		wdev->links[link_id].ap.chandef = *chandef;
19594 		break;
19595 	case NL80211_IFTYPE_ADHOC:
19596 		wdev->u.ibss.chandef = *chandef;
19597 		break;
19598 	default:
19599 		WARN_ON(1);
19600 		break;
19601 	}
19602 
19603 	cfg80211_schedule_channels_check(wdev);
19604 	cfg80211_sched_dfs_chan_update(rdev);
19605 
19606 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19607 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19608 }
19609 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19610 
19611 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19612 				       struct cfg80211_chan_def *chandef,
19613 				       unsigned int link_id, u8 count,
19614 				       bool quiet)
19615 {
19616 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19617 	struct wiphy *wiphy = wdev->wiphy;
19618 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19619 
19620 	lockdep_assert_wiphy(wdev->wiphy);
19621 	WARN_INVALID_LINK_ID(wdev, link_id);
19622 
19623 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19624 
19625 
19626 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19627 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19628 				 count, quiet);
19629 }
19630 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19631 
19632 int cfg80211_bss_color_notify(struct net_device *dev,
19633 			      enum nl80211_commands cmd, u8 count,
19634 			      u64 color_bitmap, u8 link_id)
19635 {
19636 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19637 	struct wiphy *wiphy = wdev->wiphy;
19638 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19639 	struct sk_buff *msg;
19640 	void *hdr;
19641 
19642 	lockdep_assert_wiphy(wdev->wiphy);
19643 
19644 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19645 
19646 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19647 	if (!msg)
19648 		return -ENOMEM;
19649 
19650 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19651 	if (!hdr)
19652 		goto nla_put_failure;
19653 
19654 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19655 		goto nla_put_failure;
19656 
19657 	if (wdev->valid_links &&
19658 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19659 		goto nla_put_failure;
19660 
19661 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19662 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19663 		goto nla_put_failure;
19664 
19665 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19666 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19667 			      color_bitmap, NL80211_ATTR_PAD))
19668 		goto nla_put_failure;
19669 
19670 	genlmsg_end(msg, hdr);
19671 
19672 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19673 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19674 
19675 nla_put_failure:
19676 	nlmsg_free(msg);
19677 	return -EINVAL;
19678 }
19679 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19680 
19681 void
19682 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19683 		     const struct cfg80211_chan_def *chandef,
19684 		     enum nl80211_radar_event event,
19685 		     struct net_device *netdev, gfp_t gfp)
19686 {
19687 	struct sk_buff *msg;
19688 	void *hdr;
19689 
19690 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19691 	if (!msg)
19692 		return;
19693 
19694 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19695 	if (!hdr) {
19696 		nlmsg_free(msg);
19697 		return;
19698 	}
19699 
19700 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19701 		goto nla_put_failure;
19702 
19703 	/* NOP and radar events don't need a netdev parameter */
19704 	if (netdev) {
19705 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19706 
19707 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19708 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19709 				      NL80211_ATTR_PAD))
19710 			goto nla_put_failure;
19711 	}
19712 
19713 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19714 		goto nla_put_failure;
19715 
19716 	if (nl80211_send_chandef(msg, chandef))
19717 		goto nla_put_failure;
19718 
19719 	genlmsg_end(msg, hdr);
19720 
19721 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19722 				NL80211_MCGRP_MLME, gfp);
19723 	return;
19724 
19725  nla_put_failure:
19726 	nlmsg_free(msg);
19727 }
19728 
19729 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19730 				       struct sta_opmode_info *sta_opmode,
19731 				       gfp_t gfp)
19732 {
19733 	struct sk_buff *msg;
19734 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19735 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19736 	void *hdr;
19737 
19738 	if (WARN_ON(!mac))
19739 		return;
19740 
19741 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19742 	if (!msg)
19743 		return;
19744 
19745 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19746 	if (!hdr) {
19747 		nlmsg_free(msg);
19748 		return;
19749 	}
19750 
19751 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19752 		goto nla_put_failure;
19753 
19754 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19755 		goto nla_put_failure;
19756 
19757 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19758 		goto nla_put_failure;
19759 
19760 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19761 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19762 		goto nla_put_failure;
19763 
19764 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19765 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19766 		goto nla_put_failure;
19767 
19768 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19769 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19770 		goto nla_put_failure;
19771 
19772 	genlmsg_end(msg, hdr);
19773 
19774 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19775 				NL80211_MCGRP_MLME, gfp);
19776 
19777 	return;
19778 
19779 nla_put_failure:
19780 	nlmsg_free(msg);
19781 }
19782 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19783 
19784 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19785 			   u64 cookie, bool acked, s32 ack_signal,
19786 			   bool is_valid_ack_signal, gfp_t gfp)
19787 {
19788 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19789 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19790 	struct sk_buff *msg;
19791 	void *hdr;
19792 
19793 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19794 
19795 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19796 
19797 	if (!msg)
19798 		return;
19799 
19800 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19801 	if (!hdr) {
19802 		nlmsg_free(msg);
19803 		return;
19804 	}
19805 
19806 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19807 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19808 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19809 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19810 			      NL80211_ATTR_PAD) ||
19811 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19812 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19813 						ack_signal)))
19814 		goto nla_put_failure;
19815 
19816 	genlmsg_end(msg, hdr);
19817 
19818 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19819 				NL80211_MCGRP_MLME, gfp);
19820 	return;
19821 
19822  nla_put_failure:
19823 	nlmsg_free(msg);
19824 }
19825 EXPORT_SYMBOL(cfg80211_probe_status);
19826 
19827 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19828 				     size_t len, int freq, int sig_dbm)
19829 {
19830 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19831 	struct sk_buff *msg;
19832 	void *hdr;
19833 	struct cfg80211_beacon_registration *reg;
19834 
19835 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19836 
19837 	spin_lock_bh(&rdev->beacon_registrations_lock);
19838 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19839 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19840 		if (!msg) {
19841 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19842 			return;
19843 		}
19844 
19845 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19846 		if (!hdr)
19847 			goto nla_put_failure;
19848 
19849 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19850 		    (freq &&
19851 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19852 				  KHZ_TO_MHZ(freq)) ||
19853 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19854 				  freq % 1000))) ||
19855 		    (sig_dbm &&
19856 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19857 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19858 			goto nla_put_failure;
19859 
19860 		genlmsg_end(msg, hdr);
19861 
19862 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19863 	}
19864 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19865 	return;
19866 
19867  nla_put_failure:
19868 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19869 	nlmsg_free(msg);
19870 }
19871 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19872 
19873 #ifdef CONFIG_PM
19874 static int cfg80211_net_detect_results(struct sk_buff *msg,
19875 				       struct cfg80211_wowlan_wakeup *wakeup)
19876 {
19877 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19878 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19879 	int i, j;
19880 
19881 	nl_results = nla_nest_start_noflag(msg,
19882 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19883 	if (!nl_results)
19884 		return -EMSGSIZE;
19885 
19886 	for (i = 0; i < nd->n_matches; i++) {
19887 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19888 
19889 		nl_match = nla_nest_start_noflag(msg, i);
19890 		if (!nl_match)
19891 			break;
19892 
19893 		/* The SSID attribute is optional in nl80211, but for
19894 		 * simplicity reasons it's always present in the
19895 		 * cfg80211 structure.  If a driver can't pass the
19896 		 * SSID, that needs to be changed.  A zero length SSID
19897 		 * is still a valid SSID (wildcard), so it cannot be
19898 		 * used for this purpose.
19899 		 */
19900 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19901 			    match->ssid.ssid)) {
19902 			nla_nest_cancel(msg, nl_match);
19903 			goto out;
19904 		}
19905 
19906 		if (match->n_channels) {
19907 			nl_freqs = nla_nest_start_noflag(msg,
19908 							 NL80211_ATTR_SCAN_FREQUENCIES);
19909 			if (!nl_freqs) {
19910 				nla_nest_cancel(msg, nl_match);
19911 				goto out;
19912 			}
19913 
19914 			for (j = 0; j < match->n_channels; j++) {
19915 				if (nla_put_u32(msg, j, match->channels[j])) {
19916 					nla_nest_cancel(msg, nl_freqs);
19917 					nla_nest_cancel(msg, nl_match);
19918 					goto out;
19919 				}
19920 			}
19921 
19922 			nla_nest_end(msg, nl_freqs);
19923 		}
19924 
19925 		nla_nest_end(msg, nl_match);
19926 	}
19927 
19928 out:
19929 	nla_nest_end(msg, nl_results);
19930 	return 0;
19931 }
19932 
19933 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19934 				   struct cfg80211_wowlan_wakeup *wakeup,
19935 				   gfp_t gfp)
19936 {
19937 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19938 	struct sk_buff *msg;
19939 	void *hdr;
19940 	int size = 200;
19941 
19942 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19943 
19944 	if (wakeup)
19945 		size += wakeup->packet_present_len;
19946 
19947 	msg = nlmsg_new(size, gfp);
19948 	if (!msg)
19949 		return;
19950 
19951 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19952 	if (!hdr)
19953 		goto free_msg;
19954 
19955 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19956 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19957 			      NL80211_ATTR_PAD))
19958 		goto free_msg;
19959 
19960 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19961 					wdev->netdev->ifindex))
19962 		goto free_msg;
19963 
19964 	if (wakeup) {
19965 		struct nlattr *reasons;
19966 
19967 		reasons = nla_nest_start_noflag(msg,
19968 						NL80211_ATTR_WOWLAN_TRIGGERS);
19969 		if (!reasons)
19970 			goto free_msg;
19971 
19972 		if (wakeup->disconnect &&
19973 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19974 			goto free_msg;
19975 		if (wakeup->magic_pkt &&
19976 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19977 			goto free_msg;
19978 		if (wakeup->gtk_rekey_failure &&
19979 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19980 			goto free_msg;
19981 		if (wakeup->eap_identity_req &&
19982 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19983 			goto free_msg;
19984 		if (wakeup->four_way_handshake &&
19985 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19986 			goto free_msg;
19987 		if (wakeup->rfkill_release &&
19988 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19989 			goto free_msg;
19990 
19991 		if (wakeup->pattern_idx >= 0 &&
19992 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19993 				wakeup->pattern_idx))
19994 			goto free_msg;
19995 
19996 		if (wakeup->tcp_match &&
19997 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19998 			goto free_msg;
19999 
20000 		if (wakeup->tcp_connlost &&
20001 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
20002 			goto free_msg;
20003 
20004 		if (wakeup->tcp_nomoretokens &&
20005 		    nla_put_flag(msg,
20006 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
20007 			goto free_msg;
20008 
20009 		if (wakeup->unprot_deauth_disassoc &&
20010 		    nla_put_flag(msg,
20011 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
20012 			goto free_msg;
20013 
20014 		if (wakeup->packet) {
20015 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
20016 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
20017 
20018 			if (!wakeup->packet_80211) {
20019 				pkt_attr =
20020 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
20021 				len_attr =
20022 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
20023 			}
20024 
20025 			if (wakeup->packet_len &&
20026 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
20027 				goto free_msg;
20028 
20029 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
20030 				    wakeup->packet))
20031 				goto free_msg;
20032 		}
20033 
20034 		if (wakeup->net_detect &&
20035 		    cfg80211_net_detect_results(msg, wakeup))
20036 				goto free_msg;
20037 
20038 		nla_nest_end(msg, reasons);
20039 	}
20040 
20041 	genlmsg_end(msg, hdr);
20042 
20043 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20044 				NL80211_MCGRP_MLME, gfp);
20045 	return;
20046 
20047  free_msg:
20048 	nlmsg_free(msg);
20049 }
20050 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20051 #endif
20052 
20053 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20054 				enum nl80211_tdls_operation oper,
20055 				u16 reason_code, gfp_t gfp)
20056 {
20057 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20058 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20059 	struct sk_buff *msg;
20060 	void *hdr;
20061 
20062 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20063 					 reason_code);
20064 
20065 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20066 	if (!msg)
20067 		return;
20068 
20069 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20070 	if (!hdr) {
20071 		nlmsg_free(msg);
20072 		return;
20073 	}
20074 
20075 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20076 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20077 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20078 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20079 	    (reason_code > 0 &&
20080 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20081 		goto nla_put_failure;
20082 
20083 	genlmsg_end(msg, hdr);
20084 
20085 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20086 				NL80211_MCGRP_MLME, gfp);
20087 	return;
20088 
20089  nla_put_failure:
20090 	nlmsg_free(msg);
20091 }
20092 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20093 
20094 static int nl80211_netlink_notify(struct notifier_block * nb,
20095 				  unsigned long state,
20096 				  void *_notify)
20097 {
20098 	struct netlink_notify *notify = _notify;
20099 	struct cfg80211_registered_device *rdev;
20100 	struct wireless_dev *wdev;
20101 	struct cfg80211_beacon_registration *reg, *tmp;
20102 
20103 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20104 		return NOTIFY_DONE;
20105 
20106 	rcu_read_lock();
20107 
20108 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20109 		struct cfg80211_sched_scan_request *sched_scan_req;
20110 
20111 		list_for_each_entry_rcu(sched_scan_req,
20112 					&rdev->sched_scan_req_list,
20113 					list) {
20114 			if (sched_scan_req->owner_nlportid == notify->portid) {
20115 				sched_scan_req->nl_owner_dead = true;
20116 				wiphy_work_queue(&rdev->wiphy,
20117 						 &rdev->sched_scan_stop_wk);
20118 			}
20119 		}
20120 
20121 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20122 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20123 
20124 			if (wdev->owner_nlportid == notify->portid) {
20125 				wdev->nl_owner_dead = true;
20126 				schedule_work(&rdev->destroy_work);
20127 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20128 				schedule_work(&wdev->disconnect_wk);
20129 			}
20130 
20131 			cfg80211_release_pmsr(wdev, notify->portid);
20132 		}
20133 
20134 		spin_lock_bh(&rdev->beacon_registrations_lock);
20135 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20136 					 list) {
20137 			if (reg->nlportid == notify->portid) {
20138 				list_del(&reg->list);
20139 				kfree(reg);
20140 				break;
20141 			}
20142 		}
20143 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20144 	}
20145 
20146 	rcu_read_unlock();
20147 
20148 	/*
20149 	 * It is possible that the user space process that is controlling the
20150 	 * indoor setting disappeared, so notify the regulatory core.
20151 	 */
20152 	regulatory_netlink_notify(notify->portid);
20153 	return NOTIFY_OK;
20154 }
20155 
20156 static struct notifier_block nl80211_netlink_notifier = {
20157 	.notifier_call = nl80211_netlink_notify,
20158 };
20159 
20160 void cfg80211_ft_event(struct net_device *netdev,
20161 		       struct cfg80211_ft_event_params *ft_event)
20162 {
20163 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20164 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20165 	struct sk_buff *msg;
20166 	void *hdr;
20167 
20168 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20169 
20170 	if (!ft_event->target_ap)
20171 		return;
20172 
20173 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20174 			GFP_KERNEL);
20175 	if (!msg)
20176 		return;
20177 
20178 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20179 	if (!hdr)
20180 		goto out;
20181 
20182 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20183 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20184 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20185 		goto out;
20186 
20187 	if (ft_event->ies &&
20188 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20189 		goto out;
20190 	if (ft_event->ric_ies &&
20191 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20192 		    ft_event->ric_ies))
20193 		goto out;
20194 
20195 	genlmsg_end(msg, hdr);
20196 
20197 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20198 				NL80211_MCGRP_MLME, GFP_KERNEL);
20199 	return;
20200  out:
20201 	nlmsg_free(msg);
20202 }
20203 EXPORT_SYMBOL(cfg80211_ft_event);
20204 
20205 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20206 {
20207 	struct cfg80211_registered_device *rdev;
20208 	struct sk_buff *msg;
20209 	void *hdr;
20210 	u32 nlportid;
20211 
20212 	rdev = wiphy_to_rdev(wdev->wiphy);
20213 	if (!rdev->crit_proto_nlportid)
20214 		return;
20215 
20216 	nlportid = rdev->crit_proto_nlportid;
20217 	rdev->crit_proto_nlportid = 0;
20218 
20219 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20220 	if (!msg)
20221 		return;
20222 
20223 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20224 	if (!hdr)
20225 		goto nla_put_failure;
20226 
20227 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20228 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20229 			      NL80211_ATTR_PAD))
20230 		goto nla_put_failure;
20231 
20232 	genlmsg_end(msg, hdr);
20233 
20234 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20235 	return;
20236 
20237  nla_put_failure:
20238 	nlmsg_free(msg);
20239 }
20240 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20241 
20242 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20243 {
20244 	struct wiphy *wiphy = wdev->wiphy;
20245 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20246 	struct sk_buff *msg;
20247 	void *hdr;
20248 
20249 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20250 	if (!msg)
20251 		return;
20252 
20253 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20254 	if (!hdr)
20255 		goto out;
20256 
20257 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20258 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20259 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20260 			      NL80211_ATTR_PAD) ||
20261 	    (wdev->valid_links &&
20262 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20263 		goto out;
20264 
20265 	genlmsg_end(msg, hdr);
20266 
20267 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20268 				NL80211_MCGRP_MLME, GFP_KERNEL);
20269 	return;
20270  out:
20271 	nlmsg_free(msg);
20272 }
20273 
20274 int cfg80211_external_auth_request(struct net_device *dev,
20275 				   struct cfg80211_external_auth_params *params,
20276 				   gfp_t gfp)
20277 {
20278 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20279 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20280 	struct sk_buff *msg;
20281 	void *hdr;
20282 
20283 	if (!wdev->conn_owner_nlportid)
20284 		return -EINVAL;
20285 
20286 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20287 	if (!msg)
20288 		return -ENOMEM;
20289 
20290 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20291 	if (!hdr)
20292 		goto nla_put_failure;
20293 
20294 	/* Some historical mistakes in drivers <-> userspace interface (notably
20295 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20296 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20297 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20298 	 * benefit of older wpa_supplicant versions, send this particular value
20299 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20300 	 * particular value in big endian still, so it all continues to work.
20301 	 */
20302 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20303 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20304 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20305 			goto nla_put_failure;
20306 	} else {
20307 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20308 				params->key_mgmt_suite))
20309 			goto nla_put_failure;
20310 	}
20311 
20312 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20313 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20314 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20315 			params->action) ||
20316 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20317 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20318 		    params->ssid.ssid) ||
20319 	    (!is_zero_ether_addr(params->mld_addr) &&
20320 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20321 		goto nla_put_failure;
20322 
20323 	genlmsg_end(msg, hdr);
20324 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20325 			wdev->conn_owner_nlportid);
20326 	return 0;
20327 
20328  nla_put_failure:
20329 	nlmsg_free(msg);
20330 	return -ENOBUFS;
20331 }
20332 EXPORT_SYMBOL(cfg80211_external_auth_request);
20333 
20334 void cfg80211_update_owe_info_event(struct net_device *netdev,
20335 				    struct cfg80211_update_owe_info *owe_info,
20336 				    gfp_t gfp)
20337 {
20338 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20339 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20340 	struct sk_buff *msg;
20341 	void *hdr;
20342 
20343 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20344 
20345 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20346 	if (!msg)
20347 		return;
20348 
20349 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20350 	if (!hdr)
20351 		goto nla_put_failure;
20352 
20353 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20354 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20355 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20356 		goto nla_put_failure;
20357 
20358 	if (!owe_info->ie_len ||
20359 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20360 		goto nla_put_failure;
20361 
20362 	if (owe_info->assoc_link_id != -1) {
20363 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20364 			       owe_info->assoc_link_id))
20365 			goto nla_put_failure;
20366 
20367 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20368 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20369 			    owe_info->peer_mld_addr))
20370 			goto nla_put_failure;
20371 	}
20372 
20373 	genlmsg_end(msg, hdr);
20374 
20375 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20376 				NL80211_MCGRP_MLME, gfp);
20377 	return;
20378 
20379 nla_put_failure:
20380 	genlmsg_cancel(msg, hdr);
20381 	nlmsg_free(msg);
20382 }
20383 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20384 
20385 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20386 {
20387 	struct wiphy *wiphy = wdev->wiphy;
20388 
20389 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20390 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20391 	    (wiphy_ext_feature_isset(wiphy,
20392 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20393 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20394 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20395 		reg_check_channels();
20396 }
20397 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20398 
20399 /* initialisation/exit functions */
20400 
20401 int __init nl80211_init(void)
20402 {
20403 	int err;
20404 
20405 	err = genl_register_family(&nl80211_fam);
20406 	if (err)
20407 		return err;
20408 
20409 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20410 	if (err)
20411 		goto err_out;
20412 
20413 	return 0;
20414  err_out:
20415 	genl_unregister_family(&nl80211_fam);
20416 	return err;
20417 }
20418 
20419 void nl80211_exit(void)
20420 {
20421 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20422 	genl_unregister_family(&nl80211_fam);
20423 }
20424