xref: /linux/net/wireless/nl80211.c (revision 42726ec644cbdde0035c3e0417fee8ed9547e120) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2026 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <linux/random.h>
25 #include <net/net_namespace.h>
26 #include <net/genetlink.h>
27 #include <net/cfg80211.h>
28 #include <net/sock.h>
29 #include <net/inet_connection_sock.h>
30 #include "core.h"
31 #include "nl80211.h"
32 #include "reg.h"
33 #include "rdev-ops.h"
34 
35 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
36 				   struct genl_info *info,
37 				   struct cfg80211_crypto_settings *settings,
38 				   int cipher_limit);
39 
40 /* the netlink family */
41 static struct genl_family nl80211_fam;
42 
43 /* multicast groups */
44 enum nl80211_multicast_groups {
45 	NL80211_MCGRP_CONFIG,
46 	NL80211_MCGRP_SCAN,
47 	NL80211_MCGRP_REGULATORY,
48 	NL80211_MCGRP_MLME,
49 	NL80211_MCGRP_VENDOR,
50 	NL80211_MCGRP_NAN,
51 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
52 };
53 
54 static const struct genl_multicast_group nl80211_mcgrps[] = {
55 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
56 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
57 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
58 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
59 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
60 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
61 #ifdef CONFIG_NL80211_TESTMODE
62 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
63 #endif
64 };
65 
66 /* returns ERR_PTR values */
67 static struct wireless_dev *
68 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
69 			   struct net *netns, struct nlattr **attrs)
70 {
71 	struct wireless_dev *result = NULL;
72 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
73 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
74 	u64 wdev_id = 0;
75 	int wiphy_idx = -1;
76 	int ifidx = -1;
77 
78 	if (!have_ifidx && !have_wdev_id)
79 		return ERR_PTR(-EINVAL);
80 
81 	if (have_ifidx)
82 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
83 	if (have_wdev_id) {
84 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
85 		wiphy_idx = wdev_id >> 32;
86 	}
87 
88 	if (rdev) {
89 		struct wireless_dev *wdev;
90 
91 		lockdep_assert_held(&rdev->wiphy.mtx);
92 
93 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
94 			if (have_ifidx && wdev->netdev &&
95 			    wdev->netdev->ifindex == ifidx) {
96 				result = wdev;
97 				break;
98 			}
99 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
100 				result = wdev;
101 				break;
102 			}
103 		}
104 
105 		return result ?: ERR_PTR(-ENODEV);
106 	}
107 
108 	ASSERT_RTNL();
109 
110 	for_each_rdev(rdev) {
111 		struct wireless_dev *wdev;
112 
113 		if (wiphy_net(&rdev->wiphy) != netns)
114 			continue;
115 
116 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
117 			continue;
118 
119 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
120 			if (have_ifidx && wdev->netdev &&
121 			    wdev->netdev->ifindex == ifidx) {
122 				result = wdev;
123 				break;
124 			}
125 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
126 				result = wdev;
127 				break;
128 			}
129 		}
130 
131 		if (result)
132 			break;
133 	}
134 
135 	if (result)
136 		return result;
137 	return ERR_PTR(-ENODEV);
138 }
139 
140 static struct cfg80211_registered_device *
141 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
142 {
143 	struct cfg80211_registered_device *rdev = NULL, *tmp;
144 	struct net_device *netdev;
145 
146 	ASSERT_RTNL();
147 
148 	if (!attrs[NL80211_ATTR_WIPHY] &&
149 	    !attrs[NL80211_ATTR_IFINDEX] &&
150 	    !attrs[NL80211_ATTR_WDEV])
151 		return ERR_PTR(-EINVAL);
152 
153 	if (attrs[NL80211_ATTR_WIPHY])
154 		rdev = cfg80211_rdev_by_wiphy_idx(
155 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
156 
157 	if (attrs[NL80211_ATTR_WDEV]) {
158 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
159 		struct wireless_dev *wdev;
160 		bool found = false;
161 
162 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
163 		if (tmp) {
164 			/* make sure wdev exists */
165 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
166 				if (wdev->identifier != (u32)wdev_id)
167 					continue;
168 				found = true;
169 				break;
170 			}
171 
172 			if (!found)
173 				tmp = NULL;
174 
175 			if (rdev && tmp != rdev)
176 				return ERR_PTR(-EINVAL);
177 			rdev = tmp;
178 		}
179 	}
180 
181 	if (attrs[NL80211_ATTR_IFINDEX]) {
182 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
183 
184 		netdev = __dev_get_by_index(netns, ifindex);
185 		if (netdev) {
186 			if (netdev->ieee80211_ptr)
187 				tmp = wiphy_to_rdev(
188 					netdev->ieee80211_ptr->wiphy);
189 			else
190 				tmp = NULL;
191 
192 			/* not wireless device -- return error */
193 			if (!tmp)
194 				return ERR_PTR(-EINVAL);
195 
196 			/* mismatch -- return error */
197 			if (rdev && tmp != rdev)
198 				return ERR_PTR(-EINVAL);
199 
200 			rdev = tmp;
201 		}
202 	}
203 
204 	if (!rdev)
205 		return ERR_PTR(-ENODEV);
206 
207 	if (netns != wiphy_net(&rdev->wiphy))
208 		return ERR_PTR(-ENODEV);
209 
210 	return rdev;
211 }
212 
213 /*
214  * This function returns a pointer to the driver
215  * that the genl_info item that is passed refers to.
216  *
217  * The result of this can be a PTR_ERR and hence must
218  * be checked with IS_ERR() for errors.
219  */
220 static struct cfg80211_registered_device *
221 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
222 {
223 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
224 }
225 
226 static int validate_beacon_head(const struct nlattr *attr,
227 				struct netlink_ext_ack *extack)
228 {
229 	const u8 *data = nla_data(attr);
230 	unsigned int len = nla_len(attr);
231 	const struct element *elem;
232 	const struct ieee80211_mgmt *mgmt = (void *)data;
233 	const struct ieee80211_ext *ext;
234 	unsigned int fixedlen, hdrlen;
235 	bool s1g_bcn;
236 
237 	if (len < offsetofend(typeof(*mgmt), frame_control))
238 		goto err;
239 
240 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
241 	if (s1g_bcn) {
242 		ext = (struct ieee80211_ext *)mgmt;
243 		fixedlen =
244 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
245 			ieee80211_s1g_optional_len(ext->frame_control);
246 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
247 	} else {
248 		fixedlen = offsetof(struct ieee80211_mgmt,
249 				    u.beacon.variable);
250 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
251 	}
252 
253 	if (len < fixedlen)
254 		goto err;
255 
256 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
257 		goto err;
258 
259 	data += fixedlen;
260 	len -= fixedlen;
261 
262 	for_each_element(elem, data, len) {
263 		/* nothing */
264 	}
265 
266 	if (for_each_element_completed(elem, data, len))
267 		return 0;
268 
269 err:
270 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
271 	return -EINVAL;
272 }
273 
274 static int validate_ie_attr(const struct nlattr *attr,
275 			    struct netlink_ext_ack *extack)
276 {
277 	const u8 *data = nla_data(attr);
278 	unsigned int len = nla_len(attr);
279 	const struct element *elem;
280 
281 	for_each_element(elem, data, len) {
282 		/* nothing */
283 	}
284 
285 	if (for_each_element_completed(elem, data, len))
286 		return 0;
287 
288 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
289 	return -EINVAL;
290 }
291 
292 static int validate_he_capa(const struct nlattr *attr,
293 			    struct netlink_ext_ack *extack)
294 {
295 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
296 		return -EINVAL;
297 
298 	return 0;
299 }
300 
301 static int validate_supported_selectors(const struct nlattr *attr,
302 					struct netlink_ext_ack *extack)
303 {
304 	const u8 *supported_selectors = nla_data(attr);
305 	u8 supported_selectors_len = nla_len(attr);
306 
307 	/* The top bit must not be set as it is not part of the selector */
308 	for (int i = 0; i < supported_selectors_len; i++) {
309 		if (supported_selectors[i] & 0x80)
310 			return -EINVAL;
311 	}
312 
313 	return 0;
314 }
315 
316 static int validate_nan_cluster_id(const struct nlattr *attr,
317 				   struct netlink_ext_ack *extack)
318 {
319 	const u8 *data = nla_data(attr);
320 	unsigned int len = nla_len(attr);
321 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
322 
323 	if (len != ETH_ALEN) {
324 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
325 		return -EINVAL;
326 	}
327 
328 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
329 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
330 		return -EINVAL;
331 	}
332 
333 	return 0;
334 }
335 
336 static int validate_nan_avail_blob(const struct nlattr *attr,
337 				   struct netlink_ext_ack *extack)
338 {
339 	const u8 *data = nla_data(attr);
340 	unsigned int len = nla_len(attr);
341 	u16 attr_len;
342 
343 	/* Need at least: Attr ID (1) + Length (2) */
344 	if (len < 3) {
345 		NL_SET_ERR_MSG_FMT(extack,
346 				   "NAN Availability: Too short (need at least 3 bytes, have %u)",
347 				   len);
348 		return -EINVAL;
349 	}
350 
351 	if (data[0] != 0x12) {
352 		NL_SET_ERR_MSG_FMT(extack,
353 				   "NAN Availability: Invalid Attribute ID 0x%02x (expected 0x12)",
354 				   data[0]);
355 		return -EINVAL;
356 	}
357 
358 	attr_len = get_unaligned_le16(&data[1]);
359 
360 	if (attr_len != len - 3) {
361 		NL_SET_ERR_MSG_FMT(extack,
362 				   "NAN Availability: Length field (%u) doesn't match data length (%u)",
363 				   attr_len, len - 3);
364 		return -EINVAL;
365 	}
366 
367 	return 0;
368 }
369 
370 static int validate_nan_ulw(const struct nlattr *attr,
371 			    struct netlink_ext_ack *extack)
372 {
373 	const u8 *data = nla_data(attr);
374 	unsigned int len = nla_len(attr);
375 	unsigned int pos = 0;
376 
377 	while (pos < len) {
378 		u16 attr_len;
379 
380 		/* Need at least: Attr ID (1) + Length (2) */
381 		if (pos + 3 > len) {
382 			NL_SET_ERR_MSG_FMT(extack,
383 					   "ULW: Incomplete header (need 3 bytes, have %u)",
384 					   len - pos);
385 			return -EINVAL;
386 		}
387 
388 		if (data[pos] != 0x17) {
389 			NL_SET_ERR_MSG_FMT(extack,
390 					   "ULW: Invalid Attribute ID 0x%02x (expected 0x17)",
391 					   data[pos]);
392 			return -EINVAL;
393 		}
394 		pos++;
395 
396 		/* Length is in little-endian format */
397 		attr_len = get_unaligned_le16(&data[pos]);
398 		pos += 2;
399 
400 		/*
401 		 * Check if length is one of the valid values: 16 (no
402 		 * channel/band entry included), 18 (band entry included),
403 		 * 21 (channel entry included without Auxiliary channel bitmap),
404 		 * or 23 (channel entry included with Auxiliary channel bitmap).
405 		 */
406 		if (attr_len != 16 && attr_len != 18 && attr_len != 21 &&
407 		    attr_len != 23) {
408 			NL_SET_ERR_MSG_FMT(extack,
409 					   "ULW: Invalid length %u (must be 16, 18, 21, or 23)",
410 					   attr_len);
411 			return -EINVAL;
412 		}
413 
414 		if (pos + attr_len > len) {
415 			NL_SET_ERR_MSG_FMT(extack,
416 					   "ULW: Length field (%u) exceeds remaining data (%u)",
417 					   attr_len, len - pos);
418 			return -EINVAL;
419 		}
420 
421 		pos += attr_len;
422 	}
423 
424 	return 0;
425 }
426 
427 static int validate_uhr_capa(const struct nlattr *attr,
428 			     struct netlink_ext_ack *extack)
429 {
430 	const u8 *data = nla_data(attr);
431 	unsigned int len = nla_len(attr);
432 
433 	if (!ieee80211_uhr_capa_size_ok(data, len, false))
434 		return -EINVAL;
435 	return 0;
436 }
437 
438 static int validate_uhr_operation(const struct nlattr *attr,
439 				  struct netlink_ext_ack *extack)
440 {
441 	const u8 *data = nla_data(attr);
442 	unsigned int len = nla_len(attr);
443 
444 	if (!ieee80211_uhr_oper_size_ok(data, len, false))
445 		return -EINVAL;
446 	return 0;
447 }
448 
449 /* policy for the attributes */
450 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
451 
452 static const struct nla_policy
453 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
454 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
455 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
456 					.len = U8_MAX },
457 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
458 					     .len = U8_MAX },
459 };
460 
461 static const struct nla_policy
462 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
463 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
464 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
465 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
466 		NLA_POLICY_MAX(NLA_U8, 15),
467 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
468 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
469 		NLA_POLICY_MAX(NLA_U8, 15),
470 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
471 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
472 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
473 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
474 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
475 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
476 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
477 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
478 	[NL80211_PMSR_FTM_REQ_ATTR_RSTA] = { .type = NLA_FLAG },
479 };
480 
481 static const struct nla_policy
482 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
483 	[NL80211_PMSR_TYPE_FTM] =
484 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
485 };
486 
487 static const struct nla_policy
488 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
489 	[NL80211_PMSR_REQ_ATTR_DATA] =
490 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
491 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
492 };
493 
494 static const struct nla_policy
495 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
496 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
497 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
498 	[NL80211_PMSR_PEER_ATTR_REQ] =
499 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
500 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
501 };
502 
503 static const struct nla_policy
504 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
505 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
506 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
507 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
508 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
509 	[NL80211_PMSR_ATTR_PEERS] =
510 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
511 };
512 
513 static const struct nla_policy
514 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
515 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
516 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
517 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
518 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
519 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
520 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
521 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
522 		NLA_POLICY_EXACT_LEN(8),
523 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
524 		NLA_POLICY_EXACT_LEN(8),
525 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
526 };
527 
528 static const struct nla_policy
529 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
530 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
531 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
532 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
533 };
534 
535 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
536 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
537 				    .len = NL80211_MAX_SUPP_RATES },
538 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
539 				.len = NL80211_MAX_SUPP_HT_RATES },
540 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
541 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
542 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
543 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
544 						   NL80211_RATE_INFO_HE_GI_0_8,
545 						   NL80211_RATE_INFO_HE_GI_3_2),
546 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
547 						   NL80211_RATE_INFO_HE_1XLTF,
548 						   NL80211_RATE_INFO_HE_4XLTF),
549 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
550 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
551 						   NL80211_RATE_INFO_EHT_GI_0_8,
552 						   NL80211_RATE_INFO_EHT_GI_3_2),
553 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
554 						   NL80211_RATE_INFO_EHT_1XLTF,
555 						   NL80211_RATE_INFO_EHT_8XLTF),
556 
557 };
558 
559 static const struct nla_policy
560 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
561 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
562 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
563 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
564 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
565 	[NL80211_TID_CONFIG_ATTR_NOACK] =
566 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
567 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
568 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
569 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
570 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
571 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
572 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
573 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
574 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
575 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
576 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
577 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
578 			NLA_POLICY_NESTED(nl80211_txattr_policy),
579 };
580 
581 static const struct nla_policy
582 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
583 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
584 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
585 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
586 			NLA_POLICY_RANGE(NLA_BINARY,
587 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
588 					 IEEE80211_MAX_DATA_LEN),
589 };
590 
591 static const struct nla_policy
592 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
593 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
594 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
595 						       .len = IEEE80211_MAX_DATA_LEN }
596 };
597 
598 static const struct nla_policy
599 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
600 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
601 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
602 };
603 
604 static const struct nla_policy
605 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
606 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
607 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
608 };
609 
610 static const struct nla_policy
611 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
612 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
613 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
614 						NLA_POLICY_MIN(NLA_U8, 1),
615 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
616 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
617 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
618 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
619 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
620 };
621 
622 static const struct nla_policy
623 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
624 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
625 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
626 };
627 
628 static const struct nla_policy
629 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
630 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
631 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
632 				       IEEE80211_MAX_DATA_LEN),
633 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
634 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
635 				       IEEE80211_MAX_DATA_LEN),
636 };
637 
638 static const struct nla_policy
639 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
640 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
641 						      NUM_NL80211_BANDS - 1),
642 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
643 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
644 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
645 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
646 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
647 };
648 
649 static const struct nla_policy
650 nl80211_nan_peer_map_policy[NL80211_NAN_PEER_MAP_ATTR_MAX + 1] = {
651 	[NL80211_NAN_PEER_MAP_ATTR_MAP_ID] = NLA_POLICY_MAX(NLA_U8, 15),
652 	[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS] =
653 		NLA_POLICY_EXACT_LEN(CFG80211_NAN_SCHED_NUM_TIME_SLOTS),
654 };
655 
656 static const struct nla_policy
657 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
658 	[NL80211_NAN_CONF_CLUSTER_ID] =
659 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
660 				       ETH_ALEN),
661 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
662 					   .len = IEEE80211_MAX_DATA_LEN},
663 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
664 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
665 				       IEEE80211_MAX_DATA_LEN),
666 	[NL80211_NAN_CONF_BAND_CONFIGS] =
667 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
668 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
669 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
670 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
671 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
672 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
673 };
674 
675 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
676 	.min = 0,
677 	.max = 0xffff,
678 };
679 
680 static const struct netlink_range_validation q_range = {
681 	.max = INT_MAX,
682 };
683 
684 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
685 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
686 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
687 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
688 				      .len = 20-1 },
689 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
690 
691 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
692 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
693 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
694 						NL80211_EDMG_CHANNELS_MIN,
695 						NL80211_EDMG_CHANNELS_MAX),
696 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
697 						NL80211_EDMG_BW_CONFIG_MIN,
698 						NL80211_EDMG_BW_CONFIG_MAX),
699 
700 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
701 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
702 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
703 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
704 
705 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
706 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
707 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
708 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
709 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
710 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
711 
712 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
713 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
714 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
715 
716 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
717 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
718 
719 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
720 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
721 				    .len = WLAN_MAX_KEY_LEN },
722 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
723 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
724 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
725 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
726 	[NL80211_ATTR_KEY_TYPE] =
727 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
728 
729 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
730 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
731 	[NL80211_ATTR_BEACON_HEAD] =
732 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
733 				       IEEE80211_MAX_DATA_LEN),
734 	[NL80211_ATTR_BEACON_TAIL] =
735 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
736 				       IEEE80211_MAX_DATA_LEN),
737 	[NL80211_ATTR_STA_AID] =
738 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
739 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
740 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
741 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
742 					       .len = NL80211_MAX_SUPP_RATES },
743 	[NL80211_ATTR_STA_PLINK_ACTION] =
744 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
745 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
746 		NLA_POLICY_RANGE(NLA_U8,
747 				 NL80211_TX_POWER_AUTOMATIC,
748 				 NL80211_TX_POWER_FIXED),
749 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
750 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
751 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
752 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
753 				   .len = IEEE80211_MAX_MESH_ID_LEN },
754 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
755 
756 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
757 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
758 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
759 
760 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
761 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
762 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
763 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
764 					   .len = NL80211_MAX_SUPP_RATES },
765 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
766 
767 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
768 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
769 
770 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
771 
772 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
773 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
774 						   validate_ie_attr,
775 						   IEEE80211_MAX_DATA_LEN),
776 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
777 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
778 
779 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
780 				.len = IEEE80211_MAX_SSID_LEN },
781 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
782 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
783 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
784 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
785 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
786 						  NL80211_MFP_NO,
787 						  NL80211_MFP_OPTIONAL),
788 	[NL80211_ATTR_STA_FLAGS2] =
789 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
790 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
791 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
792 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
793 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
794 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
795 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
796 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
797 	[NL80211_ATTR_WPA_VERSIONS] =
798 		NLA_POLICY_RANGE(NLA_U32, 0,
799 				 NL80211_WPA_VERSION_1 |
800 				 NL80211_WPA_VERSION_2 |
801 				 NL80211_WPA_VERSION_3),
802 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
803 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
804 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
805 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
806 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
807 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
808 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
809 				 .len = IEEE80211_MAX_DATA_LEN },
810 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
811 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
812 						   NL80211_PS_DISABLED,
813 						   NL80211_PS_ENABLED),
814 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
815 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
816 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
817 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
818 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
819 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
820 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
821 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
822 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
823 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
824 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
825 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
826 	[NL80211_ATTR_STA_PLINK_STATE] =
827 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
828 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
829 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
830 	[NL80211_ATTR_MESH_PEER_AID] =
831 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
832 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
833 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
834 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
835 	[NL80211_ATTR_HIDDEN_SSID] =
836 		NLA_POLICY_RANGE(NLA_U32,
837 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
838 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
839 	[NL80211_ATTR_IE_PROBE_RESP] =
840 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
841 				       IEEE80211_MAX_DATA_LEN),
842 	[NL80211_ATTR_IE_ASSOC_RESP] =
843 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
844 				       IEEE80211_MAX_DATA_LEN),
845 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
846 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
847 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
848 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
849 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
850 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
851 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
852 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
853 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
854 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
855 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
856 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
857 				      .len = IEEE80211_MAX_DATA_LEN },
858 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
859 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
860 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
861 		.len = NL80211_HT_CAPABILITY_LEN
862 	},
863 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
864 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
865 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
866 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
867 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
868 
869 	/* need to include at least Auth Transaction and Status Code */
870 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
871 
872 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
873 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
874 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
875 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
876 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
877 		NLA_POLICY_RANGE(NLA_U32,
878 				 NL80211_MESH_POWER_UNKNOWN + 1,
879 				 NL80211_MESH_POWER_MAX),
880 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
881 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
882 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
883 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
884 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
885 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
886 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
887 		.len = NL80211_VHT_CAPABILITY_LEN,
888 	},
889 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
890 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
891 				  .len = IEEE80211_MAX_DATA_LEN },
892 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
893 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
894 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
895 	[NL80211_ATTR_PEER_AID] =
896 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
897 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
898 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
899 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
900 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
901 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
902 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
903 	/*
904 	 * The value of the Length field of the Supported Operating
905 	 * Classes element is between 2 and 253.
906 	 */
907 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
908 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
909 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
910 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
911 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
912 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
913 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
914 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
915 						  IEEE80211_QOS_MAP_LEN_MIN,
916 						  IEEE80211_QOS_MAP_LEN_MAX),
917 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
918 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
919 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
920 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
921 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
922 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
923 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
924 	[NL80211_ATTR_USER_PRIO] =
925 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
926 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
927 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
928 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
929 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
930 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
931 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
932 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
933 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
934 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
935 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
936 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
937 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
938 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
939 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
940 	},
941 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
942 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
943 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
944 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
945 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
946 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
947 				    .len = FILS_MAX_KEK_LEN },
948 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
949 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
950 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
951 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
952 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
953 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
954 	},
955 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
956 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
957 					     .len = FILS_ERP_MAX_USERNAME_LEN },
958 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
959 					  .len = FILS_ERP_MAX_REALM_LEN },
960 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
961 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
962 					.len = FILS_ERP_MAX_RRK_LEN },
963 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
964 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
965 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
966 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
967 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
968 
969 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
970 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
971 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
972 	[NL80211_ATTR_HE_CAPABILITY] =
973 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
974 				       NL80211_HE_MAX_CAPABILITY_LEN),
975 	[NL80211_ATTR_FTM_RESPONDER] =
976 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
977 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
978 	[NL80211_ATTR_PEER_MEASUREMENTS] =
979 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
980 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
981 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
982 					.len = SAE_PASSWORD_MAX_LEN },
983 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
984 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
985 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
986 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
987 	[NL80211_ATTR_TID_CONFIG] =
988 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
989 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
990 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
991 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
992 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
993 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
994 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
995 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
996 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
997 	[NL80211_ATTR_FILS_DISCOVERY] =
998 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
999 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
1000 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
1001 	[NL80211_ATTR_S1G_CAPABILITY] =
1002 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
1003 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
1004 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
1005 	[NL80211_ATTR_SAE_PWE] =
1006 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
1007 				 NL80211_SAE_PWE_BOTH),
1008 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
1009 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
1010 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
1011 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
1012 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
1013 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
1014 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
1015 	[NL80211_ATTR_MBSSID_CONFIG] =
1016 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
1017 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
1018 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
1019 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
1020 	[NL80211_ATTR_EHT_CAPABILITY] =
1021 		NLA_POLICY_RANGE(NLA_BINARY,
1022 				 NL80211_EHT_MIN_CAPABILITY_LEN,
1023 				 NL80211_EHT_MAX_CAPABILITY_LEN),
1024 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
1025 	[NL80211_ATTR_MLO_LINKS] =
1026 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
1027 	[NL80211_ATTR_MLO_LINK_ID] =
1028 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
1029 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
1030 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
1031 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
1032 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
1033 	[NL80211_ATTR_PUNCT_BITMAP] =
1034 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
1035 
1036 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
1037 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
1038 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
1039 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
1040 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
1041 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
1042 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
1043 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
1044 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
1045 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
1046 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
1047 				       NL80211_MAX_SUPP_SELECTORS),
1048 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
1049 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
1050 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
1051 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
1052 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
1053 	[NL80211_ATTR_S1G_SHORT_BEACON] =
1054 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
1055 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
1056 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
1057 	[NL80211_ATTR_EPP_PEER] = { .type = NLA_FLAG },
1058 	[NL80211_ATTR_UHR_CAPABILITY] =
1059 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
1060 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
1061 	[NL80211_ATTR_UHR_OPERATION] =
1062 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_operation),
1063 	[NL80211_ATTR_NAN_CHANNEL] = NLA_POLICY_NESTED(nl80211_policy),
1064 	[NL80211_ATTR_NAN_CHANNEL_ENTRY] = NLA_POLICY_EXACT_LEN(6),
1065 	[NL80211_ATTR_NAN_RX_NSS] = { .type = NLA_U8 },
1066 	[NL80211_ATTR_NAN_TIME_SLOTS] =
1067 		NLA_POLICY_EXACT_LEN(CFG80211_NAN_SCHED_NUM_TIME_SLOTS),
1068 	[NL80211_ATTR_NAN_AVAIL_BLOB] =
1069 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_avail_blob),
1070 	[NL80211_ATTR_NAN_SCHED_DEFERRED] = { .type = NLA_FLAG },
1071 	[NL80211_ATTR_NAN_NMI_MAC] = NLA_POLICY_ETH_ADDR,
1072 	[NL80211_ATTR_NAN_ULW] =
1073 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_ulw),
1074 	[NL80211_ATTR_NAN_COMMITTED_DW] = { .type = NLA_U16 },
1075 	[NL80211_ATTR_NAN_SEQ_ID] = { .type = NLA_U8 },
1076 	[NL80211_ATTR_NAN_MAX_CHAN_SWITCH_TIME] = { .type = NLA_U16 },
1077 	[NL80211_ATTR_NAN_PEER_MAPS] =
1078 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_peer_map_policy),
1079 };
1080 
1081 /* policy for the key attributes */
1082 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
1083 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
1084 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
1085 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
1086 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
1087 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
1088 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
1089 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
1090 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
1091 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
1092 };
1093 
1094 /* policy for the key default flags */
1095 static const struct nla_policy
1096 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
1097 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
1098 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
1099 };
1100 
1101 #ifdef CONFIG_PM
1102 /* policy for WoWLAN attributes */
1103 static const struct nla_policy
1104 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
1105 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
1106 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
1107 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
1108 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
1109 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
1110 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
1111 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
1112 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
1113 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
1114 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
1115 };
1116 
1117 static const struct nla_policy
1118 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
1119 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
1120 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
1121 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1122 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
1123 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
1124 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1125 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
1126 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
1127 	},
1128 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
1129 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
1130 	},
1131 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
1132 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1133 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
1134 };
1135 #endif /* CONFIG_PM */
1136 
1137 /* policy for coalesce rule attributes */
1138 static const struct nla_policy
1139 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
1140 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
1141 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
1142 		NLA_POLICY_RANGE(NLA_U32,
1143 				 NL80211_COALESCE_CONDITION_MATCH,
1144 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1145 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1146 };
1147 
1148 /* policy for GTK rekey offload attributes */
1149 static const struct nla_policy
1150 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1151 	[NL80211_REKEY_DATA_KEK] = {
1152 		.type = NLA_BINARY,
1153 		.len = NL80211_KEK_EXT_LEN
1154 	},
1155 	[NL80211_REKEY_DATA_KCK] = {
1156 		.type = NLA_BINARY,
1157 		.len = NL80211_KCK_EXT_LEN_32
1158 	},
1159 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1160 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1161 };
1162 
1163 static const struct nla_policy
1164 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1165 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1166 						 .len = IEEE80211_MAX_SSID_LEN },
1167 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1168 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1169 };
1170 
1171 static const struct nla_policy
1172 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1173 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1174 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1175 };
1176 
1177 static const struct nla_policy
1178 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1179 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1180 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1181 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1182 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1183 	},
1184 };
1185 
1186 /* policy for NAN function attributes */
1187 static const struct nla_policy
1188 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1189 	[NL80211_NAN_FUNC_TYPE] =
1190 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1191 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1192 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1193 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1194 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1195 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1196 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1197 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1198 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1199 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1200 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1201 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1202 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1203 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1204 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1205 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1206 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1207 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1208 };
1209 
1210 /* policy for Service Response Filter attributes */
1211 static const struct nla_policy
1212 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1213 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1214 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1215 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1216 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1217 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1218 };
1219 
1220 /* policy for packet pattern attributes */
1221 static const struct nla_policy
1222 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1223 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1224 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1225 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1226 };
1227 
1228 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1229 				     struct cfg80211_registered_device **rdev,
1230 				     struct wireless_dev **wdev,
1231 				     struct nlattr **attrbuf)
1232 {
1233 	int err;
1234 
1235 	if (!cb->args[0]) {
1236 		struct nlattr **attrbuf_free = NULL;
1237 
1238 		if (!attrbuf) {
1239 			attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
1240 			if (!attrbuf)
1241 				return -ENOMEM;
1242 			attrbuf_free = attrbuf;
1243 		}
1244 
1245 		err = nlmsg_parse_deprecated(cb->nlh,
1246 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1247 					     attrbuf, nl80211_fam.maxattr,
1248 					     nl80211_policy, NULL);
1249 		if (err) {
1250 			kfree(attrbuf_free);
1251 			return err;
1252 		}
1253 
1254 		rtnl_lock();
1255 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1256 						   attrbuf);
1257 		kfree(attrbuf_free);
1258 		if (IS_ERR(*wdev)) {
1259 			rtnl_unlock();
1260 			return PTR_ERR(*wdev);
1261 		}
1262 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1263 		mutex_lock(&(*rdev)->wiphy.mtx);
1264 		rtnl_unlock();
1265 		/* 0 is the first index - add 1 to parse only once */
1266 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1267 		cb->args[1] = (*wdev)->identifier;
1268 	} else {
1269 		/* subtract the 1 again here */
1270 		struct wiphy *wiphy;
1271 		struct wireless_dev *tmp;
1272 
1273 		rtnl_lock();
1274 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1275 		if (!wiphy) {
1276 			rtnl_unlock();
1277 			return -ENODEV;
1278 		}
1279 		*rdev = wiphy_to_rdev(wiphy);
1280 		*wdev = NULL;
1281 
1282 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1283 			if (tmp->identifier == cb->args[1]) {
1284 				*wdev = tmp;
1285 				break;
1286 			}
1287 		}
1288 
1289 		if (!*wdev) {
1290 			rtnl_unlock();
1291 			return -ENODEV;
1292 		}
1293 		mutex_lock(&(*rdev)->wiphy.mtx);
1294 		rtnl_unlock();
1295 	}
1296 
1297 	return 0;
1298 }
1299 
1300 /* message building helper */
1301 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1302 		     int flags, u8 cmd)
1303 {
1304 	/* since there is no private header just add the generic one */
1305 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1306 }
1307 
1308 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1309 				     const struct ieee80211_reg_rule *rule)
1310 {
1311 	int j;
1312 	struct nlattr *nl_wmm_rules =
1313 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1314 
1315 	if (!nl_wmm_rules)
1316 		goto nla_put_failure;
1317 
1318 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1319 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1320 
1321 		if (!nl_wmm_rule)
1322 			goto nla_put_failure;
1323 
1324 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1325 				rule->wmm_rule.client[j].cw_min) ||
1326 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1327 				rule->wmm_rule.client[j].cw_max) ||
1328 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1329 			       rule->wmm_rule.client[j].aifsn) ||
1330 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1331 			        rule->wmm_rule.client[j].cot))
1332 			goto nla_put_failure;
1333 
1334 		nla_nest_end(msg, nl_wmm_rule);
1335 	}
1336 	nla_nest_end(msg, nl_wmm_rules);
1337 
1338 	return 0;
1339 
1340 nla_put_failure:
1341 	return -ENOBUFS;
1342 }
1343 
1344 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1345 				   struct ieee80211_channel *chan,
1346 				   bool large)
1347 {
1348 	/* Some channels must be completely excluded from the
1349 	 * list to protect old user-space tools from breaking
1350 	 */
1351 	if (!large && chan->flags &
1352 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1353 		return 0;
1354 	if (!large && chan->freq_offset)
1355 		return 0;
1356 
1357 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1358 			chan->center_freq))
1359 		goto nla_put_failure;
1360 
1361 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1362 		goto nla_put_failure;
1363 
1364 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1365 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1366 		goto nla_put_failure;
1367 
1368 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1369 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1370 		goto nla_put_failure;
1371 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1372 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1373 			goto nla_put_failure;
1374 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1375 			goto nla_put_failure;
1376 	}
1377 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1378 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1379 			goto nla_put_failure;
1380 		if (large) {
1381 			u32 time;
1382 
1383 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1384 
1385 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1386 					chan->dfs_state))
1387 				goto nla_put_failure;
1388 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1389 					time))
1390 				goto nla_put_failure;
1391 			if (nla_put_u32(msg,
1392 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1393 					chan->dfs_cac_ms))
1394 				goto nla_put_failure;
1395 		}
1396 	}
1397 
1398 	if (large) {
1399 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1400 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1401 			goto nla_put_failure;
1402 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1403 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1404 			goto nla_put_failure;
1405 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1406 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1407 			goto nla_put_failure;
1408 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1409 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1410 			goto nla_put_failure;
1411 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1412 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1413 			goto nla_put_failure;
1414 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1415 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1416 			goto nla_put_failure;
1417 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1418 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1419 			goto nla_put_failure;
1420 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1421 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1422 			goto nla_put_failure;
1423 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1424 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1425 			goto nla_put_failure;
1426 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1427 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1428 			goto nla_put_failure;
1429 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1430 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1431 			goto nla_put_failure;
1432 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1433 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1434 			goto nla_put_failure;
1435 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1436 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1437 			goto nla_put_failure;
1438 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1439 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1440 			goto nla_put_failure;
1441 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1442 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1443 			goto nla_put_failure;
1444 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1445 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1446 			goto nla_put_failure;
1447 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1448 		    nla_put_flag(msg,
1449 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1450 			goto nla_put_failure;
1451 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1452 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1453 			goto nla_put_failure;
1454 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1455 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1456 			goto nla_put_failure;
1457 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1458 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1459 			goto nla_put_failure;
1460 		if ((chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY) &&
1461 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_S1G_NO_PRIMARY))
1462 			goto nla_put_failure;
1463 		if ((chan->flags & IEEE80211_CHAN_NO_UHR) &&
1464 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_UHR))
1465 			goto nla_put_failure;
1466 		if (chan->cac_start_time &&
1467 		    nla_put_u64_64bit(msg,
1468 				      NL80211_FREQUENCY_ATTR_CAC_START_TIME,
1469 				      chan->cac_start_time,
1470 				      NL80211_FREQUENCY_ATTR_PAD))
1471 			goto nla_put_failure;
1472 	}
1473 
1474 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1475 			DBM_TO_MBM(chan->max_power)))
1476 		goto nla_put_failure;
1477 
1478 	if (large) {
1479 		const struct ieee80211_reg_rule *rule =
1480 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1481 
1482 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1483 			if (nl80211_msg_put_wmm_rules(msg, rule))
1484 				goto nla_put_failure;
1485 		}
1486 	}
1487 
1488 	return 0;
1489 
1490  nla_put_failure:
1491 	return -ENOBUFS;
1492 }
1493 
1494 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1495 				  struct cfg80211_txq_stats *txqstats,
1496 				  int attrtype)
1497 {
1498 	struct nlattr *txqattr;
1499 
1500 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1501 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1502 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1503 		return false;						  \
1504 	} while (0)
1505 
1506 	txqattr = nla_nest_start_noflag(msg, attrtype);
1507 	if (!txqattr)
1508 		return false;
1509 
1510 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1511 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1512 	PUT_TXQVAL_U32(FLOWS, flows);
1513 	PUT_TXQVAL_U32(DROPS, drops);
1514 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1515 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1516 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1517 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1518 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1519 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1520 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1521 	nla_nest_end(msg, txqattr);
1522 
1523 #undef PUT_TXQVAL_U32
1524 	return true;
1525 }
1526 
1527 /* netlink command implementations */
1528 
1529 /**
1530  * nl80211_link_id - return link ID
1531  * @attrs: attributes to look at
1532  *
1533  * Returns: the link ID or 0 if not given
1534  *
1535  * Note this function doesn't do any validation of the link
1536  * ID validity wrt. links that were actually added, so it must
1537  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1538  * or if additional validation is done.
1539  */
1540 static unsigned int nl80211_link_id(struct nlattr **attrs)
1541 {
1542 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1543 
1544 	return nla_get_u8_default(linkid, 0);
1545 }
1546 
1547 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1548 {
1549 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1550 
1551 	if (!linkid)
1552 		return -1;
1553 
1554 	return nla_get_u8(linkid);
1555 }
1556 
1557 struct key_parse {
1558 	struct key_params p;
1559 	int idx;
1560 	int type;
1561 	bool def, defmgmt, defbeacon;
1562 	bool def_uni, def_multi;
1563 };
1564 
1565 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1566 				 struct key_parse *k)
1567 {
1568 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1569 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1570 					      nl80211_key_policy,
1571 					      info->extack);
1572 	if (err)
1573 		return err;
1574 
1575 	k->def = !!tb[NL80211_KEY_DEFAULT];
1576 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1577 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1578 
1579 	if (k->def) {
1580 		k->def_uni = true;
1581 		k->def_multi = true;
1582 	}
1583 	if (k->defmgmt || k->defbeacon)
1584 		k->def_multi = true;
1585 
1586 	if (tb[NL80211_KEY_IDX])
1587 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1588 
1589 	if (tb[NL80211_KEY_DATA]) {
1590 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1591 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1592 	}
1593 
1594 	if (tb[NL80211_KEY_SEQ]) {
1595 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1596 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1597 	}
1598 
1599 	if (tb[NL80211_KEY_CIPHER])
1600 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1601 
1602 	if (tb[NL80211_KEY_TYPE])
1603 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1604 
1605 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1606 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1607 
1608 		err = nla_parse_nested_deprecated(kdt,
1609 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1610 						  tb[NL80211_KEY_DEFAULT_TYPES],
1611 						  nl80211_key_default_policy,
1612 						  info->extack);
1613 		if (err)
1614 			return err;
1615 
1616 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1617 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1618 	}
1619 
1620 	if (tb[NL80211_KEY_MODE])
1621 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1622 
1623 	return 0;
1624 }
1625 
1626 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1627 {
1628 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1629 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1630 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1631 	}
1632 
1633 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1634 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1635 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1636 	}
1637 
1638 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1639 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1640 
1641 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1642 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1643 
1644 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1645 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1646 
1647 	if (k->def) {
1648 		k->def_uni = true;
1649 		k->def_multi = true;
1650 	}
1651 	if (k->defmgmt)
1652 		k->def_multi = true;
1653 
1654 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1655 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1656 
1657 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1658 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1659 		int err = nla_parse_nested_deprecated(kdt,
1660 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1661 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1662 						      nl80211_key_default_policy,
1663 						      info->extack);
1664 		if (err)
1665 			return err;
1666 
1667 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1668 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1669 	}
1670 
1671 	return 0;
1672 }
1673 
1674 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1675 {
1676 	int err;
1677 
1678 	memset(k, 0, sizeof(*k));
1679 	k->idx = -1;
1680 	k->type = -1;
1681 
1682 	if (info->attrs[NL80211_ATTR_KEY])
1683 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1684 	else
1685 		err = nl80211_parse_key_old(info, k);
1686 
1687 	if (err)
1688 		return err;
1689 
1690 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1691 	    (k->defbeacon ? 1 : 0) > 1) {
1692 		GENL_SET_ERR_MSG(info,
1693 				 "key with multiple default flags is invalid");
1694 		return -EINVAL;
1695 	}
1696 
1697 	if (k->defmgmt || k->defbeacon) {
1698 		if (k->def_uni || !k->def_multi) {
1699 			GENL_SET_ERR_MSG(info,
1700 					 "defmgmt/defbeacon key must be mcast");
1701 			return -EINVAL;
1702 		}
1703 	}
1704 
1705 	if (k->idx != -1) {
1706 		if (k->defmgmt) {
1707 			if (k->idx < 4 || k->idx > 5) {
1708 				GENL_SET_ERR_MSG(info,
1709 						 "defmgmt key idx not 4 or 5");
1710 				return -EINVAL;
1711 			}
1712 		} else if (k->defbeacon) {
1713 			if (k->idx < 6 || k->idx > 7) {
1714 				GENL_SET_ERR_MSG(info,
1715 						 "defbeacon key idx not 6 or 7");
1716 				return -EINVAL;
1717 			}
1718 		} else if (k->def) {
1719 			if (k->idx < 0 || k->idx > 3) {
1720 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1721 				return -EINVAL;
1722 			}
1723 		} else {
1724 			if (k->idx < 0 || k->idx > 7) {
1725 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1726 				return -EINVAL;
1727 			}
1728 		}
1729 	}
1730 
1731 	return 0;
1732 }
1733 
1734 static struct cfg80211_cached_keys *
1735 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1736 		       struct genl_info *info, bool *no_ht)
1737 {
1738 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1739 	struct key_parse parse;
1740 	struct nlattr *key;
1741 	struct cfg80211_cached_keys *result;
1742 	int rem, err, def = 0;
1743 	bool have_key = false;
1744 
1745 	nla_for_each_nested(key, keys, rem) {
1746 		have_key = true;
1747 		break;
1748 	}
1749 
1750 	if (!have_key)
1751 		return NULL;
1752 
1753 	result = kzalloc_obj(*result);
1754 	if (!result)
1755 		return ERR_PTR(-ENOMEM);
1756 
1757 	result->def = -1;
1758 
1759 	nla_for_each_nested(key, keys, rem) {
1760 		memset(&parse, 0, sizeof(parse));
1761 		parse.idx = -1;
1762 
1763 		err = nl80211_parse_key_new(info, key, &parse);
1764 		if (err)
1765 			goto error;
1766 		err = -EINVAL;
1767 		if (!parse.p.key)
1768 			goto error;
1769 		if (parse.idx < 0 || parse.idx > 3) {
1770 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1771 			goto error;
1772 		}
1773 		if (parse.def) {
1774 			if (def) {
1775 				GENL_SET_ERR_MSG(info,
1776 						 "only one key can be default");
1777 				goto error;
1778 			}
1779 			def = 1;
1780 			result->def = parse.idx;
1781 			if (!parse.def_uni || !parse.def_multi)
1782 				goto error;
1783 		} else if (parse.defmgmt)
1784 			goto error;
1785 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1786 						     parse.idx, false, NULL);
1787 		if (err)
1788 			goto error;
1789 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1790 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1791 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1792 			err = -EINVAL;
1793 			goto error;
1794 		}
1795 		result->params[parse.idx].cipher = parse.p.cipher;
1796 		result->params[parse.idx].key_len = parse.p.key_len;
1797 		result->params[parse.idx].key = result->data[parse.idx];
1798 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1799 
1800 		/* must be WEP key if we got here */
1801 		if (no_ht)
1802 			*no_ht = true;
1803 	}
1804 
1805 	if (result->def < 0) {
1806 		err = -EINVAL;
1807 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1808 		goto error;
1809 	}
1810 
1811 	return result;
1812  error:
1813 	kfree_sensitive(result);
1814 	return ERR_PTR(err);
1815 }
1816 
1817 static int nl80211_key_allowed(struct wireless_dev *wdev)
1818 {
1819 	lockdep_assert_wiphy(wdev->wiphy);
1820 
1821 	switch (wdev->iftype) {
1822 	case NL80211_IFTYPE_AP:
1823 	case NL80211_IFTYPE_AP_VLAN:
1824 	case NL80211_IFTYPE_P2P_GO:
1825 	case NL80211_IFTYPE_MESH_POINT:
1826 		break;
1827 	case NL80211_IFTYPE_ADHOC:
1828 		if (wdev->u.ibss.current_bss)
1829 			return 0;
1830 		return -ENOLINK;
1831 	case NL80211_IFTYPE_STATION:
1832 	case NL80211_IFTYPE_P2P_CLIENT:
1833 		if (wdev->connected ||
1834 		    (wiphy_ext_feature_isset(wdev->wiphy,
1835 					     NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)))
1836 			return 0;
1837 		return -ENOLINK;
1838 	case NL80211_IFTYPE_NAN:
1839 	case NL80211_IFTYPE_NAN_DATA:
1840 		if (wiphy_ext_feature_isset(wdev->wiphy,
1841 					    NL80211_EXT_FEATURE_SECURE_NAN))
1842 			return 0;
1843 		return -EINVAL;
1844 	case NL80211_IFTYPE_UNSPECIFIED:
1845 	case NL80211_IFTYPE_OCB:
1846 	case NL80211_IFTYPE_MONITOR:
1847 	case NL80211_IFTYPE_P2P_DEVICE:
1848 	case NL80211_IFTYPE_WDS:
1849 	case NUM_NL80211_IFTYPES:
1850 		return -EINVAL;
1851 	}
1852 
1853 	return 0;
1854 }
1855 
1856 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1857 							u32 freq)
1858 {
1859 	struct ieee80211_channel *chan;
1860 
1861 	chan = ieee80211_get_channel_khz(wiphy, freq);
1862 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1863 		return NULL;
1864 	return chan;
1865 }
1866 
1867 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1868 {
1869 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1870 	int i;
1871 
1872 	if (!nl_modes)
1873 		goto nla_put_failure;
1874 
1875 	i = 0;
1876 	while (ifmodes) {
1877 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1878 			goto nla_put_failure;
1879 		ifmodes >>= 1;
1880 		i++;
1881 	}
1882 
1883 	nla_nest_end(msg, nl_modes);
1884 	return 0;
1885 
1886 nla_put_failure:
1887 	return -ENOBUFS;
1888 }
1889 
1890 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1891 				   const struct ieee80211_iface_combination *c,
1892 				   u16 nested)
1893 {
1894 	struct nlattr *nl_combi, *nl_limits;
1895 	int i;
1896 
1897 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1898 	if (!nl_combi)
1899 		goto nla_put_failure;
1900 
1901 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1902 					       nested);
1903 	if (!nl_limits)
1904 		goto nla_put_failure;
1905 
1906 	for (i = 0; i < c->n_limits; i++) {
1907 		struct nlattr *nl_limit;
1908 
1909 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1910 		if (!nl_limit)
1911 			goto nla_put_failure;
1912 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1913 			goto nla_put_failure;
1914 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1915 					c->limits[i].types))
1916 			goto nla_put_failure;
1917 		nla_nest_end(msg, nl_limit);
1918 	}
1919 
1920 	nla_nest_end(msg, nl_limits);
1921 
1922 	if (c->beacon_int_infra_match &&
1923 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1924 		goto nla_put_failure;
1925 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1926 			c->num_different_channels) ||
1927 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1928 			c->max_interfaces))
1929 		goto nla_put_failure;
1930 	if (large &&
1931 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1932 			c->radar_detect_widths) ||
1933 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1934 			c->radar_detect_regions)))
1935 		goto nla_put_failure;
1936 	if (c->beacon_int_min_gcd &&
1937 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1938 			c->beacon_int_min_gcd))
1939 		goto nla_put_failure;
1940 
1941 	nla_nest_end(msg, nl_combi);
1942 
1943 	return 0;
1944 nla_put_failure:
1945 	return -ENOBUFS;
1946 }
1947 
1948 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1949 					  struct sk_buff *msg,
1950 					  int attr, int radio,
1951 					  bool large, u16 nested)
1952 {
1953 	const struct ieee80211_iface_combination *c;
1954 	struct nlattr *nl_combis;
1955 	int i, n;
1956 
1957 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1958 	if (!nl_combis)
1959 		goto nla_put_failure;
1960 
1961 	if (radio >= 0) {
1962 		c = wiphy->radio[0].iface_combinations;
1963 		n = wiphy->radio[0].n_iface_combinations;
1964 	} else {
1965 		c = wiphy->iface_combinations;
1966 		n = wiphy->n_iface_combinations;
1967 	}
1968 	for (i = 0; i < n; i++)
1969 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1970 			goto nla_put_failure;
1971 
1972 	nla_nest_end(msg, nl_combis);
1973 
1974 	return 0;
1975 nla_put_failure:
1976 	return -ENOBUFS;
1977 }
1978 
1979 #ifdef CONFIG_PM
1980 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1981 					struct sk_buff *msg)
1982 {
1983 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1984 	struct nlattr *nl_tcp;
1985 
1986 	if (!tcp)
1987 		return 0;
1988 
1989 	nl_tcp = nla_nest_start_noflag(msg,
1990 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1991 	if (!nl_tcp)
1992 		return -ENOBUFS;
1993 
1994 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1995 			tcp->data_payload_max))
1996 		return -ENOBUFS;
1997 
1998 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1999 			tcp->data_payload_max))
2000 		return -ENOBUFS;
2001 
2002 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
2003 		return -ENOBUFS;
2004 
2005 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
2006 				sizeof(*tcp->tok), tcp->tok))
2007 		return -ENOBUFS;
2008 
2009 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
2010 			tcp->data_interval_max))
2011 		return -ENOBUFS;
2012 
2013 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
2014 			tcp->wake_payload_max))
2015 		return -ENOBUFS;
2016 
2017 	nla_nest_end(msg, nl_tcp);
2018 	return 0;
2019 }
2020 
2021 static int nl80211_send_wowlan(struct sk_buff *msg,
2022 			       struct cfg80211_registered_device *rdev,
2023 			       bool large)
2024 {
2025 	struct nlattr *nl_wowlan;
2026 
2027 	if (!rdev->wiphy.wowlan)
2028 		return 0;
2029 
2030 	nl_wowlan = nla_nest_start_noflag(msg,
2031 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
2032 	if (!nl_wowlan)
2033 		return -ENOBUFS;
2034 
2035 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
2036 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
2037 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
2038 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
2039 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
2040 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
2041 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
2042 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
2043 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
2044 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
2045 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
2046 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
2047 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
2048 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
2049 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
2050 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
2051 		return -ENOBUFS;
2052 
2053 	if (rdev->wiphy.wowlan->n_patterns) {
2054 		struct nl80211_pattern_support pat = {
2055 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
2056 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
2057 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
2058 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
2059 		};
2060 
2061 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
2062 			    sizeof(pat), &pat))
2063 			return -ENOBUFS;
2064 	}
2065 
2066 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
2067 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
2068 			rdev->wiphy.wowlan->max_nd_match_sets))
2069 		return -ENOBUFS;
2070 
2071 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
2072 		return -ENOBUFS;
2073 
2074 	nla_nest_end(msg, nl_wowlan);
2075 
2076 	return 0;
2077 }
2078 #endif
2079 
2080 static int nl80211_send_coalesce(struct sk_buff *msg,
2081 				 struct cfg80211_registered_device *rdev)
2082 {
2083 	struct nl80211_coalesce_rule_support rule;
2084 
2085 	if (!rdev->wiphy.coalesce)
2086 		return 0;
2087 
2088 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
2089 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
2090 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
2091 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
2092 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
2093 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
2094 
2095 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
2096 		return -ENOBUFS;
2097 
2098 	return 0;
2099 }
2100 
2101 static int
2102 nl80211_send_iftype_data(struct sk_buff *msg,
2103 			 const struct ieee80211_supported_band *sband,
2104 			 const struct ieee80211_sband_iftype_data *iftdata)
2105 {
2106 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
2107 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
2108 	const struct ieee80211_sta_uhr_cap *uhr_cap = &iftdata->uhr_cap;
2109 
2110 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
2111 				iftdata->types_mask))
2112 		return -ENOBUFS;
2113 
2114 	if (he_cap->has_he) {
2115 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
2116 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
2117 			    he_cap->he_cap_elem.mac_cap_info) ||
2118 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
2119 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
2120 			    he_cap->he_cap_elem.phy_cap_info) ||
2121 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
2122 			    sizeof(he_cap->he_mcs_nss_supp),
2123 			    &he_cap->he_mcs_nss_supp) ||
2124 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
2125 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
2126 			return -ENOBUFS;
2127 	}
2128 
2129 	if (eht_cap->has_eht && he_cap->has_he) {
2130 		u8 mcs_nss_size, ppe_thresh_size;
2131 		u16 ppe_thres_hdr;
2132 		bool is_ap;
2133 
2134 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
2135 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
2136 
2137 		mcs_nss_size =
2138 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
2139 						   &eht_cap->eht_cap_elem,
2140 						   is_ap);
2141 
2142 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
2143 		ppe_thresh_size =
2144 			ieee80211_eht_ppe_size(ppe_thres_hdr,
2145 					       eht_cap->eht_cap_elem.phy_cap_info);
2146 
2147 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
2148 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
2149 			    eht_cap->eht_cap_elem.mac_cap_info) ||
2150 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
2151 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
2152 			    eht_cap->eht_cap_elem.phy_cap_info) ||
2153 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
2154 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
2155 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
2156 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
2157 			return -ENOBUFS;
2158 	}
2159 
2160 	if (uhr_cap->has_uhr) {
2161 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_MAC,
2162 			    sizeof(uhr_cap->mac), &uhr_cap->mac) ||
2163 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_PHY,
2164 			    sizeof(uhr_cap->phy), &uhr_cap->phy))
2165 			return -ENOBUFS;
2166 	}
2167 
2168 	if (sband->band == NL80211_BAND_6GHZ &&
2169 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2170 		    sizeof(iftdata->he_6ghz_capa),
2171 		    &iftdata->he_6ghz_capa))
2172 		return -ENOBUFS;
2173 
2174 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2175 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2176 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2177 		return -ENOBUFS;
2178 
2179 	return 0;
2180 }
2181 
2182 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2183 				      struct ieee80211_supported_band *sband,
2184 				      bool large)
2185 {
2186 	struct nlattr *nl_rates, *nl_rate;
2187 	struct ieee80211_rate *rate;
2188 	int i;
2189 
2190 	/* add HT info */
2191 	if (sband->ht_cap.ht_supported &&
2192 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2193 		     sizeof(sband->ht_cap.mcs),
2194 		     &sband->ht_cap.mcs) ||
2195 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2196 			 sband->ht_cap.cap) ||
2197 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2198 			sband->ht_cap.ampdu_factor) ||
2199 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2200 			sband->ht_cap.ampdu_density)))
2201 		return -ENOBUFS;
2202 
2203 	/* add VHT info */
2204 	if (sband->vht_cap.vht_supported &&
2205 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2206 		     sizeof(sband->vht_cap.vht_mcs),
2207 		     &sband->vht_cap.vht_mcs) ||
2208 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2209 			 sband->vht_cap.cap)))
2210 		return -ENOBUFS;
2211 
2212 	if (large && sband->n_iftype_data) {
2213 		struct nlattr *nl_iftype_data =
2214 			nla_nest_start_noflag(msg,
2215 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2216 		const struct ieee80211_sband_iftype_data *iftd;
2217 		int err;
2218 
2219 		if (!nl_iftype_data)
2220 			return -ENOBUFS;
2221 
2222 		for_each_sband_iftype_data(sband, i, iftd) {
2223 			struct nlattr *iftdata;
2224 
2225 			iftdata = nla_nest_start_noflag(msg, i + 1);
2226 			if (!iftdata)
2227 				return -ENOBUFS;
2228 
2229 			err = nl80211_send_iftype_data(msg, sband, iftd);
2230 			if (err)
2231 				return err;
2232 
2233 			nla_nest_end(msg, iftdata);
2234 		}
2235 
2236 		nla_nest_end(msg, nl_iftype_data);
2237 	}
2238 
2239 	/* add EDMG info */
2240 	if (large && sband->edmg_cap.channels &&
2241 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2242 		       sband->edmg_cap.channels) ||
2243 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2244 		       sband->edmg_cap.bw_config)))
2245 
2246 		return -ENOBUFS;
2247 
2248 	/* add bitrates */
2249 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2250 	if (!nl_rates)
2251 		return -ENOBUFS;
2252 
2253 	for (i = 0; i < sband->n_bitrates; i++) {
2254 		nl_rate = nla_nest_start_noflag(msg, i);
2255 		if (!nl_rate)
2256 			return -ENOBUFS;
2257 
2258 		rate = &sband->bitrates[i];
2259 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2260 				rate->bitrate))
2261 			return -ENOBUFS;
2262 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2263 		    nla_put_flag(msg,
2264 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2265 			return -ENOBUFS;
2266 
2267 		nla_nest_end(msg, nl_rate);
2268 	}
2269 
2270 	nla_nest_end(msg, nl_rates);
2271 
2272 	/* S1G capabilities */
2273 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2274 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2275 		     sizeof(sband->s1g_cap.cap),
2276 		     sband->s1g_cap.cap) ||
2277 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2278 		     sizeof(sband->s1g_cap.nss_mcs),
2279 		     sband->s1g_cap.nss_mcs)))
2280 		return -ENOBUFS;
2281 
2282 	return 0;
2283 }
2284 
2285 static int
2286 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2287 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2288 {
2289 	u16 stypes;
2290 	struct nlattr *nl_ftypes, *nl_ifs;
2291 	enum nl80211_iftype ift;
2292 	int i;
2293 
2294 	if (!mgmt_stypes)
2295 		return 0;
2296 
2297 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2298 	if (!nl_ifs)
2299 		return -ENOBUFS;
2300 
2301 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2302 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2303 		if (!nl_ftypes)
2304 			return -ENOBUFS;
2305 		i = 0;
2306 		stypes = mgmt_stypes[ift].tx;
2307 		while (stypes) {
2308 			if ((stypes & 1) &&
2309 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2310 					(i << 4) | IEEE80211_FTYPE_MGMT))
2311 				return -ENOBUFS;
2312 			stypes >>= 1;
2313 			i++;
2314 		}
2315 		nla_nest_end(msg, nl_ftypes);
2316 	}
2317 
2318 	nla_nest_end(msg, nl_ifs);
2319 
2320 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2321 	if (!nl_ifs)
2322 		return -ENOBUFS;
2323 
2324 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2325 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2326 		if (!nl_ftypes)
2327 			return -ENOBUFS;
2328 		i = 0;
2329 		stypes = mgmt_stypes[ift].rx;
2330 		while (stypes) {
2331 			if ((stypes & 1) &&
2332 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2333 					(i << 4) | IEEE80211_FTYPE_MGMT))
2334 				return -ENOBUFS;
2335 			stypes >>= 1;
2336 			i++;
2337 		}
2338 		nla_nest_end(msg, nl_ftypes);
2339 	}
2340 	nla_nest_end(msg, nl_ifs);
2341 
2342 	return 0;
2343 }
2344 
2345 #define CMD(op, n)							\
2346 	 do {								\
2347 		if (rdev->ops->op) {					\
2348 			i++;						\
2349 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2350 				goto nla_put_failure;			\
2351 		}							\
2352 	} while (0)
2353 
2354 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2355 					struct sk_buff *msg)
2356 {
2357 	int i = 0;
2358 
2359 	/*
2360 	 * do *NOT* add anything into this function, new things need to be
2361 	 * advertised only to new versions of userspace that can deal with
2362 	 * the split (and they can't possibly care about new features...
2363 	 */
2364 	CMD(add_virtual_intf, NEW_INTERFACE);
2365 	CMD(change_virtual_intf, SET_INTERFACE);
2366 	CMD(add_key, NEW_KEY);
2367 	CMD(start_ap, START_AP);
2368 	CMD(add_station, NEW_STATION);
2369 	CMD(add_mpath, NEW_MPATH);
2370 	CMD(update_mesh_config, SET_MESH_CONFIG);
2371 	CMD(change_bss, SET_BSS);
2372 	CMD(auth, AUTHENTICATE);
2373 	CMD(assoc, ASSOCIATE);
2374 	CMD(deauth, DEAUTHENTICATE);
2375 	CMD(disassoc, DISASSOCIATE);
2376 	CMD(join_ibss, JOIN_IBSS);
2377 	CMD(join_mesh, JOIN_MESH);
2378 	CMD(set_pmksa, SET_PMKSA);
2379 	CMD(del_pmksa, DEL_PMKSA);
2380 	CMD(flush_pmksa, FLUSH_PMKSA);
2381 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2382 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2383 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2384 	CMD(mgmt_tx, FRAME);
2385 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2386 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2387 		i++;
2388 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2389 			goto nla_put_failure;
2390 	}
2391 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2392 	    rdev->ops->join_mesh) {
2393 		i++;
2394 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2395 			goto nla_put_failure;
2396 	}
2397 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2398 		CMD(tdls_mgmt, TDLS_MGMT);
2399 		CMD(tdls_oper, TDLS_OPER);
2400 	}
2401 	if (rdev->wiphy.max_sched_scan_reqs)
2402 		CMD(sched_scan_start, START_SCHED_SCAN);
2403 	CMD(probe_client, PROBE_CLIENT);
2404 	CMD(set_noack_map, SET_NOACK_MAP);
2405 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2406 		i++;
2407 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2408 			goto nla_put_failure;
2409 	}
2410 	CMD(start_p2p_device, START_P2P_DEVICE);
2411 	CMD(set_mcast_rate, SET_MCAST_RATE);
2412 #ifdef CONFIG_NL80211_TESTMODE
2413 	CMD(testmode_cmd, TESTMODE);
2414 #endif
2415 
2416 	if (rdev->ops->connect || rdev->ops->auth) {
2417 		i++;
2418 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2419 			goto nla_put_failure;
2420 	}
2421 
2422 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2423 		i++;
2424 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2425 			goto nla_put_failure;
2426 	}
2427 
2428 	return i;
2429  nla_put_failure:
2430 	return -ENOBUFS;
2431 }
2432 
2433 static int
2434 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2435 			   struct sk_buff *msg)
2436 {
2437 	struct nlattr *ftm;
2438 
2439 	if (!cap->ftm.supported)
2440 		return 0;
2441 
2442 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2443 	if (!ftm)
2444 		return -ENOBUFS;
2445 
2446 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2447 		return -ENOBUFS;
2448 	if (cap->ftm.non_asap &&
2449 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2450 		return -ENOBUFS;
2451 	if (cap->ftm.request_lci &&
2452 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2453 		return -ENOBUFS;
2454 	if (cap->ftm.request_civicloc &&
2455 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2456 		return -ENOBUFS;
2457 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2458 			cap->ftm.preambles))
2459 		return -ENOBUFS;
2460 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2461 			cap->ftm.bandwidths))
2462 		return -ENOBUFS;
2463 	if (cap->ftm.max_bursts_exponent >= 0 &&
2464 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2465 			cap->ftm.max_bursts_exponent))
2466 		return -ENOBUFS;
2467 	if (cap->ftm.max_ftms_per_burst &&
2468 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2469 			cap->ftm.max_ftms_per_burst))
2470 		return -ENOBUFS;
2471 	if (cap->ftm.trigger_based &&
2472 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2473 		return -ENOBUFS;
2474 	if (cap->ftm.non_trigger_based &&
2475 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2476 		return -ENOBUFS;
2477 	if (cap->ftm.support_6ghz &&
2478 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_6GHZ_SUPPORT))
2479 		return -ENOBUFS;
2480 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_LTF_REP,
2481 			cap->ftm.max_tx_ltf_rep))
2482 		return -ENOBUFS;
2483 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_LTF_REP,
2484 			cap->ftm.max_rx_ltf_rep))
2485 		return -ENOBUFS;
2486 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_STS,
2487 			cap->ftm.max_tx_sts))
2488 		return -ENOBUFS;
2489 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_STS,
2490 			cap->ftm.max_rx_sts))
2491 		return -ENOBUFS;
2492 	if (cap->ftm.max_total_ltf_tx > 0 &&
2493 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_TX,
2494 			cap->ftm.max_total_ltf_tx))
2495 		return -ENOBUFS;
2496 	if (cap->ftm.max_total_ltf_rx > 0 &&
2497 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_RX,
2498 			cap->ftm.max_total_ltf_rx))
2499 		return -ENOBUFS;
2500 	if (cap->ftm.support_rsta &&
2501 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_RSTA_SUPPORT))
2502 		return -ENOBUFS;
2503 
2504 	nla_nest_end(msg, ftm);
2505 	return 0;
2506 }
2507 
2508 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2509 				  struct sk_buff *msg)
2510 {
2511 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2512 	struct nlattr *pmsr, *caps;
2513 
2514 	if (!cap)
2515 		return 0;
2516 
2517 	/*
2518 	 * we don't need to clean up anything here since the caller
2519 	 * will genlmsg_cancel() if we fail
2520 	 */
2521 
2522 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2523 	if (!pmsr)
2524 		return -ENOBUFS;
2525 
2526 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2527 		return -ENOBUFS;
2528 
2529 	if (cap->report_ap_tsf &&
2530 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2531 		return -ENOBUFS;
2532 
2533 	if (cap->randomize_mac_addr &&
2534 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2535 		return -ENOBUFS;
2536 
2537 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2538 	if (!caps)
2539 		return -ENOBUFS;
2540 
2541 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2542 		return -ENOBUFS;
2543 
2544 	nla_nest_end(msg, caps);
2545 	nla_nest_end(msg, pmsr);
2546 
2547 	return 0;
2548 }
2549 
2550 static int
2551 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2552 			      struct sk_buff *msg)
2553 {
2554 	int i;
2555 	struct nlattr *nested, *nested_akms;
2556 	const struct wiphy_iftype_akm_suites *iftype_akms;
2557 
2558 	if (!rdev->wiphy.num_iftype_akm_suites ||
2559 	    !rdev->wiphy.iftype_akm_suites)
2560 		return 0;
2561 
2562 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2563 	if (!nested)
2564 		return -ENOBUFS;
2565 
2566 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2567 		nested_akms = nla_nest_start(msg, i + 1);
2568 		if (!nested_akms)
2569 			return -ENOBUFS;
2570 
2571 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2572 
2573 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2574 					iftype_akms->iftypes_mask))
2575 			return -ENOBUFS;
2576 
2577 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2578 			    sizeof(u32) * iftype_akms->n_akm_suites,
2579 			    iftype_akms->akm_suites)) {
2580 			return -ENOBUFS;
2581 		}
2582 		nla_nest_end(msg, nested_akms);
2583 	}
2584 
2585 	nla_nest_end(msg, nested);
2586 
2587 	return 0;
2588 }
2589 
2590 static int
2591 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2592 			       struct sk_buff *msg)
2593 {
2594 	struct nlattr *supp;
2595 
2596 	if (!rdev->wiphy.tid_config_support.vif &&
2597 	    !rdev->wiphy.tid_config_support.peer)
2598 		return 0;
2599 
2600 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2601 	if (!supp)
2602 		return -ENOSPC;
2603 
2604 	if (rdev->wiphy.tid_config_support.vif &&
2605 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2606 			      rdev->wiphy.tid_config_support.vif,
2607 			      NL80211_TID_CONFIG_ATTR_PAD))
2608 		goto fail;
2609 
2610 	if (rdev->wiphy.tid_config_support.peer &&
2611 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2612 			      rdev->wiphy.tid_config_support.peer,
2613 			      NL80211_TID_CONFIG_ATTR_PAD))
2614 		goto fail;
2615 
2616 	/* for now we just use the same value ... makes more sense */
2617 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2618 		       rdev->wiphy.tid_config_support.max_retry))
2619 		goto fail;
2620 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2621 		       rdev->wiphy.tid_config_support.max_retry))
2622 		goto fail;
2623 
2624 	nla_nest_end(msg, supp);
2625 
2626 	return 0;
2627 fail:
2628 	nla_nest_cancel(msg, supp);
2629 	return -ENOBUFS;
2630 }
2631 
2632 static int
2633 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2634 		      struct sk_buff *msg)
2635 {
2636 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2637 	u8 num_freq_ranges;
2638 	int i;
2639 
2640 	if (!rdev->wiphy.sar_capa)
2641 		return 0;
2642 
2643 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2644 
2645 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2646 	if (!sar_capa)
2647 		return -ENOSPC;
2648 
2649 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2650 		goto fail;
2651 
2652 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2653 	if (!specs)
2654 		goto fail;
2655 
2656 	/* report supported freq_ranges */
2657 	for (i = 0; i < num_freq_ranges; i++) {
2658 		sub_freq_range = nla_nest_start(msg, i + 1);
2659 		if (!sub_freq_range)
2660 			goto fail;
2661 
2662 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2663 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2664 			goto fail;
2665 
2666 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2667 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2668 			goto fail;
2669 
2670 		nla_nest_end(msg, sub_freq_range);
2671 	}
2672 
2673 	nla_nest_end(msg, specs);
2674 	nla_nest_end(msg, sar_capa);
2675 
2676 	return 0;
2677 fail:
2678 	nla_nest_cancel(msg, sar_capa);
2679 	return -ENOBUFS;
2680 }
2681 
2682 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2683 {
2684 	struct nlattr *config;
2685 
2686 	if (!wiphy->mbssid_max_interfaces)
2687 		return 0;
2688 
2689 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2690 	if (!config)
2691 		return -ENOBUFS;
2692 
2693 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2694 		       wiphy->mbssid_max_interfaces))
2695 		goto fail;
2696 
2697 	if (wiphy->ema_max_profile_periodicity &&
2698 	    nla_put_u8(msg,
2699 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2700 		       wiphy->ema_max_profile_periodicity))
2701 		goto fail;
2702 
2703 	nla_nest_end(msg, config);
2704 	return 0;
2705 
2706 fail:
2707 	nla_nest_cancel(msg, config);
2708 	return -ENOBUFS;
2709 }
2710 
2711 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2712 {
2713 	const struct wiphy_radio *r = &wiphy->radio[idx];
2714 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2715 	struct nlattr *radio, *freq;
2716 	int i;
2717 
2718 	radio = nla_nest_start(msg, idx);
2719 	if (!radio)
2720 		return -ENOBUFS;
2721 
2722 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2723 		goto nla_put_failure;
2724 
2725 	if (rcfg->rts_threshold &&
2726 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2727 			rcfg->rts_threshold))
2728 		goto nla_put_failure;
2729 
2730 	if (r->antenna_mask &&
2731 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2732 			r->antenna_mask))
2733 		goto nla_put_failure;
2734 
2735 	for (i = 0; i < r->n_freq_range; i++) {
2736 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2737 
2738 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2739 		if (!freq)
2740 			goto nla_put_failure;
2741 
2742 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2743 				range->start_freq) ||
2744 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2745 				range->end_freq))
2746 			goto nla_put_failure;
2747 
2748 		nla_nest_end(msg, freq);
2749 	}
2750 
2751 	for (i = 0; i < r->n_iface_combinations; i++)
2752 		if (nl80211_put_ifcomb_data(msg, true,
2753 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2754 					    &r->iface_combinations[i],
2755 					    NLA_F_NESTED))
2756 			goto nla_put_failure;
2757 
2758 	nla_nest_end(msg, radio);
2759 
2760 	return 0;
2761 
2762 nla_put_failure:
2763 	return -ENOBUFS;
2764 }
2765 
2766 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2767 {
2768 	struct nlattr *radios;
2769 	int i;
2770 
2771 	if (!wiphy->n_radio)
2772 		return 0;
2773 
2774 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2775 	if (!radios)
2776 		return -ENOBUFS;
2777 
2778 	for (i = 0; i < wiphy->n_radio; i++)
2779 		if (nl80211_put_radio(wiphy, msg, i))
2780 			goto fail;
2781 
2782 	nla_nest_end(msg, radios);
2783 
2784 	if (nl80211_put_iface_combinations(wiphy, msg,
2785 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2786 					   -1, true, NLA_F_NESTED))
2787 		return -ENOBUFS;
2788 
2789 	return 0;
2790 
2791 fail:
2792 	nla_nest_cancel(msg, radios);
2793 	return -ENOBUFS;
2794 }
2795 
2796 static int nl80211_put_nan_phy_cap(struct wiphy *wiphy, struct sk_buff *msg)
2797 {
2798 	struct nlattr *nl_phy_cap;
2799 	const struct ieee80211_sta_ht_cap *ht_cap;
2800 	const struct ieee80211_sta_vht_cap *vht_cap;
2801 	const struct ieee80211_sta_he_cap *he_cap;
2802 
2803 	if (!cfg80211_iftype_allowed(wiphy, NL80211_IFTYPE_NAN_DATA, false, 0))
2804 		return 0;
2805 
2806 	ht_cap = &wiphy->nan_capa.phy.ht;
2807 	vht_cap = &wiphy->nan_capa.phy.vht;
2808 	he_cap = &wiphy->nan_capa.phy.he;
2809 
2810 	/* HT is mandatory */
2811 	if (WARN_ON(!ht_cap->ht_supported))
2812 		return 0;
2813 
2814 	nl_phy_cap = nla_nest_start_noflag(msg, NL80211_NAN_CAPA_PHY);
2815 	if (!nl_phy_cap)
2816 		return -ENOBUFS;
2817 
2818 	if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HT_MCS_SET,
2819 		    sizeof(ht_cap->mcs), &ht_cap->mcs) ||
2820 	    nla_put_u16(msg, NL80211_NAN_PHY_CAP_ATTR_HT_CAPA, ht_cap->cap) ||
2821 	    nla_put_u8(msg, NL80211_NAN_PHY_CAP_ATTR_HT_AMPDU_FACTOR,
2822 		       ht_cap->ampdu_factor) ||
2823 	    nla_put_u8(msg, NL80211_NAN_PHY_CAP_ATTR_HT_AMPDU_DENSITY,
2824 		       ht_cap->ampdu_density))
2825 		goto fail;
2826 
2827 	if (vht_cap->vht_supported) {
2828 		if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_VHT_MCS_SET,
2829 			    sizeof(vht_cap->vht_mcs), &vht_cap->vht_mcs) ||
2830 		    nla_put_u32(msg, NL80211_NAN_PHY_CAP_ATTR_VHT_CAPA,
2831 				vht_cap->cap))
2832 			goto fail;
2833 	}
2834 
2835 	if (he_cap->has_he) {
2836 		if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_MAC,
2837 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
2838 			    he_cap->he_cap_elem.mac_cap_info) ||
2839 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_PHY,
2840 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
2841 			    he_cap->he_cap_elem.phy_cap_info) ||
2842 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_MCS_SET,
2843 			    sizeof(he_cap->he_mcs_nss_supp),
2844 			    &he_cap->he_mcs_nss_supp) ||
2845 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_PPE,
2846 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
2847 			goto fail;
2848 	}
2849 
2850 	nla_nest_end(msg, nl_phy_cap);
2851 	return 0;
2852 
2853 fail:
2854 	nla_nest_cancel(msg, nl_phy_cap);
2855 	return -ENOBUFS;
2856 }
2857 
2858 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
2859 {
2860 	struct nlattr *nan_caps;
2861 
2862 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
2863 	if (!nan_caps)
2864 		return -ENOBUFS;
2865 
2866 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
2867 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
2868 		goto fail;
2869 
2870 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
2871 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
2872 		goto fail;
2873 
2874 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
2875 		       wiphy->nan_capa.op_mode) ||
2876 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
2877 		       wiphy->nan_capa.n_antennas) ||
2878 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
2879 			wiphy->nan_capa.max_channel_switch_time) ||
2880 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
2881 		       wiphy->nan_capa.dev_capabilities))
2882 		goto fail;
2883 
2884 	if (nl80211_put_nan_phy_cap(wiphy, msg))
2885 		goto fail;
2886 
2887 	nla_nest_end(msg, nan_caps);
2888 
2889 	return 0;
2890 
2891 fail:
2892 	nla_nest_cancel(msg, nan_caps);
2893 	return -ENOBUFS;
2894 }
2895 
2896 struct nl80211_dump_wiphy_state {
2897 	s64 filter_wiphy;
2898 	long start;
2899 	long split_start, band_start, chan_start, capa_start;
2900 	bool split;
2901 };
2902 
2903 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2904 			      enum nl80211_commands cmd,
2905 			      struct sk_buff *msg, u32 portid, u32 seq,
2906 			      int flags, struct nl80211_dump_wiphy_state *state)
2907 {
2908 	void *hdr;
2909 	struct nlattr *nl_bands, *nl_band;
2910 	struct nlattr *nl_freqs, *nl_freq;
2911 	struct nlattr *nl_cmds;
2912 	enum nl80211_band band;
2913 	struct ieee80211_channel *chan;
2914 	int i;
2915 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2916 				rdev->wiphy.mgmt_stypes;
2917 	u32 features;
2918 
2919 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2920 	if (!hdr)
2921 		return -ENOBUFS;
2922 
2923 	if (WARN_ON(!state))
2924 		return -EINVAL;
2925 
2926 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2927 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2928 			   wiphy_name(&rdev->wiphy)) ||
2929 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2930 			cfg80211_rdev_list_generation))
2931 		goto nla_put_failure;
2932 
2933 	if (cmd != NL80211_CMD_NEW_WIPHY)
2934 		goto finish;
2935 
2936 	switch (state->split_start) {
2937 	case 0:
2938 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2939 			       rdev->wiphy.retry_short) ||
2940 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2941 			       rdev->wiphy.retry_long) ||
2942 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2943 				rdev->wiphy.frag_threshold) ||
2944 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2945 				rdev->wiphy.rts_threshold) ||
2946 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2947 			       rdev->wiphy.coverage_class) ||
2948 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2949 			       rdev->wiphy.max_scan_ssids) ||
2950 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2951 			       rdev->wiphy.max_sched_scan_ssids) ||
2952 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2953 				rdev->wiphy.max_scan_ie_len) ||
2954 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2955 				rdev->wiphy.max_sched_scan_ie_len) ||
2956 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2957 			       rdev->wiphy.max_match_sets))
2958 			goto nla_put_failure;
2959 
2960 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2961 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2962 			goto nla_put_failure;
2963 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2964 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2965 			goto nla_put_failure;
2966 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2967 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2968 			goto nla_put_failure;
2969 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2970 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2971 			goto nla_put_failure;
2972 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2973 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2974 			goto nla_put_failure;
2975 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2976 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2977 			goto nla_put_failure;
2978 		state->split_start++;
2979 		if (state->split)
2980 			break;
2981 		fallthrough;
2982 	case 1:
2983 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2984 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2985 			    rdev->wiphy.cipher_suites))
2986 			goto nla_put_failure;
2987 
2988 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2989 			       rdev->wiphy.max_num_pmkids))
2990 			goto nla_put_failure;
2991 
2992 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2993 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2994 			goto nla_put_failure;
2995 
2996 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2997 				rdev->wiphy.available_antennas_tx) ||
2998 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2999 				rdev->wiphy.available_antennas_rx))
3000 			goto nla_put_failure;
3001 
3002 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
3003 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
3004 				rdev->wiphy.probe_resp_offload))
3005 			goto nla_put_failure;
3006 
3007 		if ((rdev->wiphy.available_antennas_tx ||
3008 		     rdev->wiphy.available_antennas_rx) &&
3009 		    rdev->ops->get_antenna) {
3010 			u32 tx_ant = 0, rx_ant = 0;
3011 			int res;
3012 
3013 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
3014 			if (!res) {
3015 				if (nla_put_u32(msg,
3016 						NL80211_ATTR_WIPHY_ANTENNA_TX,
3017 						tx_ant) ||
3018 				    nla_put_u32(msg,
3019 						NL80211_ATTR_WIPHY_ANTENNA_RX,
3020 						rx_ant))
3021 					goto nla_put_failure;
3022 			}
3023 		}
3024 
3025 		state->split_start++;
3026 		if (state->split)
3027 			break;
3028 		fallthrough;
3029 	case 2:
3030 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
3031 					rdev->wiphy.interface_modes))
3032 				goto nla_put_failure;
3033 		state->split_start++;
3034 		if (state->split)
3035 			break;
3036 		fallthrough;
3037 	case 3:
3038 		nl_bands = nla_nest_start_noflag(msg,
3039 						 NL80211_ATTR_WIPHY_BANDS);
3040 		if (!nl_bands)
3041 			goto nla_put_failure;
3042 
3043 		for (band = state->band_start;
3044 		     band < (state->split ?
3045 				NUM_NL80211_BANDS :
3046 				NL80211_BAND_60GHZ + 1);
3047 		     band++) {
3048 			struct ieee80211_supported_band *sband;
3049 
3050 			/* omit higher bands for ancient software */
3051 			if (band > NL80211_BAND_5GHZ && !state->split)
3052 				break;
3053 
3054 			sband = rdev->wiphy.bands[band];
3055 
3056 			if (!sband)
3057 				continue;
3058 
3059 			nl_band = nla_nest_start_noflag(msg, band);
3060 			if (!nl_band)
3061 				goto nla_put_failure;
3062 
3063 			switch (state->chan_start) {
3064 			case 0:
3065 				if (nl80211_send_band_rateinfo(msg, sband,
3066 							       state->split))
3067 					goto nla_put_failure;
3068 				state->chan_start++;
3069 				if (state->split)
3070 					break;
3071 				fallthrough;
3072 			default:
3073 				/* add frequencies */
3074 				nl_freqs = nla_nest_start_noflag(msg,
3075 								 NL80211_BAND_ATTR_FREQS);
3076 				if (!nl_freqs)
3077 					goto nla_put_failure;
3078 
3079 				for (i = state->chan_start - 1;
3080 				     i < sband->n_channels;
3081 				     i++) {
3082 					nl_freq = nla_nest_start_noflag(msg,
3083 									i);
3084 					if (!nl_freq)
3085 						goto nla_put_failure;
3086 
3087 					chan = &sband->channels[i];
3088 
3089 					if (nl80211_msg_put_channel(
3090 							msg, &rdev->wiphy, chan,
3091 							state->split))
3092 						goto nla_put_failure;
3093 
3094 					nla_nest_end(msg, nl_freq);
3095 					if (state->split)
3096 						break;
3097 				}
3098 				if (i < sband->n_channels)
3099 					state->chan_start = i + 2;
3100 				else
3101 					state->chan_start = 0;
3102 				nla_nest_end(msg, nl_freqs);
3103 			}
3104 
3105 			nla_nest_end(msg, nl_band);
3106 
3107 			if (state->split) {
3108 				/* start again here */
3109 				if (state->chan_start)
3110 					band--;
3111 				break;
3112 			}
3113 		}
3114 		nla_nest_end(msg, nl_bands);
3115 
3116 		if (band < NUM_NL80211_BANDS)
3117 			state->band_start = band + 1;
3118 		else
3119 			state->band_start = 0;
3120 
3121 		/* if bands & channels are done, continue outside */
3122 		if (state->band_start == 0 && state->chan_start == 0)
3123 			state->split_start++;
3124 		if (state->split)
3125 			break;
3126 		fallthrough;
3127 	case 4:
3128 		nl_cmds = nla_nest_start_noflag(msg,
3129 						NL80211_ATTR_SUPPORTED_COMMANDS);
3130 		if (!nl_cmds)
3131 			goto nla_put_failure;
3132 
3133 		i = nl80211_add_commands_unsplit(rdev, msg);
3134 		if (i < 0)
3135 			goto nla_put_failure;
3136 		if (state->split) {
3137 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
3138 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
3139 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
3140 				CMD(channel_switch, CHANNEL_SWITCH);
3141 			CMD(set_qos_map, SET_QOS_MAP);
3142 			if (rdev->wiphy.features &
3143 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
3144 				CMD(add_tx_ts, ADD_TX_TS);
3145 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
3146 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
3147 			CMD(update_ft_ies, UPDATE_FT_IES);
3148 			if (rdev->wiphy.sar_capa)
3149 				CMD(set_sar_specs, SET_SAR_SPECS);
3150 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
3151 		}
3152 #undef CMD
3153 
3154 		nla_nest_end(msg, nl_cmds);
3155 		state->split_start++;
3156 		if (state->split)
3157 			break;
3158 		fallthrough;
3159 	case 5:
3160 		if (rdev->ops->remain_on_channel &&
3161 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
3162 		    nla_put_u32(msg,
3163 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
3164 				rdev->wiphy.max_remain_on_channel_duration))
3165 			goto nla_put_failure;
3166 
3167 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
3168 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
3169 			goto nla_put_failure;
3170 
3171 		state->split_start++;
3172 		if (state->split)
3173 			break;
3174 		fallthrough;
3175 	case 6:
3176 #ifdef CONFIG_PM
3177 		if (nl80211_send_wowlan(msg, rdev, state->split))
3178 			goto nla_put_failure;
3179 		state->split_start++;
3180 		if (state->split)
3181 			break;
3182 #else
3183 		state->split_start++;
3184 #endif
3185 		fallthrough;
3186 	case 7:
3187 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
3188 					rdev->wiphy.software_iftypes))
3189 			goto nla_put_failure;
3190 
3191 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
3192 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
3193 						   rdev->wiphy.n_radio ? 0 : -1,
3194 						   state->split, 0))
3195 			goto nla_put_failure;
3196 
3197 		state->split_start++;
3198 		if (state->split)
3199 			break;
3200 		fallthrough;
3201 	case 8:
3202 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
3203 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
3204 				rdev->wiphy.ap_sme_capa))
3205 			goto nla_put_failure;
3206 
3207 		features = rdev->wiphy.features;
3208 		/*
3209 		 * We can only add the per-channel limit information if the
3210 		 * dump is split, otherwise it makes it too big. Therefore
3211 		 * only advertise it in that case.
3212 		 */
3213 		if (state->split)
3214 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
3215 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
3216 			goto nla_put_failure;
3217 
3218 		if (rdev->wiphy.ht_capa_mod_mask &&
3219 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
3220 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
3221 			    rdev->wiphy.ht_capa_mod_mask))
3222 			goto nla_put_failure;
3223 
3224 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
3225 		    rdev->wiphy.max_acl_mac_addrs &&
3226 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
3227 				rdev->wiphy.max_acl_mac_addrs))
3228 			goto nla_put_failure;
3229 
3230 		/*
3231 		 * Any information below this point is only available to
3232 		 * applications that can deal with it being split. This
3233 		 * helps ensure that newly added capabilities don't break
3234 		 * older tools by overrunning their buffers.
3235 		 *
3236 		 * We still increment split_start so that in the split
3237 		 * case we'll continue with more data in the next round,
3238 		 * but break unconditionally so unsplit data stops here.
3239 		 */
3240 		if (state->split)
3241 			state->split_start++;
3242 		else
3243 			state->split_start = 0;
3244 		break;
3245 	case 9:
3246 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
3247 			goto nla_put_failure;
3248 
3249 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
3250 				rdev->wiphy.max_sched_scan_plans) ||
3251 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
3252 				rdev->wiphy.max_sched_scan_plan_interval) ||
3253 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
3254 				rdev->wiphy.max_sched_scan_plan_iterations))
3255 			goto nla_put_failure;
3256 
3257 		if (rdev->wiphy.extended_capabilities &&
3258 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3259 			     rdev->wiphy.extended_capabilities_len,
3260 			     rdev->wiphy.extended_capabilities) ||
3261 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3262 			     rdev->wiphy.extended_capabilities_len,
3263 			     rdev->wiphy.extended_capabilities_mask)))
3264 			goto nla_put_failure;
3265 
3266 		if (rdev->wiphy.vht_capa_mod_mask &&
3267 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3268 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3269 			    rdev->wiphy.vht_capa_mod_mask))
3270 			goto nla_put_failure;
3271 
3272 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3273 			    rdev->wiphy.perm_addr))
3274 			goto nla_put_failure;
3275 
3276 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3277 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3278 			    rdev->wiphy.addr_mask))
3279 			goto nla_put_failure;
3280 
3281 		if (rdev->wiphy.n_addresses > 1) {
3282 			void *attr;
3283 
3284 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3285 			if (!attr)
3286 				goto nla_put_failure;
3287 
3288 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3289 				if (nla_put(msg, i + 1, ETH_ALEN,
3290 					    rdev->wiphy.addresses[i].addr))
3291 					goto nla_put_failure;
3292 
3293 			nla_nest_end(msg, attr);
3294 		}
3295 
3296 		state->split_start++;
3297 		break;
3298 	case 10:
3299 		if (nl80211_send_coalesce(msg, rdev))
3300 			goto nla_put_failure;
3301 
3302 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3303 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3304 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3305 			goto nla_put_failure;
3306 
3307 		if (rdev->wiphy.max_ap_assoc_sta &&
3308 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3309 				rdev->wiphy.max_ap_assoc_sta))
3310 			goto nla_put_failure;
3311 
3312 		state->split_start++;
3313 		break;
3314 	case 11:
3315 		if (rdev->wiphy.n_vendor_commands) {
3316 			const struct nl80211_vendor_cmd_info *info;
3317 			struct nlattr *nested;
3318 
3319 			nested = nla_nest_start_noflag(msg,
3320 						       NL80211_ATTR_VENDOR_DATA);
3321 			if (!nested)
3322 				goto nla_put_failure;
3323 
3324 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3325 				info = &rdev->wiphy.vendor_commands[i].info;
3326 				if (nla_put(msg, i + 1, sizeof(*info), info))
3327 					goto nla_put_failure;
3328 			}
3329 			nla_nest_end(msg, nested);
3330 		}
3331 
3332 		if (rdev->wiphy.n_vendor_events) {
3333 			const struct nl80211_vendor_cmd_info *info;
3334 			struct nlattr *nested;
3335 
3336 			nested = nla_nest_start_noflag(msg,
3337 						       NL80211_ATTR_VENDOR_EVENTS);
3338 			if (!nested)
3339 				goto nla_put_failure;
3340 
3341 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3342 				info = &rdev->wiphy.vendor_events[i];
3343 				if (nla_put(msg, i + 1, sizeof(*info), info))
3344 					goto nla_put_failure;
3345 			}
3346 			nla_nest_end(msg, nested);
3347 		}
3348 		state->split_start++;
3349 		break;
3350 	case 12:
3351 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3352 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3353 			       rdev->wiphy.max_num_csa_counters))
3354 			goto nla_put_failure;
3355 
3356 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3357 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3358 			goto nla_put_failure;
3359 
3360 		if (rdev->wiphy.max_sched_scan_reqs &&
3361 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3362 				rdev->wiphy.max_sched_scan_reqs))
3363 			goto nla_put_failure;
3364 
3365 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3366 			    sizeof(rdev->wiphy.ext_features),
3367 			    rdev->wiphy.ext_features))
3368 			goto nla_put_failure;
3369 
3370 		if (rdev->wiphy.bss_param_support) {
3371 			struct nlattr *nested;
3372 			u32 parsup = rdev->wiphy.bss_param_support;
3373 
3374 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3375 			if (!nested)
3376 				goto nla_put_failure;
3377 
3378 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3379 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3380 				goto nla_put_failure;
3381 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3382 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3383 				goto nla_put_failure;
3384 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3385 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3386 				goto nla_put_failure;
3387 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3388 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3389 				goto nla_put_failure;
3390 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3391 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3392 				goto nla_put_failure;
3393 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3394 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3395 				goto nla_put_failure;
3396 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3397 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3398 				goto nla_put_failure;
3399 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3400 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3401 				goto nla_put_failure;
3402 			nla_nest_end(msg, nested);
3403 		}
3404 		if (rdev->wiphy.bss_select_support) {
3405 			struct nlattr *nested;
3406 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3407 
3408 			nested = nla_nest_start_noflag(msg,
3409 						       NL80211_ATTR_BSS_SELECT);
3410 			if (!nested)
3411 				goto nla_put_failure;
3412 
3413 			i = 0;
3414 			while (bss_select_support) {
3415 				if ((bss_select_support & 1) &&
3416 				    nla_put_flag(msg, i))
3417 					goto nla_put_failure;
3418 				i++;
3419 				bss_select_support >>= 1;
3420 			}
3421 			nla_nest_end(msg, nested);
3422 		}
3423 
3424 		state->split_start++;
3425 		break;
3426 	case 13:
3427 		if (rdev->wiphy.num_iftype_ext_capab &&
3428 		    rdev->wiphy.iftype_ext_capab) {
3429 			struct nlattr *nested_ext_capab, *nested;
3430 
3431 			nested = nla_nest_start_noflag(msg,
3432 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3433 			if (!nested)
3434 				goto nla_put_failure;
3435 
3436 			for (i = state->capa_start;
3437 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3438 				const struct wiphy_iftype_ext_capab *capab;
3439 
3440 				capab = &rdev->wiphy.iftype_ext_capab[i];
3441 
3442 				nested_ext_capab = nla_nest_start_noflag(msg,
3443 									 i);
3444 				if (!nested_ext_capab ||
3445 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3446 						capab->iftype) ||
3447 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3448 					    capab->extended_capabilities_len,
3449 					    capab->extended_capabilities) ||
3450 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3451 					    capab->extended_capabilities_len,
3452 					    capab->extended_capabilities_mask))
3453 					goto nla_put_failure;
3454 
3455 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3456 				    (nla_put_u16(msg,
3457 						 NL80211_ATTR_EML_CAPABILITY,
3458 						 capab->eml_capabilities) ||
3459 				     nla_put_u16(msg,
3460 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3461 						 capab->mld_capa_and_ops)))
3462 					goto nla_put_failure;
3463 
3464 				nla_nest_end(msg, nested_ext_capab);
3465 				if (state->split)
3466 					break;
3467 			}
3468 			nla_nest_end(msg, nested);
3469 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3470 				state->capa_start = i + 1;
3471 				break;
3472 			}
3473 		}
3474 
3475 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3476 				rdev->wiphy.nan_supported_bands))
3477 			goto nla_put_failure;
3478 
3479 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3480 					    NL80211_EXT_FEATURE_TXQS)) {
3481 			struct cfg80211_txq_stats txqstats = {};
3482 			int res;
3483 
3484 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3485 			if (!res &&
3486 			    !nl80211_put_txq_stats(msg, &txqstats,
3487 						   NL80211_ATTR_TXQ_STATS))
3488 				goto nla_put_failure;
3489 
3490 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3491 					rdev->wiphy.txq_limit))
3492 				goto nla_put_failure;
3493 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3494 					rdev->wiphy.txq_memory_limit))
3495 				goto nla_put_failure;
3496 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3497 					rdev->wiphy.txq_quantum))
3498 				goto nla_put_failure;
3499 		}
3500 
3501 		state->split_start++;
3502 		break;
3503 	case 14:
3504 		if (nl80211_send_pmsr_capa(rdev, msg))
3505 			goto nla_put_failure;
3506 
3507 		state->split_start++;
3508 		break;
3509 	case 15:
3510 		if (rdev->wiphy.akm_suites &&
3511 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3512 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3513 			    rdev->wiphy.akm_suites))
3514 			goto nla_put_failure;
3515 
3516 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3517 			goto nla_put_failure;
3518 
3519 		if (nl80211_put_tid_config_support(rdev, msg))
3520 			goto nla_put_failure;
3521 		state->split_start++;
3522 		break;
3523 	case 16:
3524 		if (nl80211_put_sar_specs(rdev, msg))
3525 			goto nla_put_failure;
3526 
3527 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3528 			goto nla_put_failure;
3529 
3530 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3531 				rdev->wiphy.max_num_akm_suites))
3532 			goto nla_put_failure;
3533 
3534 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3535 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3536 
3537 		if (rdev->wiphy.hw_timestamp_max_peers &&
3538 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3539 				rdev->wiphy.hw_timestamp_max_peers))
3540 			goto nla_put_failure;
3541 
3542 		state->split_start++;
3543 		break;
3544 	case 17:
3545 		if (nl80211_put_radios(&rdev->wiphy, msg))
3546 			goto nla_put_failure;
3547 
3548 		state->split_start++;
3549 		break;
3550 	case 18:
3551 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3552 			goto nla_put_failure;
3553 
3554 		/* done */
3555 		state->split_start = 0;
3556 		break;
3557 	}
3558  finish:
3559 	genlmsg_end(msg, hdr);
3560 	return 0;
3561 
3562  nla_put_failure:
3563 	genlmsg_cancel(msg, hdr);
3564 	return -EMSGSIZE;
3565 }
3566 
3567 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3568 				    struct netlink_callback *cb,
3569 				    struct nl80211_dump_wiphy_state *state)
3570 {
3571 	struct nlattr **tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
3572 	int ret;
3573 
3574 	if (!tb)
3575 		return -ENOMEM;
3576 
3577 	ret = nlmsg_parse_deprecated(cb->nlh,
3578 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3579 				     tb, nl80211_fam.maxattr,
3580 				     nl80211_policy, NULL);
3581 	/* ignore parse errors for backward compatibility */
3582 	if (ret) {
3583 		ret = 0;
3584 		goto out;
3585 	}
3586 
3587 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3588 	if (tb[NL80211_ATTR_WIPHY])
3589 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3590 	if (tb[NL80211_ATTR_WDEV])
3591 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3592 	if (tb[NL80211_ATTR_IFINDEX]) {
3593 		struct net_device *netdev;
3594 		struct cfg80211_registered_device *rdev;
3595 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3596 
3597 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3598 		if (!netdev) {
3599 			ret = -ENODEV;
3600 			goto out;
3601 		}
3602 		if (netdev->ieee80211_ptr) {
3603 			rdev = wiphy_to_rdev(
3604 				netdev->ieee80211_ptr->wiphy);
3605 			state->filter_wiphy = rdev->wiphy_idx;
3606 		}
3607 	}
3608 
3609 	ret = 0;
3610 out:
3611 	kfree(tb);
3612 	return ret;
3613 }
3614 
3615 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3616 {
3617 	int idx = 0, ret;
3618 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3619 	struct cfg80211_registered_device *rdev;
3620 
3621 	rtnl_lock();
3622 	if (!state) {
3623 		state = kzalloc_obj(*state);
3624 		if (!state) {
3625 			rtnl_unlock();
3626 			return -ENOMEM;
3627 		}
3628 		state->filter_wiphy = -1;
3629 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3630 		if (ret) {
3631 			kfree(state);
3632 			rtnl_unlock();
3633 			return ret;
3634 		}
3635 		cb->args[0] = (long)state;
3636 	}
3637 
3638 	for_each_rdev(rdev) {
3639 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3640 			continue;
3641 		if (++idx <= state->start)
3642 			continue;
3643 		if (state->filter_wiphy != -1 &&
3644 		    state->filter_wiphy != rdev->wiphy_idx)
3645 			continue;
3646 		wiphy_lock(&rdev->wiphy);
3647 		/* attempt to fit multiple wiphy data chunks into the skb */
3648 		do {
3649 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3650 						 skb,
3651 						 NETLINK_CB(cb->skb).portid,
3652 						 cb->nlh->nlmsg_seq,
3653 						 NLM_F_MULTI, state);
3654 			if (ret < 0) {
3655 				/*
3656 				 * If sending the wiphy data didn't fit (ENOBUFS
3657 				 * or EMSGSIZE returned), this SKB is still
3658 				 * empty (so it's not too big because another
3659 				 * wiphy dataset is already in the skb) and
3660 				 * we've not tried to adjust the dump allocation
3661 				 * yet ... then adjust the alloc size to be
3662 				 * bigger, and return 1 but with the empty skb.
3663 				 * This results in an empty message being RX'ed
3664 				 * in userspace, but that is ignored.
3665 				 *
3666 				 * We can then retry with the larger buffer.
3667 				 */
3668 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3669 				    !skb->len && !state->split &&
3670 				    cb->min_dump_alloc < 4096) {
3671 					cb->min_dump_alloc = 4096;
3672 					state->split_start = 0;
3673 					wiphy_unlock(&rdev->wiphy);
3674 					rtnl_unlock();
3675 					return 1;
3676 				}
3677 				idx--;
3678 				break;
3679 			}
3680 		} while (state->split_start > 0);
3681 		wiphy_unlock(&rdev->wiphy);
3682 		break;
3683 	}
3684 	rtnl_unlock();
3685 
3686 	state->start = idx;
3687 
3688 	return skb->len;
3689 }
3690 
3691 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3692 {
3693 	kfree((void *)cb->args[0]);
3694 	return 0;
3695 }
3696 
3697 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3698 {
3699 	struct sk_buff *msg;
3700 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3701 	struct nl80211_dump_wiphy_state state = {};
3702 
3703 	msg = nlmsg_new(4096, GFP_KERNEL);
3704 	if (!msg)
3705 		return -ENOMEM;
3706 
3707 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3708 			       info->snd_portid, info->snd_seq, 0,
3709 			       &state) < 0) {
3710 		nlmsg_free(msg);
3711 		return -ENOBUFS;
3712 	}
3713 
3714 	return genlmsg_reply(msg, info);
3715 }
3716 
3717 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3718 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3719 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3720 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3721 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3722 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3723 };
3724 
3725 static int parse_txq_params(struct nlattr *tb[],
3726 			    struct ieee80211_txq_params *txq_params)
3727 {
3728 	u8 ac;
3729 
3730 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3731 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3732 	    !tb[NL80211_TXQ_ATTR_AIFS])
3733 		return -EINVAL;
3734 
3735 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3736 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3737 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3738 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3739 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3740 
3741 	if (ac >= NL80211_NUM_ACS)
3742 		return -EINVAL;
3743 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3744 	return 0;
3745 }
3746 
3747 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3748 {
3749 	/*
3750 	 * You can only set the channel explicitly for some interfaces,
3751 	 * most have their channel managed via their respective
3752 	 * "establish a connection" command (connect, join, ...)
3753 	 *
3754 	 * For AP/GO and mesh mode, the channel can be set with the
3755 	 * channel userspace API, but is only stored and passed to the
3756 	 * low-level driver when the AP starts or the mesh is joined.
3757 	 * This is for backward compatibility, userspace can also give
3758 	 * the channel in the start-ap or join-mesh commands instead.
3759 	 *
3760 	 * Monitors are special as they are normally slaved to
3761 	 * whatever else is going on, so they have their own special
3762 	 * operation to set the monitor channel if possible.
3763 	 */
3764 	return !wdev ||
3765 		wdev->iftype == NL80211_IFTYPE_AP ||
3766 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3767 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3768 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3769 }
3770 
3771 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3772 				  struct netlink_ext_ack *extack,
3773 				  struct nlattr **attrs, bool monitor,
3774 				  struct cfg80211_chan_def *chandef)
3775 {
3776 	u32 control_freq;
3777 
3778 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3779 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3780 				    "Frequency is missing");
3781 		return -EINVAL;
3782 	}
3783 
3784 	control_freq = MHZ_TO_KHZ(
3785 			nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
3786 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3787 		control_freq +=
3788 		    nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3789 
3790 	memset(chandef, 0, sizeof(*chandef));
3791 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3792 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3793 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3794 	chandef->freq1_offset = control_freq % 1000;
3795 	chandef->center_freq2 = 0;
3796 	chandef->s1g_primary_2mhz = false;
3797 
3798 	if (!chandef->chan) {
3799 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3800 				    "Unknown channel");
3801 		return -EINVAL;
3802 	}
3803 
3804 	if (cfg80211_chandef_is_s1g(chandef))
3805 		chandef->width = NL80211_CHAN_WIDTH_1;
3806 
3807 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3808 		enum nl80211_channel_type chantype;
3809 
3810 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3811 
3812 		switch (chantype) {
3813 		case NL80211_CHAN_NO_HT:
3814 		case NL80211_CHAN_HT20:
3815 		case NL80211_CHAN_HT40PLUS:
3816 		case NL80211_CHAN_HT40MINUS:
3817 			if (chandef->chan->band == NL80211_BAND_60GHZ ||
3818 			    chandef->chan->band == NL80211_BAND_S1GHZ)
3819 				return -EINVAL;
3820 			cfg80211_chandef_create(chandef, chandef->chan,
3821 						chantype);
3822 			/* user input for center_freq is incorrect */
3823 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3824 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3825 				NL_SET_ERR_MSG_ATTR(extack,
3826 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3827 						    "bad center frequency 1");
3828 				return -EINVAL;
3829 			}
3830 			/* center_freq2 must be zero */
3831 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3832 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3833 				NL_SET_ERR_MSG_ATTR(extack,
3834 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3835 						    "center frequency 2 can't be used");
3836 				return -EINVAL;
3837 			}
3838 			break;
3839 		default:
3840 			NL_SET_ERR_MSG_ATTR(extack,
3841 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3842 					    "invalid channel type");
3843 			return -EINVAL;
3844 		}
3845 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3846 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3847 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3848 			chandef->center_freq1 =
3849 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3850 			chandef->freq1_offset = nla_get_u32_default(
3851 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
3852 		}
3853 
3854 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3855 			chandef->center_freq2 =
3856 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3857 
3858 		chandef->s1g_primary_2mhz = nla_get_flag(
3859 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
3860 	}
3861 
3862 	if (attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3863 		chandef->edmg.channels =
3864 		      nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3865 
3866 		if (attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3867 			chandef->edmg.bw_config =
3868 		     nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3869 	} else {
3870 		chandef->edmg.bw_config = 0;
3871 		chandef->edmg.channels = 0;
3872 	}
3873 
3874 	if (attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3875 		chandef->punctured =
3876 			nla_get_u32(attrs[NL80211_ATTR_PUNCT_BITMAP]);
3877 
3878 		if (chandef->punctured &&
3879 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3880 					     NL80211_EXT_FEATURE_PUNCT)) {
3881 			NL_SET_ERR_MSG_ATTR(extack,
3882 					    attrs[NL80211_ATTR_WIPHY_FREQ],
3883 					    "driver doesn't support puncturing");
3884 			return -EINVAL;
3885 		}
3886 	}
3887 
3888 	if (!cfg80211_chandef_valid(chandef)) {
3889 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3890 				    "invalid channel definition");
3891 		return -EINVAL;
3892 	}
3893 
3894 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3895 				      IEEE80211_CHAN_DISABLED,
3896 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3897 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3898 				    "(extension) channel is disabled");
3899 		return -EINVAL;
3900 	}
3901 
3902 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3903 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3904 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3905 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3906 		return -EINVAL;
3907 	}
3908 
3909 	return 0;
3910 }
3911 
3912 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3913 			  struct netlink_ext_ack *extack,
3914 			  struct nlattr **attrs,
3915 			  struct cfg80211_chan_def *chandef)
3916 {
3917 	return _nl80211_parse_chandef(rdev, extack, attrs, false, chandef);
3918 }
3919 
3920 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3921 				 struct net_device *dev,
3922 				 struct genl_info *info,
3923 				 int _link_id)
3924 {
3925 	struct cfg80211_chan_def chandef;
3926 	int result;
3927 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3928 	struct wireless_dev *wdev = NULL;
3929 	int link_id = _link_id;
3930 
3931 	if (dev)
3932 		wdev = dev->ieee80211_ptr;
3933 	if (!nl80211_can_set_dev_channel(wdev))
3934 		return -EOPNOTSUPP;
3935 	if (wdev)
3936 		iftype = wdev->iftype;
3937 
3938 	if (link_id < 0) {
3939 		if (wdev && wdev->valid_links)
3940 			return -EINVAL;
3941 		link_id = 0;
3942 	}
3943 
3944 	result = _nl80211_parse_chandef(rdev, info->extack, info->attrs,
3945 					iftype == NL80211_IFTYPE_MONITOR,
3946 					&chandef);
3947 	if (result)
3948 		return result;
3949 
3950 	switch (iftype) {
3951 	case NL80211_IFTYPE_AP:
3952 	case NL80211_IFTYPE_P2P_GO:
3953 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3954 						   iftype))
3955 			return -EINVAL;
3956 		if (wdev->links[link_id].ap.beacon_interval) {
3957 			struct ieee80211_channel *cur_chan;
3958 
3959 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3960 			    !(rdev->wiphy.features &
3961 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3962 				return -EBUSY;
3963 
3964 			/* Only allow dynamic channel width changes */
3965 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3966 			if (chandef.chan != cur_chan)
3967 				return -EBUSY;
3968 
3969 			/* only allow this for regular channel widths */
3970 			switch (wdev->links[link_id].ap.chandef.width) {
3971 			case NL80211_CHAN_WIDTH_20_NOHT:
3972 			case NL80211_CHAN_WIDTH_20:
3973 			case NL80211_CHAN_WIDTH_40:
3974 			case NL80211_CHAN_WIDTH_80:
3975 			case NL80211_CHAN_WIDTH_80P80:
3976 			case NL80211_CHAN_WIDTH_160:
3977 			case NL80211_CHAN_WIDTH_320:
3978 				break;
3979 			default:
3980 				return -EINVAL;
3981 			}
3982 
3983 			switch (chandef.width) {
3984 			case NL80211_CHAN_WIDTH_20_NOHT:
3985 			case NL80211_CHAN_WIDTH_20:
3986 			case NL80211_CHAN_WIDTH_40:
3987 			case NL80211_CHAN_WIDTH_80:
3988 			case NL80211_CHAN_WIDTH_80P80:
3989 			case NL80211_CHAN_WIDTH_160:
3990 			case NL80211_CHAN_WIDTH_320:
3991 				break;
3992 			default:
3993 				return -EINVAL;
3994 			}
3995 
3996 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3997 						       &chandef);
3998 			if (result)
3999 				return result;
4000 			wdev->links[link_id].ap.chandef = chandef;
4001 		} else {
4002 			wdev->u.ap.preset_chandef = chandef;
4003 		}
4004 		return 0;
4005 	case NL80211_IFTYPE_MESH_POINT:
4006 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
4007 	case NL80211_IFTYPE_MONITOR:
4008 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
4009 	default:
4010 		break;
4011 	}
4012 
4013 	return -EINVAL;
4014 }
4015 
4016 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
4017 {
4018 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4019 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4020 	struct net_device *netdev = info->user_ptr[1];
4021 
4022 	return __nl80211_set_channel(rdev, netdev, info, link_id);
4023 }
4024 
4025 static int nl80211_set_wiphy_radio(struct genl_info *info,
4026 				   struct cfg80211_registered_device *rdev,
4027 				   int radio_idx)
4028 {
4029 	u32 rts_threshold = 0, old_rts, changed = 0;
4030 	int result;
4031 
4032 	if (!rdev->ops->set_wiphy_params)
4033 		return -EOPNOTSUPP;
4034 
4035 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4036 		rts_threshold = nla_get_u32(
4037 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4038 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4039 	}
4040 
4041 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
4042 
4043 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
4044 
4045 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4046 	if (result)
4047 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
4048 
4049 	return 0;
4050 }
4051 
4052 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
4053 {
4054 	struct cfg80211_registered_device *rdev = NULL;
4055 	struct net_device *netdev = NULL;
4056 	struct wireless_dev *wdev;
4057 	int result = 0, rem_txq_params = 0;
4058 	struct nlattr *nl_txq_params;
4059 	u32 changed;
4060 	u8 retry_short = 0, retry_long = 0;
4061 	u32 frag_threshold = 0, rts_threshold = 0;
4062 	u8 coverage_class = 0;
4063 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
4064 	int radio_idx = -1;
4065 
4066 	rtnl_lock();
4067 	/*
4068 	 * Try to find the wiphy and netdev. Normally this
4069 	 * function shouldn't need the netdev, but this is
4070 	 * done for backward compatibility -- previously
4071 	 * setting the channel was done per wiphy, but now
4072 	 * it is per netdev. Previous userland like hostapd
4073 	 * also passed a netdev to set_wiphy, so that it is
4074 	 * possible to let that go to the right netdev!
4075 	 */
4076 
4077 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
4078 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
4079 
4080 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
4081 		if (netdev && netdev->ieee80211_ptr)
4082 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
4083 		else
4084 			netdev = NULL;
4085 	}
4086 
4087 	if (!netdev) {
4088 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
4089 						  info->attrs);
4090 		if (IS_ERR(rdev)) {
4091 			rtnl_unlock();
4092 			return PTR_ERR(rdev);
4093 		}
4094 		wdev = NULL;
4095 		netdev = NULL;
4096 		result = 0;
4097 	} else
4098 		wdev = netdev->ieee80211_ptr;
4099 
4100 	guard(wiphy)(&rdev->wiphy);
4101 
4102 	/*
4103 	 * end workaround code, by now the rdev is available
4104 	 * and locked, and wdev may or may not be NULL.
4105 	 */
4106 
4107 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
4108 		result = cfg80211_dev_rename(
4109 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
4110 	rtnl_unlock();
4111 
4112 	if (result)
4113 		return result;
4114 
4115 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
4116 		/* Radio idx is not expected for non-multi radio wiphy */
4117 		if (rdev->wiphy.n_radio <= 0)
4118 			return -EINVAL;
4119 
4120 		radio_idx = nla_get_u8(
4121 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
4122 		if (radio_idx >= rdev->wiphy.n_radio)
4123 			return -EINVAL;
4124 
4125 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
4126 	}
4127 
4128 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
4129 		struct ieee80211_txq_params txq_params;
4130 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
4131 
4132 		if (!rdev->ops->set_txq_params)
4133 			return -EOPNOTSUPP;
4134 
4135 		if (!netdev)
4136 			return -EINVAL;
4137 
4138 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4139 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4140 			return -EINVAL;
4141 
4142 		if (!netif_running(netdev))
4143 			return -ENETDOWN;
4144 
4145 		nla_for_each_nested(nl_txq_params,
4146 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
4147 				    rem_txq_params) {
4148 			result = nla_parse_nested_deprecated(tb,
4149 							     NL80211_TXQ_ATTR_MAX,
4150 							     nl_txq_params,
4151 							     txq_params_policy,
4152 							     info->extack);
4153 			if (result)
4154 				return result;
4155 
4156 			result = parse_txq_params(tb, &txq_params);
4157 			if (result)
4158 				return result;
4159 
4160 			txq_params.link_id =
4161 				nl80211_link_id_or_invalid(info->attrs);
4162 
4163 			if (txq_params.link_id >= 0 &&
4164 			    !(netdev->ieee80211_ptr->valid_links &
4165 			      BIT(txq_params.link_id)))
4166 				result = -ENOLINK;
4167 			else if (txq_params.link_id >= 0 &&
4168 				 !netdev->ieee80211_ptr->valid_links)
4169 				result = -EINVAL;
4170 			else
4171 				result = rdev_set_txq_params(rdev, netdev,
4172 							     &txq_params);
4173 			if (result)
4174 				return result;
4175 		}
4176 	}
4177 
4178 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4179 		int link_id = nl80211_link_id_or_invalid(info->attrs);
4180 
4181 		if (wdev) {
4182 			result = __nl80211_set_channel(
4183 				rdev,
4184 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
4185 				info, link_id);
4186 		} else {
4187 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
4188 		}
4189 
4190 		if (result)
4191 			return result;
4192 	}
4193 
4194 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
4195 		struct wireless_dev *txp_wdev = wdev;
4196 		enum nl80211_tx_power_setting type;
4197 		int idx, mbm = 0;
4198 
4199 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
4200 			txp_wdev = NULL;
4201 
4202 		if (!rdev->ops->set_tx_power)
4203 			return -EOPNOTSUPP;
4204 
4205 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
4206 		type = nla_get_u32(info->attrs[idx]);
4207 
4208 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
4209 		    (type != NL80211_TX_POWER_AUTOMATIC))
4210 			return -EINVAL;
4211 
4212 		if (type != NL80211_TX_POWER_AUTOMATIC) {
4213 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
4214 			mbm = nla_get_u32(info->attrs[idx]);
4215 		}
4216 
4217 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
4218 					   mbm);
4219 		if (result)
4220 			return result;
4221 	}
4222 
4223 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
4224 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
4225 		u32 tx_ant, rx_ant;
4226 
4227 		if ((!rdev->wiphy.available_antennas_tx &&
4228 		     !rdev->wiphy.available_antennas_rx) ||
4229 		    !rdev->ops->set_antenna)
4230 			return -EOPNOTSUPP;
4231 
4232 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
4233 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
4234 
4235 		/* reject antenna configurations which don't match the
4236 		 * available antenna masks, except for the "all" mask */
4237 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
4238 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
4239 			return -EINVAL;
4240 
4241 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
4242 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
4243 
4244 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
4245 		if (result)
4246 			return result;
4247 	}
4248 
4249 	changed = 0;
4250 
4251 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
4252 		retry_short = nla_get_u8(
4253 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
4254 
4255 		changed |= WIPHY_PARAM_RETRY_SHORT;
4256 	}
4257 
4258 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
4259 		retry_long = nla_get_u8(
4260 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
4261 
4262 		changed |= WIPHY_PARAM_RETRY_LONG;
4263 	}
4264 
4265 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4266 		frag_threshold = nla_get_u32(
4267 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4268 		if (frag_threshold < 256)
4269 			return -EINVAL;
4270 
4271 		if (frag_threshold != (u32) -1) {
4272 			/*
4273 			 * Fragments (apart from the last one) are required to
4274 			 * have even length. Make the fragmentation code
4275 			 * simpler by stripping LSB should someone try to use
4276 			 * odd threshold value.
4277 			 */
4278 			frag_threshold &= ~0x1;
4279 		}
4280 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4281 	}
4282 
4283 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4284 		rts_threshold = nla_get_u32(
4285 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4286 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4287 	}
4288 
4289 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4290 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4291 			return -EINVAL;
4292 
4293 		coverage_class = nla_get_u8(
4294 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4295 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4296 	}
4297 
4298 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4299 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4300 			return -EOPNOTSUPP;
4301 
4302 		changed |= WIPHY_PARAM_DYN_ACK;
4303 	}
4304 
4305 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4306 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4307 					     NL80211_EXT_FEATURE_TXQS))
4308 			return -EOPNOTSUPP;
4309 
4310 		txq_limit = nla_get_u32(
4311 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4312 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4313 	}
4314 
4315 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4316 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4317 					     NL80211_EXT_FEATURE_TXQS))
4318 			return -EOPNOTSUPP;
4319 
4320 		txq_memory_limit = nla_get_u32(
4321 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4322 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4323 	}
4324 
4325 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4326 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4327 					     NL80211_EXT_FEATURE_TXQS))
4328 			return -EOPNOTSUPP;
4329 
4330 		txq_quantum = nla_get_u32(
4331 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4332 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4333 	}
4334 
4335 	if (changed) {
4336 		u8 old_retry_short, old_retry_long;
4337 		u32 old_frag_threshold, old_rts_threshold;
4338 		u8 old_coverage_class, i;
4339 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4340 		u32 *old_radio_rts_threshold = NULL;
4341 
4342 		if (!rdev->ops->set_wiphy_params)
4343 			return -EOPNOTSUPP;
4344 
4345 		if (rdev->wiphy.n_radio) {
4346 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4347 							  sizeof(u32),
4348 							  GFP_KERNEL);
4349 			if (!old_radio_rts_threshold)
4350 				return -ENOMEM;
4351 		}
4352 
4353 		old_retry_short = rdev->wiphy.retry_short;
4354 		old_retry_long = rdev->wiphy.retry_long;
4355 		old_frag_threshold = rdev->wiphy.frag_threshold;
4356 		old_rts_threshold = rdev->wiphy.rts_threshold;
4357 		if (old_radio_rts_threshold) {
4358 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4359 				old_radio_rts_threshold[i] =
4360 					rdev->wiphy.radio_cfg[i].rts_threshold;
4361 		}
4362 		old_coverage_class = rdev->wiphy.coverage_class;
4363 		old_txq_limit = rdev->wiphy.txq_limit;
4364 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4365 		old_txq_quantum = rdev->wiphy.txq_quantum;
4366 
4367 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4368 			rdev->wiphy.retry_short = retry_short;
4369 		if (changed & WIPHY_PARAM_RETRY_LONG)
4370 			rdev->wiphy.retry_long = retry_long;
4371 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4372 			rdev->wiphy.frag_threshold = frag_threshold;
4373 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4374 		    old_radio_rts_threshold) {
4375 			rdev->wiphy.rts_threshold = rts_threshold;
4376 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4377 				rdev->wiphy.radio_cfg[i].rts_threshold =
4378 					rdev->wiphy.rts_threshold;
4379 		}
4380 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4381 			rdev->wiphy.coverage_class = coverage_class;
4382 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4383 			rdev->wiphy.txq_limit = txq_limit;
4384 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4385 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4386 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4387 			rdev->wiphy.txq_quantum = txq_quantum;
4388 
4389 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4390 		if (result) {
4391 			rdev->wiphy.retry_short = old_retry_short;
4392 			rdev->wiphy.retry_long = old_retry_long;
4393 			rdev->wiphy.frag_threshold = old_frag_threshold;
4394 			rdev->wiphy.rts_threshold = old_rts_threshold;
4395 			if (old_radio_rts_threshold) {
4396 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4397 					rdev->wiphy.radio_cfg[i].rts_threshold =
4398 						old_radio_rts_threshold[i];
4399 			}
4400 			rdev->wiphy.coverage_class = old_coverage_class;
4401 			rdev->wiphy.txq_limit = old_txq_limit;
4402 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4403 			rdev->wiphy.txq_quantum = old_txq_quantum;
4404 		}
4405 
4406 		kfree(old_radio_rts_threshold);
4407 		return result;
4408 	}
4409 
4410 	return 0;
4411 }
4412 
4413 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4414 {
4415 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4416 		return -EINVAL;
4417 
4418 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4419 			chandef->chan->center_freq))
4420 		return -ENOBUFS;
4421 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4422 			chandef->chan->freq_offset))
4423 		return -ENOBUFS;
4424 	switch (chandef->width) {
4425 	case NL80211_CHAN_WIDTH_20_NOHT:
4426 	case NL80211_CHAN_WIDTH_20:
4427 	case NL80211_CHAN_WIDTH_40:
4428 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4429 				cfg80211_get_chandef_type(chandef)))
4430 			return -ENOBUFS;
4431 		break;
4432 	default:
4433 		break;
4434 	}
4435 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4436 		return -ENOBUFS;
4437 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4438 		return -ENOBUFS;
4439 	if (chandef->center_freq2 &&
4440 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4441 		return -ENOBUFS;
4442 	if (chandef->punctured &&
4443 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4444 		return -ENOBUFS;
4445 	if (chandef->s1g_primary_2mhz &&
4446 	    nla_put_flag(msg, NL80211_ATTR_S1G_PRIMARY_2MHZ))
4447 		return -ENOBUFS;
4448 
4449 	return 0;
4450 }
4451 EXPORT_SYMBOL(nl80211_send_chandef);
4452 
4453 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4454 			      struct cfg80211_registered_device *rdev,
4455 			      struct wireless_dev *wdev,
4456 			      enum nl80211_commands cmd)
4457 {
4458 	struct net_device *dev = wdev->netdev;
4459 	void *hdr;
4460 
4461 	lockdep_assert_wiphy(&rdev->wiphy);
4462 
4463 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4464 		cmd != NL80211_CMD_DEL_INTERFACE &&
4465 		cmd != NL80211_CMD_SET_INTERFACE);
4466 
4467 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4468 	if (!hdr)
4469 		return -1;
4470 
4471 	if (dev &&
4472 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4473 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4474 		goto nla_put_failure;
4475 
4476 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4477 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4478 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4479 			      NL80211_ATTR_PAD) ||
4480 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4481 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4482 			rdev->devlist_generation ^
4483 			(cfg80211_rdev_list_generation << 2)) ||
4484 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4485 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4486 		goto nla_put_failure;
4487 
4488 	if (rdev->ops->get_channel && !wdev->valid_links) {
4489 		struct cfg80211_chan_def chandef = {};
4490 		int ret;
4491 
4492 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4493 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4494 			goto nla_put_failure;
4495 	}
4496 
4497 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4498 		int dbm, ret;
4499 
4500 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4501 		if (ret == 0 &&
4502 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4503 				DBM_TO_MBM(dbm)))
4504 			goto nla_put_failure;
4505 	}
4506 
4507 	switch (wdev->iftype) {
4508 	case NL80211_IFTYPE_AP:
4509 	case NL80211_IFTYPE_P2P_GO:
4510 		if (wdev->u.ap.ssid_len &&
4511 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4512 			    wdev->u.ap.ssid))
4513 			goto nla_put_failure;
4514 		break;
4515 	case NL80211_IFTYPE_STATION:
4516 	case NL80211_IFTYPE_P2P_CLIENT:
4517 		if (wdev->u.client.ssid_len &&
4518 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4519 			    wdev->u.client.ssid))
4520 			goto nla_put_failure;
4521 		break;
4522 	case NL80211_IFTYPE_ADHOC:
4523 		if (wdev->u.ibss.ssid_len &&
4524 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4525 			    wdev->u.ibss.ssid))
4526 			goto nla_put_failure;
4527 		break;
4528 	default:
4529 		/* nothing */
4530 		break;
4531 	}
4532 
4533 	if (rdev->ops->get_txq_stats) {
4534 		struct cfg80211_txq_stats txqstats = {};
4535 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4536 
4537 		if (ret == 0 &&
4538 		    !nl80211_put_txq_stats(msg, &txqstats,
4539 					   NL80211_ATTR_TXQ_STATS))
4540 			goto nla_put_failure;
4541 	}
4542 
4543 	if (wdev->valid_links) {
4544 		unsigned int link_id;
4545 		struct nlattr *links = nla_nest_start(msg,
4546 						      NL80211_ATTR_MLO_LINKS);
4547 
4548 		if (!links)
4549 			goto nla_put_failure;
4550 
4551 		for_each_valid_link(wdev, link_id) {
4552 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4553 			struct cfg80211_chan_def chandef = {};
4554 			int ret;
4555 
4556 			if (!link)
4557 				goto nla_put_failure;
4558 
4559 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4560 				goto nla_put_failure;
4561 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4562 				    wdev->links[link_id].addr))
4563 				goto nla_put_failure;
4564 
4565 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4566 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4567 				goto nla_put_failure;
4568 
4569 			if (rdev->ops->get_tx_power) {
4570 				int dbm, ret;
4571 
4572 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4573 				if (ret == 0 &&
4574 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4575 						DBM_TO_MBM(dbm)))
4576 					goto nla_put_failure;
4577 			}
4578 			nla_nest_end(msg, link);
4579 		}
4580 
4581 		nla_nest_end(msg, links);
4582 	}
4583 
4584 	genlmsg_end(msg, hdr);
4585 	return 0;
4586 
4587  nla_put_failure:
4588 	genlmsg_cancel(msg, hdr);
4589 	return -EMSGSIZE;
4590 }
4591 
4592 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4593 {
4594 	int wp_idx = 0;
4595 	int if_idx = 0;
4596 	int wp_start = cb->args[0];
4597 	int if_start = cb->args[1];
4598 	int filter_wiphy = -1;
4599 	struct cfg80211_registered_device *rdev;
4600 	struct wireless_dev *wdev;
4601 	int ret;
4602 
4603 	rtnl_lock();
4604 	if (!cb->args[2]) {
4605 		struct nl80211_dump_wiphy_state state = {
4606 			.filter_wiphy = -1,
4607 		};
4608 
4609 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4610 		if (ret)
4611 			goto out_unlock;
4612 
4613 		filter_wiphy = state.filter_wiphy;
4614 
4615 		/*
4616 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4617 		 * value needed to determine that parsing is necessary.
4618 		 */
4619 		if (filter_wiphy >= 0)
4620 			cb->args[2] = filter_wiphy + 1;
4621 		else
4622 			cb->args[2] = -1;
4623 	} else if (cb->args[2] > 0) {
4624 		filter_wiphy = cb->args[2] - 1;
4625 	}
4626 
4627 	for_each_rdev(rdev) {
4628 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4629 			continue;
4630 		if (wp_idx < wp_start) {
4631 			wp_idx++;
4632 			continue;
4633 		}
4634 
4635 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4636 			continue;
4637 
4638 		if_idx = 0;
4639 
4640 		guard(wiphy)(&rdev->wiphy);
4641 
4642 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4643 			if (if_idx < if_start) {
4644 				if_idx++;
4645 				continue;
4646 			}
4647 
4648 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4649 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4650 					       rdev, wdev,
4651 					       NL80211_CMD_NEW_INTERFACE) < 0)
4652 				goto out;
4653 
4654 			if_idx++;
4655 		}
4656 
4657 		if_start = 0;
4658 		wp_idx++;
4659 	}
4660  out:
4661 	cb->args[0] = wp_idx;
4662 	cb->args[1] = if_idx;
4663 
4664 	ret = skb->len;
4665  out_unlock:
4666 	rtnl_unlock();
4667 
4668 	return ret;
4669 }
4670 
4671 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4672 {
4673 	struct sk_buff *msg;
4674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4675 	struct wireless_dev *wdev = info->user_ptr[1];
4676 
4677 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4678 	if (!msg)
4679 		return -ENOMEM;
4680 
4681 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4682 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4683 		nlmsg_free(msg);
4684 		return -ENOBUFS;
4685 	}
4686 
4687 	return genlmsg_reply(msg, info);
4688 }
4689 
4690 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4691 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4692 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4693 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4694 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4695 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4696 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4697 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4698 };
4699 
4700 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4701 {
4702 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4703 	int flag;
4704 
4705 	*mntrflags = 0;
4706 
4707 	if (!nla)
4708 		return -EINVAL;
4709 
4710 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4711 		return -EINVAL;
4712 
4713 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4714 		if (flags[flag])
4715 			*mntrflags |= (1<<flag);
4716 
4717 	/* cooked monitor mode is incompatible with other modes */
4718 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4719 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4720 		return -EOPNOTSUPP;
4721 
4722 	*mntrflags |= MONITOR_FLAG_CHANGED;
4723 
4724 	return 0;
4725 }
4726 
4727 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4728 				     enum nl80211_iftype type,
4729 				     struct genl_info *info,
4730 				     struct vif_params *params)
4731 {
4732 	bool change = false;
4733 	int err;
4734 
4735 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4736 		if (type != NL80211_IFTYPE_MONITOR)
4737 			return -EINVAL;
4738 
4739 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4740 					  &params->flags);
4741 		if (err)
4742 			return err;
4743 
4744 		change = true;
4745 	}
4746 
4747 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4748 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4749 		return -EOPNOTSUPP;
4750 
4751 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4752 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4753 		return -EOPNOTSUPP;
4754 
4755 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4756 		const u8 *mumimo_groups;
4757 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4758 
4759 		if (type != NL80211_IFTYPE_MONITOR)
4760 			return -EINVAL;
4761 
4762 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4763 			return -EOPNOTSUPP;
4764 
4765 		mumimo_groups =
4766 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4767 
4768 		/* bits 0 and 63 are reserved and must be zero */
4769 		if ((mumimo_groups[0] & BIT(0)) ||
4770 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4771 			return -EINVAL;
4772 
4773 		params->vht_mumimo_groups = mumimo_groups;
4774 		change = true;
4775 	}
4776 
4777 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4778 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4779 
4780 		if (type != NL80211_IFTYPE_MONITOR)
4781 			return -EINVAL;
4782 
4783 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4784 			return -EOPNOTSUPP;
4785 
4786 		params->vht_mumimo_follow_addr =
4787 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4788 		change = true;
4789 	}
4790 
4791 	return change ? 1 : 0;
4792 }
4793 
4794 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4795 			       struct net_device *netdev, u8 use_4addr,
4796 			       enum nl80211_iftype iftype)
4797 {
4798 	if (!use_4addr) {
4799 		if (netdev && netif_is_bridge_port(netdev))
4800 			return -EBUSY;
4801 		return 0;
4802 	}
4803 
4804 	switch (iftype) {
4805 	case NL80211_IFTYPE_AP_VLAN:
4806 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4807 			return 0;
4808 		break;
4809 	case NL80211_IFTYPE_STATION:
4810 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4811 			return 0;
4812 		break;
4813 	default:
4814 		break;
4815 	}
4816 
4817 	return -EOPNOTSUPP;
4818 }
4819 
4820 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4821 					u32 *radio_mask)
4822 {
4823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4824 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4825 	u32 mask, allowed;
4826 
4827 	if (!attr) {
4828 		*radio_mask = 0;
4829 		return 0;
4830 	}
4831 
4832 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4833 	mask = nla_get_u32(attr);
4834 	if (mask & ~allowed)
4835 		return -EINVAL;
4836 	if (!mask)
4837 		mask = allowed;
4838 	*radio_mask = mask;
4839 
4840 	return 1;
4841 }
4842 
4843 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4844 {
4845 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4846 	struct vif_params params;
4847 	int err;
4848 	enum nl80211_iftype otype, ntype;
4849 	struct net_device *dev = info->user_ptr[1];
4850 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4851 	u32 radio_mask = 0;
4852 	bool change = false;
4853 
4854 	memset(&params, 0, sizeof(params));
4855 
4856 	otype = ntype = dev->ieee80211_ptr->iftype;
4857 
4858 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4859 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4860 		if (otype != ntype)
4861 			change = true;
4862 	}
4863 
4864 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4865 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4866 			return -EINVAL;
4867 		if (otype != NL80211_IFTYPE_MESH_POINT)
4868 			return -EINVAL;
4869 		if (netif_running(dev))
4870 			return -EBUSY;
4871 
4872 		wdev->u.mesh.id_up_len =
4873 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4874 		memcpy(wdev->u.mesh.id,
4875 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4876 		       wdev->u.mesh.id_up_len);
4877 	}
4878 
4879 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4880 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4881 		change = true;
4882 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4883 		if (err)
4884 			return err;
4885 	} else {
4886 		params.use_4addr = -1;
4887 	}
4888 
4889 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4890 	if (err < 0)
4891 		return err;
4892 	if (err > 0)
4893 		change = true;
4894 
4895 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4896 	if (err < 0)
4897 		return err;
4898 	if (err && netif_running(dev))
4899 		return -EBUSY;
4900 
4901 	if (change)
4902 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4903 	else
4904 		err = 0;
4905 
4906 	if (!err && params.use_4addr != -1)
4907 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4908 
4909 	if (radio_mask)
4910 		wdev->radio_mask = radio_mask;
4911 
4912 	if (change && !err)
4913 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4914 
4915 	return err;
4916 }
4917 
4918 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4919 {
4920 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4921 	struct vif_params params;
4922 	struct wireless_dev *wdev;
4923 	struct sk_buff *msg;
4924 	u32 radio_mask;
4925 	int err;
4926 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4927 
4928 	memset(&params, 0, sizeof(params));
4929 
4930 	if (!info->attrs[NL80211_ATTR_IFNAME])
4931 		return -EINVAL;
4932 
4933 	if (info->attrs[NL80211_ATTR_IFTYPE])
4934 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4935 
4936 	if (!rdev->ops->add_virtual_intf)
4937 		return -EOPNOTSUPP;
4938 
4939 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4940 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4941 	    info->attrs[NL80211_ATTR_MAC]) {
4942 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4943 			   ETH_ALEN);
4944 		if (!is_valid_ether_addr(params.macaddr))
4945 			return -EADDRNOTAVAIL;
4946 	}
4947 
4948 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4949 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4950 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4951 		if (err)
4952 			return err;
4953 	}
4954 
4955 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4956 		return -EOPNOTSUPP;
4957 
4958 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4959 	if (err < 0)
4960 		return err;
4961 
4962 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4963 	if (err < 0)
4964 		return err;
4965 
4966 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4967 	if (!msg)
4968 		return -ENOMEM;
4969 
4970 	wdev = rdev_add_virtual_intf(rdev,
4971 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4972 				NET_NAME_USER, type, &params);
4973 	if (WARN_ON(!wdev)) {
4974 		nlmsg_free(msg);
4975 		return -EPROTO;
4976 	} else if (IS_ERR(wdev)) {
4977 		nlmsg_free(msg);
4978 		return PTR_ERR(wdev);
4979 	}
4980 
4981 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4982 		wdev->owner_nlportid = info->snd_portid;
4983 
4984 	switch (type) {
4985 	case NL80211_IFTYPE_MESH_POINT:
4986 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4987 			break;
4988 		wdev->u.mesh.id_up_len =
4989 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4990 		memcpy(wdev->u.mesh.id,
4991 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4992 		       wdev->u.mesh.id_up_len);
4993 		break;
4994 	case NL80211_IFTYPE_NAN:
4995 	case NL80211_IFTYPE_P2P_DEVICE:
4996 		/*
4997 		 * P2P Device and NAN do not have a netdev, so don't go
4998 		 * through the netdev notifier and must be added here
4999 		 */
5000 		cfg80211_init_wdev(wdev);
5001 		cfg80211_register_wdev(rdev, wdev);
5002 		break;
5003 	default:
5004 		break;
5005 	}
5006 
5007 	if (radio_mask)
5008 		wdev->radio_mask = radio_mask;
5009 
5010 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
5011 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
5012 		nlmsg_free(msg);
5013 		return -ENOBUFS;
5014 	}
5015 
5016 	return genlmsg_reply(msg, info);
5017 }
5018 
5019 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
5020 {
5021 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5022 
5023 	/* to avoid failing a new interface creation due to pending removal */
5024 	cfg80211_destroy_ifaces(rdev);
5025 
5026 	guard(wiphy)(&rdev->wiphy);
5027 
5028 	return _nl80211_new_interface(skb, info);
5029 }
5030 
5031 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
5032 {
5033 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5034 	struct wireless_dev *wdev = info->user_ptr[1];
5035 
5036 	if (!rdev->ops->del_virtual_intf)
5037 		return -EOPNOTSUPP;
5038 
5039 	/*
5040 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
5041 	 * reach 0, and thus the rdev cannot be deleted.
5042 	 *
5043 	 * We need to do it for the dev_close(), since that will call
5044 	 * the netdev notifiers, and we need to acquire the mutex there
5045 	 * but don't know if we get there from here or from some other
5046 	 * place (e.g. "ip link set ... down").
5047 	 */
5048 	mutex_unlock(&rdev->wiphy.mtx);
5049 
5050 	/*
5051 	 * If we remove a wireless device without a netdev then clear
5052 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
5053 	 * to check if it needs to do dev_put(). Otherwise it crashes
5054 	 * since the wdev has been freed, unlike with a netdev where
5055 	 * we need the dev_put() for the netdev to really be freed.
5056 	 */
5057 	if (!wdev->netdev)
5058 		info->user_ptr[1] = NULL;
5059 	else
5060 		dev_close(wdev->netdev);
5061 
5062 	cfg80211_close_dependents(rdev, wdev);
5063 
5064 	mutex_lock(&rdev->wiphy.mtx);
5065 
5066 	return cfg80211_remove_virtual_intf(rdev, wdev);
5067 }
5068 
5069 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
5070 {
5071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5072 	struct net_device *dev = info->user_ptr[1];
5073 	u16 noack_map;
5074 
5075 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
5076 		return -EINVAL;
5077 
5078 	if (!rdev->ops->set_noack_map)
5079 		return -EOPNOTSUPP;
5080 
5081 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
5082 
5083 	return rdev_set_noack_map(rdev, dev, noack_map);
5084 }
5085 
5086 static int nl80211_validate_key_link_id(struct genl_info *info,
5087 					struct wireless_dev *wdev,
5088 					int link_id, bool pairwise)
5089 {
5090 	if (pairwise) {
5091 		if (link_id != -1) {
5092 			GENL_SET_ERR_MSG(info,
5093 					 "link ID not allowed for pairwise key");
5094 			return -EINVAL;
5095 		}
5096 
5097 		return 0;
5098 	}
5099 
5100 	if (wdev->valid_links) {
5101 		if (link_id == -1) {
5102 			GENL_SET_ERR_MSG(info,
5103 					 "link ID must for MLO group key");
5104 			return -EINVAL;
5105 		}
5106 		if (!(wdev->valid_links & BIT(link_id))) {
5107 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
5108 			return -EINVAL;
5109 		}
5110 	} else if (link_id != -1) {
5111 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
5112 		return -EINVAL;
5113 	}
5114 
5115 	return 0;
5116 }
5117 
5118 struct get_key_cookie {
5119 	struct sk_buff *msg;
5120 	int error;
5121 	int idx;
5122 };
5123 
5124 static void get_key_callback(void *c, struct key_params *params)
5125 {
5126 	struct nlattr *key;
5127 	struct get_key_cookie *cookie = c;
5128 
5129 	if ((params->seq &&
5130 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
5131 		     params->seq_len, params->seq)) ||
5132 	    (params->cipher &&
5133 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
5134 			 params->cipher)))
5135 		goto nla_put_failure;
5136 
5137 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
5138 	if (!key)
5139 		goto nla_put_failure;
5140 
5141 	if ((params->seq &&
5142 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
5143 		     params->seq_len, params->seq)) ||
5144 	    (params->cipher &&
5145 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
5146 			 params->cipher)))
5147 		goto nla_put_failure;
5148 
5149 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
5150 		goto nla_put_failure;
5151 
5152 	nla_nest_end(cookie->msg, key);
5153 
5154 	return;
5155  nla_put_failure:
5156 	cookie->error = 1;
5157 }
5158 
5159 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
5160 {
5161 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5162 	int err;
5163 	struct wireless_dev *wdev = info->user_ptr[1];
5164 	u8 key_idx = 0;
5165 	const u8 *mac_addr = NULL;
5166 	bool pairwise;
5167 	struct get_key_cookie cookie = {
5168 		.error = 0,
5169 	};
5170 	void *hdr;
5171 	struct sk_buff *msg;
5172 	bool bigtk_support = false;
5173 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5174 
5175 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5176 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
5177 		bigtk_support = true;
5178 
5179 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
5180 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
5181 	    wiphy_ext_feature_isset(&rdev->wiphy,
5182 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
5183 		bigtk_support = true;
5184 
5185 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
5186 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
5187 
5188 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
5189 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
5190 			return -EINVAL;
5191 		}
5192 	}
5193 
5194 	if (info->attrs[NL80211_ATTR_MAC])
5195 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5196 
5197 	pairwise = !!mac_addr;
5198 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
5199 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
5200 
5201 		if (kt != NL80211_KEYTYPE_GROUP &&
5202 		    kt != NL80211_KEYTYPE_PAIRWISE)
5203 			return -EINVAL;
5204 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
5205 	}
5206 
5207 	if (!rdev->ops->get_key)
5208 		return -EOPNOTSUPP;
5209 
5210 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5211 		return -ENOENT;
5212 
5213 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5214 	if (!msg)
5215 		return -ENOMEM;
5216 
5217 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5218 			     NL80211_CMD_NEW_KEY);
5219 	if (!hdr)
5220 		goto nla_put_failure;
5221 
5222 	cookie.msg = msg;
5223 	cookie.idx = key_idx;
5224 
5225 	if ((wdev->netdev &&
5226 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
5227 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5228 			      NL80211_ATTR_PAD) ||
5229 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
5230 		goto nla_put_failure;
5231 	if (mac_addr &&
5232 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
5233 		goto nla_put_failure;
5234 
5235 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
5236 	if (err)
5237 		goto free_msg;
5238 
5239 	err = rdev_get_key(rdev, wdev, link_id, key_idx, pairwise, mac_addr,
5240 			   &cookie, get_key_callback);
5241 
5242 	if (err)
5243 		goto free_msg;
5244 
5245 	if (cookie.error)
5246 		goto nla_put_failure;
5247 
5248 	genlmsg_end(msg, hdr);
5249 	return genlmsg_reply(msg, info);
5250 
5251  nla_put_failure:
5252 	err = -ENOBUFS;
5253  free_msg:
5254 	nlmsg_free(msg);
5255 	return err;
5256 }
5257 
5258 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
5259 {
5260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5261 	struct key_parse key;
5262 	int err;
5263 	struct wireless_dev *wdev = info->user_ptr[1];
5264 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5265 
5266 	err = nl80211_parse_key(info, &key);
5267 	if (err)
5268 		return err;
5269 
5270 	if (key.idx < 0)
5271 		return -EINVAL;
5272 
5273 	/* Only support setting default key and
5274 	 * Extended Key ID action NL80211_KEY_SET_TX.
5275 	 */
5276 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5277 	    !(key.p.mode == NL80211_KEY_SET_TX))
5278 		return -EINVAL;
5279 
5280 	if (key.def) {
5281 		if (!rdev->ops->set_default_key)
5282 			return -EOPNOTSUPP;
5283 
5284 		if (!wdev->netdev)
5285 			return -EINVAL;
5286 
5287 		err = nl80211_key_allowed(wdev);
5288 		if (err)
5289 			return err;
5290 
5291 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5292 		if (err)
5293 			return err;
5294 
5295 		err = rdev_set_default_key(rdev, wdev->netdev, link_id, key.idx,
5296 					   key.def_uni, key.def_multi);
5297 
5298 		if (err)
5299 			return err;
5300 
5301 #ifdef CONFIG_CFG80211_WEXT
5302 		wdev->wext.default_key = key.idx;
5303 #endif
5304 		return 0;
5305 	} else if (key.defmgmt) {
5306 		if (key.def_uni || !key.def_multi)
5307 			return -EINVAL;
5308 
5309 		if (!rdev->ops->set_default_mgmt_key)
5310 			return -EOPNOTSUPP;
5311 
5312 		err = nl80211_key_allowed(wdev);
5313 		if (err)
5314 			return err;
5315 
5316 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5317 		if (err)
5318 			return err;
5319 
5320 		err = rdev_set_default_mgmt_key(rdev, wdev, link_id, key.idx);
5321 		if (err)
5322 			return err;
5323 
5324 #ifdef CONFIG_CFG80211_WEXT
5325 		wdev->wext.default_mgmt_key = key.idx;
5326 #endif
5327 		return 0;
5328 	} else if (key.defbeacon) {
5329 		if (key.def_uni || !key.def_multi)
5330 			return -EINVAL;
5331 
5332 		if (!rdev->ops->set_default_beacon_key)
5333 			return -EOPNOTSUPP;
5334 
5335 		err = nl80211_key_allowed(wdev);
5336 		if (err)
5337 			return err;
5338 
5339 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5340 		if (err)
5341 			return err;
5342 
5343 		return rdev_set_default_beacon_key(rdev, wdev, link_id,
5344 						   key.idx);
5345 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5346 		   wiphy_ext_feature_isset(&rdev->wiphy,
5347 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5348 		u8 *mac_addr = NULL;
5349 
5350 		if (info->attrs[NL80211_ATTR_MAC])
5351 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5352 
5353 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5354 			return -EINVAL;
5355 
5356 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5357 		if (err)
5358 			return err;
5359 
5360 		return rdev_add_key(rdev, wdev, link_id, key.idx,
5361 				    NL80211_KEYTYPE_PAIRWISE,
5362 				    mac_addr, &key.p);
5363 	}
5364 
5365 	return -EINVAL;
5366 }
5367 
5368 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5369 {
5370 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5371 	int err;
5372 	struct wireless_dev *wdev = info->user_ptr[1];
5373 	struct key_parse key;
5374 	const u8 *mac_addr = NULL;
5375 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5376 
5377 	err = nl80211_parse_key(info, &key);
5378 	if (err)
5379 		return err;
5380 
5381 	if (!key.p.key) {
5382 		GENL_SET_ERR_MSG(info, "no key");
5383 		return -EINVAL;
5384 	}
5385 
5386 	if (info->attrs[NL80211_ATTR_MAC])
5387 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5388 
5389 	if (key.type == -1) {
5390 		if (mac_addr)
5391 			key.type = NL80211_KEYTYPE_PAIRWISE;
5392 		else
5393 			key.type = NL80211_KEYTYPE_GROUP;
5394 	}
5395 
5396 	/* for now */
5397 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5398 	    key.type != NL80211_KEYTYPE_GROUP) {
5399 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5400 		return -EINVAL;
5401 	}
5402 
5403 	if (key.type == NL80211_KEYTYPE_GROUP &&
5404 	    info->attrs[NL80211_ATTR_VLAN_ID])
5405 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5406 
5407 	if (!rdev->ops->add_key)
5408 		return -EOPNOTSUPP;
5409 
5410 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5411 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5412 					   mac_addr)) {
5413 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5414 		return -EINVAL;
5415 	}
5416 
5417 	err = nl80211_key_allowed(wdev);
5418 	if (err)
5419 		GENL_SET_ERR_MSG(info, "key not allowed");
5420 
5421 	if (!err)
5422 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5423 				key.type == NL80211_KEYTYPE_PAIRWISE);
5424 
5425 	if (!err) {
5426 		err = rdev_add_key(rdev, wdev, link_id, key.idx,
5427 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5428 				    mac_addr, &key.p);
5429 		if (err)
5430 			GENL_SET_ERR_MSG(info, "key addition failed");
5431 	}
5432 
5433 	return err;
5434 }
5435 
5436 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5437 {
5438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5439 	int err;
5440 	struct wireless_dev *wdev = info->user_ptr[1];
5441 	u8 *mac_addr = NULL;
5442 	struct key_parse key;
5443 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5444 
5445 	err = nl80211_parse_key(info, &key);
5446 	if (err)
5447 		return err;
5448 
5449 	if (info->attrs[NL80211_ATTR_MAC])
5450 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5451 
5452 	if (key.type == -1) {
5453 		if (mac_addr)
5454 			key.type = NL80211_KEYTYPE_PAIRWISE;
5455 		else
5456 			key.type = NL80211_KEYTYPE_GROUP;
5457 	}
5458 
5459 	/* for now */
5460 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5461 	    key.type != NL80211_KEYTYPE_GROUP)
5462 		return -EINVAL;
5463 
5464 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5465 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5466 		return -EINVAL;
5467 
5468 	if (!rdev->ops->del_key)
5469 		return -EOPNOTSUPP;
5470 
5471 	err = nl80211_key_allowed(wdev);
5472 
5473 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5474 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5475 		err = -ENOENT;
5476 
5477 	if (!err)
5478 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5479 				key.type == NL80211_KEYTYPE_PAIRWISE);
5480 
5481 	if (!err)
5482 		err = rdev_del_key(rdev, wdev, link_id, key.idx,
5483 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5484 				   mac_addr);
5485 
5486 #ifdef CONFIG_CFG80211_WEXT
5487 	if (!err) {
5488 		if (key.idx == wdev->wext.default_key)
5489 			wdev->wext.default_key = -1;
5490 		else if (key.idx == wdev->wext.default_mgmt_key)
5491 			wdev->wext.default_mgmt_key = -1;
5492 	}
5493 #endif
5494 
5495 	return err;
5496 }
5497 
5498 /* This function returns an error or the number of nested attributes */
5499 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5500 {
5501 	struct nlattr *attr;
5502 	int n_entries = 0, tmp;
5503 
5504 	nla_for_each_nested(attr, nl_attr, tmp) {
5505 		if (nla_len(attr) != ETH_ALEN)
5506 			return -EINVAL;
5507 
5508 		n_entries++;
5509 	}
5510 
5511 	return n_entries;
5512 }
5513 
5514 /*
5515  * This function parses ACL information and allocates memory for ACL data.
5516  * On successful return, the calling function is responsible to free the
5517  * ACL buffer returned by this function.
5518  */
5519 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5520 						struct genl_info *info)
5521 {
5522 	enum nl80211_acl_policy acl_policy;
5523 	struct nlattr *attr;
5524 	struct cfg80211_acl_data *acl;
5525 	int i = 0, n_entries, tmp;
5526 
5527 	if (!wiphy->max_acl_mac_addrs)
5528 		return ERR_PTR(-EOPNOTSUPP);
5529 
5530 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5531 		return ERR_PTR(-EINVAL);
5532 
5533 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5534 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5535 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5536 		return ERR_PTR(-EINVAL);
5537 
5538 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5539 		return ERR_PTR(-EINVAL);
5540 
5541 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5542 	if (n_entries < 0)
5543 		return ERR_PTR(n_entries);
5544 
5545 	if (n_entries > wiphy->max_acl_mac_addrs)
5546 		return ERR_PTR(-EOPNOTSUPP);
5547 
5548 	acl = kzalloc_flex(*acl, mac_addrs, n_entries);
5549 	if (!acl)
5550 		return ERR_PTR(-ENOMEM);
5551 	acl->n_acl_entries = n_entries;
5552 
5553 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5554 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5555 		i++;
5556 	}
5557 	acl->acl_policy = acl_policy;
5558 
5559 	return acl;
5560 }
5561 
5562 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5563 {
5564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5565 	struct net_device *dev = info->user_ptr[1];
5566 	struct cfg80211_acl_data *acl;
5567 	int err;
5568 
5569 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5570 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5571 		return -EOPNOTSUPP;
5572 
5573 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5574 		return -EINVAL;
5575 
5576 	acl = parse_acl_data(&rdev->wiphy, info);
5577 	if (IS_ERR(acl))
5578 		return PTR_ERR(acl);
5579 
5580 	err = rdev_set_mac_acl(rdev, dev, acl);
5581 
5582 	kfree(acl);
5583 
5584 	return err;
5585 }
5586 
5587 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5588 			   u8 *rates, u8 rates_len)
5589 {
5590 	u8 i;
5591 	u32 mask = 0;
5592 
5593 	for (i = 0; i < rates_len; i++) {
5594 		int rate = (rates[i] & 0x7f) * 5;
5595 		int ridx;
5596 
5597 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5598 			struct ieee80211_rate *srate =
5599 				&sband->bitrates[ridx];
5600 			if (rate == srate->bitrate) {
5601 				mask |= 1 << ridx;
5602 				break;
5603 			}
5604 		}
5605 		if (ridx == sband->n_bitrates)
5606 			return 0; /* rate not found */
5607 	}
5608 
5609 	return mask;
5610 }
5611 
5612 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5613 			       u8 *rates, u8 rates_len,
5614 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5615 {
5616 	u8 i;
5617 
5618 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5619 
5620 	for (i = 0; i < rates_len; i++) {
5621 		int ridx, rbit;
5622 
5623 		ridx = rates[i] / 8;
5624 		rbit = BIT(rates[i] % 8);
5625 
5626 		/* check validity */
5627 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5628 			return false;
5629 
5630 		/* check availability */
5631 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5632 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5633 			mcs[ridx] |= rbit;
5634 		else
5635 			return false;
5636 	}
5637 
5638 	return true;
5639 }
5640 
5641 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5642 {
5643 	u16 mcs_mask = 0;
5644 
5645 	switch (vht_mcs_map) {
5646 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5647 		break;
5648 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5649 		mcs_mask = 0x00FF;
5650 		break;
5651 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5652 		mcs_mask = 0x01FF;
5653 		break;
5654 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5655 		mcs_mask = 0x03FF;
5656 		break;
5657 	default:
5658 		break;
5659 	}
5660 
5661 	return mcs_mask;
5662 }
5663 
5664 static void vht_build_mcs_mask(u16 vht_mcs_map,
5665 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5666 {
5667 	u8 nss;
5668 
5669 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5670 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5671 		vht_mcs_map >>= 2;
5672 	}
5673 }
5674 
5675 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5676 			     struct nl80211_txrate_vht *txrate,
5677 			     u16 mcs[NL80211_VHT_NSS_MAX])
5678 {
5679 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5680 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5681 	u8 i;
5682 
5683 	if (!sband->vht_cap.vht_supported)
5684 		return false;
5685 
5686 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5687 
5688 	/* Build vht_mcs_mask from VHT capabilities */
5689 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5690 
5691 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5692 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5693 			mcs[i] = txrate->mcs[i];
5694 		else
5695 			return false;
5696 	}
5697 
5698 	return true;
5699 }
5700 
5701 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5702 {
5703 	switch (he_mcs_map) {
5704 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5705 		return 0;
5706 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5707 		return 0x00FF;
5708 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5709 		return 0x03FF;
5710 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5711 		return 0xFFF;
5712 	default:
5713 		break;
5714 	}
5715 	return 0;
5716 }
5717 
5718 static void he_build_mcs_mask(u16 he_mcs_map,
5719 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5720 {
5721 	u8 nss;
5722 
5723 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5724 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5725 		he_mcs_map >>= 2;
5726 	}
5727 }
5728 
5729 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5730 			   const struct ieee80211_sta_he_cap *he_cap)
5731 {
5732 	struct net_device *dev = info->user_ptr[1];
5733 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5734 	struct cfg80211_chan_def *chandef;
5735 	__le16 tx_mcs;
5736 
5737 	chandef = wdev_chandef(wdev, link_id);
5738 	if (!chandef) {
5739 		/*
5740 		 * This is probably broken, but we never maintained
5741 		 * a chandef in these cases, so it always was.
5742 		 */
5743 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5744 	}
5745 
5746 	switch (chandef->width) {
5747 	case NL80211_CHAN_WIDTH_80P80:
5748 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5749 		break;
5750 	case NL80211_CHAN_WIDTH_160:
5751 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5752 		break;
5753 	default:
5754 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5755 		break;
5756 	}
5757 
5758 	return le16_to_cpu(tx_mcs);
5759 }
5760 
5761 static bool he_set_mcs_mask(struct genl_info *info,
5762 			    struct wireless_dev *wdev,
5763 			    struct ieee80211_supported_band *sband,
5764 			    struct nl80211_txrate_he *txrate,
5765 			    u16 mcs[NL80211_HE_NSS_MAX],
5766 			    unsigned int link_id)
5767 {
5768 	const struct ieee80211_sta_he_cap *he_cap;
5769 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5770 	u16 tx_mcs_map = 0;
5771 	u8 i;
5772 
5773 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5774 	if (!he_cap)
5775 		return false;
5776 
5777 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5778 
5779 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5780 
5781 	/* Build he_mcs_mask from HE capabilities */
5782 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5783 
5784 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5785 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5786 			mcs[i] = txrate->mcs[i];
5787 		else
5788 			return false;
5789 	}
5790 
5791 	return true;
5792 }
5793 
5794 static void eht_build_mcs_mask(struct genl_info *info,
5795 			       const struct ieee80211_sta_eht_cap *eht_cap,
5796 			       u8 mcs_nss_len, u16 *mcs_mask)
5797 {
5798 	struct net_device *dev = info->user_ptr[1];
5799 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5800 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5801 	unsigned int link_id = nl80211_link_id(info->attrs);
5802 
5803 	if (mcs_nss_len == 4) {
5804 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5805 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5806 
5807 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5808 				    IEEE80211_EHT_MCS_NSS_TX);
5809 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5810 				    IEEE80211_EHT_MCS_NSS_TX);
5811 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5812 				     IEEE80211_EHT_MCS_NSS_TX);
5813 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5814 				     IEEE80211_EHT_MCS_NSS_TX);
5815 
5816 	} else {
5817 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5818 		enum nl80211_chan_width width;
5819 
5820 		switch (wdev->iftype) {
5821 		case NL80211_IFTYPE_ADHOC:
5822 			width = wdev->u.ibss.chandef.width;
5823 			break;
5824 		case NL80211_IFTYPE_MESH_POINT:
5825 			width = wdev->u.mesh.chandef.width;
5826 			break;
5827 		case NL80211_IFTYPE_OCB:
5828 			width = wdev->u.ocb.chandef.width;
5829 			break;
5830 		default:
5831 			if (wdev->valid_links)
5832 				width = wdev->links[link_id].ap.chandef.width;
5833 			else
5834 				width = wdev->u.ap.preset_chandef.width;
5835 			break;
5836 		}
5837 
5838 		switch (width) {
5839 		case NL80211_CHAN_WIDTH_320:
5840 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5841 			break;
5842 		case NL80211_CHAN_WIDTH_160:
5843 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5844 			break;
5845 		default:
5846 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5847 			break;
5848 		}
5849 
5850 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5851 				    IEEE80211_EHT_MCS_NSS_TX);
5852 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5853 				    IEEE80211_EHT_MCS_NSS_TX);
5854 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5855 				     IEEE80211_EHT_MCS_NSS_TX);
5856 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5857 				     IEEE80211_EHT_MCS_NSS_TX);
5858 	}
5859 
5860 	/* Enable MCS 14 for NSS 0 */
5861 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5862 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5863 		mcs_mask[0] |= 0x4000;
5864 
5865 	/* Enable MCS 15 for NSS 0 */
5866 	mcs_mask[0] |= 0x8000;
5867 
5868 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5869 		if (!mcs_7)
5870 			continue;
5871 		mcs_mask[nss] |= 0x00FF;
5872 		mcs_7--;
5873 
5874 		if (!mcs_9)
5875 			continue;
5876 		mcs_mask[nss] |= 0x0300;
5877 		mcs_9--;
5878 
5879 		if (!mcs_11)
5880 			continue;
5881 		mcs_mask[nss] |= 0x0C00;
5882 		mcs_11--;
5883 
5884 		if (!mcs_13)
5885 			continue;
5886 		mcs_mask[nss] |= 0x3000;
5887 		mcs_13--;
5888 	}
5889 }
5890 
5891 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5892 			     struct ieee80211_supported_band *sband,
5893 			     struct nl80211_txrate_eht *txrate,
5894 			     u16 mcs[NL80211_EHT_NSS_MAX])
5895 {
5896 	const struct ieee80211_sta_he_cap *he_cap;
5897 	const struct ieee80211_sta_eht_cap *eht_cap;
5898 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5899 	u8 i, mcs_nss_len;
5900 
5901 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5902 	if (!he_cap)
5903 		return false;
5904 
5905 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5906 	if (!eht_cap)
5907 		return false;
5908 
5909 	/* Checks for MCS 14 */
5910 	if (txrate->mcs[0] & 0x4000) {
5911 		if (sband->band != NL80211_BAND_6GHZ)
5912 			return false;
5913 
5914 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5915 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5916 			return false;
5917 	}
5918 
5919 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5920 						 &eht_cap->eht_cap_elem,
5921 						 wdev->iftype ==
5922 							NL80211_IFTYPE_STATION);
5923 
5924 	if (mcs_nss_len == 3) {
5925 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5926 		switch (wdev->iftype) {
5927 		case NL80211_IFTYPE_ADHOC:
5928 		case NL80211_IFTYPE_AP:
5929 		case NL80211_IFTYPE_P2P_GO:
5930 		case NL80211_IFTYPE_MESH_POINT:
5931 		case NL80211_IFTYPE_OCB:
5932 			break;
5933 		default:
5934 			return false;
5935 		}
5936 	}
5937 
5938 	/* Build eht_mcs_mask from EHT and HE capabilities */
5939 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5940 
5941 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5942 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5943 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5944 			mcs[i] = txrate->mcs[i];
5945 		else
5946 			return false;
5947 	}
5948 
5949 	return true;
5950 }
5951 
5952 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5953 					 struct nlattr *attrs[],
5954 					 enum nl80211_attrs attr,
5955 					 struct cfg80211_bitrate_mask *mask,
5956 					 struct net_device *dev,
5957 					 bool default_all_enabled,
5958 					 unsigned int link_id)
5959 {
5960 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5962 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5963 	int rem, i;
5964 	struct nlattr *tx_rates;
5965 	struct ieee80211_supported_band *sband;
5966 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5967 
5968 	memset(mask, 0, sizeof(*mask));
5969 	/* Default to all rates enabled */
5970 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5971 		const struct ieee80211_sta_he_cap *he_cap;
5972 		const struct ieee80211_sta_eht_cap *eht_cap;
5973 		u8 mcs_nss_len;
5974 
5975 		if (!default_all_enabled)
5976 			break;
5977 
5978 		sband = rdev->wiphy.bands[i];
5979 
5980 		if (!sband)
5981 			continue;
5982 
5983 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5984 		memcpy(mask->control[i].ht_mcs,
5985 		       sband->ht_cap.mcs.rx_mask,
5986 		       sizeof(mask->control[i].ht_mcs));
5987 
5988 		if (sband->vht_cap.vht_supported) {
5989 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5990 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5991 		}
5992 
5993 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5994 		if (!he_cap)
5995 			continue;
5996 
5997 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5998 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5999 
6000 		mask->control[i].he_gi = 0xFF;
6001 		mask->control[i].he_ltf = 0xFF;
6002 
6003 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
6004 		if (!eht_cap)
6005 			continue;
6006 
6007 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
6008 							 &eht_cap->eht_cap_elem,
6009 							 wdev->iftype ==
6010 							 NL80211_IFTYPE_STATION);
6011 
6012 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
6013 				   mask->control[i].eht_mcs);
6014 
6015 		mask->control[i].eht_gi = 0xFF;
6016 		mask->control[i].eht_ltf = 0xFF;
6017 	}
6018 
6019 	/* if no rates are given set it back to the defaults */
6020 	if (!attrs[attr])
6021 		goto out;
6022 
6023 	/* The nested attribute uses enum nl80211_band as the index. This maps
6024 	 * directly to the enum nl80211_band values used in cfg80211.
6025 	 */
6026 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
6027 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
6028 		int band = nla_type(tx_rates);
6029 		int err;
6030 
6031 		if (band < 0 || band >= NUM_NL80211_BANDS)
6032 			return -EINVAL;
6033 		sband = rdev->wiphy.bands[band];
6034 		if (sband == NULL)
6035 			return -EINVAL;
6036 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
6037 						  tx_rates,
6038 						  nl80211_txattr_policy,
6039 						  info->extack);
6040 		if (err)
6041 			return err;
6042 		if (tb[NL80211_TXRATE_LEGACY]) {
6043 			mask->control[band].legacy = rateset_to_mask(
6044 				sband,
6045 				nla_data(tb[NL80211_TXRATE_LEGACY]),
6046 				nla_len(tb[NL80211_TXRATE_LEGACY]));
6047 			if ((mask->control[band].legacy == 0) &&
6048 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
6049 				return -EINVAL;
6050 		}
6051 		if (tb[NL80211_TXRATE_HT]) {
6052 			if (!ht_rateset_to_mask(
6053 					sband,
6054 					nla_data(tb[NL80211_TXRATE_HT]),
6055 					nla_len(tb[NL80211_TXRATE_HT]),
6056 					mask->control[band].ht_mcs))
6057 				return -EINVAL;
6058 		}
6059 
6060 		if (tb[NL80211_TXRATE_VHT]) {
6061 			if (!vht_set_mcs_mask(
6062 					sband,
6063 					nla_data(tb[NL80211_TXRATE_VHT]),
6064 					mask->control[band].vht_mcs))
6065 				return -EINVAL;
6066 		}
6067 
6068 		if (tb[NL80211_TXRATE_GI]) {
6069 			mask->control[band].gi =
6070 				nla_get_u8(tb[NL80211_TXRATE_GI]);
6071 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
6072 				return -EINVAL;
6073 		}
6074 		if (tb[NL80211_TXRATE_HE] &&
6075 		    !he_set_mcs_mask(info, wdev, sband,
6076 				     nla_data(tb[NL80211_TXRATE_HE]),
6077 				     mask->control[band].he_mcs,
6078 				     link_id))
6079 			return -EINVAL;
6080 
6081 		if (tb[NL80211_TXRATE_HE_GI])
6082 			mask->control[band].he_gi =
6083 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
6084 		if (tb[NL80211_TXRATE_HE_LTF])
6085 			mask->control[band].he_ltf =
6086 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
6087 
6088 		if (tb[NL80211_TXRATE_EHT] &&
6089 		    !eht_set_mcs_mask(info, wdev, sband,
6090 				      nla_data(tb[NL80211_TXRATE_EHT]),
6091 				      mask->control[band].eht_mcs))
6092 			return -EINVAL;
6093 
6094 		if (tb[NL80211_TXRATE_EHT_GI])
6095 			mask->control[band].eht_gi =
6096 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
6097 		if (tb[NL80211_TXRATE_EHT_LTF])
6098 			mask->control[band].eht_ltf =
6099 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
6100 
6101 		if (mask->control[band].legacy == 0) {
6102 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
6103 			 * are not even supported.
6104 			 */
6105 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
6106 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
6107 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
6108 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
6109 				return -EINVAL;
6110 
6111 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
6112 				if (mask->control[band].ht_mcs[i])
6113 					goto out;
6114 
6115 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
6116 				if (mask->control[band].vht_mcs[i])
6117 					goto out;
6118 
6119 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
6120 				if (mask->control[band].he_mcs[i])
6121 					goto out;
6122 
6123 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
6124 				if (mask->control[band].eht_mcs[i])
6125 					goto out;
6126 
6127 			/* legacy and mcs rates may not be both empty */
6128 			return -EINVAL;
6129 		}
6130 	}
6131 
6132 out:
6133 	return 0;
6134 }
6135 
6136 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
6137 				   enum nl80211_band band,
6138 				   struct cfg80211_bitrate_mask *beacon_rate)
6139 {
6140 	u32 count_ht, count_vht, count_he, count_eht, i;
6141 	u32 rate = beacon_rate->control[band].legacy;
6142 
6143 	/* Allow only one rate */
6144 	if (hweight32(rate) > 1)
6145 		return -EINVAL;
6146 
6147 	count_ht = 0;
6148 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
6149 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
6150 			return -EINVAL;
6151 		} else if (beacon_rate->control[band].ht_mcs[i]) {
6152 			count_ht++;
6153 			if (count_ht > 1)
6154 				return -EINVAL;
6155 		}
6156 		if (count_ht && rate)
6157 			return -EINVAL;
6158 	}
6159 
6160 	count_vht = 0;
6161 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
6162 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
6163 			return -EINVAL;
6164 		} else if (beacon_rate->control[band].vht_mcs[i]) {
6165 			count_vht++;
6166 			if (count_vht > 1)
6167 				return -EINVAL;
6168 		}
6169 		if (count_vht && rate)
6170 			return -EINVAL;
6171 	}
6172 
6173 	count_he = 0;
6174 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
6175 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
6176 			return -EINVAL;
6177 		} else if (beacon_rate->control[band].he_mcs[i]) {
6178 			count_he++;
6179 			if (count_he > 1)
6180 				return -EINVAL;
6181 		}
6182 		if (count_he && rate)
6183 			return -EINVAL;
6184 	}
6185 
6186 	count_eht = 0;
6187 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
6188 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
6189 			return -EINVAL;
6190 		} else if (beacon_rate->control[band].eht_mcs[i]) {
6191 			count_eht++;
6192 			if (count_eht > 1)
6193 				return -EINVAL;
6194 		}
6195 		if (count_eht && rate)
6196 			return -EINVAL;
6197 	}
6198 
6199 	if ((count_ht && count_vht && count_he && count_eht) ||
6200 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
6201 		return -EINVAL;
6202 
6203 	if (rate &&
6204 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6205 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
6206 		return -EINVAL;
6207 	if (count_ht &&
6208 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6209 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
6210 		return -EINVAL;
6211 	if (count_vht &&
6212 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6213 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
6214 		return -EINVAL;
6215 	if (count_he &&
6216 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6217 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
6218 		return -EINVAL;
6219 
6220 	if (count_eht &&
6221 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6222 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
6223 		return -EINVAL;
6224 
6225 	return 0;
6226 }
6227 
6228 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
6229 				       struct net_device *dev,
6230 				       unsigned int link_id,
6231 				       struct nlattr *attrs,
6232 				       struct cfg80211_mbssid_config *config,
6233 				       u8 num_elems)
6234 {
6235 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
6236 	int tx_link_id = -1;
6237 
6238 	if (!wiphy->mbssid_max_interfaces)
6239 		return -EOPNOTSUPP;
6240 
6241 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
6242 			     NULL) ||
6243 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
6244 		return -EINVAL;
6245 
6246 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
6247 	if (config->ema) {
6248 		if (!wiphy->ema_max_profile_periodicity)
6249 			return -EOPNOTSUPP;
6250 
6251 		if (num_elems > wiphy->ema_max_profile_periodicity)
6252 			return -EINVAL;
6253 	}
6254 
6255 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
6256 	if (config->index >= wiphy->mbssid_max_interfaces ||
6257 	    (!config->index && !num_elems))
6258 		return -EINVAL;
6259 
6260 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
6261 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
6262 
6263 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
6264 		u32 tx_ifindex =
6265 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
6266 
6267 		if ((!config->index && tx_ifindex != dev->ifindex) ||
6268 		    (config->index && tx_ifindex == dev->ifindex))
6269 			return -EINVAL;
6270 
6271 		if (tx_ifindex != dev->ifindex) {
6272 			struct net_device *tx_netdev =
6273 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6274 
6275 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6276 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6277 			    tx_netdev->ieee80211_ptr->iftype !=
6278 							NL80211_IFTYPE_AP) {
6279 				dev_put(tx_netdev);
6280 				return -EINVAL;
6281 			}
6282 
6283 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6284 			/* Caller should call dev_put(config->tx_wdev) from this point */
6285 
6286 			if (config->tx_wdev->valid_links) {
6287 				if (tx_link_id == -1 ||
6288 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6289 					return -ENOLINK;
6290 
6291 				config->tx_link_id = tx_link_id;
6292 			}
6293 		} else {
6294 			if (tx_link_id >= 0 && tx_link_id != link_id)
6295 				return -EINVAL;
6296 
6297 			config->tx_wdev = dev->ieee80211_ptr;
6298 		}
6299 	} else if (!config->index) {
6300 		if (tx_link_id >= 0 && tx_link_id != link_id)
6301 			return -EINVAL;
6302 
6303 		config->tx_wdev = dev->ieee80211_ptr;
6304 	} else {
6305 		return -EINVAL;
6306 	}
6307 
6308 	return 0;
6309 }
6310 
6311 static struct cfg80211_mbssid_elems *
6312 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6313 {
6314 	struct nlattr *nl_elems;
6315 	struct cfg80211_mbssid_elems *elems;
6316 	int rem_elems;
6317 	u8 i = 0, num_elems = 0;
6318 
6319 	if (!wiphy->mbssid_max_interfaces)
6320 		return ERR_PTR(-EINVAL);
6321 
6322 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6323 		if (num_elems >= 255)
6324 			return ERR_PTR(-EINVAL);
6325 		num_elems++;
6326 	}
6327 
6328 	elems = kzalloc_flex(*elems, elem, num_elems);
6329 	if (!elems)
6330 		return ERR_PTR(-ENOMEM);
6331 	elems->cnt = num_elems;
6332 
6333 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6334 		elems->elem[i].data = nla_data(nl_elems);
6335 		elems->elem[i].len = nla_len(nl_elems);
6336 		i++;
6337 	}
6338 	return elems;
6339 }
6340 
6341 static struct cfg80211_rnr_elems *
6342 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6343 			struct netlink_ext_ack *extack)
6344 {
6345 	struct nlattr *nl_elems;
6346 	struct cfg80211_rnr_elems *elems;
6347 	int rem_elems;
6348 	u8 i = 0, num_elems = 0;
6349 
6350 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6351 		int ret;
6352 
6353 		ret = validate_ie_attr(nl_elems, extack);
6354 		if (ret)
6355 			return ERR_PTR(ret);
6356 
6357 		num_elems++;
6358 	}
6359 
6360 	elems = kzalloc_flex(*elems, elem, num_elems);
6361 	if (!elems)
6362 		return ERR_PTR(-ENOMEM);
6363 	elems->cnt = num_elems;
6364 
6365 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6366 		elems->elem[i].data = nla_data(nl_elems);
6367 		elems->elem[i].len = nla_len(nl_elems);
6368 		i++;
6369 	}
6370 	return elems;
6371 }
6372 
6373 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6374 				      struct cfg80211_he_bss_color *he_bss_color)
6375 {
6376 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6377 	int err;
6378 
6379 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6380 			       he_bss_color_policy, NULL);
6381 	if (err)
6382 		return err;
6383 
6384 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6385 		return -EINVAL;
6386 
6387 	he_bss_color->color =
6388 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6389 	he_bss_color->enabled =
6390 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6391 	he_bss_color->partial =
6392 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6393 
6394 	return 0;
6395 }
6396 
6397 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6398 				struct nlattr *attrs[],
6399 				struct cfg80211_beacon_data *bcn,
6400 				struct netlink_ext_ack *extack)
6401 {
6402 	bool haveinfo = false;
6403 	int err;
6404 
6405 	memset(bcn, 0, sizeof(*bcn));
6406 
6407 	bcn->link_id = nl80211_link_id(attrs);
6408 
6409 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6410 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6411 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6412 		if (!bcn->head_len)
6413 			return -EINVAL;
6414 		haveinfo = true;
6415 	}
6416 
6417 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6418 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6419 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6420 		haveinfo = true;
6421 	}
6422 
6423 	if (!haveinfo)
6424 		return -EINVAL;
6425 
6426 	if (attrs[NL80211_ATTR_IE]) {
6427 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6428 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6429 	}
6430 
6431 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6432 		bcn->proberesp_ies =
6433 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6434 		bcn->proberesp_ies_len =
6435 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6436 	}
6437 
6438 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6439 		bcn->assocresp_ies =
6440 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6441 		bcn->assocresp_ies_len =
6442 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6443 	}
6444 
6445 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6446 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6447 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6448 	}
6449 
6450 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6451 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6452 
6453 		err = nla_parse_nested_deprecated(tb,
6454 						  NL80211_FTM_RESP_ATTR_MAX,
6455 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6456 						  NULL, NULL);
6457 		if (err)
6458 			return err;
6459 
6460 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6461 		    wiphy_ext_feature_isset(&rdev->wiphy,
6462 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6463 			bcn->ftm_responder = 1;
6464 		else
6465 			return -EOPNOTSUPP;
6466 
6467 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6468 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6469 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6470 		}
6471 
6472 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6473 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6474 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6475 		}
6476 	} else {
6477 		bcn->ftm_responder = -1;
6478 	}
6479 
6480 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6481 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6482 						 &bcn->he_bss_color);
6483 		if (err)
6484 			return err;
6485 		bcn->he_bss_color_valid = true;
6486 	}
6487 
6488 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6489 		struct cfg80211_mbssid_elems *mbssid =
6490 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6491 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6492 
6493 		if (IS_ERR(mbssid))
6494 			return PTR_ERR(mbssid);
6495 
6496 		bcn->mbssid_ies = mbssid;
6497 
6498 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6499 			struct cfg80211_rnr_elems *rnr =
6500 				nl80211_parse_rnr_elems(&rdev->wiphy,
6501 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6502 							extack);
6503 
6504 			if (IS_ERR(rnr))
6505 				return PTR_ERR(rnr);
6506 
6507 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6508 				return -EINVAL;
6509 
6510 			bcn->rnr_ies = rnr;
6511 		}
6512 	}
6513 
6514 	return 0;
6515 }
6516 
6517 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6518 				    struct ieee80211_he_obss_pd *he_obss_pd)
6519 {
6520 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6521 	int err;
6522 
6523 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6524 			       he_obss_pd_policy, NULL);
6525 	if (err)
6526 		return err;
6527 
6528 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6529 		return -EINVAL;
6530 
6531 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6532 
6533 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6534 		he_obss_pd->min_offset =
6535 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6536 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6537 		he_obss_pd->max_offset =
6538 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6539 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6540 		he_obss_pd->non_srg_max_offset =
6541 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6542 
6543 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6544 		return -EINVAL;
6545 
6546 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6547 		memcpy(he_obss_pd->bss_color_bitmap,
6548 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6549 		       sizeof(he_obss_pd->bss_color_bitmap));
6550 
6551 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6552 		memcpy(he_obss_pd->partial_bssid_bitmap,
6553 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6554 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6555 
6556 	he_obss_pd->enable = true;
6557 
6558 	return 0;
6559 }
6560 
6561 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6562 					struct nlattr *attrs,
6563 					struct cfg80211_fils_discovery *fd)
6564 {
6565 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6566 	int ret;
6567 
6568 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6569 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6570 		return -EINVAL;
6571 
6572 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6573 			       NULL, NULL);
6574 	if (ret)
6575 		return ret;
6576 
6577 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6578 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6579 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6580 		fd->update = true;
6581 		return 0;
6582 	}
6583 
6584 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6585 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6586 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6587 		return -EINVAL;
6588 
6589 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6590 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6591 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6592 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6593 	fd->update = true;
6594 	return 0;
6595 }
6596 
6597 static int
6598 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6599 				     struct nlattr *attrs,
6600 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6601 {
6602 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6603 	int ret;
6604 
6605 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6606 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6607 		return -EINVAL;
6608 
6609 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6610 			       attrs, NULL, NULL);
6611 	if (ret)
6612 		return ret;
6613 
6614 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6615 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6616 		presp->update = true;
6617 		return 0;
6618 	}
6619 
6620 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6621 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6622 		return -EINVAL;
6623 
6624 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6625 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6626 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6627 	presp->update = true;
6628 	return 0;
6629 }
6630 
6631 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6632 					    const struct element *rates)
6633 {
6634 	int i;
6635 
6636 	if (!rates)
6637 		return;
6638 
6639 	for (i = 0; i < rates->datalen; i++) {
6640 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6641 			params->ht_required = true;
6642 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6643 			params->vht_required = true;
6644 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6645 			params->he_required = true;
6646 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6647 			params->sae_h2e_required = true;
6648 	}
6649 }
6650 
6651 /*
6652  * Since the nl80211 API didn't include, from the beginning, attributes about
6653  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6654  * benefit of drivers that rebuild IEs in the firmware.
6655  */
6656 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6657 {
6658 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6659 	size_t ies_len = bcn->tail_len;
6660 	const u8 *ies = bcn->tail;
6661 	const struct element *rates;
6662 	const struct element *cap;
6663 
6664 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6665 	nl80211_check_ap_rate_selectors(params, rates);
6666 
6667 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6668 	nl80211_check_ap_rate_selectors(params, rates);
6669 
6670 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6671 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6672 		params->ht_cap = (void *)cap->data;
6673 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6674 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6675 		params->vht_cap = (void *)cap->data;
6676 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6677 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6678 		params->he_cap = (void *)(cap->data + 1);
6679 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6680 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6681 		params->he_oper = (void *)(cap->data + 1);
6682 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6683 	if (cap) {
6684 		if (!cap->datalen)
6685 			return -EINVAL;
6686 		params->eht_cap = (void *)(cap->data + 1);
6687 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6688 						(const u8 *)params->eht_cap,
6689 						cap->datalen - 1, true))
6690 			return -EINVAL;
6691 	}
6692 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6693 	if (cap) {
6694 		if (!cap->datalen)
6695 			return -EINVAL;
6696 		params->eht_oper = (void *)(cap->data + 1);
6697 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6698 						cap->datalen - 1))
6699 			return -EINVAL;
6700 	}
6701 
6702 	return 0;
6703 }
6704 
6705 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6706 				   struct cfg80211_ap_settings *params)
6707 {
6708 	struct wireless_dev *wdev;
6709 
6710 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6711 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6712 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6713 			continue;
6714 
6715 		if (!wdev->u.ap.preset_chandef.chan)
6716 			continue;
6717 
6718 		params->chandef = wdev->u.ap.preset_chandef;
6719 		return true;
6720 	}
6721 
6722 	return false;
6723 }
6724 
6725 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6726 				    enum nl80211_auth_type auth_type,
6727 				    enum nl80211_commands cmd)
6728 {
6729 	if (auth_type > NL80211_AUTHTYPE_MAX)
6730 		return false;
6731 
6732 	switch (cmd) {
6733 	case NL80211_CMD_AUTHENTICATE:
6734 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6735 		    auth_type == NL80211_AUTHTYPE_SAE)
6736 			return false;
6737 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6738 					     NL80211_EXT_FEATURE_FILS_STA) &&
6739 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6740 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6741 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6742 			return false;
6743 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6744 					     NL80211_EXT_FEATURE_EPPKE) &&
6745 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6746 			return false;
6747 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6748 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
6749 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
6750 			return false;
6751 		return true;
6752 	case NL80211_CMD_CONNECT:
6753 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6754 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6755 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6756 		    auth_type == NL80211_AUTHTYPE_SAE)
6757 			return false;
6758 
6759 		/* FILS with SK PFS or PK not supported yet */
6760 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6761 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6762 			return false;
6763 		if (!wiphy_ext_feature_isset(
6764 			    &rdev->wiphy,
6765 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6766 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6767 			return false;
6768 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6769 					     NL80211_EXT_FEATURE_EPPKE) &&
6770 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6771 			return false;
6772 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6773 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
6774 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
6775 			return false;
6776 		return true;
6777 	case NL80211_CMD_START_AP:
6778 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6779 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6780 		    auth_type == NL80211_AUTHTYPE_SAE)
6781 			return false;
6782 		/* FILS not supported yet */
6783 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6784 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6785 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6786 			return false;
6787 		return true;
6788 	default:
6789 		return false;
6790 	}
6791 }
6792 
6793 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6794 				    unsigned int link_id)
6795 {
6796 	struct wiphy *wiphy = wdev->wiphy;
6797 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6798 	struct sk_buff *msg;
6799 	void *hdr;
6800 
6801 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6802 	if (!msg)
6803 		return;
6804 
6805 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6806 	if (!hdr)
6807 		goto out;
6808 
6809 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6810 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6811 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6812 			      NL80211_ATTR_PAD) ||
6813 	    (wdev->u.ap.ssid_len &&
6814 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6815 		     wdev->u.ap.ssid)) ||
6816 	    (wdev->valid_links &&
6817 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6818 		goto out;
6819 
6820 	genlmsg_end(msg, hdr);
6821 
6822 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6823 				NL80211_MCGRP_MLME, GFP_KERNEL);
6824 	return;
6825 out:
6826 	nlmsg_free(msg);
6827 }
6828 
6829 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6830 {
6831 	struct ieee80211_channel *channel = params->chandef.chan;
6832 
6833 	if ((params->he_cap ||  params->he_oper) &&
6834 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6835 		return -EOPNOTSUPP;
6836 
6837 	if ((params->eht_cap || params->eht_oper) &&
6838 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6839 		return -EOPNOTSUPP;
6840 
6841 	if (params->uhr_oper && (channel->flags & IEEE80211_CHAN_NO_UHR))
6842 		return -EOPNOTSUPP;
6843 
6844 	return 0;
6845 }
6846 
6847 static int
6848 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6849 			       struct nlattr *attrs,
6850 			       struct cfg80211_s1g_short_beacon *sb)
6851 {
6852 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6853 	int ret;
6854 
6855 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6856 		return -EINVAL;
6857 
6858 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6859 			       NULL, NULL);
6860 	if (ret)
6861 		return ret;
6862 
6863 	/* Short beacon tail is optional (i.e might only include the TIM) */
6864 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6865 		return -EINVAL;
6866 
6867 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6868 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6869 	sb->short_tail_len = 0;
6870 
6871 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6872 		sb->short_tail =
6873 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6874 		sb->short_tail_len =
6875 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6876 	}
6877 
6878 	sb->update = true;
6879 	return 0;
6880 }
6881 
6882 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6883 {
6884 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6885 	struct cfg80211_beaconing_check_config beacon_check = {};
6886 	unsigned int link_id = nl80211_link_id(info->attrs);
6887 	struct net_device *dev = info->user_ptr[1];
6888 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6889 	struct cfg80211_ap_settings *params;
6890 	int err;
6891 
6892 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6893 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6894 		return -EOPNOTSUPP;
6895 
6896 	if (!rdev->ops->start_ap)
6897 		return -EOPNOTSUPP;
6898 
6899 	if (wdev->links[link_id].cac_started)
6900 		return -EBUSY;
6901 
6902 	if (wdev->links[link_id].ap.beacon_interval)
6903 		return -EALREADY;
6904 
6905 	/* these are required for START_AP */
6906 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6907 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6908 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6909 		return -EINVAL;
6910 
6911 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6912 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6913 		return -EOPNOTSUPP;
6914 
6915 	params = kzalloc_obj(*params);
6916 	if (!params)
6917 		return -ENOMEM;
6918 
6919 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6920 				   info->extack);
6921 	if (err)
6922 		goto out;
6923 
6924 	params->beacon_interval =
6925 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6926 	params->dtim_period =
6927 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6928 
6929 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6930 					   params->beacon_interval);
6931 	if (err)
6932 		goto out;
6933 
6934 	/*
6935 	 * In theory, some of these attributes should be required here
6936 	 * but since they were not used when the command was originally
6937 	 * added, keep them optional for old user space programs to let
6938 	 * them continue to work with drivers that do not need the
6939 	 * additional information -- drivers must check!
6940 	 */
6941 	if (info->attrs[NL80211_ATTR_SSID]) {
6942 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6943 		params->ssid_len =
6944 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6945 		if (params->ssid_len == 0) {
6946 			err = -EINVAL;
6947 			goto out;
6948 		}
6949 
6950 		if (wdev->u.ap.ssid_len &&
6951 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6952 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6953 			/* require identical SSID for MLO */
6954 			err = -EINVAL;
6955 			goto out;
6956 		}
6957 	} else if (wdev->valid_links) {
6958 		/* require SSID for MLO */
6959 		err = -EINVAL;
6960 		goto out;
6961 	}
6962 
6963 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6964 		params->hidden_ssid = nla_get_u32(
6965 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6966 
6967 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6968 
6969 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6970 		params->auth_type = nla_get_u32(
6971 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6972 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6973 					     NL80211_CMD_START_AP)) {
6974 			err = -EINVAL;
6975 			goto out;
6976 		}
6977 	} else
6978 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6979 
6980 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6981 				      NL80211_MAX_NR_CIPHER_SUITES);
6982 	if (err)
6983 		goto out;
6984 
6985 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6986 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6987 			err = -EOPNOTSUPP;
6988 			goto out;
6989 		}
6990 		params->inactivity_timeout = nla_get_u16(
6991 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6992 	}
6993 
6994 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6995 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6996 			err = -EINVAL;
6997 			goto out;
6998 		}
6999 		params->p2p_ctwindow =
7000 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7001 		if (params->p2p_ctwindow != 0 &&
7002 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
7003 			err = -EINVAL;
7004 			goto out;
7005 		}
7006 	}
7007 
7008 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7009 		u8 tmp;
7010 
7011 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7012 			err = -EINVAL;
7013 			goto out;
7014 		}
7015 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7016 		params->p2p_opp_ps = tmp;
7017 		if (params->p2p_opp_ps != 0 &&
7018 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
7019 			err = -EINVAL;
7020 			goto out;
7021 		}
7022 	}
7023 
7024 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7025 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
7026 					    &params->chandef);
7027 		if (err)
7028 			goto out;
7029 	} else if (wdev->valid_links) {
7030 		/* with MLD need to specify the channel configuration */
7031 		err = -EINVAL;
7032 		goto out;
7033 	} else if (wdev->u.ap.preset_chandef.chan) {
7034 		params->chandef = wdev->u.ap.preset_chandef;
7035 	} else if (!nl80211_get_ap_channel(rdev, params)) {
7036 		err = -EINVAL;
7037 		goto out;
7038 	}
7039 
7040 	beacon_check.iftype = wdev->iftype;
7041 	beacon_check.relax = true;
7042 	beacon_check.reg_power =
7043 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7044 					     params->beacon.tail_len, 0);
7045 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
7046 					  &beacon_check)) {
7047 		err = -EINVAL;
7048 		goto out;
7049 	}
7050 
7051 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
7052 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
7053 						    NL80211_ATTR_TX_RATES,
7054 						    &params->beacon_rate,
7055 						    dev, false, link_id);
7056 		if (err)
7057 			goto out;
7058 
7059 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
7060 					      &params->beacon_rate);
7061 		if (err)
7062 			goto out;
7063 	}
7064 
7065 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
7066 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
7067 		err = -EOPNOTSUPP;
7068 		goto out;
7069 	}
7070 
7071 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
7072 		params->acl = parse_acl_data(&rdev->wiphy, info);
7073 		if (IS_ERR(params->acl)) {
7074 			err = PTR_ERR(params->acl);
7075 			params->acl = NULL;
7076 			goto out;
7077 		}
7078 	}
7079 
7080 	params->twt_responder =
7081 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
7082 
7083 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
7084 		err = nl80211_parse_he_obss_pd(
7085 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
7086 					&params->he_obss_pd);
7087 		if (err)
7088 			goto out;
7089 	}
7090 
7091 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
7092 		err = nl80211_parse_fils_discovery(rdev,
7093 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
7094 						   &params->fils_discovery);
7095 		if (err)
7096 			goto out;
7097 	}
7098 
7099 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
7100 		err = nl80211_parse_unsol_bcast_probe_resp(
7101 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
7102 			&params->unsol_bcast_probe_resp);
7103 		if (err)
7104 			goto out;
7105 	}
7106 
7107 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
7108 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
7109 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
7110 						  &params->mbssid_config,
7111 						  params->beacon.mbssid_ies ?
7112 							params->beacon.mbssid_ies->cnt :
7113 							0);
7114 		if (err)
7115 			goto out;
7116 	}
7117 
7118 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
7119 		err = -EINVAL;
7120 		goto out;
7121 	}
7122 
7123 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
7124 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
7125 			err = -EINVAL;
7126 			goto out;
7127 		}
7128 
7129 		params->s1g_long_beacon_period = nla_get_u8(
7130 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
7131 
7132 		err = nl80211_parse_s1g_short_beacon(
7133 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
7134 			&params->s1g_short_beacon);
7135 		if (err)
7136 			goto out;
7137 	}
7138 
7139 	err = nl80211_calculate_ap_params(params);
7140 	if (err)
7141 		goto out;
7142 
7143 	if (info->attrs[NL80211_ATTR_UHR_OPERATION])
7144 		params->uhr_oper = nla_data(info->attrs[NL80211_ATTR_UHR_OPERATION]);
7145 
7146 	err = nl80211_validate_ap_phy_operation(params);
7147 	if (err)
7148 		goto out;
7149 
7150 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
7151 		params->flags = nla_get_u32(
7152 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
7153 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
7154 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
7155 
7156 	if (wdev->conn_owner_nlportid &&
7157 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
7158 	    wdev->conn_owner_nlportid != info->snd_portid) {
7159 		err = -EINVAL;
7160 		goto out;
7161 	}
7162 
7163 	/* FIXME: validate MLO/link-id against driver capabilities */
7164 
7165 	err = rdev_start_ap(rdev, dev, params);
7166 	if (!err) {
7167 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
7168 		wdev->links[link_id].ap.chandef = params->chandef;
7169 		wdev->u.ap.ssid_len = params->ssid_len;
7170 		memcpy(wdev->u.ap.ssid, params->ssid,
7171 		       params->ssid_len);
7172 
7173 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
7174 			wdev->conn_owner_nlportid = info->snd_portid;
7175 
7176 		nl80211_send_ap_started(wdev, link_id);
7177 	}
7178 out:
7179 	kfree(params->acl);
7180 	kfree(params->beacon.mbssid_ies);
7181 	if (params->mbssid_config.tx_wdev &&
7182 	    params->mbssid_config.tx_wdev->netdev &&
7183 	    params->mbssid_config.tx_wdev->netdev != dev)
7184 		dev_put(params->mbssid_config.tx_wdev->netdev);
7185 	kfree(params->beacon.rnr_ies);
7186 	kfree(params);
7187 
7188 	return err;
7189 }
7190 
7191 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
7192 {
7193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7194 	struct cfg80211_beaconing_check_config beacon_check = {};
7195 	unsigned int link_id = nl80211_link_id(info->attrs);
7196 	struct net_device *dev = info->user_ptr[1];
7197 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7198 	struct cfg80211_ap_update *params;
7199 	struct nlattr *attr;
7200 	int err;
7201 
7202 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7203 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7204 		return -EOPNOTSUPP;
7205 
7206 	if (!rdev->ops->change_beacon)
7207 		return -EOPNOTSUPP;
7208 
7209 	if (!wdev->links[link_id].ap.beacon_interval)
7210 		return -EINVAL;
7211 
7212 	params = kzalloc_obj(*params);
7213 	if (!params)
7214 		return -ENOMEM;
7215 
7216 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7217 				   info->extack);
7218 	if (err)
7219 		goto out;
7220 
7221 	/* recheck beaconing is permitted with possibly changed power type */
7222 	beacon_check.iftype = wdev->iftype;
7223 	beacon_check.relax = true;
7224 	beacon_check.reg_power =
7225 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7226 					     params->beacon.tail_len, 0);
7227 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
7228 					  &wdev->links[link_id].ap.chandef,
7229 					  &beacon_check)) {
7230 		err = -EINVAL;
7231 		goto out;
7232 	}
7233 
7234 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
7235 	if (attr) {
7236 		err = nl80211_parse_fils_discovery(rdev, attr,
7237 						   &params->fils_discovery);
7238 		if (err)
7239 			goto out;
7240 	}
7241 
7242 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
7243 	if (attr) {
7244 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
7245 							   &params->unsol_bcast_probe_resp);
7246 		if (err)
7247 			goto out;
7248 	}
7249 
7250 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
7251 	if (attr) {
7252 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
7253 						     &params->s1g_short_beacon);
7254 		if (err)
7255 			goto out;
7256 	}
7257 
7258 	err = rdev_change_beacon(rdev, dev, params);
7259 
7260 out:
7261 	kfree(params->beacon.mbssid_ies);
7262 	kfree(params->beacon.rnr_ies);
7263 	kfree(params);
7264 	return err;
7265 }
7266 
7267 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
7268 {
7269 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7270 	unsigned int link_id = nl80211_link_id(info->attrs);
7271 	struct net_device *dev = info->user_ptr[1];
7272 
7273 	return cfg80211_stop_ap(rdev, dev, link_id, false);
7274 }
7275 
7276 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
7277 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
7278 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
7279 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
7280 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
7281 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
7282 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
7283 };
7284 
7285 static int parse_station_flags(struct genl_info *info,
7286 			       enum nl80211_iftype iftype,
7287 			       struct station_parameters *params)
7288 {
7289 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
7290 	struct nlattr *nla;
7291 	int flag;
7292 
7293 	/*
7294 	 * Try parsing the new attribute first so userspace
7295 	 * can specify both for older kernels.
7296 	 */
7297 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7298 	if (nla) {
7299 		struct nl80211_sta_flag_update *sta_flags;
7300 
7301 		sta_flags = nla_data(nla);
7302 		params->sta_flags_mask = sta_flags->mask;
7303 		params->sta_flags_set = sta_flags->set;
7304 		params->sta_flags_set &= params->sta_flags_mask;
7305 		if ((params->sta_flags_mask |
7306 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7307 			return -EINVAL;
7308 
7309 		if ((iftype == NL80211_IFTYPE_NAN ||
7310 		     iftype == NL80211_IFTYPE_NAN_DATA) &&
7311 		    params->sta_flags_mask &
7312 		    ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7313 		      BIT(NL80211_STA_FLAG_ASSOCIATED) |
7314 		      BIT(NL80211_STA_FLAG_AUTHORIZED) |
7315 		      BIT(NL80211_STA_FLAG_MFP)))
7316 				return -EINVAL;
7317 
7318 		/* WME is always used in NAN */
7319 		if (iftype == NL80211_IFTYPE_NAN_DATA) {
7320 			/* but don't let userspace control it */
7321 			if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_WME))
7322 				return -EINVAL;
7323 
7324 			params->sta_flags_mask |= BIT(NL80211_STA_FLAG_WME);
7325 			params->sta_flags_set |= BIT(NL80211_STA_FLAG_WME);
7326 		}
7327 
7328 		return 0;
7329 	}
7330 
7331 	/* if present, parse the old attribute */
7332 
7333 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7334 	if (!nla)
7335 		return 0;
7336 
7337 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7338 		return -EINVAL;
7339 
7340 	/*
7341 	 * Only allow certain flags for interface types so that
7342 	 * other attributes are silently ignored. Remember that
7343 	 * this is backward compatibility code with old userspace
7344 	 * and shouldn't be hit in other cases anyway.
7345 	 */
7346 	switch (iftype) {
7347 	case NL80211_IFTYPE_AP:
7348 	case NL80211_IFTYPE_AP_VLAN:
7349 	case NL80211_IFTYPE_P2P_GO:
7350 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7351 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7352 					 BIT(NL80211_STA_FLAG_WME) |
7353 					 BIT(NL80211_STA_FLAG_MFP);
7354 		break;
7355 	case NL80211_IFTYPE_P2P_CLIENT:
7356 	case NL80211_IFTYPE_STATION:
7357 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7358 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7359 		break;
7360 	case NL80211_IFTYPE_MESH_POINT:
7361 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7362 					 BIT(NL80211_STA_FLAG_MFP) |
7363 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7364 		break;
7365 	default:
7366 		return -EINVAL;
7367 	}
7368 
7369 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7370 		if (flags[flag]) {
7371 			params->sta_flags_set |= (1<<flag);
7372 
7373 			/* no longer support new API additions in old API */
7374 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7375 				return -EINVAL;
7376 		}
7377 	}
7378 
7379 	return 0;
7380 }
7381 
7382 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7383 {
7384 	struct nlattr *rate;
7385 	u32 bitrate;
7386 	u16 bitrate_compat;
7387 	enum nl80211_rate_info rate_flg;
7388 
7389 	rate = nla_nest_start_noflag(msg, attr);
7390 	if (!rate)
7391 		return false;
7392 
7393 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7394 	bitrate = cfg80211_calculate_bitrate(info);
7395 	/* report 16-bit bitrate only if we can */
7396 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7397 	if (bitrate > 0 &&
7398 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7399 		return false;
7400 	if (bitrate_compat > 0 &&
7401 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7402 		return false;
7403 
7404 	switch (info->bw) {
7405 	case RATE_INFO_BW_1:
7406 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7407 		break;
7408 	case RATE_INFO_BW_2:
7409 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7410 		break;
7411 	case RATE_INFO_BW_4:
7412 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7413 		break;
7414 	case RATE_INFO_BW_5:
7415 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7416 		break;
7417 	case RATE_INFO_BW_8:
7418 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7419 		break;
7420 	case RATE_INFO_BW_10:
7421 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7422 		break;
7423 	case RATE_INFO_BW_16:
7424 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7425 		break;
7426 	default:
7427 		WARN_ON(1);
7428 		fallthrough;
7429 	case RATE_INFO_BW_20:
7430 		rate_flg = 0;
7431 		break;
7432 	case RATE_INFO_BW_40:
7433 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7434 		break;
7435 	case RATE_INFO_BW_80:
7436 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7437 		break;
7438 	case RATE_INFO_BW_160:
7439 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7440 		break;
7441 	case RATE_INFO_BW_HE_RU:
7442 		rate_flg = 0;
7443 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7444 		break;
7445 	case RATE_INFO_BW_320:
7446 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7447 		break;
7448 	case RATE_INFO_BW_EHT_RU:
7449 		rate_flg = 0;
7450 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS) &&
7451 			!(info->flags & RATE_INFO_FLAGS_UHR_MCS));
7452 		break;
7453 	}
7454 
7455 	if (rate_flg && nla_put_flag(msg, rate_flg))
7456 		return false;
7457 
7458 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7459 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7460 			return false;
7461 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7462 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7463 			return false;
7464 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7465 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7466 			return false;
7467 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7468 			return false;
7469 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7470 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7471 			return false;
7472 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7473 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7474 			return false;
7475 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7476 			return false;
7477 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7478 			return false;
7479 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7480 			return false;
7481 		if (info->bw == RATE_INFO_BW_HE_RU &&
7482 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7483 			       info->he_ru_alloc))
7484 			return false;
7485 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7486 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7487 			return false;
7488 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7489 			return false;
7490 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7491 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7492 			return false;
7493 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7494 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7495 			return false;
7496 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7497 			return false;
7498 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7499 			return false;
7500 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7501 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7502 			       info->eht_ru_alloc))
7503 			return false;
7504 	} else if (info->flags & RATE_INFO_FLAGS_UHR_MCS) {
7505 		if (nla_put_u8(msg, NL80211_RATE_INFO_UHR_MCS, info->mcs))
7506 			return false;
7507 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7508 			return false;
7509 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7510 			return false;
7511 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7512 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7513 			       info->eht_ru_alloc))
7514 			return false;
7515 		if (info->flags & RATE_INFO_FLAGS_UHR_ELR_MCS &&
7516 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_ELR))
7517 			return false;
7518 		if (info->flags & RATE_INFO_FLAGS_UHR_IM &&
7519 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_IM))
7520 			return false;
7521 	}
7522 
7523 	nla_nest_end(msg, rate);
7524 	return true;
7525 }
7526 
7527 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7528 			       int id)
7529 {
7530 	void *attr;
7531 	int i = 0;
7532 
7533 	if (!mask)
7534 		return true;
7535 
7536 	attr = nla_nest_start_noflag(msg, id);
7537 	if (!attr)
7538 		return false;
7539 
7540 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7541 		if (!(mask & BIT(i)))
7542 			continue;
7543 
7544 		if (nla_put_u8(msg, i, signal[i]))
7545 			return false;
7546 	}
7547 
7548 	nla_nest_end(msg, attr);
7549 
7550 	return true;
7551 }
7552 
7553 static int nl80211_fill_link_station(struct sk_buff *msg,
7554 				     struct cfg80211_registered_device *rdev,
7555 				     struct link_station_info *link_sinfo)
7556 {
7557 	struct nlattr *bss_param, *link_sinfoattr;
7558 
7559 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7560 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7561 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7562 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7563 			     link_sinfo->memb))				\
7564 		goto nla_put_failure;					\
7565 	} while (0)
7566 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7567 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7568 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7569 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7570 		goto nla_put_failure;					\
7571 	} while (0)
7572 
7573 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7574 	if (!link_sinfoattr)
7575 		goto nla_put_failure;
7576 
7577 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7578 
7579 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7580 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7581 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7582 			(u32)link_sinfo->rx_bytes))
7583 		goto nla_put_failure;
7584 
7585 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7586 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7587 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7588 			(u32)link_sinfo->tx_bytes))
7589 		goto nla_put_failure;
7590 
7591 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7592 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7593 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7594 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7595 
7596 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7597 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7598 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7599 
7600 	switch (rdev->wiphy.signal_type) {
7601 	case CFG80211_SIGNAL_TYPE_MBM:
7602 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7603 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7604 		break;
7605 	default:
7606 		break;
7607 	}
7608 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7609 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7610 					link_sinfo->chain_signal,
7611 					NL80211_STA_INFO_CHAIN_SIGNAL))
7612 			goto nla_put_failure;
7613 	}
7614 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7615 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7616 					link_sinfo->chain_signal_avg,
7617 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7618 			goto nla_put_failure;
7619 	}
7620 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7621 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7622 					  NL80211_STA_INFO_TX_BITRATE))
7623 			goto nla_put_failure;
7624 	}
7625 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7626 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7627 					  NL80211_STA_INFO_RX_BITRATE))
7628 			goto nla_put_failure;
7629 	}
7630 
7631 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7632 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7633 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7634 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7635 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7636 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7637 
7638 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7639 		bss_param = nla_nest_start_noflag(msg,
7640 						  NL80211_STA_INFO_BSS_PARAM);
7641 		if (!bss_param)
7642 			goto nla_put_failure;
7643 
7644 		if (((link_sinfo->bss_param.flags &
7645 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7646 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7647 		    ((link_sinfo->bss_param.flags &
7648 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7649 		     nla_put_flag(msg,
7650 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7651 		    ((link_sinfo->bss_param.flags &
7652 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7653 		     nla_put_flag(msg,
7654 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7655 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7656 			       link_sinfo->bss_param.dtim_period) ||
7657 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7658 				link_sinfo->bss_param.beacon_interval))
7659 			goto nla_put_failure;
7660 
7661 		nla_nest_end(msg, bss_param);
7662 	}
7663 
7664 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7665 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7666 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7667 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7668 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7669 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7670 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7671 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7672 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7673 	}
7674 
7675 #undef PUT_LINK_SINFO
7676 #undef PUT_LINK_SINFO_U64
7677 
7678 	if (link_sinfo->pertid) {
7679 		struct nlattr *tidsattr;
7680 		int tid;
7681 
7682 		tidsattr = nla_nest_start_noflag(msg,
7683 						 NL80211_STA_INFO_TID_STATS);
7684 		if (!tidsattr)
7685 			goto nla_put_failure;
7686 
7687 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7688 			struct cfg80211_tid_stats *tidstats;
7689 			struct nlattr *tidattr;
7690 
7691 			tidstats = &link_sinfo->pertid[tid];
7692 
7693 			if (!tidstats->filled)
7694 				continue;
7695 
7696 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7697 			if (!tidattr)
7698 				goto nla_put_failure;
7699 
7700 #define PUT_TIDVAL_U64(attr, memb) do {					\
7701 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7702 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7703 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7704 		goto nla_put_failure;					\
7705 	} while (0)
7706 
7707 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7708 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7709 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7710 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7711 
7712 #undef PUT_TIDVAL_U64
7713 			if ((tidstats->filled &
7714 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7715 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7716 						   NL80211_TID_STATS_TXQ_STATS))
7717 				goto nla_put_failure;
7718 
7719 			nla_nest_end(msg, tidattr);
7720 		}
7721 
7722 		nla_nest_end(msg, tidsattr);
7723 	}
7724 
7725 	nla_nest_end(msg, link_sinfoattr);
7726 	return 0;
7727 
7728 nla_put_failure:
7729 	return -EMSGSIZE;
7730 }
7731 
7732 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7733 				u32 seq, int flags,
7734 				struct cfg80211_registered_device *rdev,
7735 				struct wireless_dev *wdev,
7736 				const u8 *mac_addr, struct station_info *sinfo,
7737 				bool link_stats)
7738 {
7739 	void *hdr;
7740 	struct nlattr *sinfoattr, *bss_param;
7741 	struct link_station_info *link_sinfo;
7742 	struct nlattr *links, *link;
7743 	int link_id;
7744 
7745 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7746 	if (!hdr) {
7747 		cfg80211_sinfo_release_content(sinfo);
7748 		return -1;
7749 	}
7750 
7751 	if ((wdev->netdev &&
7752 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
7753 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
7754 			      NL80211_ATTR_PAD) ||
7755 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7756 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7757 		goto nla_put_failure;
7758 
7759 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7760 	if (!sinfoattr)
7761 		goto nla_put_failure;
7762 
7763 #define PUT_SINFO(attr, memb, type) do {				\
7764 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7765 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7766 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7767 			     sinfo->memb))				\
7768 		goto nla_put_failure;					\
7769 	} while (0)
7770 #define PUT_SINFO_U64(attr, memb) do {					\
7771 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7772 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7773 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7774 		goto nla_put_failure;					\
7775 	} while (0)
7776 
7777 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7778 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7779 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7780 
7781 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7782 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7783 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7784 			(u32)sinfo->rx_bytes))
7785 		goto nla_put_failure;
7786 
7787 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7788 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7789 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7790 			(u32)sinfo->tx_bytes))
7791 		goto nla_put_failure;
7792 
7793 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7794 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7795 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7796 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7797 
7798 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7799 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7800 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7801 
7802 	switch (rdev->wiphy.signal_type) {
7803 	case CFG80211_SIGNAL_TYPE_MBM:
7804 		PUT_SINFO(SIGNAL, signal, u8);
7805 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7806 		break;
7807 	default:
7808 		break;
7809 	}
7810 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7811 		if (!nl80211_put_signal(msg, sinfo->chains,
7812 					sinfo->chain_signal,
7813 					NL80211_STA_INFO_CHAIN_SIGNAL))
7814 			goto nla_put_failure;
7815 	}
7816 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7817 		if (!nl80211_put_signal(msg, sinfo->chains,
7818 					sinfo->chain_signal_avg,
7819 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7820 			goto nla_put_failure;
7821 	}
7822 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7823 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7824 					  NL80211_STA_INFO_TX_BITRATE))
7825 			goto nla_put_failure;
7826 	}
7827 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7828 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7829 					  NL80211_STA_INFO_RX_BITRATE))
7830 			goto nla_put_failure;
7831 	}
7832 
7833 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7834 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7835 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7836 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7837 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7838 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7839 
7840 	PUT_SINFO(LLID, llid, u16);
7841 	PUT_SINFO(PLID, plid, u16);
7842 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7843 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7844 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7845 	PUT_SINFO(PEER_PM, peer_pm, u32);
7846 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7847 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7848 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7849 	PUT_SINFO_U64(T_OFFSET, t_offset);
7850 
7851 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7852 		bss_param = nla_nest_start_noflag(msg,
7853 						  NL80211_STA_INFO_BSS_PARAM);
7854 		if (!bss_param)
7855 			goto nla_put_failure;
7856 
7857 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7858 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7859 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7860 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7861 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7862 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7863 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7864 			       sinfo->bss_param.dtim_period) ||
7865 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7866 				sinfo->bss_param.beacon_interval))
7867 			goto nla_put_failure;
7868 
7869 		nla_nest_end(msg, bss_param);
7870 	}
7871 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7872 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7873 		    sizeof(struct nl80211_sta_flag_update),
7874 		    &sinfo->sta_flags))
7875 		goto nla_put_failure;
7876 
7877 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7878 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7879 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7880 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7881 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7882 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7883 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7884 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7885 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7886 	}
7887 
7888 #undef PUT_SINFO
7889 #undef PUT_SINFO_U64
7890 
7891 	if (sinfo->pertid) {
7892 		struct nlattr *tidsattr;
7893 		int tid;
7894 
7895 		tidsattr = nla_nest_start_noflag(msg,
7896 						 NL80211_STA_INFO_TID_STATS);
7897 		if (!tidsattr)
7898 			goto nla_put_failure;
7899 
7900 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7901 			struct cfg80211_tid_stats *tidstats;
7902 			struct nlattr *tidattr;
7903 
7904 			tidstats = &sinfo->pertid[tid];
7905 
7906 			if (!tidstats->filled)
7907 				continue;
7908 
7909 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7910 			if (!tidattr)
7911 				goto nla_put_failure;
7912 
7913 #define PUT_TIDVAL_U64(attr, memb) do {					\
7914 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7915 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7916 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7917 		goto nla_put_failure;					\
7918 	} while (0)
7919 
7920 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7921 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7922 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7923 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7924 
7925 #undef PUT_TIDVAL_U64
7926 			if ((tidstats->filled &
7927 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7928 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7929 						   NL80211_TID_STATS_TXQ_STATS))
7930 				goto nla_put_failure;
7931 
7932 			nla_nest_end(msg, tidattr);
7933 		}
7934 
7935 		nla_nest_end(msg, tidsattr);
7936 	}
7937 
7938 	nla_nest_end(msg, sinfoattr);
7939 
7940 	if (sinfo->assoc_req_ies_len &&
7941 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7942 		    sinfo->assoc_req_ies))
7943 		goto nla_put_failure;
7944 
7945 	if (sinfo->assoc_resp_ies_len &&
7946 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7947 		    sinfo->assoc_resp_ies))
7948 		goto nla_put_failure;
7949 
7950 	if (sinfo->mlo_params_valid) {
7951 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7952 			       sinfo->assoc_link_id))
7953 			goto nla_put_failure;
7954 
7955 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7956 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7957 			    sinfo->mld_addr))
7958 			goto nla_put_failure;
7959 	}
7960 
7961 	if (link_stats && sinfo->valid_links) {
7962 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7963 		if (!links)
7964 			goto nla_put_failure;
7965 
7966 		for_each_valid_link(sinfo, link_id) {
7967 			link_sinfo = sinfo->links[link_id];
7968 
7969 			if (WARN_ON_ONCE(!link_sinfo))
7970 				continue;
7971 
7972 			if (!is_valid_ether_addr(link_sinfo->addr))
7973 				continue;
7974 
7975 			link = nla_nest_start(msg, link_id + 1);
7976 			if (!link)
7977 				goto nla_put_failure;
7978 
7979 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7980 				       link_id))
7981 				goto nla_put_failure;
7982 
7983 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7984 				    link_sinfo->addr))
7985 				goto nla_put_failure;
7986 
7987 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7988 				goto nla_put_failure;
7989 
7990 			nla_nest_end(msg, link);
7991 		}
7992 		nla_nest_end(msg, links);
7993 	}
7994 
7995 	cfg80211_sinfo_release_content(sinfo);
7996 	genlmsg_end(msg, hdr);
7997 	return 0;
7998 
7999  nla_put_failure:
8000 	cfg80211_sinfo_release_content(sinfo);
8001 	genlmsg_cancel(msg, hdr);
8002 	return -EMSGSIZE;
8003 }
8004 
8005 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
8006 {
8007 	struct link_station_info *link_sinfo;
8008 	int link_id, init = 0;
8009 	u32 link_inactive_time;
8010 
8011 	sinfo->signal = -99;
8012 
8013 	for_each_valid_link(sinfo, link_id) {
8014 		link_sinfo = sinfo->links[link_id];
8015 		if (!link_sinfo)
8016 			continue;
8017 
8018 		if ((link_sinfo->filled &
8019 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
8020 			sinfo->tx_packets += link_sinfo->tx_packets;
8021 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
8022 		}
8023 
8024 		if ((link_sinfo->filled &
8025 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
8026 			sinfo->rx_packets += link_sinfo->rx_packets;
8027 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
8028 		}
8029 
8030 		if (link_sinfo->filled &
8031 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
8032 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
8033 			sinfo->tx_bytes += link_sinfo->tx_bytes;
8034 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
8035 		}
8036 
8037 		if (link_sinfo->filled &
8038 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
8039 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
8040 			sinfo->rx_bytes += link_sinfo->rx_bytes;
8041 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
8042 		}
8043 
8044 		if (link_sinfo->filled &
8045 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
8046 			sinfo->tx_retries += link_sinfo->tx_retries;
8047 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
8048 		}
8049 
8050 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
8051 			sinfo->tx_failed += link_sinfo->tx_failed;
8052 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
8053 		}
8054 
8055 		if (link_sinfo->filled &
8056 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
8057 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
8058 			sinfo->filled |=
8059 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
8060 		}
8061 
8062 		if (link_sinfo->filled &
8063 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
8064 			sinfo->beacon_loss_count +=
8065 				link_sinfo->beacon_loss_count;
8066 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
8067 		}
8068 
8069 		if (link_sinfo->filled &
8070 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
8071 			sinfo->expected_throughput +=
8072 				link_sinfo->expected_throughput;
8073 			sinfo->filled |=
8074 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
8075 		}
8076 
8077 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
8078 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
8079 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
8080 		}
8081 
8082 		if (link_sinfo->filled &
8083 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
8084 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
8085 			sinfo->filled |=
8086 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
8087 		}
8088 
8089 		if (link_sinfo->filled &
8090 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
8091 			sinfo->rx_beacon += link_sinfo->rx_beacon;
8092 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
8093 		}
8094 
8095 		/* Update MLO signal, signal_avg as best among links */
8096 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
8097 		    link_sinfo->signal > sinfo->signal) {
8098 			sinfo->signal = link_sinfo->signal;
8099 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
8100 		}
8101 
8102 		if ((link_sinfo->filled &
8103 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
8104 		    link_sinfo->signal_avg > sinfo->signal_avg) {
8105 			sinfo->signal_avg = link_sinfo->signal_avg;
8106 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
8107 		}
8108 
8109 		/* Update MLO inactive_time, bss_param based on least
8110 		 * value for corresponding field of link.
8111 		 */
8112 		if ((link_sinfo->filled &
8113 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
8114 		    (!init ||
8115 		     link_inactive_time > link_sinfo->inactive_time)) {
8116 			link_inactive_time = link_sinfo->inactive_time;
8117 			sinfo->inactive_time = link_sinfo->inactive_time;
8118 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
8119 		}
8120 
8121 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
8122 		    (!init ||
8123 		     sinfo->bss_param.dtim_period >
8124 		      link_sinfo->bss_param.dtim_period)) {
8125 			sinfo->bss_param.dtim_period =
8126 				link_sinfo->bss_param.dtim_period;
8127 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
8128 			sinfo->bss_param.beacon_interval =
8129 				link_sinfo->bss_param.beacon_interval;
8130 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
8131 		}
8132 
8133 		/* Update MLO rates as per last updated link rate */
8134 		if ((link_sinfo->filled &
8135 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
8136 		    (!init ||
8137 		     link_inactive_time > link_sinfo->inactive_time)) {
8138 			sinfo->txrate = link_sinfo->txrate;
8139 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
8140 		}
8141 		if ((link_sinfo->filled &
8142 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
8143 		    (!init ||
8144 		     link_inactive_time > link_sinfo->inactive_time)) {
8145 			sinfo->rxrate = link_sinfo->rxrate;
8146 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
8147 		}
8148 
8149 		if (link_sinfo->filled &
8150 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
8151 		    (!init ||
8152 		     link_inactive_time > link_sinfo->inactive_time)) {
8153 			sinfo->tx_duration += link_sinfo->tx_duration;
8154 			sinfo->filled |=
8155 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
8156 		}
8157 		if (link_sinfo->filled &
8158 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
8159 		    (!init ||
8160 		     link_inactive_time > link_sinfo->inactive_time)) {
8161 			sinfo->rx_duration += link_sinfo->rx_duration;
8162 			sinfo->filled |=
8163 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
8164 		}
8165 		init++;
8166 
8167 		/* pertid stats accumulate for rx/tx fields */
8168 		if (sinfo->pertid) {
8169 			sinfo->pertid->rx_msdu +=
8170 				link_sinfo->pertid->rx_msdu;
8171 			sinfo->pertid->tx_msdu +=
8172 				link_sinfo->pertid->tx_msdu;
8173 			sinfo->pertid->tx_msdu_retries +=
8174 				link_sinfo->pertid->tx_msdu_retries;
8175 			sinfo->pertid->tx_msdu_failed +=
8176 				link_sinfo->pertid->tx_msdu_failed;
8177 
8178 			sinfo->pertid->filled |=
8179 				BIT(NL80211_TID_STATS_RX_MSDU) |
8180 				BIT(NL80211_TID_STATS_TX_MSDU) |
8181 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
8182 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
8183 		}
8184 	}
8185 
8186 	/* Reset sinfo->filled bits to exclude fields which don't make
8187 	 * much sense at the MLO level.
8188 	 */
8189 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
8190 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
8191 }
8192 
8193 static int nl80211_dump_station(struct sk_buff *skb,
8194 				struct netlink_callback *cb)
8195 {
8196 	struct station_info sinfo;
8197 	struct cfg80211_registered_device *rdev;
8198 	struct wireless_dev *wdev;
8199 	u8 mac_addr[ETH_ALEN];
8200 	int sta_idx = cb->args[2];
8201 	bool sinfo_alloc = false;
8202 	int err, i;
8203 
8204 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8205 	if (err)
8206 		return err;
8207 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8208 	__acquire(&rdev->wiphy.mtx);
8209 
8210 	if (!wdev->netdev && wdev->iftype != NL80211_IFTYPE_NAN) {
8211 		err = -EINVAL;
8212 		goto out_err;
8213 	}
8214 
8215 	if (!rdev->ops->dump_station) {
8216 		err = -EOPNOTSUPP;
8217 		goto out_err;
8218 	}
8219 
8220 	while (1) {
8221 		memset(&sinfo, 0, sizeof(sinfo));
8222 
8223 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8224 			sinfo.links[i] =
8225 				kzalloc_obj(*sinfo.links[0]);
8226 			if (!sinfo.links[i]) {
8227 				err = -ENOMEM;
8228 				goto out_err;
8229 			}
8230 			sinfo_alloc = true;
8231 		}
8232 
8233 		err = rdev_dump_station(rdev, wdev, sta_idx,
8234 					mac_addr, &sinfo);
8235 		if (err == -ENOENT)
8236 			break;
8237 		if (err)
8238 			goto out_err;
8239 
8240 		if (sinfo.valid_links)
8241 			cfg80211_sta_set_mld_sinfo(&sinfo);
8242 
8243 		/* reset the sinfo_alloc flag as nl80211_send_station()
8244 		 * always releases sinfo
8245 		 */
8246 		sinfo_alloc = false;
8247 
8248 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
8249 				NETLINK_CB(cb->skb).portid,
8250 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8251 				rdev, wdev, mac_addr,
8252 				&sinfo, false) < 0)
8253 			goto out;
8254 
8255 		sta_idx++;
8256 	}
8257 
8258  out:
8259 	cb->args[2] = sta_idx;
8260 	err = skb->len;
8261  out_err:
8262 	if (sinfo_alloc)
8263 		cfg80211_sinfo_release_content(&sinfo);
8264 	wiphy_unlock(&rdev->wiphy);
8265 
8266 	return err;
8267 }
8268 
8269 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
8270 {
8271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8272 	struct wireless_dev *wdev = info->user_ptr[1];
8273 	struct station_info sinfo;
8274 	struct sk_buff *msg;
8275 	u8 *mac_addr = NULL;
8276 	int err, i;
8277 
8278 	memset(&sinfo, 0, sizeof(sinfo));
8279 
8280 	if (!wdev->netdev)
8281 		return -EINVAL;
8282 
8283 	if (!info->attrs[NL80211_ATTR_MAC])
8284 		return -EINVAL;
8285 
8286 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8287 
8288 	if (!rdev->ops->get_station)
8289 		return -EOPNOTSUPP;
8290 
8291 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8292 		sinfo.links[i] = kzalloc_obj(*sinfo.links[0]);
8293 		if (!sinfo.links[i]) {
8294 			cfg80211_sinfo_release_content(&sinfo);
8295 			return -ENOMEM;
8296 		}
8297 	}
8298 
8299 	err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
8300 	if (err) {
8301 		cfg80211_sinfo_release_content(&sinfo);
8302 		return err;
8303 	}
8304 
8305 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8306 	if (!msg) {
8307 		cfg80211_sinfo_release_content(&sinfo);
8308 		return -ENOMEM;
8309 	}
8310 
8311 	if (sinfo.valid_links)
8312 		cfg80211_sta_set_mld_sinfo(&sinfo);
8313 
8314 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
8315 				 info->snd_portid, info->snd_seq, 0,
8316 				 rdev, wdev, mac_addr, &sinfo, false) < 0) {
8317 		nlmsg_free(msg);
8318 		return -ENOBUFS;
8319 	}
8320 
8321 	return genlmsg_reply(msg, info);
8322 }
8323 
8324 int cfg80211_check_station_change(struct wiphy *wiphy,
8325 				  struct station_parameters *params,
8326 				  enum cfg80211_station_type statype)
8327 {
8328 	if (params->listen_interval != -1 &&
8329 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8330 		return -EINVAL;
8331 
8332 	if (params->support_p2p_ps != -1 &&
8333 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8334 		return -EINVAL;
8335 
8336 	if (params->aid &&
8337 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
8338 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8339 		return -EINVAL;
8340 
8341 	/* When you run into this, adjust the code below for the new flag */
8342 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8343 
8344 	switch (statype) {
8345 	case CFG80211_STA_MESH_PEER_KERNEL:
8346 	case CFG80211_STA_MESH_PEER_USER:
8347 		/*
8348 		 * No ignoring the TDLS flag here -- the userspace mesh
8349 		 * code doesn't have the bug of including TDLS in the
8350 		 * mask everywhere.
8351 		 */
8352 		if (params->sta_flags_mask &
8353 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8354 				  BIT(NL80211_STA_FLAG_MFP) |
8355 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8356 			return -EINVAL;
8357 		break;
8358 	case CFG80211_STA_TDLS_PEER_SETUP:
8359 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8360 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8361 			return -EINVAL;
8362 		/* ignore since it can't change */
8363 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8364 		break;
8365 	default:
8366 		/* disallow mesh-specific things */
8367 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8368 			return -EINVAL;
8369 		if (params->local_pm)
8370 			return -EINVAL;
8371 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8372 			return -EINVAL;
8373 	}
8374 
8375 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8376 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8377 		/* TDLS can't be set, ... */
8378 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8379 			return -EINVAL;
8380 		/*
8381 		 * ... but don't bother the driver with it. This works around
8382 		 * a hostapd/wpa_supplicant issue -- it always includes the
8383 		 * TLDS_PEER flag in the mask even for AP mode.
8384 		 */
8385 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8386 	}
8387 
8388 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8389 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8390 		/* reject other things that can't change */
8391 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8392 			return -EINVAL;
8393 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8394 			return -EINVAL;
8395 		if (params->link_sta_params.supported_rates)
8396 			return -EINVAL;
8397 		if (statype != CFG80211_STA_NAN_MGMT &&
8398 		    (params->link_sta_params.ht_capa ||
8399 		     params->link_sta_params.vht_capa ||
8400 		     params->link_sta_params.he_capa))
8401 			return -EINVAL;
8402 		if (params->ext_capab || params->link_sta_params.eht_capa ||
8403 		    params->link_sta_params.uhr_capa)
8404 			return -EINVAL;
8405 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8406 			return -EINVAL;
8407 	}
8408 
8409 	if (statype != CFG80211_STA_AP_CLIENT &&
8410 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8411 		if (params->vlan)
8412 			return -EINVAL;
8413 	}
8414 
8415 	/* Accept EMLSR capabilities only for AP client before association */
8416 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8417 	    params->eml_cap_present)
8418 		return -EINVAL;
8419 
8420 	switch (statype) {
8421 	case CFG80211_STA_AP_MLME_CLIENT:
8422 		/* Use this only for authorizing/unauthorizing a station */
8423 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8424 			return -EOPNOTSUPP;
8425 		break;
8426 	case CFG80211_STA_AP_CLIENT:
8427 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8428 		/* accept only the listed bits */
8429 		if (params->sta_flags_mask &
8430 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8431 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8432 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8433 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8434 				  BIT(NL80211_STA_FLAG_WME) |
8435 				  BIT(NL80211_STA_FLAG_MFP) |
8436 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8437 			return -EINVAL;
8438 
8439 		/* but authenticated/associated only if driver handles it */
8440 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8441 		    params->sta_flags_mask &
8442 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8443 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8444 			return -EINVAL;
8445 		break;
8446 	case CFG80211_STA_IBSS:
8447 	case CFG80211_STA_AP_STA:
8448 		/* reject any changes other than AUTHORIZED */
8449 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8450 			return -EINVAL;
8451 		break;
8452 	case CFG80211_STA_TDLS_PEER_SETUP:
8453 		/* reject any changes other than AUTHORIZED or WME */
8454 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8455 					       BIT(NL80211_STA_FLAG_WME)))
8456 			return -EINVAL;
8457 		/* force (at least) rates when authorizing */
8458 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8459 		    !params->link_sta_params.supported_rates)
8460 			return -EINVAL;
8461 		break;
8462 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8463 		/* reject any changes */
8464 		return -EINVAL;
8465 	case CFG80211_STA_MESH_PEER_KERNEL:
8466 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8467 			return -EINVAL;
8468 		break;
8469 	case CFG80211_STA_MESH_PEER_USER:
8470 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8471 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8472 			return -EINVAL;
8473 		break;
8474 	case CFG80211_STA_NAN_MGMT:
8475 		if (params->sta_flags_mask &
8476 		    ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8477 		      BIT(NL80211_STA_FLAG_MFP)))
8478 			return -EINVAL;
8479 		break;
8480 	case CFG80211_STA_NAN_DATA:
8481 		if (params->sta_flags_mask &
8482 		    ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8483 		      BIT(NL80211_STA_FLAG_MFP) |
8484 		      BIT(NL80211_STA_FLAG_WME)))
8485 			return -EINVAL;
8486 		break;
8487 	}
8488 
8489 	/*
8490 	 * Older kernel versions ignored this attribute entirely, so don't
8491 	 * reject attempts to update it but mark it as unused instead so the
8492 	 * driver won't look at the data.
8493 	 */
8494 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8495 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8496 		params->link_sta_params.opmode_notif_used = false;
8497 
8498 	return 0;
8499 }
8500 EXPORT_SYMBOL(cfg80211_check_station_change);
8501 
8502 /*
8503  * Get vlan interface making sure it is running and on the right wiphy.
8504  */
8505 static struct net_device *get_vlan(struct genl_info *info,
8506 				   struct cfg80211_registered_device *rdev)
8507 {
8508 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8509 	struct net_device *v;
8510 	int ret;
8511 
8512 	if (!vlanattr)
8513 		return NULL;
8514 
8515 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8516 	if (!v)
8517 		return ERR_PTR(-ENODEV);
8518 
8519 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8520 		ret = -EINVAL;
8521 		goto error;
8522 	}
8523 
8524 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8525 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8526 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8527 		ret = -EINVAL;
8528 		goto error;
8529 	}
8530 
8531 	if (!netif_running(v)) {
8532 		ret = -ENETDOWN;
8533 		goto error;
8534 	}
8535 
8536 	return v;
8537  error:
8538 	dev_put(v);
8539 	return ERR_PTR(ret);
8540 }
8541 
8542 static int nl80211_parse_sta_wme(struct genl_info *info,
8543 				 struct station_parameters *params)
8544 {
8545 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8546 	struct nlattr *nla;
8547 	int err;
8548 
8549 	/* parse WME attributes if present */
8550 	if (!info->attrs[NL80211_ATTR_STA_WME])
8551 		return 0;
8552 
8553 	nla = info->attrs[NL80211_ATTR_STA_WME];
8554 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8555 					  nl80211_sta_wme_policy,
8556 					  info->extack);
8557 	if (err)
8558 		return err;
8559 
8560 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8561 		params->uapsd_queues = nla_get_u8(
8562 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8563 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8564 		return -EINVAL;
8565 
8566 	if (tb[NL80211_STA_WME_MAX_SP])
8567 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8568 
8569 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8570 		return -EINVAL;
8571 
8572 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8573 
8574 	return 0;
8575 }
8576 
8577 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8578 				      struct station_parameters *params)
8579 {
8580 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8581 		params->supported_channels =
8582 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8583 		params->supported_channels_len =
8584 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8585 		/*
8586 		 * Need to include at least one (first channel, number of
8587 		 * channels) tuple for each subband (checked in policy),
8588 		 * and must have proper tuples for the rest of the data as well.
8589 		 */
8590 		if (params->supported_channels_len % 2)
8591 			return -EINVAL;
8592 	}
8593 
8594 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8595 		params->supported_oper_classes =
8596 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8597 		params->supported_oper_classes_len =
8598 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8599 	}
8600 	return 0;
8601 }
8602 
8603 static int nl80211_set_station_tdls(struct genl_info *info,
8604 				    struct station_parameters *params)
8605 {
8606 	int err;
8607 	/* Dummy STA entry gets updated once the peer capabilities are known */
8608 	if (info->attrs[NL80211_ATTR_PEER_AID])
8609 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8610 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8611 		params->link_sta_params.ht_capa =
8612 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8613 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8614 		params->link_sta_params.vht_capa =
8615 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8616 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8617 		params->link_sta_params.he_capa =
8618 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8619 		params->link_sta_params.he_capa_len =
8620 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8621 
8622 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8623 			params->link_sta_params.eht_capa =
8624 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8625 			params->link_sta_params.eht_capa_len =
8626 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8627 
8628 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8629 							(const u8 *)params->link_sta_params.eht_capa,
8630 							params->link_sta_params.eht_capa_len,
8631 							false))
8632 				return -EINVAL;
8633 		}
8634 	}
8635 
8636 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8637 		if (!params->link_sta_params.eht_capa)
8638 			return -EINVAL;
8639 
8640 		params->link_sta_params.uhr_capa =
8641 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8642 		params->link_sta_params.uhr_capa_len =
8643 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8644 	}
8645 
8646 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8647 		params->link_sta_params.s1g_capa =
8648 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8649 
8650 	err = nl80211_parse_sta_channel_info(info, params);
8651 	if (err)
8652 		return err;
8653 
8654 	return nl80211_parse_sta_wme(info, params);
8655 }
8656 
8657 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8658 					     struct sta_txpwr *txpwr,
8659 					     bool *txpwr_set)
8660 {
8661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8662 	int idx;
8663 
8664 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8665 		if (!rdev->ops->set_tx_power ||
8666 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8667 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8668 			return -EOPNOTSUPP;
8669 
8670 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8671 		txpwr->type = nla_get_u8(info->attrs[idx]);
8672 
8673 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8674 			idx = NL80211_ATTR_STA_TX_POWER;
8675 
8676 			if (info->attrs[idx])
8677 				txpwr->power = nla_get_s16(info->attrs[idx]);
8678 			else
8679 				return -EINVAL;
8680 		}
8681 
8682 		*txpwr_set = true;
8683 	} else {
8684 		*txpwr_set = false;
8685 	}
8686 
8687 	return 0;
8688 }
8689 
8690 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8691 {
8692 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8693 	struct wireless_dev *wdev = info->user_ptr[1];
8694 	struct net_device *dev = wdev->netdev;
8695 	struct station_parameters params;
8696 	u8 *mac_addr;
8697 	int err;
8698 
8699 	memset(&params, 0, sizeof(params));
8700 
8701 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN &&
8702 	    wdev->iftype != NL80211_IFTYPE_NAN_DATA)
8703 		return -EINVAL;
8704 
8705 	if (!rdev->ops->change_station)
8706 		return -EOPNOTSUPP;
8707 
8708 	/*
8709 	 * AID and listen_interval properties can be set only for unassociated
8710 	 * station. Include these parameters here and will check them in
8711 	 * cfg80211_check_station_change().
8712 	 */
8713 	if (info->attrs[NL80211_ATTR_STA_AID])
8714 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8715 
8716 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8717 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8718 
8719 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8720 		params.listen_interval =
8721 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8722 	else
8723 		params.listen_interval = -1;
8724 
8725 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8726 		params.support_p2p_ps =
8727 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8728 	else
8729 		params.support_p2p_ps = -1;
8730 
8731 	if (!info->attrs[NL80211_ATTR_MAC])
8732 		return -EINVAL;
8733 
8734 	params.link_sta_params.link_id =
8735 		nl80211_link_id_or_invalid(info->attrs);
8736 
8737 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8738 		/* If MLD_ADDR attribute is set then this is an MLD station
8739 		 * and the MLD_ADDR attribute holds the MLD address and the
8740 		 * MAC attribute holds for the LINK address.
8741 		 * In that case, the link_id is also expected to be valid.
8742 		 */
8743 		if (params.link_sta_params.link_id < 0)
8744 			return -EINVAL;
8745 
8746 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8747 		params.link_sta_params.mld_mac = mac_addr;
8748 		params.link_sta_params.link_mac =
8749 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8750 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8751 			return -EINVAL;
8752 	} else {
8753 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8754 	}
8755 
8756 
8757 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8758 		params.link_sta_params.supported_rates =
8759 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8760 		params.link_sta_params.supported_rates_len =
8761 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8762 	}
8763 
8764 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8765 		params.capability =
8766 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8767 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8768 	}
8769 
8770 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8771 		params.ext_capab =
8772 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8773 		params.ext_capab_len =
8774 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8775 	}
8776 
8777 	if (parse_station_flags(info, wdev->iftype, &params))
8778 		return -EINVAL;
8779 
8780 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8781 		params.plink_action =
8782 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8783 
8784 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8785 		params.plink_state =
8786 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8787 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8788 			params.peer_aid = nla_get_u16(
8789 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8790 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8791 	}
8792 
8793 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8794 		params.local_pm = nla_get_u32(
8795 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8796 
8797 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8798 		params.link_sta_params.opmode_notif_used = true;
8799 		params.link_sta_params.opmode_notif =
8800 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8801 	}
8802 
8803 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8804 		params.link_sta_params.he_6ghz_capa =
8805 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8806 
8807 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8808 		params.eml_cap_present = true;
8809 		params.eml_cap =
8810 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8811 	}
8812 
8813 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8814 		params.airtime_weight =
8815 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8816 
8817 	if (params.airtime_weight &&
8818 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8819 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8820 		return -EOPNOTSUPP;
8821 
8822 	err = nl80211_parse_sta_txpower_setting(info,
8823 						&params.link_sta_params.txpwr,
8824 						&params.link_sta_params.txpwr_set);
8825 	if (err)
8826 		return err;
8827 
8828 	/* Include parameters for TDLS peer (will check later) */
8829 	err = nl80211_set_station_tdls(info, &params);
8830 	if (err)
8831 		return err;
8832 
8833 	params.vlan = get_vlan(info, rdev);
8834 	if (IS_ERR(params.vlan))
8835 		return PTR_ERR(params.vlan);
8836 
8837 	switch (wdev->iftype) {
8838 	case NL80211_IFTYPE_AP:
8839 	case NL80211_IFTYPE_AP_VLAN:
8840 	case NL80211_IFTYPE_P2P_GO:
8841 	case NL80211_IFTYPE_P2P_CLIENT:
8842 	case NL80211_IFTYPE_STATION:
8843 	case NL80211_IFTYPE_ADHOC:
8844 	case NL80211_IFTYPE_MESH_POINT:
8845 	case NL80211_IFTYPE_NAN:
8846 	case NL80211_IFTYPE_NAN_DATA:
8847 		break;
8848 	default:
8849 		err = -EOPNOTSUPP;
8850 		goto out_put_vlan;
8851 	}
8852 
8853 	/* driver will call cfg80211_check_station_change() */
8854 	err = rdev_change_station(rdev, wdev, mac_addr, &params);
8855 
8856  out_put_vlan:
8857 	dev_put(params.vlan);
8858 
8859 	return err;
8860 }
8861 
8862 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8863 {
8864 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8865 	int err;
8866 	struct wireless_dev *wdev = info->user_ptr[1];
8867 	struct net_device *dev = wdev->netdev;
8868 	struct station_parameters params;
8869 	u8 *mac_addr = NULL;
8870 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8871 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8872 
8873 	memset(&params, 0, sizeof(params));
8874 
8875 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN)
8876 		return -EINVAL;
8877 
8878 	if (!rdev->ops->add_station)
8879 		return -EOPNOTSUPP;
8880 
8881 	if (!info->attrs[NL80211_ATTR_MAC])
8882 		return -EINVAL;
8883 
8884 	if (wdev->iftype == NL80211_IFTYPE_NAN ||
8885 	    wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
8886 		if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8887 			return -EINVAL;
8888 		if (wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
8889 			if (!info->attrs[NL80211_ATTR_NAN_NMI_MAC])
8890 				return -EINVAL;
8891 
8892 			/* Only NMI stations receive the HT/VHT/HE capabilities */
8893 			if (info->attrs[NL80211_ATTR_HT_CAPABILITY] ||
8894 			    info->attrs[NL80211_ATTR_VHT_CAPABILITY] ||
8895 			    info->attrs[NL80211_ATTR_HE_CAPABILITY])
8896 				return -EINVAL;
8897 		}
8898 	} else {
8899 		if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8900 			return -EINVAL;
8901 
8902 		if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8903 			return -EINVAL;
8904 
8905 		if (!info->attrs[NL80211_ATTR_STA_AID] &&
8906 		    !info->attrs[NL80211_ATTR_PEER_AID])
8907 			return -EINVAL;
8908 	}
8909 
8910 	params.link_sta_params.link_id =
8911 		nl80211_link_id_or_invalid(info->attrs);
8912 
8913 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8914 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8915 		params.link_sta_params.mld_mac = mac_addr;
8916 		params.link_sta_params.link_mac =
8917 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8918 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8919 			return -EINVAL;
8920 	} else {
8921 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8922 	}
8923 
8924 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8925 		params.link_sta_params.supported_rates =
8926 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8927 		params.link_sta_params.supported_rates_len =
8928 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8929 	}
8930 
8931 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8932 		params.listen_interval =
8933 			nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8934 
8935 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8936 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8937 
8938 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8939 		params.support_p2p_ps =
8940 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8941 	} else {
8942 		/*
8943 		 * if not specified, assume it's supported for P2P GO interface,
8944 		 * and is NOT supported for AP interface
8945 		 */
8946 		params.support_p2p_ps =
8947 			wdev->iftype == NL80211_IFTYPE_P2P_GO;
8948 	}
8949 
8950 	if (info->attrs[NL80211_ATTR_PEER_AID])
8951 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8952 	else if (info->attrs[NL80211_ATTR_STA_AID])
8953 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8954 
8955 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8956 		params.capability =
8957 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8958 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8959 	}
8960 
8961 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8962 		params.ext_capab =
8963 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8964 		params.ext_capab_len =
8965 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8966 	}
8967 
8968 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8969 		params.link_sta_params.ht_capa =
8970 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8971 
8972 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8973 		params.link_sta_params.vht_capa =
8974 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8975 
8976 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8977 		params.link_sta_params.he_capa =
8978 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8979 		params.link_sta_params.he_capa_len =
8980 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8981 
8982 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8983 			params.link_sta_params.eht_capa =
8984 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8985 			params.link_sta_params.eht_capa_len =
8986 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8987 
8988 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8989 							(const u8 *)params.link_sta_params.eht_capa,
8990 							params.link_sta_params.eht_capa_len,
8991 							false))
8992 				return -EINVAL;
8993 		}
8994 	}
8995 
8996 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8997 		if (!params.link_sta_params.eht_capa)
8998 			return -EINVAL;
8999 
9000 		params.link_sta_params.uhr_capa =
9001 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
9002 		params.link_sta_params.uhr_capa_len =
9003 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
9004 	}
9005 
9006 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
9007 		params.eml_cap_present = true;
9008 		params.eml_cap =
9009 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
9010 	}
9011 
9012 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
9013 		params.link_sta_params.he_6ghz_capa =
9014 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
9015 
9016 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
9017 		params.link_sta_params.s1g_capa =
9018 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
9019 
9020 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
9021 		params.link_sta_params.opmode_notif_used = true;
9022 		params.link_sta_params.opmode_notif =
9023 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
9024 	}
9025 
9026 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
9027 		params.plink_action =
9028 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
9029 
9030 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
9031 		params.airtime_weight =
9032 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
9033 
9034 	if (params.airtime_weight &&
9035 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9036 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
9037 		return -EOPNOTSUPP;
9038 
9039 	err = nl80211_parse_sta_txpower_setting(info,
9040 						&params.link_sta_params.txpwr,
9041 						&params.link_sta_params.txpwr_set);
9042 	if (err)
9043 		return err;
9044 
9045 	err = nl80211_parse_sta_channel_info(info, &params);
9046 	if (err)
9047 		return err;
9048 
9049 	err = nl80211_parse_sta_wme(info, &params);
9050 	if (err)
9051 		return err;
9052 
9053 	if (parse_station_flags(info, wdev->iftype, &params))
9054 		return -EINVAL;
9055 
9056 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
9057 	 * as userspace might just pass through the capabilities from the IEs
9058 	 * directly, rather than enforcing this restriction and returning an
9059 	 * error in this case.
9060 	 */
9061 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
9062 		params.link_sta_params.ht_capa = NULL;
9063 		params.link_sta_params.vht_capa = NULL;
9064 
9065 		/* HE, EHT and UHR require WME */
9066 		if (params.link_sta_params.he_capa_len ||
9067 		    params.link_sta_params.he_6ghz_capa ||
9068 		    params.link_sta_params.eht_capa_len ||
9069 		    params.link_sta_params.uhr_capa_len)
9070 			return -EINVAL;
9071 	}
9072 
9073 	if (wdev->iftype == NL80211_IFTYPE_NAN ||
9074 	    wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
9075 		if (params.sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
9076 			return -EINVAL;
9077 		/* NAN NMI station must be added in associated or authorized state */
9078 		if (!(params.sta_flags_set & (BIT(NL80211_STA_FLAG_ASSOCIATED) |
9079 					      BIT(NL80211_STA_FLAG_AUTHENTICATED))))
9080 			return -EINVAL;
9081 	}
9082 
9083 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
9084 	if (params.link_sta_params.he_6ghz_capa &&
9085 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
9086 		return -EINVAL;
9087 
9088 	/* When you run into this, adjust the code below for the new flag */
9089 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
9090 
9091 	switch (wdev->iftype) {
9092 	case NL80211_IFTYPE_AP:
9093 	case NL80211_IFTYPE_AP_VLAN:
9094 	case NL80211_IFTYPE_P2P_GO:
9095 		/* ignore WME attributes if iface/sta is not capable */
9096 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
9097 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
9098 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9099 
9100 		/* TDLS peers cannot be added */
9101 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
9102 		    info->attrs[NL80211_ATTR_PEER_AID])
9103 			return -EINVAL;
9104 		/* but don't bother the driver with it */
9105 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
9106 
9107 		/* allow authenticated/associated only if driver handles it */
9108 		if (!(rdev->wiphy.features &
9109 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
9110 		    params.sta_flags_mask & auth_assoc)
9111 			return -EINVAL;
9112 
9113 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9114 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
9115 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
9116 			return -EINVAL;
9117 
9118 		/* Older userspace, or userspace wanting to be compatible with
9119 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
9120 		 * and assoc flags in the mask, but assumes the station will be
9121 		 * added as associated anyway since this was the required driver
9122 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
9123 		 * introduced.
9124 		 * In order to not bother drivers with this quirk in the API
9125 		 * set the flags in both the mask and set for new stations in
9126 		 * this case.
9127 		 */
9128 		if (!(params.sta_flags_mask & auth_assoc)) {
9129 			params.sta_flags_mask |= auth_assoc;
9130 			params.sta_flags_set |= auth_assoc;
9131 		}
9132 
9133 		/* must be last in here for error handling */
9134 		params.vlan = get_vlan(info, rdev);
9135 		if (IS_ERR(params.vlan))
9136 			return PTR_ERR(params.vlan);
9137 		break;
9138 	case NL80211_IFTYPE_MESH_POINT:
9139 		/* ignore uAPSD data */
9140 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9141 
9142 		/* associated is disallowed */
9143 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
9144 			return -EINVAL;
9145 		/* TDLS peers cannot be added */
9146 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
9147 		    info->attrs[NL80211_ATTR_PEER_AID])
9148 			return -EINVAL;
9149 		break;
9150 	case NL80211_IFTYPE_STATION:
9151 	case NL80211_IFTYPE_P2P_CLIENT:
9152 		/* ignore uAPSD data */
9153 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9154 
9155 		/* these are disallowed */
9156 		if (params.sta_flags_mask &
9157 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
9158 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
9159 			return -EINVAL;
9160 		/* Only TDLS peers can be added */
9161 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
9162 			return -EINVAL;
9163 		/* Can only add if TDLS ... */
9164 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
9165 			return -EOPNOTSUPP;
9166 		/* ... with external setup is supported */
9167 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
9168 			return -EOPNOTSUPP;
9169 		/*
9170 		 * Older wpa_supplicant versions always mark the TDLS peer
9171 		 * as authorized, but it shouldn't yet be.
9172 		 */
9173 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
9174 		break;
9175 	case NL80211_IFTYPE_NAN:
9176 		break;
9177 	case NL80211_IFTYPE_NAN_DATA:
9178 		params.nmi_mac = nla_data(info->attrs[NL80211_ATTR_NAN_NMI_MAC]);
9179 		break;
9180 	default:
9181 		return -EOPNOTSUPP;
9182 	}
9183 
9184 	/* be aware of params.vlan when changing code here */
9185 
9186 	if (wdev->valid_links) {
9187 		if (params.link_sta_params.link_id < 0) {
9188 			err = -EINVAL;
9189 			goto out;
9190 		}
9191 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
9192 			err = -ENOLINK;
9193 			goto out;
9194 		}
9195 	} else {
9196 		if (params.link_sta_params.link_id >= 0) {
9197 			err = -EINVAL;
9198 			goto out;
9199 		}
9200 	}
9201 
9202 	params.epp_peer =
9203 		nla_get_flag(info->attrs[NL80211_ATTR_EPP_PEER]);
9204 
9205 	err = rdev_add_station(rdev, wdev, mac_addr, &params);
9206 out:
9207 	dev_put(params.vlan);
9208 	return err;
9209 }
9210 
9211 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
9212 {
9213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9214 	struct wireless_dev *wdev = info->user_ptr[1];
9215 	struct net_device *dev = wdev->netdev;
9216 	struct station_del_parameters params;
9217 	int link_id = nl80211_link_id_or_invalid(info->attrs);
9218 
9219 	memset(&params, 0, sizeof(params));
9220 
9221 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN)
9222 		return -EINVAL;
9223 
9224 	if (info->attrs[NL80211_ATTR_MAC])
9225 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
9226 
9227 	switch (wdev->iftype) {
9228 	case NL80211_IFTYPE_AP:
9229 	case NL80211_IFTYPE_AP_VLAN:
9230 	case NL80211_IFTYPE_MESH_POINT:
9231 	case NL80211_IFTYPE_P2P_GO:
9232 	case NL80211_IFTYPE_NAN:
9233 	case NL80211_IFTYPE_NAN_DATA:
9234 		/* always accept these */
9235 		break;
9236 	case NL80211_IFTYPE_ADHOC:
9237 		/* conditionally accept */
9238 		if (wiphy_ext_feature_isset(&rdev->wiphy,
9239 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
9240 			break;
9241 		return -EINVAL;
9242 	default:
9243 		return -EINVAL;
9244 	}
9245 
9246 	if (!rdev->ops->del_station)
9247 		return -EOPNOTSUPP;
9248 
9249 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
9250 		params.subtype =
9251 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
9252 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
9253 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
9254 			return -EINVAL;
9255 	} else {
9256 		/* Default to Deauthentication frame */
9257 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
9258 	}
9259 
9260 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
9261 		params.reason_code =
9262 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9263 		if (params.reason_code == 0)
9264 			return -EINVAL; /* 0 is reserved */
9265 	} else {
9266 		/* Default to reason code 2 */
9267 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
9268 	}
9269 
9270 	/* Link ID not expected in case of non-ML operation */
9271 	if (!wdev->valid_links && link_id != -1)
9272 		return -EINVAL;
9273 
9274 	/* If given, a valid link ID should be passed during MLO */
9275 	if (wdev->valid_links && link_id >= 0 &&
9276 	    !(wdev->valid_links & BIT(link_id)))
9277 		return -EINVAL;
9278 
9279 	params.link_id = link_id;
9280 
9281 	return rdev_del_station(rdev, wdev, &params);
9282 }
9283 
9284 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
9285 				int flags, struct net_device *dev,
9286 				u8 *dst, u8 *next_hop,
9287 				struct mpath_info *pinfo)
9288 {
9289 	void *hdr;
9290 	struct nlattr *pinfoattr;
9291 
9292 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
9293 	if (!hdr)
9294 		return -1;
9295 
9296 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9297 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
9298 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
9299 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
9300 		goto nla_put_failure;
9301 
9302 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
9303 	if (!pinfoattr)
9304 		goto nla_put_failure;
9305 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
9306 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
9307 			pinfo->frame_qlen))
9308 		goto nla_put_failure;
9309 	if (((pinfo->filled & MPATH_INFO_SN) &&
9310 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
9311 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
9312 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
9313 			 pinfo->metric)) ||
9314 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
9315 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
9316 			 pinfo->exptime)) ||
9317 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
9318 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
9319 			pinfo->flags)) ||
9320 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
9321 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
9322 			 pinfo->discovery_timeout)) ||
9323 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
9324 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
9325 			pinfo->discovery_retries)) ||
9326 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
9327 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
9328 			pinfo->hop_count)) ||
9329 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
9330 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
9331 			 pinfo->path_change_count)))
9332 		goto nla_put_failure;
9333 
9334 	nla_nest_end(msg, pinfoattr);
9335 
9336 	genlmsg_end(msg, hdr);
9337 	return 0;
9338 
9339  nla_put_failure:
9340 	genlmsg_cancel(msg, hdr);
9341 	return -EMSGSIZE;
9342 }
9343 
9344 static int nl80211_dump_mpath(struct sk_buff *skb,
9345 			      struct netlink_callback *cb)
9346 {
9347 	struct mpath_info pinfo;
9348 	struct cfg80211_registered_device *rdev;
9349 	struct wireless_dev *wdev;
9350 	u8 dst[ETH_ALEN];
9351 	u8 next_hop[ETH_ALEN];
9352 	int path_idx = cb->args[2];
9353 	int err;
9354 
9355 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9356 	if (err)
9357 		return err;
9358 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9359 	__acquire(&rdev->wiphy.mtx);
9360 
9361 	if (!rdev->ops->dump_mpath) {
9362 		err = -EOPNOTSUPP;
9363 		goto out_err;
9364 	}
9365 
9366 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9367 		err = -EOPNOTSUPP;
9368 		goto out_err;
9369 	}
9370 
9371 	while (1) {
9372 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
9373 				      next_hop, &pinfo);
9374 		if (err == -ENOENT)
9375 			break;
9376 		if (err)
9377 			goto out_err;
9378 
9379 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9380 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9381 				       wdev->netdev, dst, next_hop,
9382 				       &pinfo) < 0)
9383 			goto out;
9384 
9385 		path_idx++;
9386 	}
9387 
9388  out:
9389 	cb->args[2] = path_idx;
9390 	err = skb->len;
9391  out_err:
9392 	wiphy_unlock(&rdev->wiphy);
9393 	return err;
9394 }
9395 
9396 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
9397 {
9398 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9399 	int err;
9400 	struct net_device *dev = info->user_ptr[1];
9401 	struct mpath_info pinfo;
9402 	struct sk_buff *msg;
9403 	u8 *dst = NULL;
9404 	u8 next_hop[ETH_ALEN];
9405 
9406 	memset(&pinfo, 0, sizeof(pinfo));
9407 
9408 	if (!info->attrs[NL80211_ATTR_MAC])
9409 		return -EINVAL;
9410 
9411 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9412 
9413 	if (!rdev->ops->get_mpath)
9414 		return -EOPNOTSUPP;
9415 
9416 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9417 		return -EOPNOTSUPP;
9418 
9419 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
9420 	if (err)
9421 		return err;
9422 
9423 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9424 	if (!msg)
9425 		return -ENOMEM;
9426 
9427 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9428 				 dev, dst, next_hop, &pinfo) < 0) {
9429 		nlmsg_free(msg);
9430 		return -ENOBUFS;
9431 	}
9432 
9433 	return genlmsg_reply(msg, info);
9434 }
9435 
9436 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9437 {
9438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9439 	struct net_device *dev = info->user_ptr[1];
9440 	u8 *dst = NULL;
9441 	u8 *next_hop = NULL;
9442 
9443 	if (!info->attrs[NL80211_ATTR_MAC])
9444 		return -EINVAL;
9445 
9446 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9447 		return -EINVAL;
9448 
9449 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9450 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9451 
9452 	if (!rdev->ops->change_mpath)
9453 		return -EOPNOTSUPP;
9454 
9455 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9456 		return -EOPNOTSUPP;
9457 
9458 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9459 }
9460 
9461 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9462 {
9463 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9464 	struct net_device *dev = info->user_ptr[1];
9465 	u8 *dst = NULL;
9466 	u8 *next_hop = NULL;
9467 
9468 	if (!info->attrs[NL80211_ATTR_MAC])
9469 		return -EINVAL;
9470 
9471 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9472 		return -EINVAL;
9473 
9474 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9475 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9476 
9477 	if (!rdev->ops->add_mpath)
9478 		return -EOPNOTSUPP;
9479 
9480 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9481 		return -EOPNOTSUPP;
9482 
9483 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9484 }
9485 
9486 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9487 {
9488 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9489 	struct net_device *dev = info->user_ptr[1];
9490 	u8 *dst = NULL;
9491 
9492 	if (info->attrs[NL80211_ATTR_MAC])
9493 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9494 
9495 	if (!rdev->ops->del_mpath)
9496 		return -EOPNOTSUPP;
9497 
9498 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9499 		return -EOPNOTSUPP;
9500 
9501 	return rdev_del_mpath(rdev, dev, dst);
9502 }
9503 
9504 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9505 {
9506 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9507 	int err;
9508 	struct net_device *dev = info->user_ptr[1];
9509 	struct mpath_info pinfo;
9510 	struct sk_buff *msg;
9511 	u8 *dst = NULL;
9512 	u8 mpp[ETH_ALEN];
9513 
9514 	memset(&pinfo, 0, sizeof(pinfo));
9515 
9516 	if (!info->attrs[NL80211_ATTR_MAC])
9517 		return -EINVAL;
9518 
9519 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9520 
9521 	if (!rdev->ops->get_mpp)
9522 		return -EOPNOTSUPP;
9523 
9524 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9525 		return -EOPNOTSUPP;
9526 
9527 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9528 	if (err)
9529 		return err;
9530 
9531 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9532 	if (!msg)
9533 		return -ENOMEM;
9534 
9535 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9536 			       dev, dst, mpp, &pinfo) < 0) {
9537 		nlmsg_free(msg);
9538 		return -ENOBUFS;
9539 	}
9540 
9541 	return genlmsg_reply(msg, info);
9542 }
9543 
9544 static int nl80211_dump_mpp(struct sk_buff *skb,
9545 			    struct netlink_callback *cb)
9546 {
9547 	struct mpath_info pinfo;
9548 	struct cfg80211_registered_device *rdev;
9549 	struct wireless_dev *wdev;
9550 	u8 dst[ETH_ALEN];
9551 	u8 mpp[ETH_ALEN];
9552 	int path_idx = cb->args[2];
9553 	int err;
9554 
9555 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9556 	if (err)
9557 		return err;
9558 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9559 	__acquire(&rdev->wiphy.mtx);
9560 
9561 	if (!rdev->ops->dump_mpp) {
9562 		err = -EOPNOTSUPP;
9563 		goto out_err;
9564 	}
9565 
9566 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9567 		err = -EOPNOTSUPP;
9568 		goto out_err;
9569 	}
9570 
9571 	while (1) {
9572 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9573 				    mpp, &pinfo);
9574 		if (err == -ENOENT)
9575 			break;
9576 		if (err)
9577 			goto out_err;
9578 
9579 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9580 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9581 				       wdev->netdev, dst, mpp,
9582 				       &pinfo) < 0)
9583 			goto out;
9584 
9585 		path_idx++;
9586 	}
9587 
9588  out:
9589 	cb->args[2] = path_idx;
9590 	err = skb->len;
9591  out_err:
9592 	wiphy_unlock(&rdev->wiphy);
9593 	return err;
9594 }
9595 
9596 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9597 {
9598 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9599 	struct net_device *dev = info->user_ptr[1];
9600 	struct bss_parameters params;
9601 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9602 	u32 changed = 0;
9603 	bool strict;
9604 
9605 	memset(&params, 0, sizeof(params));
9606 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9607 	/* default to not changing parameters */
9608 	params.use_cts_prot = -1;
9609 	params.use_short_preamble = -1;
9610 	params.use_short_slot_time = -1;
9611 	params.ap_isolate = -1;
9612 	params.ht_opmode = -1;
9613 	params.p2p_ctwindow = -1;
9614 	params.p2p_opp_ps = -1;
9615 
9616 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9617 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9618 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9619 			return -EINVAL;
9620 		params.use_cts_prot =
9621 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9622 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9623 	}
9624 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9625 		if (strict &&
9626 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9627 			return -EINVAL;
9628 		params.use_short_preamble =
9629 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9630 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9631 	}
9632 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9633 		if (strict &&
9634 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9635 			return -EINVAL;
9636 		params.use_short_slot_time =
9637 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9638 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9639 	}
9640 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9641 		if (strict &&
9642 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9643 			return -EINVAL;
9644 		params.basic_rates =
9645 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9646 		params.basic_rates_len =
9647 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9648 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9649 	}
9650 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9651 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9652 			return -EINVAL;
9653 		params.ap_isolate =
9654 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9655 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9656 	}
9657 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9658 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9659 			return -EINVAL;
9660 		params.ht_opmode =
9661 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9662 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9663 	}
9664 
9665 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9666 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9667 			return -EINVAL;
9668 		params.p2p_ctwindow =
9669 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9670 		if (params.p2p_ctwindow != 0 &&
9671 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9672 			return -EINVAL;
9673 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9674 	}
9675 
9676 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9677 		u8 tmp;
9678 
9679 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9680 			return -EINVAL;
9681 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9682 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9683 			return -EINVAL;
9684 		params.p2p_opp_ps = tmp;
9685 		if (params.p2p_opp_ps &&
9686 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9687 			return -EINVAL;
9688 	}
9689 
9690 	if (!rdev->ops->change_bss)
9691 		return -EOPNOTSUPP;
9692 
9693 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9694 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9695 		return -EOPNOTSUPP;
9696 
9697 	changed &= rdev->wiphy.bss_param_support;
9698 	if (!changed)
9699 		return 0;
9700 
9701 	return rdev_change_bss(rdev, dev, &params);
9702 }
9703 
9704 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9705 {
9706 	char *data = NULL;
9707 	bool is_indoor;
9708 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9709 	u32 owner_nlportid;
9710 
9711 	/*
9712 	 * You should only get this when cfg80211 hasn't yet initialized
9713 	 * completely when built-in to the kernel right between the time
9714 	 * window between nl80211_init() and regulatory_init(), if that is
9715 	 * even possible.
9716 	 */
9717 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9718 		return -EINPROGRESS;
9719 
9720 	user_reg_hint_type =
9721 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9722 				    NL80211_USER_REG_HINT_USER);
9723 
9724 	switch (user_reg_hint_type) {
9725 	case NL80211_USER_REG_HINT_USER:
9726 	case NL80211_USER_REG_HINT_CELL_BASE:
9727 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9728 			return -EINVAL;
9729 
9730 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9731 		return regulatory_hint_user(data, user_reg_hint_type);
9732 	case NL80211_USER_REG_HINT_INDOOR:
9733 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9734 			owner_nlportid = info->snd_portid;
9735 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9736 		} else {
9737 			owner_nlportid = 0;
9738 			is_indoor = true;
9739 		}
9740 
9741 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9742 		return 0;
9743 	default:
9744 		return -EINVAL;
9745 	}
9746 }
9747 
9748 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9749 {
9750 	return reg_reload_regdb();
9751 }
9752 
9753 static int nl80211_get_mesh_config(struct sk_buff *skb,
9754 				   struct genl_info *info)
9755 {
9756 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9757 	struct net_device *dev = info->user_ptr[1];
9758 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9759 	struct mesh_config cur_params;
9760 	int err = 0;
9761 	void *hdr;
9762 	struct nlattr *pinfoattr;
9763 	struct sk_buff *msg;
9764 
9765 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9766 		return -EOPNOTSUPP;
9767 
9768 	if (!rdev->ops->get_mesh_config)
9769 		return -EOPNOTSUPP;
9770 
9771 	/* If not connected, get default parameters */
9772 	if (!wdev->u.mesh.id_len)
9773 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9774 	else
9775 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9776 
9777 	if (err)
9778 		return err;
9779 
9780 	/* Draw up a netlink message to send back */
9781 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9782 	if (!msg)
9783 		return -ENOMEM;
9784 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9785 			     NL80211_CMD_GET_MESH_CONFIG);
9786 	if (!hdr)
9787 		goto out;
9788 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9789 	if (!pinfoattr)
9790 		goto nla_put_failure;
9791 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9792 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9793 			cur_params.dot11MeshRetryTimeout) ||
9794 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9795 			cur_params.dot11MeshConfirmTimeout) ||
9796 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9797 			cur_params.dot11MeshHoldingTimeout) ||
9798 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9799 			cur_params.dot11MeshMaxPeerLinks) ||
9800 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9801 		       cur_params.dot11MeshMaxRetries) ||
9802 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9803 		       cur_params.dot11MeshTTL) ||
9804 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9805 		       cur_params.element_ttl) ||
9806 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9807 		       cur_params.auto_open_plinks) ||
9808 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9809 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9810 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9811 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9812 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9813 			cur_params.path_refresh_time) ||
9814 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9815 			cur_params.min_discovery_timeout) ||
9816 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9817 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9818 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9819 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9820 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9821 			cur_params.dot11MeshHWMPperrMinInterval) ||
9822 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9823 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9824 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9825 		       cur_params.dot11MeshHWMPRootMode) ||
9826 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9827 			cur_params.dot11MeshHWMPRannInterval) ||
9828 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9829 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9830 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9831 		       cur_params.dot11MeshForwarding) ||
9832 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9833 			cur_params.rssi_threshold) ||
9834 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9835 			cur_params.ht_opmode) ||
9836 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9837 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9838 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9839 			cur_params.dot11MeshHWMProotInterval) ||
9840 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9841 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9842 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9843 			cur_params.power_mode) ||
9844 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9845 			cur_params.dot11MeshAwakeWindowDuration) ||
9846 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9847 			cur_params.plink_timeout) ||
9848 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9849 		       cur_params.dot11MeshConnectedToMeshGate) ||
9850 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9851 		       cur_params.dot11MeshNolearn) ||
9852 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9853 		       cur_params.dot11MeshConnectedToAuthServer))
9854 		goto nla_put_failure;
9855 	nla_nest_end(msg, pinfoattr);
9856 	genlmsg_end(msg, hdr);
9857 	return genlmsg_reply(msg, info);
9858 
9859  nla_put_failure:
9860  out:
9861 	nlmsg_free(msg);
9862 	return -ENOBUFS;
9863 }
9864 
9865 static const struct nla_policy
9866 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9867 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9868 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9869 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9870 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9871 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9872 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9873 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9874 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9875 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9876 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9877 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9878 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9879 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9880 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9881 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9882 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9883 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9884 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9885 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9886 		NLA_POLICY_MIN(NLA_U16, 1),
9887 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9888 		NLA_POLICY_MIN(NLA_U16, 1),
9889 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9890 		NLA_POLICY_MIN(NLA_U16, 1),
9891 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9892 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9893 		NLA_POLICY_MIN(NLA_U16, 1),
9894 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9895 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9896 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9897 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9898 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9899 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9900 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9901 		NLA_POLICY_MIN(NLA_U16, 1),
9902 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9903 		NLA_POLICY_MIN(NLA_U16, 1),
9904 	[NL80211_MESHCONF_POWER_MODE] =
9905 		NLA_POLICY_RANGE(NLA_U32,
9906 				 NL80211_MESH_POWER_ACTIVE,
9907 				 NL80211_MESH_POWER_MAX),
9908 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9909 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9910 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9911 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9912 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9913 };
9914 
9915 static const struct nla_policy
9916 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9917 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9918 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9919 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9920 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9921 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9922 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9923 	[NL80211_MESH_SETUP_IE] =
9924 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9925 				       IEEE80211_MAX_DATA_LEN),
9926 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9927 };
9928 
9929 static int nl80211_parse_mesh_config(struct genl_info *info,
9930 				     struct mesh_config *cfg,
9931 				     u32 *mask_out)
9932 {
9933 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9934 	u32 mask = 0;
9935 	u16 ht_opmode;
9936 
9937 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9938 do {									\
9939 	if (tb[attr]) {							\
9940 		cfg->param = fn(tb[attr]);				\
9941 		mask |= BIT((attr) - 1);				\
9942 	}								\
9943 } while (0)
9944 
9945 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9946 		return -EINVAL;
9947 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9948 		return -EINVAL;
9949 
9950 	/* This makes sure that there aren't more than 32 mesh config
9951 	 * parameters (otherwise our bitfield scheme would not work.) */
9952 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9953 
9954 	/* Fill in the params struct */
9955 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9956 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9957 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9958 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9959 				  nla_get_u16);
9960 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9961 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9962 				  nla_get_u16);
9963 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9964 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9965 				  nla_get_u16);
9966 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9967 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9968 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9969 				  NL80211_MESHCONF_TTL, nla_get_u8);
9970 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9971 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9972 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9973 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9974 				  nla_get_u8);
9975 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9976 				  mask,
9977 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9978 				  nla_get_u32);
9979 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9980 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9981 				  nla_get_u8);
9982 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9983 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9984 				  nla_get_u32);
9985 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9986 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9987 		return -EINVAL;
9988 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9989 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9990 				  nla_get_u16);
9991 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9992 				  mask,
9993 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9994 				  nla_get_u32);
9995 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9996 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9997 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9998 		return -EINVAL;
9999 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
10000 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
10001 				  nla_get_u16);
10002 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
10003 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
10004 				  nla_get_u16);
10005 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
10006 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
10007 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
10008 				  nla_get_u16);
10009 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
10010 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
10011 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
10012 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
10013 				  nla_get_u16);
10014 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
10015 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
10016 				  nla_get_u8);
10017 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
10018 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
10019 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
10020 				  NL80211_MESHCONF_RSSI_THRESHOLD,
10021 				  nla_get_s32);
10022 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
10023 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
10024 				  nla_get_u8);
10025 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
10026 				  NL80211_MESHCONF_CONNECTED_TO_AS,
10027 				  nla_get_u8);
10028 	/*
10029 	 * Check HT operation mode based on
10030 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
10031 	 */
10032 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
10033 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
10034 
10035 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
10036 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
10037 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
10038 			return -EINVAL;
10039 
10040 		/* NON_HT_STA bit is reserved, but some programs set it */
10041 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
10042 
10043 		cfg->ht_opmode = ht_opmode;
10044 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
10045 	}
10046 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
10047 				  dot11MeshHWMPactivePathToRootTimeout, mask,
10048 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
10049 				  nla_get_u32);
10050 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
10051 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
10052 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
10053 		return -EINVAL;
10054 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
10055 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
10056 				  nla_get_u16);
10057 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
10058 				  mask,
10059 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
10060 				  nla_get_u16);
10061 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
10062 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
10063 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
10064 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
10065 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
10066 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
10067 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
10068 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
10069 	if (mask_out)
10070 		*mask_out = mask;
10071 
10072 	return 0;
10073 
10074 #undef FILL_IN_MESH_PARAM_IF_SET
10075 }
10076 
10077 static int nl80211_parse_mesh_setup(struct genl_info *info,
10078 				     struct mesh_setup *setup)
10079 {
10080 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10081 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
10082 
10083 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
10084 		return -EINVAL;
10085 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
10086 		return -EINVAL;
10087 
10088 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
10089 		setup->sync_method =
10090 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
10091 		 IEEE80211_SYNC_METHOD_VENDOR :
10092 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
10093 
10094 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
10095 		setup->path_sel_proto =
10096 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
10097 		 IEEE80211_PATH_PROTOCOL_VENDOR :
10098 		 IEEE80211_PATH_PROTOCOL_HWMP;
10099 
10100 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
10101 		setup->path_metric =
10102 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
10103 		 IEEE80211_PATH_METRIC_VENDOR :
10104 		 IEEE80211_PATH_METRIC_AIRTIME;
10105 
10106 	if (tb[NL80211_MESH_SETUP_IE]) {
10107 		struct nlattr *ieattr =
10108 			tb[NL80211_MESH_SETUP_IE];
10109 		setup->ie = nla_data(ieattr);
10110 		setup->ie_len = nla_len(ieattr);
10111 	}
10112 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
10113 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
10114 		return -EINVAL;
10115 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
10116 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
10117 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
10118 	if (setup->is_secure)
10119 		setup->user_mpm = true;
10120 
10121 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
10122 		if (!setup->user_mpm)
10123 			return -EINVAL;
10124 		setup->auth_id =
10125 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
10126 	}
10127 
10128 	return 0;
10129 }
10130 
10131 static int nl80211_update_mesh_config(struct sk_buff *skb,
10132 				      struct genl_info *info)
10133 {
10134 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10135 	struct net_device *dev = info->user_ptr[1];
10136 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10137 	struct mesh_config cfg = {};
10138 	u32 mask;
10139 	int err;
10140 
10141 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
10142 		return -EOPNOTSUPP;
10143 
10144 	if (!rdev->ops->update_mesh_config)
10145 		return -EOPNOTSUPP;
10146 
10147 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
10148 	if (err)
10149 		return err;
10150 
10151 	if (!wdev->u.mesh.id_len)
10152 		err = -ENOLINK;
10153 
10154 	if (!err)
10155 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
10156 
10157 	return err;
10158 }
10159 
10160 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
10161 			      struct sk_buff *msg)
10162 {
10163 	struct nlattr *nl_reg_rules;
10164 	unsigned int i;
10165 
10166 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
10167 	    (regdom->dfs_region &&
10168 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
10169 		goto nla_put_failure;
10170 
10171 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
10172 	if (!nl_reg_rules)
10173 		goto nla_put_failure;
10174 
10175 	for (i = 0; i < regdom->n_reg_rules; i++) {
10176 		struct nlattr *nl_reg_rule;
10177 		const struct ieee80211_reg_rule *reg_rule;
10178 		const struct ieee80211_freq_range *freq_range;
10179 		const struct ieee80211_power_rule *power_rule;
10180 		unsigned int max_bandwidth_khz;
10181 
10182 		reg_rule = &regdom->reg_rules[i];
10183 		freq_range = &reg_rule->freq_range;
10184 		power_rule = &reg_rule->power_rule;
10185 
10186 		nl_reg_rule = nla_nest_start_noflag(msg, i);
10187 		if (!nl_reg_rule)
10188 			goto nla_put_failure;
10189 
10190 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
10191 		if (!max_bandwidth_khz)
10192 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
10193 								  reg_rule);
10194 
10195 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
10196 				reg_rule->flags) ||
10197 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
10198 				freq_range->start_freq_khz) ||
10199 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
10200 				freq_range->end_freq_khz) ||
10201 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
10202 				max_bandwidth_khz) ||
10203 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
10204 				power_rule->max_antenna_gain) ||
10205 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
10206 				power_rule->max_eirp) ||
10207 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
10208 				reg_rule->dfs_cac_ms))
10209 			goto nla_put_failure;
10210 
10211 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
10212 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
10213 			       reg_rule->psd))
10214 			goto nla_put_failure;
10215 
10216 		nla_nest_end(msg, nl_reg_rule);
10217 	}
10218 
10219 	nla_nest_end(msg, nl_reg_rules);
10220 	return 0;
10221 
10222 nla_put_failure:
10223 	return -EMSGSIZE;
10224 }
10225 
10226 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
10227 {
10228 	const struct ieee80211_regdomain *regdom = NULL;
10229 	struct cfg80211_registered_device *rdev;
10230 	struct wiphy *wiphy = NULL;
10231 	struct sk_buff *msg;
10232 	int err = -EMSGSIZE;
10233 	void *hdr;
10234 
10235 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10236 	if (!msg)
10237 		return -ENOBUFS;
10238 
10239 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10240 			     NL80211_CMD_GET_REG);
10241 	if (!hdr)
10242 		goto put_failure;
10243 
10244 	rtnl_lock();
10245 
10246 	if (info->attrs[NL80211_ATTR_WIPHY]) {
10247 		bool self_managed;
10248 
10249 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10250 		if (IS_ERR(rdev)) {
10251 			err = PTR_ERR(rdev);
10252 			goto nla_put_failure;
10253 		}
10254 
10255 		wiphy = &rdev->wiphy;
10256 		self_managed = wiphy->regulatory_flags &
10257 			       REGULATORY_WIPHY_SELF_MANAGED;
10258 
10259 		rcu_read_lock();
10260 
10261 		regdom = get_wiphy_regdom(wiphy);
10262 
10263 		/* a self-managed-reg device must have a private regdom */
10264 		if (WARN_ON(!regdom && self_managed)) {
10265 			err = -EINVAL;
10266 			goto nla_put_failure_rcu;
10267 		}
10268 
10269 		if (regdom &&
10270 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10271 			goto nla_put_failure_rcu;
10272 	} else {
10273 		rcu_read_lock();
10274 	}
10275 
10276 	if (!wiphy && reg_last_request_cell_base() &&
10277 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10278 			NL80211_USER_REG_HINT_CELL_BASE))
10279 		goto nla_put_failure_rcu;
10280 
10281 	if (!regdom)
10282 		regdom = rcu_dereference(cfg80211_regdomain);
10283 
10284 	if (nl80211_put_regdom(regdom, msg))
10285 		goto nla_put_failure_rcu;
10286 
10287 	rcu_read_unlock();
10288 
10289 	genlmsg_end(msg, hdr);
10290 	rtnl_unlock();
10291 	return genlmsg_reply(msg, info);
10292 
10293 nla_put_failure_rcu:
10294 	rcu_read_unlock();
10295 nla_put_failure:
10296 	rtnl_unlock();
10297 put_failure:
10298 	nlmsg_free(msg);
10299 	return err;
10300 }
10301 
10302 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
10303 			       u32 seq, int flags, struct wiphy *wiphy,
10304 			       const struct ieee80211_regdomain *regdom)
10305 {
10306 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10307 				   NL80211_CMD_GET_REG);
10308 
10309 	if (!hdr)
10310 		return -1;
10311 
10312 	genl_dump_check_consistent(cb, hdr);
10313 
10314 	if (nl80211_put_regdom(regdom, msg))
10315 		goto nla_put_failure;
10316 
10317 	if (!wiphy && reg_last_request_cell_base() &&
10318 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10319 			NL80211_USER_REG_HINT_CELL_BASE))
10320 		goto nla_put_failure;
10321 
10322 	if (wiphy &&
10323 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10324 		goto nla_put_failure;
10325 
10326 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
10327 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
10328 		goto nla_put_failure;
10329 
10330 	genlmsg_end(msg, hdr);
10331 	return 0;
10332 
10333 nla_put_failure:
10334 	genlmsg_cancel(msg, hdr);
10335 	return -EMSGSIZE;
10336 }
10337 
10338 static int nl80211_get_reg_dump(struct sk_buff *skb,
10339 				struct netlink_callback *cb)
10340 {
10341 	const struct ieee80211_regdomain *regdom = NULL;
10342 	struct cfg80211_registered_device *rdev;
10343 	int err, reg_idx, start = cb->args[2];
10344 
10345 	rcu_read_lock();
10346 
10347 	if (cfg80211_regdomain && start == 0) {
10348 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10349 					  NLM_F_MULTI, NULL,
10350 					  rcu_dereference(cfg80211_regdomain));
10351 		if (err < 0)
10352 			goto out_err;
10353 	}
10354 
10355 	/* the global regdom is idx 0 */
10356 	reg_idx = 1;
10357 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10358 		regdom = get_wiphy_regdom(&rdev->wiphy);
10359 		if (!regdom)
10360 			continue;
10361 
10362 		if (++reg_idx <= start)
10363 			continue;
10364 
10365 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10366 					  NLM_F_MULTI, &rdev->wiphy, regdom);
10367 		if (err < 0) {
10368 			reg_idx--;
10369 			break;
10370 		}
10371 	}
10372 
10373 	cb->args[2] = reg_idx;
10374 	err = skb->len;
10375 out_err:
10376 	rcu_read_unlock();
10377 	return err;
10378 }
10379 
10380 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
10381 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
10382 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
10383 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
10384 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
10385 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
10386 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
10387 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
10388 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
10389 };
10390 
10391 static int parse_reg_rule(struct nlattr *tb[],
10392 	struct ieee80211_reg_rule *reg_rule)
10393 {
10394 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
10395 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
10396 
10397 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
10398 		return -EINVAL;
10399 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
10400 		return -EINVAL;
10401 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
10402 		return -EINVAL;
10403 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
10404 		return -EINVAL;
10405 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
10406 		return -EINVAL;
10407 
10408 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
10409 
10410 	freq_range->start_freq_khz =
10411 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
10412 	freq_range->end_freq_khz =
10413 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
10414 	freq_range->max_bandwidth_khz =
10415 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
10416 
10417 	power_rule->max_eirp =
10418 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
10419 
10420 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
10421 		power_rule->max_antenna_gain =
10422 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
10423 
10424 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
10425 		reg_rule->dfs_cac_ms =
10426 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
10427 
10428 	return 0;
10429 }
10430 
10431 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10432 {
10433 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10434 	struct nlattr *nl_reg_rule;
10435 	char *alpha2;
10436 	int rem_reg_rules, r;
10437 	u32 num_rules = 0, rule_idx = 0;
10438 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10439 	struct ieee80211_regdomain *rd;
10440 
10441 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10442 		return -EINVAL;
10443 
10444 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10445 		return -EINVAL;
10446 
10447 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10448 
10449 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10450 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10451 
10452 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10453 			    rem_reg_rules) {
10454 		num_rules++;
10455 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10456 			return -EINVAL;
10457 	}
10458 
10459 	rtnl_lock();
10460 	if (!reg_is_valid_request(alpha2)) {
10461 		r = -EINVAL;
10462 		goto out;
10463 	}
10464 
10465 	rd = kzalloc_flex(*rd, reg_rules, num_rules);
10466 	if (!rd) {
10467 		r = -ENOMEM;
10468 		goto out;
10469 	}
10470 
10471 	rd->n_reg_rules = num_rules;
10472 	rd->alpha2[0] = alpha2[0];
10473 	rd->alpha2[1] = alpha2[1];
10474 
10475 	/*
10476 	 * Disable DFS master mode if the DFS region was
10477 	 * not supported or known on this kernel.
10478 	 */
10479 	if (reg_supported_dfs_region(dfs_region))
10480 		rd->dfs_region = dfs_region;
10481 
10482 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10483 			    rem_reg_rules) {
10484 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10485 						nl_reg_rule, reg_rule_policy,
10486 						info->extack);
10487 		if (r)
10488 			goto bad_reg;
10489 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10490 		if (r)
10491 			goto bad_reg;
10492 
10493 		rule_idx++;
10494 
10495 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10496 			r = -EINVAL;
10497 			goto bad_reg;
10498 		}
10499 	}
10500 
10501 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10502 	/* set_regdom takes ownership of rd */
10503 	rd = NULL;
10504  bad_reg:
10505 	kfree(rd);
10506  out:
10507 	rtnl_unlock();
10508 	return r;
10509 }
10510 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10511 
10512 static int validate_scan_freqs(struct nlattr *freqs)
10513 {
10514 	struct nlattr *attr1, *attr2;
10515 	int n_channels = 0, tmp1, tmp2;
10516 
10517 	nla_for_each_nested(attr1, freqs, tmp1)
10518 		if (nla_len(attr1) != sizeof(u32))
10519 			return 0;
10520 
10521 	nla_for_each_nested(attr1, freqs, tmp1) {
10522 		n_channels++;
10523 		/*
10524 		 * Some hardware has a limited channel list for
10525 		 * scanning, and it is pretty much nonsensical
10526 		 * to scan for a channel twice, so disallow that
10527 		 * and don't require drivers to check that the
10528 		 * channel list they get isn't longer than what
10529 		 * they can scan, as long as they can scan all
10530 		 * the channels they registered at once.
10531 		 */
10532 		nla_for_each_nested(attr2, freqs, tmp2)
10533 			if (attr1 != attr2 &&
10534 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10535 				return 0;
10536 	}
10537 
10538 	return n_channels;
10539 }
10540 
10541 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10542 {
10543 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10544 }
10545 
10546 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10547 			    struct cfg80211_bss_selection *bss_select)
10548 {
10549 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10550 	struct nlattr *nest;
10551 	int err;
10552 	bool found = false;
10553 	int i;
10554 
10555 	/* only process one nested attribute */
10556 	nest = nla_data(nla);
10557 	if (!nla_ok(nest, nla_len(nest)))
10558 		return -EINVAL;
10559 
10560 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10561 					  nest, nl80211_bss_select_policy,
10562 					  NULL);
10563 	if (err)
10564 		return err;
10565 
10566 	/* only one attribute may be given */
10567 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10568 		if (attr[i]) {
10569 			if (found)
10570 				return -EINVAL;
10571 			found = true;
10572 		}
10573 	}
10574 
10575 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10576 
10577 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10578 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10579 
10580 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10581 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10582 		bss_select->param.band_pref =
10583 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10584 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10585 			return -EINVAL;
10586 	}
10587 
10588 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10589 		struct nl80211_bss_select_rssi_adjust *adj_param;
10590 
10591 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10592 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10593 		bss_select->param.adjust.band = adj_param->band;
10594 		bss_select->param.adjust.delta = adj_param->delta;
10595 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10596 			return -EINVAL;
10597 	}
10598 
10599 	/* user-space did not provide behaviour attribute */
10600 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10601 		return -EINVAL;
10602 
10603 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10604 		return -EINVAL;
10605 
10606 	return 0;
10607 }
10608 
10609 int nl80211_parse_random_mac(struct nlattr **attrs,
10610 			     u8 *mac_addr, u8 *mac_addr_mask)
10611 {
10612 	int i;
10613 
10614 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10615 		eth_zero_addr(mac_addr);
10616 		eth_zero_addr(mac_addr_mask);
10617 		mac_addr[0] = 0x2;
10618 		mac_addr_mask[0] = 0x3;
10619 
10620 		return 0;
10621 	}
10622 
10623 	/* need both or none */
10624 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10625 		return -EINVAL;
10626 
10627 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10628 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10629 
10630 	/* don't allow or configure an mcast address */
10631 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10632 	    is_multicast_ether_addr(mac_addr))
10633 		return -EINVAL;
10634 
10635 	/*
10636 	 * allow users to pass a MAC address that has bits set outside
10637 	 * of the mask, but don't bother drivers with having to deal
10638 	 * with such bits
10639 	 */
10640 	for (i = 0; i < ETH_ALEN; i++)
10641 		mac_addr[i] &= mac_addr_mask[i];
10642 
10643 	return 0;
10644 }
10645 
10646 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10647 					      struct ieee80211_channel *chan)
10648 {
10649 	unsigned int link_id;
10650 	bool all_ok = true;
10651 	int radio_idx;
10652 
10653 	lockdep_assert_wiphy(wdev->wiphy);
10654 
10655 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10656 		return false;
10657 
10658 	if (!cfg80211_beaconing_iface_active(wdev))
10659 		return true;
10660 
10661 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10662 
10663 	/*
10664 	 * FIXME: check if we have a free radio/link for chan
10665 	 *
10666 	 * This, as well as the FIXME below, requires knowing the link
10667 	 * capabilities of the hardware.
10668 	 */
10669 
10670 	/* we cannot leave radar channels */
10671 	for_each_valid_link(wdev, link_id) {
10672 		struct cfg80211_chan_def *chandef;
10673 		int link_radio_idx;
10674 
10675 		chandef = wdev_chandef(wdev, link_id);
10676 		if (!chandef || !chandef->chan)
10677 			continue;
10678 
10679 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10680 			continue;
10681 
10682 		/*
10683 		 * chandef->chan is a radar channel. If the radio/link onto
10684 		 * which this radar channel falls is the same radio/link onto
10685 		 * which the input 'chan' falls, off-channel operation should
10686 		 * not be allowed. Hence, set 'all_ok' to false.
10687 		 */
10688 
10689 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10690 								chandef->chan);
10691 		if (link_radio_idx == radio_idx) {
10692 			all_ok = false;
10693 			break;
10694 		}
10695 	}
10696 
10697 	if (all_ok)
10698 		return true;
10699 
10700 	return regulatory_pre_cac_allowed(wdev->wiphy);
10701 }
10702 
10703 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10704 				    enum nl80211_ext_feature_index feat)
10705 {
10706 	if (!(flags & flag))
10707 		return true;
10708 	if (wiphy_ext_feature_isset(wiphy, feat))
10709 		return true;
10710 	return false;
10711 }
10712 
10713 static int
10714 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10715 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10716 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10717 {
10718 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10719 		return 0;
10720 
10721 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10722 
10723 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10724 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10725 	    !nl80211_check_scan_feat(wiphy, *flags,
10726 				     NL80211_SCAN_FLAG_LOW_SPAN,
10727 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10728 	    !nl80211_check_scan_feat(wiphy, *flags,
10729 				     NL80211_SCAN_FLAG_LOW_POWER,
10730 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10731 	    !nl80211_check_scan_feat(wiphy, *flags,
10732 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10733 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10734 	    !nl80211_check_scan_feat(wiphy, *flags,
10735 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10736 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10737 	    !nl80211_check_scan_feat(wiphy, *flags,
10738 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10739 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10740 	    !nl80211_check_scan_feat(wiphy, *flags,
10741 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10742 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10743 	    !nl80211_check_scan_feat(wiphy, *flags,
10744 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10745 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10746 	    !nl80211_check_scan_feat(wiphy, *flags,
10747 				     NL80211_SCAN_FLAG_RANDOM_SN,
10748 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10749 	    !nl80211_check_scan_feat(wiphy, *flags,
10750 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10751 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10752 		return -EOPNOTSUPP;
10753 
10754 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10755 		int err;
10756 
10757 		if (!(wiphy->features & randomness_flag) ||
10758 		    (wdev && wdev->connected))
10759 			return -EOPNOTSUPP;
10760 
10761 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10762 		if (err)
10763 			return err;
10764 	}
10765 
10766 	return 0;
10767 }
10768 
10769 static int
10770 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10771 			       struct nlattr **attrs,
10772 			       struct cfg80211_sched_scan_request *req)
10773 {
10774 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10775 					req->mac_addr, req->mac_addr_mask,
10776 					&req->flags,
10777 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10778 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10779 }
10780 
10781 static int
10782 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10783 			     struct nlattr **attrs,
10784 			     struct cfg80211_scan_request_int *req)
10785 {
10786 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10787 					req->req.mac_addr,
10788 					req->req.mac_addr_mask,
10789 					&req->req.flags,
10790 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10791 }
10792 
10793 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10794 {
10795 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10796 	struct wireless_dev *wdev = info->user_ptr[1];
10797 	struct cfg80211_scan_request_int *request;
10798 	struct nlattr *scan_freqs = NULL;
10799 	bool scan_freqs_khz = false;
10800 	struct nlattr *attr;
10801 	struct wiphy *wiphy;
10802 	int err, tmp, n_ssids = 0, n_channels, i;
10803 	size_t ie_len, size;
10804 	size_t ssids_offset, ie_offset;
10805 
10806 	wiphy = &rdev->wiphy;
10807 
10808 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10809 		return -EOPNOTSUPP;
10810 
10811 	if (!rdev->ops->scan)
10812 		return -EOPNOTSUPP;
10813 
10814 	if (rdev->scan_req || rdev->scan_msg)
10815 		return -EBUSY;
10816 
10817 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10818 		if (!wiphy_ext_feature_isset(wiphy,
10819 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10820 			return -EOPNOTSUPP;
10821 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10822 		scan_freqs_khz = true;
10823 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10824 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10825 
10826 	if (scan_freqs) {
10827 		n_channels = validate_scan_freqs(scan_freqs);
10828 		if (!n_channels)
10829 			return -EINVAL;
10830 	} else {
10831 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10832 	}
10833 
10834 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10835 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10836 			n_ssids++;
10837 
10838 	if (n_ssids > wiphy->max_scan_ssids)
10839 		return -EINVAL;
10840 
10841 	if (info->attrs[NL80211_ATTR_IE])
10842 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10843 	else
10844 		ie_len = 0;
10845 
10846 	if (ie_len > wiphy->max_scan_ie_len)
10847 		return -EINVAL;
10848 
10849 	size = struct_size(request, req.channels, n_channels);
10850 	ssids_offset = size;
10851 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10852 	ie_offset = size;
10853 	size = size_add(size, ie_len);
10854 	request = kzalloc(size, GFP_KERNEL);
10855 	if (!request)
10856 		return -ENOMEM;
10857 
10858 	if (n_ssids)
10859 		request->req.ssids = (void *)request + ssids_offset;
10860 	request->req.n_ssids = n_ssids;
10861 	if (ie_len)
10862 		request->req.ie = (void *)request + ie_offset;
10863 
10864 	i = 0;
10865 	if (scan_freqs) {
10866 		/* user specified, bail out if channel not found */
10867 		nla_for_each_nested(attr, scan_freqs, tmp) {
10868 			struct ieee80211_channel *chan;
10869 			int freq = nla_get_u32(attr);
10870 
10871 			if (!scan_freqs_khz)
10872 				freq = MHZ_TO_KHZ(freq);
10873 
10874 			chan = ieee80211_get_channel_khz(wiphy, freq);
10875 			if (!chan) {
10876 				err = -EINVAL;
10877 				goto out_free;
10878 			}
10879 
10880 			/* Ignore disabled / no primary channels */
10881 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10882 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
10883 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10884 				continue;
10885 
10886 			request->req.channels[i] = chan;
10887 			i++;
10888 		}
10889 	} else {
10890 		enum nl80211_band band;
10891 
10892 		/* all channels */
10893 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10894 			int j;
10895 
10896 			if (!wiphy->bands[band])
10897 				continue;
10898 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10899 				struct ieee80211_channel *chan;
10900 
10901 				chan = &wiphy->bands[band]->channels[j];
10902 
10903 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10904 				    chan->flags &
10905 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
10906 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10907 					continue;
10908 
10909 				request->req.channels[i] = chan;
10910 				i++;
10911 			}
10912 		}
10913 	}
10914 
10915 	if (!i) {
10916 		err = -EINVAL;
10917 		goto out_free;
10918 	}
10919 
10920 	request->req.n_channels = i;
10921 
10922 	for (i = 0; i < request->req.n_channels; i++) {
10923 		struct ieee80211_channel *chan = request->req.channels[i];
10924 
10925 		/* if we can go off-channel to the target channel we're good */
10926 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10927 			continue;
10928 
10929 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10930 			err = -EBUSY;
10931 			goto out_free;
10932 		}
10933 	}
10934 
10935 	i = 0;
10936 	if (n_ssids) {
10937 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10938 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10939 				err = -EINVAL;
10940 				goto out_free;
10941 			}
10942 			request->req.ssids[i].ssid_len = nla_len(attr);
10943 			memcpy(request->req.ssids[i].ssid,
10944 			       nla_data(attr), nla_len(attr));
10945 			i++;
10946 		}
10947 	}
10948 
10949 	if (info->attrs[NL80211_ATTR_IE]) {
10950 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10951 		memcpy((void *)request->req.ie,
10952 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10953 		       request->req.ie_len);
10954 	}
10955 
10956 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10957 		if (wiphy->bands[i])
10958 			request->req.rates[i] =
10959 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10960 
10961 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10962 		nla_for_each_nested(attr,
10963 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10964 				    tmp) {
10965 			int band = nla_type(attr);
10966 
10967 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10968 				err = -EINVAL;
10969 				goto out_free;
10970 			}
10971 
10972 			if (!wiphy->bands[band])
10973 				continue;
10974 
10975 			err = ieee80211_get_ratemask(wiphy->bands[band],
10976 						     nla_data(attr),
10977 						     nla_len(attr),
10978 						     &request->req.rates[band]);
10979 			if (err)
10980 				goto out_free;
10981 		}
10982 	}
10983 
10984 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10985 		request->req.duration =
10986 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10987 		request->req.duration_mandatory =
10988 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10989 	}
10990 
10991 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10992 	if (err)
10993 		goto out_free;
10994 
10995 	request->req.no_cck =
10996 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10997 
10998 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10999 	 * BSSID to scan for. This was problematic because that same attribute
11000 	 * was already used for another purpose (local random MAC address). The
11001 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
11002 	 * compatibility with older userspace components, also use the
11003 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
11004 	 * the specific BSSID use case instead of the random MAC address
11005 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
11006 	 */
11007 	if (info->attrs[NL80211_ATTR_BSSID])
11008 		memcpy(request->req.bssid,
11009 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
11010 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
11011 		 info->attrs[NL80211_ATTR_MAC])
11012 		memcpy(request->req.bssid,
11013 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
11014 		       ETH_ALEN);
11015 	else
11016 		eth_broadcast_addr(request->req.bssid);
11017 
11018 	request->req.tsf_report_link_id =
11019 		nl80211_link_id_or_invalid(info->attrs);
11020 	request->req.wdev = wdev;
11021 	request->req.wiphy = &rdev->wiphy;
11022 	request->req.scan_start = jiffies;
11023 
11024 	rdev->scan_req = request;
11025 	err = cfg80211_scan(rdev);
11026 
11027 	if (err)
11028 		goto out_free;
11029 
11030 	nl80211_send_scan_start(rdev, wdev);
11031 	dev_hold(wdev->netdev);
11032 
11033 	return 0;
11034 
11035  out_free:
11036 	rdev->scan_req = NULL;
11037 	kfree(request);
11038 
11039 	return err;
11040 }
11041 
11042 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
11043 {
11044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11045 	struct wireless_dev *wdev = info->user_ptr[1];
11046 
11047 	if (!rdev->ops->abort_scan)
11048 		return -EOPNOTSUPP;
11049 
11050 	if (rdev->scan_msg)
11051 		return 0;
11052 
11053 	if (!rdev->scan_req)
11054 		return -ENOENT;
11055 
11056 	rdev_abort_scan(rdev, wdev);
11057 	return 0;
11058 }
11059 
11060 static int
11061 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
11062 			       struct cfg80211_sched_scan_request *request,
11063 			       struct nlattr **attrs)
11064 {
11065 	int tmp, err, i = 0;
11066 	struct nlattr *attr;
11067 
11068 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
11069 		u32 interval;
11070 
11071 		/*
11072 		 * If scan plans are not specified,
11073 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
11074 		 * case one scan plan will be set with the specified scan
11075 		 * interval and infinite number of iterations.
11076 		 */
11077 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
11078 		if (!interval)
11079 			return -EINVAL;
11080 
11081 		request->scan_plans[0].interval =
11082 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
11083 		if (!request->scan_plans[0].interval)
11084 			return -EINVAL;
11085 
11086 		if (request->scan_plans[0].interval >
11087 		    wiphy->max_sched_scan_plan_interval)
11088 			request->scan_plans[0].interval =
11089 				wiphy->max_sched_scan_plan_interval;
11090 
11091 		return 0;
11092 	}
11093 
11094 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
11095 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
11096 
11097 		if (WARN_ON(i >= n_plans))
11098 			return -EINVAL;
11099 
11100 		err = nla_parse_nested_deprecated(plan,
11101 						  NL80211_SCHED_SCAN_PLAN_MAX,
11102 						  attr, nl80211_plan_policy,
11103 						  NULL);
11104 		if (err)
11105 			return err;
11106 
11107 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
11108 			return -EINVAL;
11109 
11110 		request->scan_plans[i].interval =
11111 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
11112 		if (!request->scan_plans[i].interval ||
11113 		    request->scan_plans[i].interval >
11114 		    wiphy->max_sched_scan_plan_interval)
11115 			return -EINVAL;
11116 
11117 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
11118 			request->scan_plans[i].iterations =
11119 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
11120 			if (!request->scan_plans[i].iterations ||
11121 			    (request->scan_plans[i].iterations >
11122 			     wiphy->max_sched_scan_plan_iterations))
11123 				return -EINVAL;
11124 		} else if (i < n_plans - 1) {
11125 			/*
11126 			 * All scan plans but the last one must specify
11127 			 * a finite number of iterations
11128 			 */
11129 			return -EINVAL;
11130 		}
11131 
11132 		i++;
11133 	}
11134 
11135 	/*
11136 	 * The last scan plan must not specify the number of
11137 	 * iterations, it is supposed to run infinitely
11138 	 */
11139 	if (request->scan_plans[n_plans - 1].iterations)
11140 		return  -EINVAL;
11141 
11142 	return 0;
11143 }
11144 
11145 static struct cfg80211_sched_scan_request *
11146 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
11147 			 struct nlattr **attrs, int max_match_sets)
11148 {
11149 	struct cfg80211_sched_scan_request *request;
11150 	struct nlattr *attr;
11151 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
11152 	enum nl80211_band band;
11153 	size_t ie_len, size;
11154 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
11155 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
11156 
11157 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11158 		n_channels = validate_scan_freqs(
11159 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
11160 		if (!n_channels)
11161 			return ERR_PTR(-EINVAL);
11162 	} else {
11163 		n_channels = ieee80211_get_num_supported_channels(wiphy);
11164 	}
11165 
11166 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
11167 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11168 				    tmp)
11169 			n_ssids++;
11170 
11171 	if (n_ssids > wiphy->max_sched_scan_ssids)
11172 		return ERR_PTR(-EINVAL);
11173 
11174 	/*
11175 	 * First, count the number of 'real' matchsets. Due to an issue with
11176 	 * the old implementation, matchsets containing only the RSSI attribute
11177 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
11178 	 * RSSI for all matchsets, rather than their own matchset for reporting
11179 	 * all APs with a strong RSSI. This is needed to be compatible with
11180 	 * older userspace that treated a matchset with only the RSSI as the
11181 	 * global RSSI for all other matchsets - if there are other matchsets.
11182 	 */
11183 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11184 		nla_for_each_nested(attr,
11185 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11186 				    tmp) {
11187 			struct nlattr *rssi;
11188 
11189 			err = nla_parse_nested_deprecated(tb,
11190 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11191 							  attr,
11192 							  nl80211_match_policy,
11193 							  NULL);
11194 			if (err)
11195 				return ERR_PTR(err);
11196 
11197 			/* SSID and BSSID are mutually exclusive */
11198 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
11199 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
11200 				return ERR_PTR(-EINVAL);
11201 
11202 			/* add other standalone attributes here */
11203 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
11204 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
11205 				n_match_sets++;
11206 				continue;
11207 			}
11208 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11209 			if (rssi)
11210 				default_match_rssi = nla_get_s32(rssi);
11211 		}
11212 	}
11213 
11214 	/* However, if there's no other matchset, add the RSSI one */
11215 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
11216 		n_match_sets = 1;
11217 
11218 	if (n_match_sets > max_match_sets)
11219 		return ERR_PTR(-EINVAL);
11220 
11221 	if (attrs[NL80211_ATTR_IE])
11222 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
11223 	else
11224 		ie_len = 0;
11225 
11226 	if (ie_len > wiphy->max_sched_scan_ie_len)
11227 		return ERR_PTR(-EINVAL);
11228 
11229 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
11230 		/*
11231 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
11232 		 * each scan plan already specifies its own interval
11233 		 */
11234 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
11235 			return ERR_PTR(-EINVAL);
11236 
11237 		nla_for_each_nested(attr,
11238 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
11239 			n_plans++;
11240 	} else {
11241 		/*
11242 		 * The scan interval attribute is kept for backward
11243 		 * compatibility. If no scan plans are specified and sched scan
11244 		 * interval is specified, one scan plan will be set with this
11245 		 * scan interval and infinite number of iterations.
11246 		 */
11247 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
11248 			return ERR_PTR(-EINVAL);
11249 
11250 		n_plans = 1;
11251 	}
11252 
11253 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
11254 		return ERR_PTR(-EINVAL);
11255 
11256 	if (!wiphy_ext_feature_isset(
11257 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
11258 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
11259 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
11260 		return ERR_PTR(-EINVAL);
11261 
11262 	size = struct_size(request, channels, n_channels);
11263 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
11264 	size = size_add(size, array_size(sizeof(*request->match_sets),
11265 					 n_match_sets));
11266 	size = size_add(size, array_size(sizeof(*request->scan_plans),
11267 					 n_plans));
11268 	size = size_add(size, ie_len);
11269 	request = kzalloc(size, GFP_KERNEL);
11270 	if (!request)
11271 		return ERR_PTR(-ENOMEM);
11272 	request->n_channels = n_channels;
11273 
11274 	if (n_ssids)
11275 		request->ssids = (void *)request +
11276 			struct_size(request, channels, n_channels);
11277 	request->n_ssids = n_ssids;
11278 	if (ie_len) {
11279 		if (n_ssids)
11280 			request->ie = (void *)(request->ssids + n_ssids);
11281 		else
11282 			request->ie = (void *)(request->channels + n_channels);
11283 	}
11284 
11285 	if (n_match_sets) {
11286 		if (request->ie)
11287 			request->match_sets = (void *)(request->ie + ie_len);
11288 		else if (n_ssids)
11289 			request->match_sets =
11290 				(void *)(request->ssids + n_ssids);
11291 		else
11292 			request->match_sets =
11293 				(void *)(request->channels + n_channels);
11294 	}
11295 	request->n_match_sets = n_match_sets;
11296 
11297 	if (n_match_sets)
11298 		request->scan_plans = (void *)(request->match_sets +
11299 					       n_match_sets);
11300 	else if (request->ie)
11301 		request->scan_plans = (void *)(request->ie + ie_len);
11302 	else if (n_ssids)
11303 		request->scan_plans = (void *)(request->ssids + n_ssids);
11304 	else
11305 		request->scan_plans = (void *)(request->channels + n_channels);
11306 
11307 	request->n_scan_plans = n_plans;
11308 
11309 	i = 0;
11310 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11311 		/* user specified, bail out if channel not found */
11312 		nla_for_each_nested(attr,
11313 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
11314 				    tmp) {
11315 			struct ieee80211_channel *chan;
11316 
11317 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
11318 
11319 			if (!chan) {
11320 				err = -EINVAL;
11321 				goto out_free;
11322 			}
11323 
11324 			/* ignore disabled channels */
11325 			if (chan->flags & IEEE80211_CHAN_DISABLED)
11326 				continue;
11327 
11328 			request->channels[i] = chan;
11329 			i++;
11330 		}
11331 	} else {
11332 		/* all channels */
11333 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11334 			int j;
11335 
11336 			if (!wiphy->bands[band])
11337 				continue;
11338 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11339 				struct ieee80211_channel *chan;
11340 
11341 				chan = &wiphy->bands[band]->channels[j];
11342 
11343 				if (chan->flags & IEEE80211_CHAN_DISABLED)
11344 					continue;
11345 
11346 				request->channels[i] = chan;
11347 				i++;
11348 			}
11349 		}
11350 	}
11351 
11352 	if (!i) {
11353 		err = -EINVAL;
11354 		goto out_free;
11355 	}
11356 
11357 	request->n_channels = i;
11358 
11359 	i = 0;
11360 	if (n_ssids) {
11361 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11362 				    tmp) {
11363 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11364 				err = -EINVAL;
11365 				goto out_free;
11366 			}
11367 			request->ssids[i].ssid_len = nla_len(attr);
11368 			memcpy(request->ssids[i].ssid, nla_data(attr),
11369 			       nla_len(attr));
11370 			i++;
11371 		}
11372 	}
11373 
11374 	i = 0;
11375 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11376 		nla_for_each_nested(attr,
11377 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11378 				    tmp) {
11379 			struct nlattr *ssid, *bssid, *rssi;
11380 
11381 			err = nla_parse_nested_deprecated(tb,
11382 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11383 							  attr,
11384 							  nl80211_match_policy,
11385 							  NULL);
11386 			if (err)
11387 				goto out_free;
11388 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
11389 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
11390 
11391 			if (!ssid && !bssid) {
11392 				i++;
11393 				continue;
11394 			}
11395 
11396 			if (WARN_ON(i >= n_match_sets)) {
11397 				/* this indicates a programming error,
11398 				 * the loop above should have verified
11399 				 * things properly
11400 				 */
11401 				err = -EINVAL;
11402 				goto out_free;
11403 			}
11404 
11405 			if (ssid) {
11406 				memcpy(request->match_sets[i].ssid.ssid,
11407 				       nla_data(ssid), nla_len(ssid));
11408 				request->match_sets[i].ssid.ssid_len =
11409 					nla_len(ssid);
11410 			}
11411 			if (bssid)
11412 				memcpy(request->match_sets[i].bssid,
11413 				       nla_data(bssid), ETH_ALEN);
11414 
11415 			/* special attribute - old implementation w/a */
11416 			request->match_sets[i].rssi_thold = default_match_rssi;
11417 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11418 			if (rssi)
11419 				request->match_sets[i].rssi_thold =
11420 					nla_get_s32(rssi);
11421 			i++;
11422 		}
11423 
11424 		/* there was no other matchset, so the RSSI one is alone */
11425 		if (i == 0 && n_match_sets)
11426 			request->match_sets[0].rssi_thold = default_match_rssi;
11427 
11428 		request->min_rssi_thold = INT_MAX;
11429 		for (i = 0; i < n_match_sets; i++)
11430 			request->min_rssi_thold =
11431 				min(request->match_sets[i].rssi_thold,
11432 				    request->min_rssi_thold);
11433 	} else {
11434 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11435 	}
11436 
11437 	if (ie_len) {
11438 		request->ie_len = ie_len;
11439 		memcpy((void *)request->ie,
11440 		       nla_data(attrs[NL80211_ATTR_IE]),
11441 		       request->ie_len);
11442 	}
11443 
11444 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11445 	if (err)
11446 		goto out_free;
11447 
11448 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11449 		request->delay =
11450 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11451 
11452 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11453 		request->relative_rssi = nla_get_s8(
11454 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11455 		request->relative_rssi_set = true;
11456 	}
11457 
11458 	if (request->relative_rssi_set &&
11459 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11460 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11461 
11462 		rssi_adjust = nla_data(
11463 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11464 		request->rssi_adjust.band = rssi_adjust->band;
11465 		request->rssi_adjust.delta = rssi_adjust->delta;
11466 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11467 			err = -EINVAL;
11468 			goto out_free;
11469 		}
11470 	}
11471 
11472 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11473 	if (err)
11474 		goto out_free;
11475 
11476 	request->scan_start = jiffies;
11477 
11478 	return request;
11479 
11480 out_free:
11481 	kfree(request);
11482 	return ERR_PTR(err);
11483 }
11484 
11485 static int nl80211_start_sched_scan(struct sk_buff *skb,
11486 				    struct genl_info *info)
11487 {
11488 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11489 	struct net_device *dev = info->user_ptr[1];
11490 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11491 	struct cfg80211_sched_scan_request *sched_scan_req;
11492 	bool want_multi;
11493 	int err;
11494 
11495 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11496 		return -EOPNOTSUPP;
11497 
11498 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11499 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11500 	if (err)
11501 		return err;
11502 
11503 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11504 						  info->attrs,
11505 						  rdev->wiphy.max_match_sets);
11506 
11507 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11508 	if (err)
11509 		goto out_err;
11510 
11511 	/* leave request id zero for legacy request
11512 	 * or if driver does not support multi-scheduled scan
11513 	 */
11514 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11515 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11516 
11517 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11518 	if (err)
11519 		goto out_free;
11520 
11521 	sched_scan_req->dev = dev;
11522 	sched_scan_req->wiphy = &rdev->wiphy;
11523 
11524 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11525 		sched_scan_req->owner_nlportid = info->snd_portid;
11526 
11527 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11528 
11529 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11530 	return 0;
11531 
11532 out_free:
11533 	kfree(sched_scan_req);
11534 out_err:
11535 	return err;
11536 }
11537 
11538 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11539 				   struct genl_info *info)
11540 {
11541 	struct cfg80211_sched_scan_request *req;
11542 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11543 	u64 cookie;
11544 
11545 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11546 		return -EOPNOTSUPP;
11547 
11548 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11549 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11550 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11551 	}
11552 
11553 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11554 				     struct cfg80211_sched_scan_request,
11555 				     list);
11556 	if (!req || req->reqid ||
11557 	    (req->owner_nlportid &&
11558 	     req->owner_nlportid != info->snd_portid))
11559 		return -ENOENT;
11560 
11561 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11562 }
11563 
11564 static int nl80211_start_radar_detection(struct sk_buff *skb,
11565 					 struct genl_info *info)
11566 {
11567 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11568 	struct net_device *dev = info->user_ptr[1];
11569 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11570 	int link_id = nl80211_link_id(info->attrs);
11571 	struct wiphy *wiphy = wdev->wiphy;
11572 	struct cfg80211_chan_def chandef;
11573 	enum nl80211_dfs_regions dfs_region;
11574 	unsigned int cac_time_ms;
11575 	int err;
11576 
11577 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11578 
11579 	switch (wdev->iftype) {
11580 	case NL80211_IFTYPE_AP:
11581 	case NL80211_IFTYPE_P2P_GO:
11582 	case NL80211_IFTYPE_MESH_POINT:
11583 	case NL80211_IFTYPE_ADHOC:
11584 		break;
11585 	default:
11586 		/* caution - see cfg80211_beaconing_iface_active() below */
11587 		return -EINVAL;
11588 	}
11589 
11590 	guard(wiphy)(wiphy);
11591 
11592 	dfs_region = reg_get_dfs_region(wiphy);
11593 	if (dfs_region == NL80211_DFS_UNSET)
11594 		return -EINVAL;
11595 
11596 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
11597 	if (err)
11598 		return err;
11599 
11600 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11601 	if (err < 0)
11602 		return err;
11603 
11604 	if (err == 0)
11605 		return -EINVAL;
11606 
11607 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11608 		return -EINVAL;
11609 
11610 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11611 		return cfg80211_start_background_radar_detection(rdev, wdev,
11612 								 &chandef);
11613 
11614 	if (cfg80211_beaconing_iface_active(wdev)) {
11615 		/* During MLO other link(s) can beacon, only the current link
11616 		 * can not already beacon
11617 		 */
11618 		if (wdev->valid_links &&
11619 		    !wdev->links[link_id].ap.beacon_interval) {
11620 			/* nothing */
11621 		} else {
11622 			return -EBUSY;
11623 		}
11624 	}
11625 
11626 	if (wdev->links[link_id].cac_started)
11627 		return -EBUSY;
11628 
11629 	/* CAC start is offloaded to HW and can't be started manually */
11630 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11631 		return -EOPNOTSUPP;
11632 
11633 	if (!rdev->ops->start_radar_detection)
11634 		return -EOPNOTSUPP;
11635 
11636 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11637 	if (WARN_ON(!cac_time_ms))
11638 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11639 
11640 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11641 					 link_id);
11642 	if (err)
11643 		return err;
11644 
11645 	switch (wdev->iftype) {
11646 	case NL80211_IFTYPE_AP:
11647 	case NL80211_IFTYPE_P2P_GO:
11648 		wdev->links[link_id].ap.chandef = chandef;
11649 		break;
11650 	case NL80211_IFTYPE_ADHOC:
11651 		wdev->u.ibss.chandef = chandef;
11652 		break;
11653 	case NL80211_IFTYPE_MESH_POINT:
11654 		wdev->u.mesh.chandef = chandef;
11655 		break;
11656 	default:
11657 		break;
11658 	}
11659 	wdev->links[link_id].cac_started = true;
11660 	wdev->links[link_id].cac_start_time = jiffies;
11661 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11662 	cfg80211_set_cac_state(wiphy, &chandef, true);
11663 
11664 	return 0;
11665 }
11666 
11667 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11668 					  struct genl_info *info)
11669 {
11670 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11671 	struct net_device *dev = info->user_ptr[1];
11672 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11673 	struct wiphy *wiphy = wdev->wiphy;
11674 	struct cfg80211_chan_def chandef;
11675 	enum nl80211_dfs_regions dfs_region;
11676 	int err;
11677 
11678 	dfs_region = reg_get_dfs_region(wiphy);
11679 	if (dfs_region == NL80211_DFS_UNSET) {
11680 		GENL_SET_ERR_MSG(info,
11681 				 "DFS Region is not set. Unexpected Radar indication");
11682 		return -EINVAL;
11683 	}
11684 
11685 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
11686 	if (err) {
11687 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11688 		return err;
11689 	}
11690 
11691 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11692 	if (err < 0) {
11693 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11694 		return err;
11695 	}
11696 
11697 	if (err == 0) {
11698 		GENL_SET_ERR_MSG(info,
11699 				 "Unexpected Radar indication for chandef/iftype");
11700 		return -EINVAL;
11701 	}
11702 
11703 	/* Do not process this notification if radar is already detected
11704 	 * by kernel on this channel, and return success.
11705 	 */
11706 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11707 		return 0;
11708 
11709 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11710 
11711 	cfg80211_sched_dfs_chan_update(rdev);
11712 
11713 	rdev->radar_chandef = chandef;
11714 
11715 	/* Propagate this notification to other radios as well */
11716 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11717 
11718 	return 0;
11719 }
11720 
11721 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11722 					 const u8 *data, size_t datalen,
11723 					 int first_count, struct nlattr *attr,
11724 					 const u16 **offsets, unsigned int *n_offsets)
11725 {
11726 	int i;
11727 
11728 	*n_offsets = 0;
11729 
11730 	if (!attr)
11731 		return 0;
11732 
11733 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11734 		return -EINVAL;
11735 
11736 	*n_offsets = nla_len(attr) / sizeof(u16);
11737 	if (rdev->wiphy.max_num_csa_counters &&
11738 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11739 		return -EINVAL;
11740 
11741 	*offsets = nla_data(attr);
11742 
11743 	/* sanity checks - counters should fit and be the same */
11744 	for (i = 0; i < *n_offsets; i++) {
11745 		u16 offset = (*offsets)[i];
11746 
11747 		if (offset >= datalen)
11748 			return -EINVAL;
11749 
11750 		if (first_count != -1 && data[offset] != first_count)
11751 			return -EINVAL;
11752 	}
11753 
11754 	return 0;
11755 }
11756 
11757 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11758 {
11759 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11760 	unsigned int link_id = nl80211_link_id(info->attrs);
11761 	struct net_device *dev = info->user_ptr[1];
11762 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11763 	struct cfg80211_csa_settings params;
11764 	struct nlattr **csa_attrs = NULL;
11765 	int err;
11766 	bool need_new_beacon = false;
11767 	bool need_handle_dfs_flag = true;
11768 	u32 cs_count;
11769 
11770 	if (!rdev->ops->channel_switch ||
11771 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11772 		return -EOPNOTSUPP;
11773 
11774 	switch (dev->ieee80211_ptr->iftype) {
11775 	case NL80211_IFTYPE_AP:
11776 	case NL80211_IFTYPE_P2P_GO:
11777 		need_new_beacon = true;
11778 		/* For all modes except AP the handle_dfs flag needs to be
11779 		 * supplied to tell the kernel that userspace will handle radar
11780 		 * events when they happen. Otherwise a switch to a channel
11781 		 * requiring DFS will be rejected.
11782 		 */
11783 		need_handle_dfs_flag = false;
11784 
11785 		/* useless if AP is not running */
11786 		if (!wdev->links[link_id].ap.beacon_interval)
11787 			return -ENOTCONN;
11788 		break;
11789 	case NL80211_IFTYPE_ADHOC:
11790 		if (!wdev->u.ibss.ssid_len)
11791 			return -ENOTCONN;
11792 		break;
11793 	case NL80211_IFTYPE_MESH_POINT:
11794 		if (!wdev->u.mesh.id_len)
11795 			return -ENOTCONN;
11796 		break;
11797 	default:
11798 		return -EOPNOTSUPP;
11799 	}
11800 
11801 	memset(&params, 0, sizeof(params));
11802 	params.beacon_csa.ftm_responder = -1;
11803 
11804 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11805 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11806 		return -EINVAL;
11807 
11808 	/* only important for AP, IBSS and mesh create IEs internally */
11809 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11810 		return -EINVAL;
11811 
11812 	/* Even though the attribute is u32, the specification says
11813 	 * u8, so let's make sure we don't overflow.
11814 	 */
11815 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11816 	if (cs_count > 255)
11817 		return -EINVAL;
11818 
11819 	params.count = cs_count;
11820 
11821 	if (!need_new_beacon)
11822 		goto skip_beacons;
11823 
11824 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11825 				   info->extack);
11826 	if (err)
11827 		goto free;
11828 
11829 	csa_attrs = kzalloc_objs(*csa_attrs, NL80211_ATTR_MAX + 1);
11830 	if (!csa_attrs) {
11831 		err = -ENOMEM;
11832 		goto free;
11833 	}
11834 
11835 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11836 					  info->attrs[NL80211_ATTR_CSA_IES],
11837 					  nl80211_policy, info->extack);
11838 	if (err)
11839 		goto free;
11840 
11841 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11842 				   info->extack);
11843 	if (err)
11844 		goto free;
11845 
11846 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11847 		err = -EINVAL;
11848 		goto free;
11849 	}
11850 
11851 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11852 					    params.beacon_csa.tail_len,
11853 					    params.count,
11854 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11855 					    &params.counter_offsets_beacon,
11856 					    &params.n_counter_offsets_beacon);
11857 	if (err)
11858 		goto free;
11859 
11860 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11861 					    params.beacon_csa.probe_resp_len,
11862 					    params.count,
11863 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11864 					    &params.counter_offsets_presp,
11865 					    &params.n_counter_offsets_presp);
11866 	if (err)
11867 		goto free;
11868 
11869 skip_beacons:
11870 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
11871 				    &params.chandef);
11872 	if (err)
11873 		goto free;
11874 
11875 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11876 					   wdev->iftype)) {
11877 		err = -EINVAL;
11878 		goto free;
11879 	}
11880 
11881 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11882 					    &params.chandef,
11883 					    wdev->iftype);
11884 	if (err < 0)
11885 		goto free;
11886 
11887 	if (err > 0) {
11888 		params.radar_required = true;
11889 		if (need_handle_dfs_flag &&
11890 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11891 			err = -EINVAL;
11892 			goto free;
11893 		}
11894 	}
11895 
11896 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11897 		params.block_tx = true;
11898 
11899 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11900 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11901 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11902 		err = nl80211_parse_unsol_bcast_probe_resp(
11903 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11904 			&params.unsol_bcast_probe_resp);
11905 		if (err)
11906 			goto free;
11907 	}
11908 
11909 	params.link_id = link_id;
11910 	err = rdev_channel_switch(rdev, dev, &params);
11911 
11912 free:
11913 	kfree(params.beacon_after.mbssid_ies);
11914 	kfree(params.beacon_csa.mbssid_ies);
11915 	kfree(params.beacon_after.rnr_ies);
11916 	kfree(params.beacon_csa.rnr_ies);
11917 	kfree(csa_attrs);
11918 	return err;
11919 }
11920 
11921 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11922 			    u32 seq, int flags,
11923 			    struct cfg80211_registered_device *rdev,
11924 			    struct wireless_dev *wdev,
11925 			    struct cfg80211_internal_bss *intbss)
11926 {
11927 	struct cfg80211_bss *res = &intbss->pub;
11928 	const struct cfg80211_bss_ies *ies;
11929 	unsigned int link_id;
11930 	void *hdr;
11931 	struct nlattr *bss;
11932 
11933 	lockdep_assert_wiphy(wdev->wiphy);
11934 
11935 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11936 			     NL80211_CMD_NEW_SCAN_RESULTS);
11937 	if (!hdr)
11938 		return -1;
11939 
11940 	genl_dump_check_consistent(cb, hdr);
11941 
11942 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11943 		goto nla_put_failure;
11944 	if (wdev->netdev &&
11945 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11946 		goto nla_put_failure;
11947 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11948 			      NL80211_ATTR_PAD))
11949 		goto nla_put_failure;
11950 
11951 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11952 	if (!bss)
11953 		goto nla_put_failure;
11954 	if ((!is_zero_ether_addr(res->bssid) &&
11955 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11956 		goto nla_put_failure;
11957 
11958 	rcu_read_lock();
11959 	/* indicate whether we have probe response data or not */
11960 	if (rcu_access_pointer(res->proberesp_ies) &&
11961 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11962 		goto fail_unlock_rcu;
11963 
11964 	/* this pointer prefers to be pointed to probe response data
11965 	 * but is always valid
11966 	 */
11967 	ies = rcu_dereference(res->ies);
11968 	if (ies) {
11969 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11970 				      NL80211_BSS_PAD))
11971 			goto fail_unlock_rcu;
11972 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11973 					ies->len, ies->data))
11974 			goto fail_unlock_rcu;
11975 	}
11976 
11977 	/* and this pointer is always (unless driver didn't know) beacon data */
11978 	ies = rcu_dereference(res->beacon_ies);
11979 	if (ies && ies->from_beacon) {
11980 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11981 				      NL80211_BSS_PAD))
11982 			goto fail_unlock_rcu;
11983 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11984 					ies->len, ies->data))
11985 			goto fail_unlock_rcu;
11986 	}
11987 	rcu_read_unlock();
11988 
11989 	if (res->beacon_interval &&
11990 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11991 		goto nla_put_failure;
11992 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11993 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11994 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11995 			res->channel->freq_offset) ||
11996 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11997 			jiffies_to_msecs(jiffies - intbss->ts)))
11998 		goto nla_put_failure;
11999 
12000 	if (intbss->parent_tsf &&
12001 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
12002 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
12003 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
12004 		     intbss->parent_bssid)))
12005 		goto nla_put_failure;
12006 
12007 	if (res->ts_boottime &&
12008 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
12009 			      res->ts_boottime, NL80211_BSS_PAD))
12010 		goto nla_put_failure;
12011 
12012 	if (!nl80211_put_signal(msg, intbss->pub.chains,
12013 				intbss->pub.chain_signal,
12014 				NL80211_BSS_CHAIN_SIGNAL))
12015 		goto nla_put_failure;
12016 
12017 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
12018 		switch (rdev->wiphy.signal_type) {
12019 		case CFG80211_SIGNAL_TYPE_MBM:
12020 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
12021 					res->signal))
12022 				goto nla_put_failure;
12023 			break;
12024 		case CFG80211_SIGNAL_TYPE_UNSPEC:
12025 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
12026 				       res->signal))
12027 				goto nla_put_failure;
12028 			break;
12029 		default:
12030 			break;
12031 		}
12032 	}
12033 
12034 	switch (wdev->iftype) {
12035 	case NL80211_IFTYPE_P2P_CLIENT:
12036 	case NL80211_IFTYPE_STATION:
12037 		for_each_valid_link(wdev, link_id) {
12038 			if (intbss == wdev->links[link_id].client.current_bss &&
12039 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
12040 					 NL80211_BSS_STATUS_ASSOCIATED) ||
12041 			     (wdev->valid_links &&
12042 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
12043 					  link_id) ||
12044 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
12045 				       wdev->u.client.connected_addr)))))
12046 				goto nla_put_failure;
12047 		}
12048 		break;
12049 	case NL80211_IFTYPE_ADHOC:
12050 		if (intbss == wdev->u.ibss.current_bss &&
12051 		    nla_put_u32(msg, NL80211_BSS_STATUS,
12052 				NL80211_BSS_STATUS_IBSS_JOINED))
12053 			goto nla_put_failure;
12054 		break;
12055 	default:
12056 		break;
12057 	}
12058 
12059 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
12060 		goto nla_put_failure;
12061 
12062 	if (res->cannot_use_reasons &&
12063 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
12064 			      res->cannot_use_reasons,
12065 			      NL80211_BSS_PAD))
12066 		goto nla_put_failure;
12067 
12068 	nla_nest_end(msg, bss);
12069 
12070 	genlmsg_end(msg, hdr);
12071 	return 0;
12072 
12073  fail_unlock_rcu:
12074 	rcu_read_unlock();
12075  nla_put_failure:
12076 	genlmsg_cancel(msg, hdr);
12077 	return -EMSGSIZE;
12078 }
12079 
12080 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
12081 {
12082 	struct cfg80211_registered_device *rdev;
12083 	struct cfg80211_internal_bss *scan;
12084 	struct wireless_dev *wdev;
12085 	struct nlattr **attrbuf;
12086 	int start = cb->args[2], idx = 0;
12087 	bool dump_include_use_data;
12088 	int err;
12089 
12090 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
12091 	if (!attrbuf)
12092 		return -ENOMEM;
12093 
12094 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
12095 	if (err) {
12096 		kfree(attrbuf);
12097 		return err;
12098 	}
12099 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
12100 	__acquire(&rdev->wiphy.mtx);
12101 
12102 	dump_include_use_data =
12103 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
12104 	kfree(attrbuf);
12105 
12106 	spin_lock_bh(&rdev->bss_lock);
12107 
12108 	/*
12109 	 * dump_scan will be called multiple times to break up the scan results
12110 	 * into multiple messages.  It is unlikely that any more bss-es will be
12111 	 * expired after the first call, so only call only call this on the
12112 	 * first dump_scan invocation.
12113 	 */
12114 	if (start == 0)
12115 		cfg80211_bss_expire(rdev);
12116 
12117 	cb->seq = rdev->bss_generation;
12118 
12119 	list_for_each_entry(scan, &rdev->bss_list, list) {
12120 		if (++idx <= start)
12121 			continue;
12122 		if (!dump_include_use_data &&
12123 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
12124 			continue;
12125 		if (nl80211_send_bss(skb, cb,
12126 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
12127 				rdev, wdev, scan) < 0) {
12128 			idx--;
12129 			break;
12130 		}
12131 	}
12132 
12133 	spin_unlock_bh(&rdev->bss_lock);
12134 
12135 	cb->args[2] = idx;
12136 	wiphy_unlock(&rdev->wiphy);
12137 
12138 	return skb->len;
12139 }
12140 
12141 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
12142 			       int flags, struct net_device *dev,
12143 			       bool allow_radio_stats,
12144 			       struct survey_info *survey)
12145 {
12146 	void *hdr;
12147 	struct nlattr *infoattr;
12148 
12149 	/* skip radio stats if userspace didn't request them */
12150 	if (!survey->channel && !allow_radio_stats)
12151 		return 0;
12152 
12153 	hdr = nl80211hdr_put(msg, portid, seq, flags,
12154 			     NL80211_CMD_NEW_SURVEY_RESULTS);
12155 	if (!hdr)
12156 		return -ENOMEM;
12157 
12158 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12159 		goto nla_put_failure;
12160 
12161 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
12162 	if (!infoattr)
12163 		goto nla_put_failure;
12164 
12165 	if (survey->channel &&
12166 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
12167 			survey->channel->center_freq))
12168 		goto nla_put_failure;
12169 
12170 	if (survey->channel && survey->channel->freq_offset &&
12171 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
12172 			survey->channel->freq_offset))
12173 		goto nla_put_failure;
12174 
12175 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
12176 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
12177 		goto nla_put_failure;
12178 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
12179 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
12180 		goto nla_put_failure;
12181 	if ((survey->filled & SURVEY_INFO_TIME) &&
12182 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
12183 			survey->time, NL80211_SURVEY_INFO_PAD))
12184 		goto nla_put_failure;
12185 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
12186 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
12187 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
12188 		goto nla_put_failure;
12189 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
12190 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
12191 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
12192 		goto nla_put_failure;
12193 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
12194 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
12195 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
12196 		goto nla_put_failure;
12197 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
12198 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
12199 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
12200 		goto nla_put_failure;
12201 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
12202 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
12203 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
12204 		goto nla_put_failure;
12205 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
12206 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
12207 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
12208 		goto nla_put_failure;
12209 
12210 	nla_nest_end(msg, infoattr);
12211 
12212 	genlmsg_end(msg, hdr);
12213 	return 0;
12214 
12215  nla_put_failure:
12216 	genlmsg_cancel(msg, hdr);
12217 	return -EMSGSIZE;
12218 }
12219 
12220 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
12221 {
12222 	struct nlattr **attrbuf;
12223 	struct survey_info survey;
12224 	struct cfg80211_registered_device *rdev;
12225 	struct wireless_dev *wdev;
12226 	int survey_idx = cb->args[2];
12227 	int res;
12228 	bool radio_stats;
12229 
12230 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
12231 	if (!attrbuf)
12232 		return -ENOMEM;
12233 
12234 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
12235 	if (res) {
12236 		kfree(attrbuf);
12237 		return res;
12238 	}
12239 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
12240 	__acquire(&rdev->wiphy.mtx);
12241 
12242 	/* prepare_wdev_dump parsed the attributes */
12243 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
12244 
12245 	if (!wdev->netdev) {
12246 		res = -EINVAL;
12247 		goto out_err;
12248 	}
12249 
12250 	if (!rdev->ops->dump_survey) {
12251 		res = -EOPNOTSUPP;
12252 		goto out_err;
12253 	}
12254 
12255 	while (1) {
12256 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
12257 		if (res == -ENOENT)
12258 			break;
12259 		if (res)
12260 			goto out_err;
12261 
12262 		/* don't send disabled channels, but do send non-channel data */
12263 		if (survey.channel &&
12264 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
12265 			survey_idx++;
12266 			continue;
12267 		}
12268 
12269 		if (nl80211_send_survey(skb,
12270 				NETLINK_CB(cb->skb).portid,
12271 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
12272 				wdev->netdev, radio_stats, &survey) < 0)
12273 			goto out;
12274 		survey_idx++;
12275 	}
12276 
12277  out:
12278 	cb->args[2] = survey_idx;
12279 	res = skb->len;
12280  out_err:
12281 	kfree(attrbuf);
12282 	wiphy_unlock(&rdev->wiphy);
12283 	return res;
12284 }
12285 
12286 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
12287 {
12288 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12289 	struct net_device *dev = info->user_ptr[1];
12290 	struct ieee80211_channel *chan;
12291 	const u8 *bssid, *ssid;
12292 	int err, ssid_len;
12293 	enum nl80211_auth_type auth_type;
12294 	struct key_parse key;
12295 	bool local_state_change;
12296 	struct cfg80211_auth_request req = {};
12297 	u32 freq;
12298 
12299 	if (!info->attrs[NL80211_ATTR_MAC])
12300 		return -EINVAL;
12301 
12302 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
12303 		return -EINVAL;
12304 
12305 	if (!info->attrs[NL80211_ATTR_SSID])
12306 		return -EINVAL;
12307 
12308 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12309 		return -EINVAL;
12310 
12311 	err = nl80211_parse_key(info, &key);
12312 	if (err)
12313 		return err;
12314 
12315 	if (key.idx >= 0) {
12316 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
12317 			return -EINVAL;
12318 		if (!key.p.key || !key.p.key_len)
12319 			return -EINVAL;
12320 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
12321 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
12322 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
12323 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
12324 			return -EINVAL;
12325 		if (key.idx > 3)
12326 			return -EINVAL;
12327 	} else {
12328 		key.p.key_len = 0;
12329 		key.p.key = NULL;
12330 	}
12331 
12332 	if (key.idx >= 0) {
12333 		int i;
12334 		bool ok = false;
12335 
12336 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
12337 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
12338 				ok = true;
12339 				break;
12340 			}
12341 		}
12342 		if (!ok)
12343 			return -EINVAL;
12344 	}
12345 
12346 	if (!rdev->ops->auth)
12347 		return -EOPNOTSUPP;
12348 
12349 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12350 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12351 		return -EOPNOTSUPP;
12352 
12353 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12354 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12355 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12356 		freq +=
12357 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12358 
12359 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12360 	if (!chan)
12361 		return -EINVAL;
12362 
12363 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12364 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12365 
12366 	if (info->attrs[NL80211_ATTR_IE]) {
12367 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12368 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12369 	}
12370 
12371 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12372 		req.supported_selectors =
12373 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12374 		req.supported_selectors_len =
12375 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12376 	}
12377 
12378 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12379 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
12380 		return -EINVAL;
12381 
12382 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
12383 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
12384 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
12385 	     auth_type == NL80211_AUTHTYPE_FILS_PK ||
12386 	     auth_type == NL80211_AUTHTYPE_EPPKE ||
12387 	     auth_type == NL80211_AUTHTYPE_IEEE8021X) &&
12388 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
12389 		return -EINVAL;
12390 
12391 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
12392 		if (auth_type != NL80211_AUTHTYPE_SAE &&
12393 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
12394 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
12395 		    auth_type != NL80211_AUTHTYPE_FILS_PK &&
12396 		    auth_type != NL80211_AUTHTYPE_EPPKE &&
12397 		    auth_type != NL80211_AUTHTYPE_IEEE8021X)
12398 			return -EINVAL;
12399 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
12400 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
12401 	}
12402 
12403 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12404 
12405 	/*
12406 	 * Since we no longer track auth state, ignore
12407 	 * requests to only change local state.
12408 	 */
12409 	if (local_state_change)
12410 		return 0;
12411 
12412 	req.auth_type = auth_type;
12413 	req.key = key.p.key;
12414 	req.key_len = key.p.key_len;
12415 	req.key_idx = key.idx;
12416 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12417 	if (req.link_id >= 0) {
12418 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12419 			return -EINVAL;
12420 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
12421 			return -EINVAL;
12422 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12423 		if (!is_valid_ether_addr(req.ap_mld_addr))
12424 			return -EINVAL;
12425 	}
12426 
12427 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
12428 				   IEEE80211_BSS_TYPE_ESS,
12429 				   IEEE80211_PRIVACY_ANY);
12430 	if (!req.bss)
12431 		return -ENOENT;
12432 
12433 	err = cfg80211_mlme_auth(rdev, dev, &req);
12434 
12435 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12436 
12437 	return err;
12438 }
12439 
12440 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12441 				     struct genl_info *info)
12442 {
12443 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12444 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12445 		return -EINVAL;
12446 	}
12447 
12448 	if (!rdev->ops->tx_control_port ||
12449 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12450 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12451 		return -EOPNOTSUPP;
12452 
12453 	return 0;
12454 }
12455 
12456 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12457 				   struct genl_info *info,
12458 				   struct cfg80211_crypto_settings *settings,
12459 				   int cipher_limit)
12460 {
12461 	memset(settings, 0, sizeof(*settings));
12462 
12463 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12464 
12465 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12466 		u16 proto;
12467 
12468 		proto = nla_get_u16(
12469 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12470 		settings->control_port_ethertype = cpu_to_be16(proto);
12471 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12472 		    proto != ETH_P_PAE)
12473 			return -EINVAL;
12474 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12475 			settings->control_port_no_encrypt = true;
12476 	} else
12477 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12478 
12479 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12480 		int r = validate_pae_over_nl80211(rdev, info);
12481 
12482 		if (r < 0)
12483 			return r;
12484 
12485 		settings->control_port_over_nl80211 = true;
12486 
12487 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12488 			settings->control_port_no_preauth = true;
12489 	}
12490 
12491 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12492 		void *data;
12493 		int len, i;
12494 
12495 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12496 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12497 		settings->n_ciphers_pairwise = len / sizeof(u32);
12498 
12499 		if (len % sizeof(u32))
12500 			return -EINVAL;
12501 
12502 		if (settings->n_ciphers_pairwise > cipher_limit)
12503 			return -EINVAL;
12504 
12505 		memcpy(settings->ciphers_pairwise, data, len);
12506 
12507 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12508 			if (!cfg80211_supported_cipher_suite(
12509 					&rdev->wiphy,
12510 					settings->ciphers_pairwise[i]))
12511 				return -EINVAL;
12512 	}
12513 
12514 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12515 		settings->cipher_group =
12516 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12517 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12518 						     settings->cipher_group))
12519 			return -EINVAL;
12520 	}
12521 
12522 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12523 		settings->wpa_versions =
12524 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12525 
12526 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12527 		void *data;
12528 		int len;
12529 
12530 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12531 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12532 		settings->n_akm_suites = len / sizeof(u32);
12533 
12534 		if (len % sizeof(u32))
12535 			return -EINVAL;
12536 
12537 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12538 			return -EINVAL;
12539 
12540 		memcpy(settings->akm_suites, data, len);
12541 	}
12542 
12543 	if (info->attrs[NL80211_ATTR_PMK]) {
12544 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12545 			return -EINVAL;
12546 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12547 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12548 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12549 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12550 			return -EINVAL;
12551 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12552 	}
12553 
12554 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12555 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12556 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12557 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12558 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12559 			return -EINVAL;
12560 		settings->sae_pwd =
12561 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12562 		settings->sae_pwd_len =
12563 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12564 	}
12565 
12566 	settings->sae_pwe =
12567 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12568 				   NL80211_SAE_PWE_UNSPECIFIED);
12569 
12570 	return 0;
12571 }
12572 
12573 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12574 					      const u8 *ssid, int ssid_len,
12575 					      struct nlattr **attrs,
12576 					      int assoc_link_id, int link_id)
12577 {
12578 	struct ieee80211_channel *chan;
12579 	struct cfg80211_bss *bss;
12580 	const u8 *bssid;
12581 	u32 freq, use_for = 0;
12582 
12583 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12584 		return ERR_PTR(-EINVAL);
12585 
12586 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12587 
12588 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12589 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12590 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12591 
12592 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12593 	if (!chan)
12594 		return ERR_PTR(-EINVAL);
12595 
12596 	if (assoc_link_id >= 0)
12597 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12598 	if (assoc_link_id == link_id)
12599 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12600 
12601 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12602 				 ssid, ssid_len,
12603 				 IEEE80211_BSS_TYPE_ESS,
12604 				 IEEE80211_PRIVACY_ANY,
12605 				 use_for);
12606 	if (!bss)
12607 		return ERR_PTR(-ENOENT);
12608 
12609 	return bss;
12610 }
12611 
12612 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12613 				 struct cfg80211_assoc_link *links,
12614 				 int assoc_link_id,
12615 				 const u8 *ssid, int ssid_len,
12616 				 struct genl_info *info)
12617 {
12618 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12619 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12620 	struct nlattr *link;
12621 	unsigned int link_id;
12622 	int rem, err;
12623 
12624 	if (!attrs)
12625 		return -ENOMEM;
12626 
12627 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12628 		memset(attrs, 0, attrsize);
12629 
12630 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12631 
12632 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12633 			NL_SET_BAD_ATTR(info->extack, link);
12634 			return -EINVAL;
12635 		}
12636 
12637 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12638 		/* cannot use the same link ID again */
12639 		if (links[link_id].bss) {
12640 			NL_SET_BAD_ATTR(info->extack, link);
12641 			return -EINVAL;
12642 		}
12643 		links[link_id].bss =
12644 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12645 					  assoc_link_id, link_id);
12646 		if (IS_ERR(links[link_id].bss)) {
12647 			err = PTR_ERR(links[link_id].bss);
12648 			links[link_id].bss = NULL;
12649 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12650 					    "Error fetching BSS for link");
12651 			return err;
12652 		}
12653 
12654 		if (attrs[NL80211_ATTR_IE]) {
12655 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12656 			links[link_id].elems_len =
12657 				nla_len(attrs[NL80211_ATTR_IE]);
12658 
12659 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12660 					       links[link_id].elems,
12661 					       links[link_id].elems_len)) {
12662 				NL_SET_ERR_MSG_ATTR(info->extack,
12663 						    attrs[NL80211_ATTR_IE],
12664 						    "cannot deal with fragmentation");
12665 				return -EINVAL;
12666 			}
12667 
12668 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12669 						   links[link_id].elems,
12670 						   links[link_id].elems_len)) {
12671 				NL_SET_ERR_MSG_ATTR(info->extack,
12672 						    attrs[NL80211_ATTR_IE],
12673 						    "cannot deal with non-inheritance");
12674 				return -EINVAL;
12675 			}
12676 		}
12677 	}
12678 
12679 	return 0;
12680 }
12681 
12682 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12683 {
12684 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12685 	struct net_device *dev = info->user_ptr[1];
12686 	struct cfg80211_assoc_request req = {};
12687 	const u8 *ap_addr, *ssid;
12688 	unsigned int link_id;
12689 	int err, ssid_len;
12690 
12691 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12692 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12693 		return -EPERM;
12694 
12695 	if (!info->attrs[NL80211_ATTR_SSID])
12696 		return -EINVAL;
12697 
12698 	if (!rdev->ops->assoc)
12699 		return -EOPNOTSUPP;
12700 
12701 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12702 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12703 		return -EOPNOTSUPP;
12704 
12705 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12706 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12707 
12708 	if (info->attrs[NL80211_ATTR_IE]) {
12709 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12710 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12711 
12712 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12713 					   req.ie, req.ie_len)) {
12714 			NL_SET_ERR_MSG_ATTR(info->extack,
12715 					    info->attrs[NL80211_ATTR_IE],
12716 					    "non-inheritance makes no sense");
12717 			return -EINVAL;
12718 		}
12719 	}
12720 
12721 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12722 		enum nl80211_mfp mfp =
12723 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12724 		if (mfp == NL80211_MFP_REQUIRED)
12725 			req.use_mfp = true;
12726 		else if (mfp != NL80211_MFP_NO)
12727 			return -EINVAL;
12728 	}
12729 
12730 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12731 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12732 
12733 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12734 		req.supported_selectors =
12735 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12736 		req.supported_selectors_len =
12737 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12738 	}
12739 
12740 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12741 		req.flags |= ASSOC_REQ_DISABLE_HT;
12742 
12743 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12744 		memcpy(&req.ht_capa_mask,
12745 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12746 		       sizeof(req.ht_capa_mask));
12747 
12748 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12749 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12750 			return -EINVAL;
12751 		memcpy(&req.ht_capa,
12752 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12753 		       sizeof(req.ht_capa));
12754 	}
12755 
12756 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12757 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12758 
12759 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12760 		req.flags |= ASSOC_REQ_DISABLE_HE;
12761 
12762 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12763 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12764 
12765 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
12766 		req.flags |= ASSOC_REQ_DISABLE_UHR;
12767 
12768 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12769 		memcpy(&req.vht_capa_mask,
12770 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12771 		       sizeof(req.vht_capa_mask));
12772 
12773 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12774 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12775 			return -EINVAL;
12776 		memcpy(&req.vht_capa,
12777 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12778 		       sizeof(req.vht_capa));
12779 	}
12780 
12781 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12782 		if (!((rdev->wiphy.features &
12783 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12784 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12785 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12786 					     NL80211_EXT_FEATURE_RRM))
12787 			return -EINVAL;
12788 		req.flags |= ASSOC_REQ_USE_RRM;
12789 	}
12790 
12791 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12792 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12793 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12794 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12795 			return -EINVAL;
12796 		req.fils_nonces =
12797 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12798 	}
12799 
12800 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12801 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12802 			return -EINVAL;
12803 		memcpy(&req.s1g_capa_mask,
12804 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12805 		       sizeof(req.s1g_capa_mask));
12806 	}
12807 
12808 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12809 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12810 			return -EINVAL;
12811 		memcpy(&req.s1g_capa,
12812 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12813 		       sizeof(req.s1g_capa));
12814 	}
12815 
12816 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12817 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12818 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12819 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12820 			return -EINVAL;
12821 		}
12822 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12823 	}
12824 
12825 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12826 
12827 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12828 		if (req.link_id < 0)
12829 			return -EINVAL;
12830 
12831 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12832 			return -EINVAL;
12833 
12834 		if (info->attrs[NL80211_ATTR_MAC] ||
12835 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12836 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12837 			return -EINVAL;
12838 
12839 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12840 		ap_addr = req.ap_mld_addr;
12841 
12842 		err = nl80211_process_links(rdev, req.links, req.link_id,
12843 					    ssid, ssid_len, info);
12844 		if (err)
12845 			goto free;
12846 
12847 		if (!req.links[req.link_id].bss) {
12848 			err = -EINVAL;
12849 			goto free;
12850 		}
12851 
12852 		if (req.links[req.link_id].elems_len) {
12853 			GENL_SET_ERR_MSG(info,
12854 					 "cannot have per-link elems on assoc link");
12855 			err = -EINVAL;
12856 			goto free;
12857 		}
12858 
12859 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12860 			req.ext_mld_capa_ops =
12861 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12862 	} else {
12863 		if (req.link_id >= 0)
12864 			return -EINVAL;
12865 
12866 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12867 					    -1, -1);
12868 		if (IS_ERR(req.bss))
12869 			return PTR_ERR(req.bss);
12870 		ap_addr = req.bss->bssid;
12871 
12872 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12873 			return -EINVAL;
12874 	}
12875 
12876 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12877 	if (!err) {
12878 		struct nlattr *link;
12879 		int rem = 0;
12880 
12881 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12882 					  info->extack);
12883 
12884 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12885 			dev->ieee80211_ptr->conn_owner_nlportid =
12886 				info->snd_portid;
12887 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12888 			       ap_addr, ETH_ALEN);
12889 		}
12890 
12891 		/* Report error from first problematic link */
12892 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12893 			nla_for_each_nested(link,
12894 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12895 					    rem) {
12896 				struct nlattr *link_id_attr =
12897 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12898 
12899 				if (!link_id_attr)
12900 					continue;
12901 
12902 				link_id = nla_get_u8(link_id_attr);
12903 
12904 				if (link_id == req.link_id)
12905 					continue;
12906 
12907 				if (!req.links[link_id].error ||
12908 				    WARN_ON(req.links[link_id].error > 0))
12909 					continue;
12910 
12911 				WARN_ON(err >= 0);
12912 
12913 				NL_SET_BAD_ATTR(info->extack, link);
12914 				err = req.links[link_id].error;
12915 				break;
12916 			}
12917 		}
12918 	}
12919 
12920 free:
12921 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12922 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12923 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12924 
12925 	return err;
12926 }
12927 
12928 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12929 {
12930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12931 	struct net_device *dev = info->user_ptr[1];
12932 	const u8 *ie = NULL, *bssid;
12933 	int ie_len = 0;
12934 	u16 reason_code;
12935 	bool local_state_change;
12936 
12937 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12938 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12939 		return -EPERM;
12940 
12941 	if (!info->attrs[NL80211_ATTR_MAC])
12942 		return -EINVAL;
12943 
12944 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12945 		return -EINVAL;
12946 
12947 	if (!rdev->ops->deauth)
12948 		return -EOPNOTSUPP;
12949 
12950 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12951 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12952 		return -EOPNOTSUPP;
12953 
12954 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12955 
12956 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12957 	if (reason_code == 0) {
12958 		/* Reason Code 0 is reserved */
12959 		return -EINVAL;
12960 	}
12961 
12962 	if (info->attrs[NL80211_ATTR_IE]) {
12963 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12964 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12965 	}
12966 
12967 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12968 
12969 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12970 				    local_state_change);
12971 }
12972 
12973 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12974 {
12975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12976 	struct net_device *dev = info->user_ptr[1];
12977 	const u8 *ie = NULL, *bssid;
12978 	int ie_len = 0;
12979 	u16 reason_code;
12980 	bool local_state_change;
12981 
12982 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12983 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12984 		return -EPERM;
12985 
12986 	if (!info->attrs[NL80211_ATTR_MAC])
12987 		return -EINVAL;
12988 
12989 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12990 		return -EINVAL;
12991 
12992 	if (!rdev->ops->disassoc)
12993 		return -EOPNOTSUPP;
12994 
12995 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12996 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12997 		return -EOPNOTSUPP;
12998 
12999 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13000 
13001 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
13002 	if (reason_code == 0) {
13003 		/* Reason Code 0 is reserved */
13004 		return -EINVAL;
13005 	}
13006 
13007 	if (info->attrs[NL80211_ATTR_IE]) {
13008 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13009 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13010 	}
13011 
13012 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
13013 
13014 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
13015 				      local_state_change);
13016 }
13017 
13018 static bool
13019 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
13020 			 int mcast_rate[NUM_NL80211_BANDS],
13021 			 int rateval)
13022 {
13023 	struct wiphy *wiphy = &rdev->wiphy;
13024 	bool found = false;
13025 	int band, i;
13026 
13027 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
13028 		struct ieee80211_supported_band *sband;
13029 
13030 		sband = wiphy->bands[band];
13031 		if (!sband)
13032 			continue;
13033 
13034 		for (i = 0; i < sband->n_bitrates; i++) {
13035 			if (sband->bitrates[i].bitrate == rateval) {
13036 				mcast_rate[band] = i + 1;
13037 				found = true;
13038 				break;
13039 			}
13040 		}
13041 	}
13042 
13043 	return found;
13044 }
13045 
13046 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
13047 {
13048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13049 	struct net_device *dev = info->user_ptr[1];
13050 	struct cfg80211_ibss_params ibss;
13051 	struct wiphy *wiphy;
13052 	struct cfg80211_cached_keys *connkeys = NULL;
13053 	int err;
13054 
13055 	memset(&ibss, 0, sizeof(ibss));
13056 
13057 	if (!info->attrs[NL80211_ATTR_SSID] ||
13058 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13059 		return -EINVAL;
13060 
13061 	ibss.beacon_interval = 100;
13062 
13063 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
13064 		ibss.beacon_interval =
13065 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13066 
13067 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
13068 					   ibss.beacon_interval);
13069 	if (err)
13070 		return err;
13071 
13072 	if (!rdev->ops->join_ibss)
13073 		return -EOPNOTSUPP;
13074 
13075 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
13076 		return -EOPNOTSUPP;
13077 
13078 	wiphy = &rdev->wiphy;
13079 
13080 	if (info->attrs[NL80211_ATTR_MAC]) {
13081 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13082 
13083 		if (!is_valid_ether_addr(ibss.bssid))
13084 			return -EINVAL;
13085 	}
13086 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13087 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13088 
13089 	if (info->attrs[NL80211_ATTR_IE]) {
13090 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13091 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13092 	}
13093 
13094 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
13095 				    &ibss.chandef);
13096 	if (err)
13097 		return err;
13098 
13099 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
13100 				     NL80211_IFTYPE_ADHOC))
13101 		return -EINVAL;
13102 
13103 	switch (ibss.chandef.width) {
13104 	case NL80211_CHAN_WIDTH_5:
13105 	case NL80211_CHAN_WIDTH_10:
13106 	case NL80211_CHAN_WIDTH_20_NOHT:
13107 		break;
13108 	case NL80211_CHAN_WIDTH_20:
13109 	case NL80211_CHAN_WIDTH_40:
13110 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
13111 			return -EINVAL;
13112 		break;
13113 	case NL80211_CHAN_WIDTH_80:
13114 	case NL80211_CHAN_WIDTH_80P80:
13115 	case NL80211_CHAN_WIDTH_160:
13116 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
13117 			return -EINVAL;
13118 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13119 					     NL80211_EXT_FEATURE_VHT_IBSS))
13120 			return -EINVAL;
13121 		break;
13122 	case NL80211_CHAN_WIDTH_320:
13123 		return -EINVAL;
13124 	default:
13125 		return -EINVAL;
13126 	}
13127 
13128 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
13129 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
13130 
13131 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13132 		u8 *rates =
13133 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13134 		int n_rates =
13135 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13136 		struct ieee80211_supported_band *sband =
13137 			wiphy->bands[ibss.chandef.chan->band];
13138 
13139 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13140 					     &ibss.basic_rates);
13141 		if (err)
13142 			return err;
13143 	}
13144 
13145 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13146 		memcpy(&ibss.ht_capa_mask,
13147 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13148 		       sizeof(ibss.ht_capa_mask));
13149 
13150 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13151 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13152 			return -EINVAL;
13153 		memcpy(&ibss.ht_capa,
13154 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13155 		       sizeof(ibss.ht_capa));
13156 	}
13157 
13158 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13159 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
13160 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13161 		return -EINVAL;
13162 
13163 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13164 		bool no_ht = false;
13165 
13166 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
13167 		if (IS_ERR(connkeys))
13168 			return PTR_ERR(connkeys);
13169 
13170 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
13171 		    no_ht) {
13172 			kfree_sensitive(connkeys);
13173 			return -EINVAL;
13174 		}
13175 	}
13176 
13177 	ibss.control_port =
13178 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
13179 
13180 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13181 		int r = validate_pae_over_nl80211(rdev, info);
13182 
13183 		if (r < 0) {
13184 			kfree_sensitive(connkeys);
13185 			return r;
13186 		}
13187 
13188 		ibss.control_port_over_nl80211 = true;
13189 	}
13190 
13191 	ibss.userspace_handles_dfs =
13192 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13193 
13194 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
13195 	if (err)
13196 		kfree_sensitive(connkeys);
13197 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
13198 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13199 
13200 	return err;
13201 }
13202 
13203 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
13204 {
13205 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13206 	struct net_device *dev = info->user_ptr[1];
13207 
13208 	if (!rdev->ops->leave_ibss)
13209 		return -EOPNOTSUPP;
13210 
13211 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
13212 		return -EOPNOTSUPP;
13213 
13214 	return cfg80211_leave_ibss(rdev, dev, false);
13215 }
13216 
13217 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
13218 {
13219 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13220 	struct net_device *dev = info->user_ptr[1];
13221 	int mcast_rate[NUM_NL80211_BANDS];
13222 	u32 nla_rate;
13223 
13224 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
13225 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
13226 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
13227 		return -EOPNOTSUPP;
13228 
13229 	if (!rdev->ops->set_mcast_rate)
13230 		return -EOPNOTSUPP;
13231 
13232 	memset(mcast_rate, 0, sizeof(mcast_rate));
13233 
13234 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
13235 		return -EINVAL;
13236 
13237 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
13238 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
13239 		return -EINVAL;
13240 
13241 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
13242 }
13243 
13244 static struct sk_buff *
13245 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
13246 			    struct wireless_dev *wdev, int approxlen,
13247 			    u32 portid, u32 seq, enum nl80211_commands cmd,
13248 			    enum nl80211_attrs attr,
13249 			    const struct nl80211_vendor_cmd_info *info,
13250 			    gfp_t gfp)
13251 {
13252 	struct sk_buff *skb;
13253 	void *hdr;
13254 	struct nlattr *data;
13255 
13256 	skb = nlmsg_new(approxlen + 100, gfp);
13257 	if (!skb)
13258 		return NULL;
13259 
13260 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
13261 	if (!hdr) {
13262 		kfree_skb(skb);
13263 		return NULL;
13264 	}
13265 
13266 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
13267 		goto nla_put_failure;
13268 
13269 	if (info) {
13270 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
13271 				info->vendor_id))
13272 			goto nla_put_failure;
13273 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
13274 				info->subcmd))
13275 			goto nla_put_failure;
13276 	}
13277 
13278 	if (wdev) {
13279 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13280 				      wdev_id(wdev), NL80211_ATTR_PAD))
13281 			goto nla_put_failure;
13282 		if (wdev->netdev &&
13283 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
13284 				wdev->netdev->ifindex))
13285 			goto nla_put_failure;
13286 	}
13287 
13288 	data = nla_nest_start_noflag(skb, attr);
13289 	if (!data)
13290 		goto nla_put_failure;
13291 
13292 	((void **)skb->cb)[0] = rdev;
13293 	((void **)skb->cb)[1] = hdr;
13294 	((void **)skb->cb)[2] = data;
13295 
13296 	return skb;
13297 
13298  nla_put_failure:
13299 	kfree_skb(skb);
13300 	return NULL;
13301 }
13302 
13303 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
13304 					   struct wireless_dev *wdev,
13305 					   enum nl80211_commands cmd,
13306 					   enum nl80211_attrs attr,
13307 					   unsigned int portid,
13308 					   int vendor_event_idx,
13309 					   int approxlen, gfp_t gfp)
13310 {
13311 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13312 	const struct nl80211_vendor_cmd_info *info;
13313 
13314 	switch (cmd) {
13315 	case NL80211_CMD_TESTMODE:
13316 		if (WARN_ON(vendor_event_idx != -1))
13317 			return NULL;
13318 		info = NULL;
13319 		break;
13320 	case NL80211_CMD_VENDOR:
13321 		if (WARN_ON(vendor_event_idx < 0 ||
13322 			    vendor_event_idx >= wiphy->n_vendor_events))
13323 			return NULL;
13324 		info = &wiphy->vendor_events[vendor_event_idx];
13325 		break;
13326 	default:
13327 		WARN_ON(1);
13328 		return NULL;
13329 	}
13330 
13331 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
13332 					   cmd, attr, info, gfp);
13333 }
13334 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
13335 
13336 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
13337 {
13338 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13339 	void *hdr = ((void **)skb->cb)[1];
13340 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
13341 	struct nlattr *data = ((void **)skb->cb)[2];
13342 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
13343 
13344 	/* clear CB data for netlink core to own from now on */
13345 	memset(skb->cb, 0, sizeof(skb->cb));
13346 
13347 	nla_nest_end(skb, data);
13348 	genlmsg_end(skb, hdr);
13349 
13350 	if (nlhdr->nlmsg_pid) {
13351 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
13352 				nlhdr->nlmsg_pid);
13353 	} else {
13354 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
13355 			mcgrp = NL80211_MCGRP_VENDOR;
13356 
13357 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13358 					skb, 0, mcgrp, gfp);
13359 	}
13360 }
13361 EXPORT_SYMBOL(__cfg80211_send_event_skb);
13362 
13363 #ifdef CONFIG_NL80211_TESTMODE
13364 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
13365 {
13366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13367 	struct wireless_dev *wdev;
13368 	int err;
13369 
13370 	lockdep_assert_held(&rdev->wiphy.mtx);
13371 
13372 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13373 					  info->attrs);
13374 
13375 	if (!rdev->ops->testmode_cmd)
13376 		return -EOPNOTSUPP;
13377 
13378 	if (IS_ERR(wdev)) {
13379 		err = PTR_ERR(wdev);
13380 		if (err != -EINVAL)
13381 			return err;
13382 		wdev = NULL;
13383 	} else if (wdev->wiphy != &rdev->wiphy) {
13384 		return -EINVAL;
13385 	}
13386 
13387 	if (!info->attrs[NL80211_ATTR_TESTDATA])
13388 		return -EINVAL;
13389 
13390 	rdev->cur_cmd_info = info;
13391 	err = rdev_testmode_cmd(rdev, wdev,
13392 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
13393 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
13394 	rdev->cur_cmd_info = NULL;
13395 
13396 	return err;
13397 }
13398 
13399 static int nl80211_testmode_dump(struct sk_buff *skb,
13400 				 struct netlink_callback *cb)
13401 {
13402 	struct cfg80211_registered_device *rdev;
13403 	struct nlattr **attrbuf = NULL;
13404 	int err;
13405 	long phy_idx;
13406 	void *data = NULL;
13407 	int data_len = 0;
13408 
13409 	rtnl_lock();
13410 
13411 	if (cb->args[0]) {
13412 		/*
13413 		 * 0 is a valid index, but not valid for args[0],
13414 		 * so we need to offset by 1.
13415 		 */
13416 		phy_idx = cb->args[0] - 1;
13417 
13418 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
13419 		if (!rdev) {
13420 			err = -ENOENT;
13421 			goto out_err;
13422 		}
13423 	} else {
13424 		attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
13425 		if (!attrbuf) {
13426 			err = -ENOMEM;
13427 			goto out_err;
13428 		}
13429 
13430 		err = nlmsg_parse_deprecated(cb->nlh,
13431 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13432 					     attrbuf, nl80211_fam.maxattr,
13433 					     nl80211_policy, NULL);
13434 		if (err)
13435 			goto out_err;
13436 
13437 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13438 		if (IS_ERR(rdev)) {
13439 			err = PTR_ERR(rdev);
13440 			goto out_err;
13441 		}
13442 		phy_idx = rdev->wiphy_idx;
13443 
13444 		if (attrbuf[NL80211_ATTR_TESTDATA])
13445 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13446 	}
13447 
13448 	if (cb->args[1]) {
13449 		data = nla_data((void *)cb->args[1]);
13450 		data_len = nla_len((void *)cb->args[1]);
13451 	}
13452 
13453 	if (!rdev->ops->testmode_dump) {
13454 		err = -EOPNOTSUPP;
13455 		goto out_err;
13456 	}
13457 
13458 	while (1) {
13459 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13460 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13461 					   NL80211_CMD_TESTMODE);
13462 		struct nlattr *tmdata;
13463 
13464 		if (!hdr)
13465 			break;
13466 
13467 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13468 			genlmsg_cancel(skb, hdr);
13469 			break;
13470 		}
13471 
13472 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13473 		if (!tmdata) {
13474 			genlmsg_cancel(skb, hdr);
13475 			break;
13476 		}
13477 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13478 		nla_nest_end(skb, tmdata);
13479 
13480 		if (err == -ENOBUFS || err == -ENOENT) {
13481 			genlmsg_cancel(skb, hdr);
13482 			break;
13483 		} else if (err) {
13484 			genlmsg_cancel(skb, hdr);
13485 			goto out_err;
13486 		}
13487 
13488 		genlmsg_end(skb, hdr);
13489 	}
13490 
13491 	err = skb->len;
13492 	/* see above */
13493 	cb->args[0] = phy_idx + 1;
13494  out_err:
13495 	kfree(attrbuf);
13496 	rtnl_unlock();
13497 	return err;
13498 }
13499 #endif
13500 
13501 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13502 {
13503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13504 	struct net_device *dev = info->user_ptr[1];
13505 	struct cfg80211_connect_params connect;
13506 	struct wiphy *wiphy;
13507 	struct cfg80211_cached_keys *connkeys = NULL;
13508 	u32 freq = 0;
13509 	int err;
13510 
13511 	memset(&connect, 0, sizeof(connect));
13512 
13513 	if (!info->attrs[NL80211_ATTR_SSID] ||
13514 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13515 		return -EINVAL;
13516 
13517 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13518 		connect.auth_type =
13519 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13520 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13521 					     NL80211_CMD_CONNECT))
13522 			return -EINVAL;
13523 	} else
13524 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13525 
13526 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13527 
13528 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13529 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13530 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13531 		return -EINVAL;
13532 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13533 
13534 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13535 				      NL80211_MAX_NR_CIPHER_SUITES);
13536 	if (err)
13537 		return err;
13538 
13539 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13540 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13541 		return -EOPNOTSUPP;
13542 
13543 	wiphy = &rdev->wiphy;
13544 
13545 	connect.bg_scan_period = -1;
13546 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13547 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13548 		connect.bg_scan_period =
13549 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13550 	}
13551 
13552 	if (info->attrs[NL80211_ATTR_MAC])
13553 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13554 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13555 		connect.bssid_hint =
13556 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13557 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13558 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13559 
13560 	if (info->attrs[NL80211_ATTR_IE]) {
13561 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13562 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13563 	}
13564 
13565 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13566 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13567 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13568 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13569 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13570 			return -EOPNOTSUPP;
13571 	} else {
13572 		connect.mfp = NL80211_MFP_NO;
13573 	}
13574 
13575 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13576 		connect.prev_bssid =
13577 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13578 
13579 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13580 		freq = MHZ_TO_KHZ(nla_get_u32(
13581 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13582 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13583 		freq +=
13584 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13585 
13586 	if (freq) {
13587 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13588 		if (!connect.channel)
13589 			return -EINVAL;
13590 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13591 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13592 		freq = MHZ_TO_KHZ(freq);
13593 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13594 		if (!connect.channel_hint)
13595 			return -EINVAL;
13596 	}
13597 
13598 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13599 		connect.edmg.channels =
13600 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13601 
13602 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13603 			connect.edmg.bw_config =
13604 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13605 	}
13606 
13607 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13608 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13609 		if (IS_ERR(connkeys))
13610 			return PTR_ERR(connkeys);
13611 	}
13612 
13613 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13614 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13615 
13616 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13617 		memcpy(&connect.ht_capa_mask,
13618 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13619 		       sizeof(connect.ht_capa_mask));
13620 
13621 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13622 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13623 			kfree_sensitive(connkeys);
13624 			return -EINVAL;
13625 		}
13626 		memcpy(&connect.ht_capa,
13627 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13628 		       sizeof(connect.ht_capa));
13629 	}
13630 
13631 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13632 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13633 
13634 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13635 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13636 
13637 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13638 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13639 
13640 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13641 		connect.flags |= ASSOC_REQ_DISABLE_UHR;
13642 
13643 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13644 		memcpy(&connect.vht_capa_mask,
13645 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13646 		       sizeof(connect.vht_capa_mask));
13647 
13648 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13649 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13650 			kfree_sensitive(connkeys);
13651 			return -EINVAL;
13652 		}
13653 		memcpy(&connect.vht_capa,
13654 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13655 		       sizeof(connect.vht_capa));
13656 	}
13657 
13658 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13659 		if (!((rdev->wiphy.features &
13660 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13661 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13662 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13663 					     NL80211_EXT_FEATURE_RRM)) {
13664 			kfree_sensitive(connkeys);
13665 			return -EINVAL;
13666 		}
13667 		connect.flags |= ASSOC_REQ_USE_RRM;
13668 	}
13669 
13670 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13671 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13672 		kfree_sensitive(connkeys);
13673 		return -EOPNOTSUPP;
13674 	}
13675 
13676 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13677 		/* bss selection makes no sense if bssid is set */
13678 		if (connect.bssid) {
13679 			kfree_sensitive(connkeys);
13680 			return -EINVAL;
13681 		}
13682 
13683 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13684 				       wiphy, &connect.bss_select);
13685 		if (err) {
13686 			kfree_sensitive(connkeys);
13687 			return err;
13688 		}
13689 	}
13690 
13691 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13692 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13693 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13694 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13695 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13696 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13697 		connect.fils_erp_username =
13698 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13699 		connect.fils_erp_username_len =
13700 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13701 		connect.fils_erp_realm =
13702 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13703 		connect.fils_erp_realm_len =
13704 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13705 		connect.fils_erp_next_seq_num =
13706 			nla_get_u16(
13707 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13708 		connect.fils_erp_rrk =
13709 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13710 		connect.fils_erp_rrk_len =
13711 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13712 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13713 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13714 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13715 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13716 		kfree_sensitive(connkeys);
13717 		return -EINVAL;
13718 	}
13719 
13720 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13721 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13722 			kfree_sensitive(connkeys);
13723 			GENL_SET_ERR_MSG(info,
13724 					 "external auth requires connection ownership");
13725 			return -EINVAL;
13726 		}
13727 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13728 	}
13729 
13730 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13731 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13732 
13733 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13734 			       connect.prev_bssid);
13735 	if (err)
13736 		kfree_sensitive(connkeys);
13737 
13738 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13739 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13740 		if (connect.bssid)
13741 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13742 			       connect.bssid, ETH_ALEN);
13743 		else
13744 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13745 	}
13746 
13747 	return err;
13748 }
13749 
13750 static int nl80211_update_connect_params(struct sk_buff *skb,
13751 					 struct genl_info *info)
13752 {
13753 	struct cfg80211_connect_params connect = {};
13754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13755 	struct net_device *dev = info->user_ptr[1];
13756 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13757 	bool fils_sk_offload;
13758 	u32 auth_type;
13759 	u32 changed = 0;
13760 
13761 	if (!rdev->ops->update_connect_params)
13762 		return -EOPNOTSUPP;
13763 
13764 	if (info->attrs[NL80211_ATTR_IE]) {
13765 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13766 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13767 		changed |= UPDATE_ASSOC_IES;
13768 	}
13769 
13770 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13771 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13772 
13773 	/*
13774 	 * when driver supports fils-sk offload all attributes must be
13775 	 * provided. So the else covers "fils-sk-not-all" and
13776 	 * "no-fils-sk-any".
13777 	 */
13778 	if (fils_sk_offload &&
13779 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13780 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13781 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13782 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13783 		connect.fils_erp_username =
13784 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13785 		connect.fils_erp_username_len =
13786 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13787 		connect.fils_erp_realm =
13788 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13789 		connect.fils_erp_realm_len =
13790 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13791 		connect.fils_erp_next_seq_num =
13792 			nla_get_u16(
13793 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13794 		connect.fils_erp_rrk =
13795 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13796 		connect.fils_erp_rrk_len =
13797 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13798 		changed |= UPDATE_FILS_ERP_INFO;
13799 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13800 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13801 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13802 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13803 		return -EINVAL;
13804 	}
13805 
13806 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13807 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13808 		if (!nl80211_valid_auth_type(rdev, auth_type,
13809 					     NL80211_CMD_CONNECT))
13810 			return -EINVAL;
13811 
13812 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13813 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13814 			return -EINVAL;
13815 
13816 		connect.auth_type = auth_type;
13817 		changed |= UPDATE_AUTH_TYPE;
13818 	}
13819 
13820 	if (!wdev->connected)
13821 		return -ENOLINK;
13822 
13823 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13824 }
13825 
13826 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13827 {
13828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13829 	struct net_device *dev = info->user_ptr[1];
13830 	u16 reason;
13831 
13832 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13833 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13834 		return -EPERM;
13835 
13836 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13837 				     WLAN_REASON_DEAUTH_LEAVING);
13838 
13839 	if (reason == 0)
13840 		return -EINVAL;
13841 
13842 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13843 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13844 		return -EOPNOTSUPP;
13845 
13846 	return cfg80211_disconnect(rdev, dev, reason, true);
13847 }
13848 
13849 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13850 {
13851 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13852 	struct net *net;
13853 	int err;
13854 
13855 	if (info->attrs[NL80211_ATTR_PID]) {
13856 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13857 
13858 		net = get_net_ns_by_pid(pid);
13859 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13860 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13861 
13862 		net = get_net_ns_by_fd(fd);
13863 	} else {
13864 		return -EINVAL;
13865 	}
13866 
13867 	if (IS_ERR(net))
13868 		return PTR_ERR(net);
13869 
13870 	err = 0;
13871 
13872 	/* check if anything to do */
13873 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13874 		err = cfg80211_switch_netns(rdev, net);
13875 
13876 	put_net(net);
13877 	return err;
13878 }
13879 
13880 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13881 {
13882 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13883 	struct net_device *dev = info->user_ptr[1];
13884 	struct cfg80211_pmksa pmksa;
13885 	bool ap_pmksa_caching_support = false;
13886 
13887 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13888 
13889 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13890 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13891 
13892 	if (!info->attrs[NL80211_ATTR_PMKID])
13893 		return -EINVAL;
13894 
13895 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13896 
13897 	if (info->attrs[NL80211_ATTR_MAC]) {
13898 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13899 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13900 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13901 	           info->attrs[NL80211_ATTR_PMK]) {
13902 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13903 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13904 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13905 	} else {
13906 		return -EINVAL;
13907 	}
13908 
13909 	if (info->attrs[NL80211_ATTR_PMK]) {
13910 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13911 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13912 	}
13913 
13914 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13915 		pmksa.pmk_lifetime =
13916 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13917 
13918 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13919 		pmksa.pmk_reauth_threshold =
13920 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13921 
13922 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13923 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13924 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13925 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13926 	       ap_pmksa_caching_support))
13927 		return -EOPNOTSUPP;
13928 
13929 	if (!rdev->ops->set_pmksa)
13930 		return -EOPNOTSUPP;
13931 
13932 	return rdev_set_pmksa(rdev, dev, &pmksa);
13933 }
13934 
13935 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13936 {
13937 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13938 	struct net_device *dev = info->user_ptr[1];
13939 	struct cfg80211_pmksa pmksa;
13940 	bool sae_offload_support = false;
13941 	bool owe_offload_support = false;
13942 	bool ap_pmksa_caching_support = false;
13943 
13944 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13945 
13946 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13947 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13948 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13949 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13950 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13951 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13952 
13953 	if (info->attrs[NL80211_ATTR_PMKID])
13954 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13955 
13956 	if (info->attrs[NL80211_ATTR_MAC]) {
13957 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13958 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13959 		/* SSID based pmksa flush supported only for FILS,
13960 		 * OWE/SAE OFFLOAD cases
13961 		 */
13962 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13963 		    info->attrs[NL80211_ATTR_PMK]) {
13964 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13965 		} else if (!sae_offload_support && !owe_offload_support) {
13966 			return -EINVAL;
13967 		}
13968 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13969 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13970 	} else {
13971 		return -EINVAL;
13972 	}
13973 
13974 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13975 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13976 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13977 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13978 	       ap_pmksa_caching_support))
13979 		return -EOPNOTSUPP;
13980 
13981 	if (!rdev->ops->del_pmksa)
13982 		return -EOPNOTSUPP;
13983 
13984 	return rdev_del_pmksa(rdev, dev, &pmksa);
13985 }
13986 
13987 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13988 {
13989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13990 	struct net_device *dev = info->user_ptr[1];
13991 
13992 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13993 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13994 		return -EOPNOTSUPP;
13995 
13996 	if (!rdev->ops->flush_pmksa)
13997 		return -EOPNOTSUPP;
13998 
13999 	return rdev_flush_pmksa(rdev, dev);
14000 }
14001 
14002 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
14003 {
14004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14005 	struct net_device *dev = info->user_ptr[1];
14006 	u8 action_code, dialog_token;
14007 	u32 peer_capability = 0;
14008 	u16 status_code;
14009 	u8 *peer;
14010 	int link_id;
14011 	bool initiator;
14012 
14013 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
14014 	    !rdev->ops->tdls_mgmt)
14015 		return -EOPNOTSUPP;
14016 
14017 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
14018 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
14019 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
14020 	    !info->attrs[NL80211_ATTR_IE] ||
14021 	    !info->attrs[NL80211_ATTR_MAC])
14022 		return -EINVAL;
14023 
14024 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14025 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
14026 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14027 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
14028 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
14029 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
14030 		peer_capability =
14031 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
14032 	link_id = nl80211_link_id_or_invalid(info->attrs);
14033 
14034 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
14035 			      dialog_token, status_code, peer_capability,
14036 			      initiator,
14037 			      nla_data(info->attrs[NL80211_ATTR_IE]),
14038 			      nla_len(info->attrs[NL80211_ATTR_IE]));
14039 }
14040 
14041 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
14042 {
14043 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14044 	struct net_device *dev = info->user_ptr[1];
14045 	enum nl80211_tdls_operation operation;
14046 	u8 *peer;
14047 
14048 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
14049 	    !rdev->ops->tdls_oper)
14050 		return -EOPNOTSUPP;
14051 
14052 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
14053 	    !info->attrs[NL80211_ATTR_MAC])
14054 		return -EINVAL;
14055 
14056 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
14057 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14058 
14059 	return rdev_tdls_oper(rdev, dev, peer, operation);
14060 }
14061 
14062 static int nl80211_remain_on_channel(struct sk_buff *skb,
14063 				     struct genl_info *info)
14064 {
14065 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14066 	unsigned int link_id = nl80211_link_id(info->attrs);
14067 	struct wireless_dev *wdev = info->user_ptr[1];
14068 	struct cfg80211_chan_def chandef;
14069 	struct sk_buff *msg;
14070 	void *hdr;
14071 	u64 cookie;
14072 	u32 duration;
14073 	int err;
14074 
14075 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
14076 	    !info->attrs[NL80211_ATTR_DURATION])
14077 		return -EINVAL;
14078 
14079 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
14080 
14081 	if (!rdev->ops->remain_on_channel ||
14082 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
14083 		return -EOPNOTSUPP;
14084 
14085 	/*
14086 	 * We should be on that channel for at least a minimum amount of
14087 	 * time (10ms) but no longer than the driver supports.
14088 	 */
14089 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
14090 	    duration > rdev->wiphy.max_remain_on_channel_duration)
14091 		return -EINVAL;
14092 
14093 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
14094 	if (err)
14095 		return err;
14096 
14097 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
14098 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
14099 
14100 		oper_chandef = wdev_chandef(wdev, link_id);
14101 
14102 		if (WARN_ON(!oper_chandef)) {
14103 			/* cannot happen since we must beacon to get here */
14104 			WARN_ON(1);
14105 			return -EBUSY;
14106 		}
14107 
14108 		/* note: returns first one if identical chandefs */
14109 		compat_chandef = cfg80211_chandef_compatible(&chandef,
14110 							     oper_chandef);
14111 
14112 		if (compat_chandef != &chandef)
14113 			return -EBUSY;
14114 	}
14115 
14116 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14117 	if (!msg)
14118 		return -ENOMEM;
14119 
14120 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14121 			     NL80211_CMD_REMAIN_ON_CHANNEL);
14122 	if (!hdr) {
14123 		err = -ENOBUFS;
14124 		goto free_msg;
14125 	}
14126 
14127 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
14128 				     duration, &cookie);
14129 
14130 	if (err)
14131 		goto free_msg;
14132 
14133 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14134 			      NL80211_ATTR_PAD))
14135 		goto nla_put_failure;
14136 
14137 	genlmsg_end(msg, hdr);
14138 
14139 	return genlmsg_reply(msg, info);
14140 
14141  nla_put_failure:
14142 	err = -ENOBUFS;
14143  free_msg:
14144 	nlmsg_free(msg);
14145 	return err;
14146 }
14147 
14148 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
14149 					    struct genl_info *info)
14150 {
14151 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14152 	struct wireless_dev *wdev = info->user_ptr[1];
14153 	u64 cookie;
14154 
14155 	if (!info->attrs[NL80211_ATTR_COOKIE])
14156 		return -EINVAL;
14157 
14158 	if (!rdev->ops->cancel_remain_on_channel)
14159 		return -EOPNOTSUPP;
14160 
14161 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14162 
14163 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
14164 }
14165 
14166 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
14167 				       struct genl_info *info)
14168 {
14169 	struct cfg80211_bitrate_mask mask;
14170 	unsigned int link_id = nl80211_link_id(info->attrs);
14171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14172 	struct net_device *dev = info->user_ptr[1];
14173 	int err;
14174 
14175 	if (!rdev->ops->set_bitrate_mask)
14176 		return -EOPNOTSUPP;
14177 
14178 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14179 					    NL80211_ATTR_TX_RATES, &mask,
14180 					    dev, true, link_id);
14181 	if (err)
14182 		return err;
14183 
14184 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
14185 }
14186 
14187 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
14188 {
14189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14190 	struct wireless_dev *wdev = info->user_ptr[1];
14191 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
14192 
14193 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
14194 		return -EINVAL;
14195 
14196 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
14197 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
14198 
14199 	switch (wdev->iftype) {
14200 	case NL80211_IFTYPE_STATION:
14201 	case NL80211_IFTYPE_ADHOC:
14202 	case NL80211_IFTYPE_P2P_CLIENT:
14203 	case NL80211_IFTYPE_AP:
14204 	case NL80211_IFTYPE_AP_VLAN:
14205 	case NL80211_IFTYPE_MESH_POINT:
14206 	case NL80211_IFTYPE_P2P_GO:
14207 	case NL80211_IFTYPE_P2P_DEVICE:
14208 		break;
14209 	case NL80211_IFTYPE_NAN:
14210 	case NL80211_IFTYPE_NAN_DATA:
14211 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14212 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
14213 		    !(wdev->wiphy->nan_capa.flags &
14214 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
14215 			return -EOPNOTSUPP;
14216 		break;
14217 	default:
14218 		return -EOPNOTSUPP;
14219 	}
14220 
14221 	/* not much point in registering if we can't reply */
14222 	if (!rdev->ops->mgmt_tx)
14223 		return -EOPNOTSUPP;
14224 
14225 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
14226 	    !wiphy_ext_feature_isset(&rdev->wiphy,
14227 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
14228 		GENL_SET_ERR_MSG(info,
14229 				 "multicast RX registrations are not supported");
14230 		return -EOPNOTSUPP;
14231 	}
14232 
14233 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
14234 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
14235 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
14236 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
14237 					   info->extack);
14238 }
14239 
14240 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
14241 {
14242 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14243 	struct wireless_dev *wdev = info->user_ptr[1];
14244 	struct cfg80211_chan_def chandef;
14245 	int err;
14246 	void *hdr = NULL;
14247 	u64 cookie;
14248 	struct sk_buff *msg = NULL;
14249 	struct cfg80211_mgmt_tx_params params = {
14250 		.dont_wait_for_ack =
14251 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
14252 	};
14253 
14254 	if (!info->attrs[NL80211_ATTR_FRAME])
14255 		return -EINVAL;
14256 
14257 	if (!rdev->ops->mgmt_tx)
14258 		return -EOPNOTSUPP;
14259 
14260 	switch (wdev->iftype) {
14261 	case NL80211_IFTYPE_P2P_DEVICE:
14262 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
14263 			return -EINVAL;
14264 		break;
14265 	case NL80211_IFTYPE_STATION:
14266 	case NL80211_IFTYPE_ADHOC:
14267 	case NL80211_IFTYPE_P2P_CLIENT:
14268 	case NL80211_IFTYPE_AP:
14269 	case NL80211_IFTYPE_AP_VLAN:
14270 	case NL80211_IFTYPE_MESH_POINT:
14271 	case NL80211_IFTYPE_P2P_GO:
14272 		break;
14273 	case NL80211_IFTYPE_NAN:
14274 	case NL80211_IFTYPE_NAN_DATA:
14275 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14276 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
14277 		    !(wdev->wiphy->nan_capa.flags &
14278 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
14279 			return -EOPNOTSUPP;
14280 		break;
14281 	default:
14282 		return -EOPNOTSUPP;
14283 	}
14284 
14285 	if (info->attrs[NL80211_ATTR_DURATION]) {
14286 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14287 			return -EINVAL;
14288 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
14289 
14290 		/*
14291 		 * We should wait on the channel for at least a minimum amount
14292 		 * of time (10ms) but no longer than the driver supports.
14293 		 */
14294 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
14295 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
14296 			return -EINVAL;
14297 	}
14298 
14299 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
14300 
14301 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14302 		return -EINVAL;
14303 
14304 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
14305 
14306 	/* get the channel if any has been specified, otherwise pass NULL to
14307 	 * the driver. The latter will use the current one
14308 	 */
14309 	chandef.chan = NULL;
14310 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14311 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14312 					    &chandef);
14313 		if (err)
14314 			return err;
14315 	}
14316 
14317 	if (!chandef.chan && params.offchan)
14318 		return -EINVAL;
14319 
14320 	if (params.offchan &&
14321 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
14322 		return -EBUSY;
14323 
14324 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
14325 	/*
14326 	 * This now races due to the unlock, but we cannot check
14327 	 * the valid links for the _station_ anyway, so that's up
14328 	 * to the driver.
14329 	 */
14330 	if (params.link_id >= 0 &&
14331 	    !(wdev->valid_links & BIT(params.link_id)))
14332 		return -EINVAL;
14333 
14334 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14335 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14336 
14337 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
14338 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
14339 					    &params.csa_offsets,
14340 					    &params.n_csa_offsets);
14341 	if (err)
14342 		return err;
14343 
14344 	if (!params.dont_wait_for_ack) {
14345 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14346 		if (!msg)
14347 			return -ENOMEM;
14348 
14349 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14350 				     NL80211_CMD_FRAME);
14351 		if (!hdr) {
14352 			err = -ENOBUFS;
14353 			goto free_msg;
14354 		}
14355 	}
14356 
14357 	params.chan = chandef.chan;
14358 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
14359 	if (err)
14360 		goto free_msg;
14361 
14362 	if (msg) {
14363 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14364 				      NL80211_ATTR_PAD))
14365 			goto nla_put_failure;
14366 
14367 		genlmsg_end(msg, hdr);
14368 		return genlmsg_reply(msg, info);
14369 	}
14370 
14371 	return 0;
14372 
14373  nla_put_failure:
14374 	err = -ENOBUFS;
14375  free_msg:
14376 	nlmsg_free(msg);
14377 	return err;
14378 }
14379 
14380 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
14381 {
14382 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14383 	struct wireless_dev *wdev = info->user_ptr[1];
14384 	u64 cookie;
14385 
14386 	if (!info->attrs[NL80211_ATTR_COOKIE])
14387 		return -EINVAL;
14388 
14389 	if (!rdev->ops->mgmt_tx_cancel_wait)
14390 		return -EOPNOTSUPP;
14391 
14392 	switch (wdev->iftype) {
14393 	case NL80211_IFTYPE_STATION:
14394 	case NL80211_IFTYPE_ADHOC:
14395 	case NL80211_IFTYPE_P2P_CLIENT:
14396 	case NL80211_IFTYPE_AP:
14397 	case NL80211_IFTYPE_AP_VLAN:
14398 	case NL80211_IFTYPE_P2P_GO:
14399 	case NL80211_IFTYPE_P2P_DEVICE:
14400 		break;
14401 	case NL80211_IFTYPE_NAN:
14402 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14403 					     NL80211_EXT_FEATURE_SECURE_NAN))
14404 			return -EOPNOTSUPP;
14405 		break;
14406 	default:
14407 		return -EOPNOTSUPP;
14408 	}
14409 
14410 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14411 
14412 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
14413 }
14414 
14415 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
14416 {
14417 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14418 	struct wireless_dev *wdev;
14419 	struct net_device *dev = info->user_ptr[1];
14420 	u8 ps_state;
14421 	bool state;
14422 	int err;
14423 
14424 	if (!info->attrs[NL80211_ATTR_PS_STATE])
14425 		return -EINVAL;
14426 
14427 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
14428 
14429 	wdev = dev->ieee80211_ptr;
14430 
14431 	if (!rdev->ops->set_power_mgmt)
14432 		return -EOPNOTSUPP;
14433 
14434 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14435 
14436 	if (state == wdev->ps)
14437 		return 0;
14438 
14439 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14440 	if (!err)
14441 		wdev->ps = state;
14442 	return err;
14443 }
14444 
14445 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14446 {
14447 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14448 	enum nl80211_ps_state ps_state;
14449 	struct wireless_dev *wdev;
14450 	struct net_device *dev = info->user_ptr[1];
14451 	struct sk_buff *msg;
14452 	void *hdr;
14453 	int err;
14454 
14455 	wdev = dev->ieee80211_ptr;
14456 
14457 	if (!rdev->ops->set_power_mgmt)
14458 		return -EOPNOTSUPP;
14459 
14460 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14461 	if (!msg)
14462 		return -ENOMEM;
14463 
14464 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14465 			     NL80211_CMD_GET_POWER_SAVE);
14466 	if (!hdr) {
14467 		err = -ENOBUFS;
14468 		goto free_msg;
14469 	}
14470 
14471 	if (wdev->ps)
14472 		ps_state = NL80211_PS_ENABLED;
14473 	else
14474 		ps_state = NL80211_PS_DISABLED;
14475 
14476 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14477 		goto nla_put_failure;
14478 
14479 	genlmsg_end(msg, hdr);
14480 	return genlmsg_reply(msg, info);
14481 
14482  nla_put_failure:
14483 	err = -ENOBUFS;
14484  free_msg:
14485 	nlmsg_free(msg);
14486 	return err;
14487 }
14488 
14489 static const struct nla_policy
14490 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14491 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14492 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14493 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14494 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14495 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14496 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14497 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14498 };
14499 
14500 static int nl80211_set_cqm_txe(struct genl_info *info,
14501 			       u32 rate, u32 pkts, u32 intvl)
14502 {
14503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14504 	struct net_device *dev = info->user_ptr[1];
14505 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14506 
14507 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14508 		return -EINVAL;
14509 
14510 	if (!rdev->ops->set_cqm_txe_config)
14511 		return -EOPNOTSUPP;
14512 
14513 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14514 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14515 		return -EOPNOTSUPP;
14516 
14517 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14518 }
14519 
14520 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14521 				    struct net_device *dev,
14522 				    struct cfg80211_cqm_config *cqm_config)
14523 {
14524 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14525 	s32 last, low, high;
14526 	u32 hyst;
14527 	int i, n, low_index;
14528 	int err;
14529 
14530 	/*
14531 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14532 	 * event has been received yet, we should receive an event after a
14533 	 * connection is established and enough beacons received to calculate
14534 	 * the average.
14535 	 */
14536 	if (!cqm_config->last_rssi_event_value &&
14537 	    wdev->links[0].client.current_bss &&
14538 	    rdev->ops->get_station) {
14539 		struct station_info sinfo = {};
14540 		u8 *mac_addr;
14541 
14542 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14543 
14544 		err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
14545 		if (err)
14546 			return err;
14547 
14548 		cfg80211_sinfo_release_content(&sinfo);
14549 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14550 			cqm_config->last_rssi_event_value =
14551 				(s8) sinfo.rx_beacon_signal_avg;
14552 	}
14553 
14554 	last = cqm_config->last_rssi_event_value;
14555 	hyst = cqm_config->rssi_hyst;
14556 	n = cqm_config->n_rssi_thresholds;
14557 
14558 	for (i = 0; i < n; i++) {
14559 		i = array_index_nospec(i, n);
14560 		if (last < cqm_config->rssi_thresholds[i])
14561 			break;
14562 	}
14563 
14564 	low_index = i - 1;
14565 	if (low_index >= 0) {
14566 		low_index = array_index_nospec(low_index, n);
14567 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14568 	} else {
14569 		low = S32_MIN;
14570 	}
14571 	if (i < n) {
14572 		i = array_index_nospec(i, n);
14573 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14574 	} else {
14575 		high = S32_MAX;
14576 	}
14577 
14578 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14579 }
14580 
14581 static int nl80211_set_cqm_rssi(struct genl_info *info,
14582 				const s32 *thresholds, int n_thresholds,
14583 				u32 hysteresis)
14584 {
14585 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14586 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14587 	struct net_device *dev = info->user_ptr[1];
14588 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14589 	s32 prev = S32_MIN;
14590 	int i, err;
14591 
14592 	/* Check all values negative and sorted */
14593 	for (i = 0; i < n_thresholds; i++) {
14594 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14595 			return -EINVAL;
14596 
14597 		prev = thresholds[i];
14598 	}
14599 
14600 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14601 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14602 		return -EOPNOTSUPP;
14603 
14604 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14605 		n_thresholds = 0;
14606 
14607 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14608 
14609 	/* if already disabled just succeed */
14610 	if (!n_thresholds && !old)
14611 		return 0;
14612 
14613 	if (n_thresholds > 1) {
14614 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14615 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14616 		    !rdev->ops->set_cqm_rssi_range_config)
14617 			return -EOPNOTSUPP;
14618 	} else {
14619 		if (!rdev->ops->set_cqm_rssi_config)
14620 			return -EOPNOTSUPP;
14621 	}
14622 
14623 	if (n_thresholds) {
14624 		cqm_config = kzalloc_flex(*cqm_config, rssi_thresholds,
14625 					  n_thresholds);
14626 		if (!cqm_config)
14627 			return -ENOMEM;
14628 
14629 		cqm_config->rssi_hyst = hysteresis;
14630 		cqm_config->n_rssi_thresholds = n_thresholds;
14631 		memcpy(cqm_config->rssi_thresholds, thresholds,
14632 		       flex_array_size(cqm_config, rssi_thresholds,
14633 				       n_thresholds));
14634 		cqm_config->use_range_api = n_thresholds > 1 ||
14635 					    !rdev->ops->set_cqm_rssi_config;
14636 
14637 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14638 
14639 		if (cqm_config->use_range_api)
14640 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14641 		else
14642 			err = rdev_set_cqm_rssi_config(rdev, dev,
14643 						       thresholds[0],
14644 						       hysteresis);
14645 	} else {
14646 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14647 		/* if enabled as range also disable via range */
14648 		if (old->use_range_api)
14649 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14650 		else
14651 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14652 	}
14653 
14654 	if (err) {
14655 		rcu_assign_pointer(wdev->cqm_config, old);
14656 		kfree_rcu(cqm_config, rcu_head);
14657 	} else {
14658 		kfree_rcu(old, rcu_head);
14659 	}
14660 
14661 	return err;
14662 }
14663 
14664 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14665 {
14666 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14667 	struct nlattr *cqm;
14668 	int err;
14669 
14670 	cqm = info->attrs[NL80211_ATTR_CQM];
14671 	if (!cqm)
14672 		return -EINVAL;
14673 
14674 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14675 					  nl80211_attr_cqm_policy,
14676 					  info->extack);
14677 	if (err)
14678 		return err;
14679 
14680 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14681 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14682 		const s32 *thresholds =
14683 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14684 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14685 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14686 
14687 		if (len % 4)
14688 			return -EINVAL;
14689 
14690 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14691 					    hysteresis);
14692 	}
14693 
14694 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14695 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14696 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14697 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14698 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14699 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14700 
14701 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14702 	}
14703 
14704 	return -EINVAL;
14705 }
14706 
14707 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14708 {
14709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14710 	struct net_device *dev = info->user_ptr[1];
14711 	struct ocb_setup setup = {};
14712 	int err;
14713 
14714 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14715 				    &setup.chandef);
14716 	if (err)
14717 		return err;
14718 
14719 	return cfg80211_join_ocb(rdev, dev, &setup);
14720 }
14721 
14722 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14723 {
14724 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14725 	struct net_device *dev = info->user_ptr[1];
14726 
14727 	return cfg80211_leave_ocb(rdev, dev);
14728 }
14729 
14730 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14731 {
14732 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14733 	struct net_device *dev = info->user_ptr[1];
14734 	struct mesh_config cfg;
14735 	struct mesh_setup setup;
14736 	int err;
14737 
14738 	/* start with default */
14739 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14740 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14741 
14742 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14743 		/* and parse parameters if given */
14744 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14745 		if (err)
14746 			return err;
14747 	}
14748 
14749 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14750 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14751 		return -EINVAL;
14752 
14753 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14754 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14755 
14756 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14757 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14758 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14759 			return -EINVAL;
14760 
14761 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14762 		setup.beacon_interval =
14763 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14764 
14765 		err = cfg80211_validate_beacon_int(rdev,
14766 						   NL80211_IFTYPE_MESH_POINT,
14767 						   setup.beacon_interval);
14768 		if (err)
14769 			return err;
14770 	}
14771 
14772 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14773 		setup.dtim_period =
14774 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14775 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14776 			return -EINVAL;
14777 	}
14778 
14779 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14780 		/* parse additional setup parameters if given */
14781 		err = nl80211_parse_mesh_setup(info, &setup);
14782 		if (err)
14783 			return err;
14784 	}
14785 
14786 	if (setup.user_mpm)
14787 		cfg.auto_open_plinks = false;
14788 
14789 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14790 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14791 					    &setup.chandef);
14792 		if (err)
14793 			return err;
14794 	} else {
14795 		/* __cfg80211_join_mesh() will sort it out */
14796 		setup.chandef.chan = NULL;
14797 	}
14798 
14799 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14800 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14801 		int n_rates =
14802 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14803 		struct ieee80211_supported_band *sband;
14804 
14805 		if (!setup.chandef.chan)
14806 			return -EINVAL;
14807 
14808 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14809 
14810 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14811 					     &setup.basic_rates);
14812 		if (err)
14813 			return err;
14814 	}
14815 
14816 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14817 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14818 						    NL80211_ATTR_TX_RATES,
14819 						    &setup.beacon_rate,
14820 						    dev, false, 0);
14821 		if (err)
14822 			return err;
14823 
14824 		if (!setup.chandef.chan)
14825 			return -EINVAL;
14826 
14827 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14828 					      &setup.beacon_rate);
14829 		if (err)
14830 			return err;
14831 	}
14832 
14833 	setup.userspace_handles_dfs =
14834 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14835 
14836 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14837 		int r = validate_pae_over_nl80211(rdev, info);
14838 
14839 		if (r < 0)
14840 			return r;
14841 
14842 		setup.control_port_over_nl80211 = true;
14843 	}
14844 
14845 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14846 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14847 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14848 
14849 	return err;
14850 }
14851 
14852 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14853 {
14854 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14855 	struct net_device *dev = info->user_ptr[1];
14856 
14857 	return cfg80211_leave_mesh(rdev, dev);
14858 }
14859 
14860 #ifdef CONFIG_PM
14861 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14862 					struct cfg80211_registered_device *rdev)
14863 {
14864 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14865 	struct nlattr *nl_pats, *nl_pat;
14866 	int i, pat_len;
14867 
14868 	if (!wowlan->n_patterns)
14869 		return 0;
14870 
14871 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14872 	if (!nl_pats)
14873 		return -ENOBUFS;
14874 
14875 	for (i = 0; i < wowlan->n_patterns; i++) {
14876 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14877 		if (!nl_pat)
14878 			return -ENOBUFS;
14879 		pat_len = wowlan->patterns[i].pattern_len;
14880 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14881 			    wowlan->patterns[i].mask) ||
14882 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14883 			    wowlan->patterns[i].pattern) ||
14884 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14885 				wowlan->patterns[i].pkt_offset))
14886 			return -ENOBUFS;
14887 		nla_nest_end(msg, nl_pat);
14888 	}
14889 	nla_nest_end(msg, nl_pats);
14890 
14891 	return 0;
14892 }
14893 
14894 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14895 				   struct cfg80211_wowlan_tcp *tcp)
14896 {
14897 	struct nlattr *nl_tcp;
14898 
14899 	if (!tcp)
14900 		return 0;
14901 
14902 	nl_tcp = nla_nest_start_noflag(msg,
14903 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14904 	if (!nl_tcp)
14905 		return -ENOBUFS;
14906 
14907 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14908 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14909 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14910 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14911 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14912 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14913 		    tcp->payload_len, tcp->payload) ||
14914 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14915 			tcp->data_interval) ||
14916 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14917 		    tcp->wake_len, tcp->wake_data) ||
14918 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14919 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14920 		return -ENOBUFS;
14921 
14922 	if (tcp->payload_seq.len &&
14923 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14924 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14925 		return -ENOBUFS;
14926 
14927 	if (tcp->payload_tok.len &&
14928 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14929 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14930 		    &tcp->payload_tok))
14931 		return -ENOBUFS;
14932 
14933 	nla_nest_end(msg, nl_tcp);
14934 
14935 	return 0;
14936 }
14937 
14938 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14939 				  struct cfg80211_sched_scan_request *req)
14940 {
14941 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14942 	int i;
14943 
14944 	if (!req)
14945 		return 0;
14946 
14947 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14948 	if (!nd)
14949 		return -ENOBUFS;
14950 
14951 	if (req->n_scan_plans == 1 &&
14952 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14953 			req->scan_plans[0].interval * 1000))
14954 		return -ENOBUFS;
14955 
14956 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14957 		return -ENOBUFS;
14958 
14959 	if (req->relative_rssi_set) {
14960 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14961 
14962 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14963 			       req->relative_rssi))
14964 			return -ENOBUFS;
14965 
14966 		rssi_adjust.band = req->rssi_adjust.band;
14967 		rssi_adjust.delta = req->rssi_adjust.delta;
14968 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14969 			    sizeof(rssi_adjust), &rssi_adjust))
14970 			return -ENOBUFS;
14971 	}
14972 
14973 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14974 	if (!freqs)
14975 		return -ENOBUFS;
14976 
14977 	for (i = 0; i < req->n_channels; i++) {
14978 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14979 			return -ENOBUFS;
14980 	}
14981 
14982 	nla_nest_end(msg, freqs);
14983 
14984 	if (req->n_match_sets) {
14985 		matches = nla_nest_start_noflag(msg,
14986 						NL80211_ATTR_SCHED_SCAN_MATCH);
14987 		if (!matches)
14988 			return -ENOBUFS;
14989 
14990 		for (i = 0; i < req->n_match_sets; i++) {
14991 			match = nla_nest_start_noflag(msg, i);
14992 			if (!match)
14993 				return -ENOBUFS;
14994 
14995 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14996 				    req->match_sets[i].ssid.ssid_len,
14997 				    req->match_sets[i].ssid.ssid))
14998 				return -ENOBUFS;
14999 			nla_nest_end(msg, match);
15000 		}
15001 		nla_nest_end(msg, matches);
15002 	}
15003 
15004 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
15005 	if (!scan_plans)
15006 		return -ENOBUFS;
15007 
15008 	for (i = 0; i < req->n_scan_plans; i++) {
15009 		scan_plan = nla_nest_start_noflag(msg, i + 1);
15010 		if (!scan_plan)
15011 			return -ENOBUFS;
15012 
15013 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
15014 				req->scan_plans[i].interval) ||
15015 		    (req->scan_plans[i].iterations &&
15016 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
15017 				 req->scan_plans[i].iterations)))
15018 			return -ENOBUFS;
15019 		nla_nest_end(msg, scan_plan);
15020 	}
15021 	nla_nest_end(msg, scan_plans);
15022 
15023 	nla_nest_end(msg, nd);
15024 
15025 	return 0;
15026 }
15027 
15028 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
15029 {
15030 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15031 	struct sk_buff *msg;
15032 	void *hdr;
15033 	u32 size = NLMSG_DEFAULT_SIZE;
15034 
15035 	if (!rdev->wiphy.wowlan)
15036 		return -EOPNOTSUPP;
15037 
15038 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
15039 		/* adjust size to have room for all the data */
15040 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
15041 			rdev->wiphy.wowlan_config->tcp->payload_len +
15042 			rdev->wiphy.wowlan_config->tcp->wake_len +
15043 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
15044 	}
15045 
15046 	msg = nlmsg_new(size, GFP_KERNEL);
15047 	if (!msg)
15048 		return -ENOMEM;
15049 
15050 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15051 			     NL80211_CMD_GET_WOWLAN);
15052 	if (!hdr)
15053 		goto nla_put_failure;
15054 
15055 	if (rdev->wiphy.wowlan_config) {
15056 		struct nlattr *nl_wowlan;
15057 
15058 		nl_wowlan = nla_nest_start_noflag(msg,
15059 						  NL80211_ATTR_WOWLAN_TRIGGERS);
15060 		if (!nl_wowlan)
15061 			goto nla_put_failure;
15062 
15063 		if ((rdev->wiphy.wowlan_config->any &&
15064 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
15065 		    (rdev->wiphy.wowlan_config->disconnect &&
15066 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
15067 		    (rdev->wiphy.wowlan_config->magic_pkt &&
15068 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
15069 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
15070 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
15071 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
15072 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
15073 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
15074 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
15075 		    (rdev->wiphy.wowlan_config->rfkill_release &&
15076 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
15077 			goto nla_put_failure;
15078 
15079 		if (nl80211_send_wowlan_patterns(msg, rdev))
15080 			goto nla_put_failure;
15081 
15082 		if (nl80211_send_wowlan_tcp(msg,
15083 					    rdev->wiphy.wowlan_config->tcp))
15084 			goto nla_put_failure;
15085 
15086 		if (nl80211_send_wowlan_nd(
15087 			    msg,
15088 			    rdev->wiphy.wowlan_config->nd_config))
15089 			goto nla_put_failure;
15090 
15091 		nla_nest_end(msg, nl_wowlan);
15092 	}
15093 
15094 	genlmsg_end(msg, hdr);
15095 	return genlmsg_reply(msg, info);
15096 
15097 nla_put_failure:
15098 	nlmsg_free(msg);
15099 	return -ENOBUFS;
15100 }
15101 
15102 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
15103 				    struct nlattr *attr,
15104 				    struct cfg80211_wowlan *trig)
15105 {
15106 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
15107 	struct cfg80211_wowlan_tcp *cfg;
15108 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
15109 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
15110 	u32 size;
15111 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
15112 	int err, port;
15113 
15114 	if (!rdev->wiphy.wowlan->tcp)
15115 		return -EINVAL;
15116 
15117 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
15118 					  nl80211_wowlan_tcp_policy, NULL);
15119 	if (err)
15120 		return err;
15121 
15122 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
15123 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
15124 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
15125 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
15126 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
15127 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
15128 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
15129 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
15130 		return -EINVAL;
15131 
15132 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
15133 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
15134 		return -EINVAL;
15135 
15136 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
15137 			rdev->wiphy.wowlan->tcp->data_interval_max ||
15138 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
15139 		return -EINVAL;
15140 
15141 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
15142 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
15143 		return -EINVAL;
15144 
15145 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
15146 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
15147 		return -EINVAL;
15148 
15149 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
15150 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
15151 
15152 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
15153 		tokens_size = tokln - sizeof(*tok);
15154 
15155 		if (!tok->len || tokens_size % tok->len)
15156 			return -EINVAL;
15157 		if (!rdev->wiphy.wowlan->tcp->tok)
15158 			return -EINVAL;
15159 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
15160 			return -EINVAL;
15161 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
15162 			return -EINVAL;
15163 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
15164 			return -EINVAL;
15165 		if (tok->offset + tok->len > data_size)
15166 			return -EINVAL;
15167 	}
15168 
15169 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
15170 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
15171 		if (!rdev->wiphy.wowlan->tcp->seq)
15172 			return -EINVAL;
15173 		if (seq->len == 0 || seq->len > 4)
15174 			return -EINVAL;
15175 		if (seq->len + seq->offset > data_size)
15176 			return -EINVAL;
15177 	}
15178 
15179 	size = sizeof(*cfg);
15180 	size += data_size;
15181 	size += wake_size + wake_mask_size;
15182 	size += tokens_size;
15183 
15184 	cfg = kzalloc(size, GFP_KERNEL);
15185 	if (!cfg)
15186 		return -ENOMEM;
15187 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
15188 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
15189 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
15190 	       ETH_ALEN);
15191 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
15192 #ifdef CONFIG_INET
15193 	/* allocate a socket and port for it and use it */
15194 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
15195 			    IPPROTO_TCP, &cfg->sock, 1);
15196 	if (err) {
15197 		kfree(cfg);
15198 		return err;
15199 	}
15200 	if (inet_csk_get_port(cfg->sock->sk, port)) {
15201 		sock_release(cfg->sock);
15202 		kfree(cfg);
15203 		return -EADDRINUSE;
15204 	}
15205 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
15206 #else
15207 	if (!port) {
15208 		kfree(cfg);
15209 		return -EINVAL;
15210 	}
15211 	cfg->src_port = port;
15212 #endif
15213 
15214 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
15215 	cfg->payload_len = data_size;
15216 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
15217 	memcpy((void *)cfg->payload,
15218 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
15219 	       data_size);
15220 	if (seq)
15221 		cfg->payload_seq = *seq;
15222 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
15223 	cfg->wake_len = wake_size;
15224 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
15225 	memcpy((void *)cfg->wake_data,
15226 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
15227 	       wake_size);
15228 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
15229 			 data_size + wake_size;
15230 	memcpy((void *)cfg->wake_mask,
15231 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
15232 	       wake_mask_size);
15233 	if (tok) {
15234 		cfg->tokens_size = tokens_size;
15235 		cfg->payload_tok = *tok;
15236 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
15237 		       tokens_size);
15238 	}
15239 
15240 	trig->tcp = cfg;
15241 
15242 	return 0;
15243 }
15244 
15245 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
15246 				   const struct wiphy_wowlan_support *wowlan,
15247 				   struct nlattr *attr,
15248 				   struct cfg80211_wowlan *trig)
15249 {
15250 	struct nlattr **tb;
15251 	int err;
15252 
15253 	tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
15254 	if (!tb)
15255 		return -ENOMEM;
15256 
15257 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
15258 		err = -EOPNOTSUPP;
15259 		goto out;
15260 	}
15261 
15262 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
15263 					  nl80211_policy, NULL);
15264 	if (err)
15265 		goto out;
15266 
15267 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
15268 						   wowlan->max_nd_match_sets);
15269 	err = PTR_ERR_OR_ZERO(trig->nd_config);
15270 	if (err)
15271 		trig->nd_config = NULL;
15272 
15273 out:
15274 	kfree(tb);
15275 	return err;
15276 }
15277 
15278 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
15279 {
15280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15281 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
15282 	struct cfg80211_wowlan new_triggers = {};
15283 	struct cfg80211_wowlan *ntrig;
15284 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
15285 	int err, i;
15286 	bool prev_enabled = rdev->wiphy.wowlan_config;
15287 	bool regular = false;
15288 
15289 	if (!wowlan)
15290 		return -EOPNOTSUPP;
15291 
15292 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
15293 		cfg80211_rdev_free_wowlan(rdev);
15294 		rdev->wiphy.wowlan_config = NULL;
15295 		goto set_wakeup;
15296 	}
15297 
15298 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
15299 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
15300 					  nl80211_wowlan_policy, info->extack);
15301 	if (err)
15302 		return err;
15303 
15304 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
15305 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
15306 			return -EINVAL;
15307 		new_triggers.any = true;
15308 	}
15309 
15310 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
15311 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
15312 			return -EINVAL;
15313 		new_triggers.disconnect = true;
15314 		regular = true;
15315 	}
15316 
15317 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
15318 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
15319 			return -EINVAL;
15320 		new_triggers.magic_pkt = true;
15321 		regular = true;
15322 	}
15323 
15324 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
15325 		return -EINVAL;
15326 
15327 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
15328 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
15329 			return -EINVAL;
15330 		new_triggers.gtk_rekey_failure = true;
15331 		regular = true;
15332 	}
15333 
15334 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
15335 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
15336 			return -EINVAL;
15337 		new_triggers.eap_identity_req = true;
15338 		regular = true;
15339 	}
15340 
15341 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
15342 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
15343 			return -EINVAL;
15344 		new_triggers.four_way_handshake = true;
15345 		regular = true;
15346 	}
15347 
15348 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
15349 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
15350 			return -EINVAL;
15351 		new_triggers.rfkill_release = true;
15352 		regular = true;
15353 	}
15354 
15355 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
15356 		struct nlattr *pat;
15357 		int n_patterns = 0;
15358 		int rem, pat_len, mask_len, pkt_offset;
15359 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15360 
15361 		regular = true;
15362 
15363 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15364 				    rem)
15365 			n_patterns++;
15366 		if (n_patterns > wowlan->n_patterns)
15367 			return -EINVAL;
15368 
15369 		new_triggers.patterns = kzalloc_objs(new_triggers.patterns[0],
15370 						     n_patterns);
15371 		if (!new_triggers.patterns)
15372 			return -ENOMEM;
15373 
15374 		new_triggers.n_patterns = n_patterns;
15375 		i = 0;
15376 
15377 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15378 				    rem) {
15379 			u8 *mask_pat;
15380 
15381 			err = nla_parse_nested_deprecated(pat_tb,
15382 							  MAX_NL80211_PKTPAT,
15383 							  pat,
15384 							  nl80211_packet_pattern_policy,
15385 							  info->extack);
15386 			if (err)
15387 				goto error;
15388 
15389 			err = -EINVAL;
15390 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
15391 			    !pat_tb[NL80211_PKTPAT_PATTERN])
15392 				goto error;
15393 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15394 			mask_len = DIV_ROUND_UP(pat_len, 8);
15395 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15396 				goto error;
15397 			if (pat_len > wowlan->pattern_max_len ||
15398 			    pat_len < wowlan->pattern_min_len)
15399 				goto error;
15400 
15401 			pkt_offset =
15402 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15403 						    0);
15404 			if (pkt_offset > wowlan->max_pkt_offset)
15405 				goto error;
15406 			new_triggers.patterns[i].pkt_offset = pkt_offset;
15407 
15408 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15409 			if (!mask_pat) {
15410 				err = -ENOMEM;
15411 				goto error;
15412 			}
15413 			new_triggers.patterns[i].mask = mask_pat;
15414 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15415 			       mask_len);
15416 			mask_pat += mask_len;
15417 			new_triggers.patterns[i].pattern = mask_pat;
15418 			new_triggers.patterns[i].pattern_len = pat_len;
15419 			memcpy(mask_pat,
15420 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15421 			       pat_len);
15422 			i++;
15423 		}
15424 	}
15425 
15426 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
15427 		regular = true;
15428 		err = nl80211_parse_wowlan_tcp(
15429 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
15430 			&new_triggers);
15431 		if (err)
15432 			goto error;
15433 	}
15434 
15435 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15436 		regular = true;
15437 		err = nl80211_parse_wowlan_nd(
15438 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15439 			&new_triggers);
15440 		if (err)
15441 			goto error;
15442 	}
15443 
15444 	/* The 'any' trigger means the device continues operating more or less
15445 	 * as in its normal operation mode and wakes up the host on most of the
15446 	 * normal interrupts (like packet RX, ...)
15447 	 * It therefore makes little sense to combine with the more constrained
15448 	 * wakeup trigger modes.
15449 	 */
15450 	if (new_triggers.any && regular) {
15451 		err = -EINVAL;
15452 		goto error;
15453 	}
15454 
15455 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15456 	if (!ntrig) {
15457 		err = -ENOMEM;
15458 		goto error;
15459 	}
15460 	cfg80211_rdev_free_wowlan(rdev);
15461 	rdev->wiphy.wowlan_config = ntrig;
15462 
15463  set_wakeup:
15464 	if (rdev->ops->set_wakeup &&
15465 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15466 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15467 
15468 	return 0;
15469  error:
15470 	for (i = 0; i < new_triggers.n_patterns; i++)
15471 		kfree(new_triggers.patterns[i].mask);
15472 	kfree(new_triggers.patterns);
15473 	if (new_triggers.tcp && new_triggers.tcp->sock)
15474 		sock_release(new_triggers.tcp->sock);
15475 	kfree(new_triggers.tcp);
15476 	kfree(new_triggers.nd_config);
15477 	return err;
15478 }
15479 #endif
15480 
15481 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15482 				       struct cfg80211_registered_device *rdev)
15483 {
15484 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15485 	int i, j, pat_len;
15486 	struct cfg80211_coalesce_rules *rule;
15487 
15488 	if (!rdev->coalesce->n_rules)
15489 		return 0;
15490 
15491 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15492 	if (!nl_rules)
15493 		return -ENOBUFS;
15494 
15495 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15496 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15497 		if (!nl_rule)
15498 			return -ENOBUFS;
15499 
15500 		rule = &rdev->coalesce->rules[i];
15501 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15502 				rule->delay))
15503 			return -ENOBUFS;
15504 
15505 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15506 				rule->condition))
15507 			return -ENOBUFS;
15508 
15509 		nl_pats = nla_nest_start_noflag(msg,
15510 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15511 		if (!nl_pats)
15512 			return -ENOBUFS;
15513 
15514 		for (j = 0; j < rule->n_patterns; j++) {
15515 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15516 			if (!nl_pat)
15517 				return -ENOBUFS;
15518 			pat_len = rule->patterns[j].pattern_len;
15519 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15520 				    DIV_ROUND_UP(pat_len, 8),
15521 				    rule->patterns[j].mask) ||
15522 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15523 				    rule->patterns[j].pattern) ||
15524 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15525 					rule->patterns[j].pkt_offset))
15526 				return -ENOBUFS;
15527 			nla_nest_end(msg, nl_pat);
15528 		}
15529 		nla_nest_end(msg, nl_pats);
15530 		nla_nest_end(msg, nl_rule);
15531 	}
15532 	nla_nest_end(msg, nl_rules);
15533 
15534 	return 0;
15535 }
15536 
15537 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15538 {
15539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15540 	struct sk_buff *msg;
15541 	void *hdr;
15542 
15543 	if (!rdev->wiphy.coalesce)
15544 		return -EOPNOTSUPP;
15545 
15546 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15547 	if (!msg)
15548 		return -ENOMEM;
15549 
15550 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15551 			     NL80211_CMD_GET_COALESCE);
15552 	if (!hdr)
15553 		goto nla_put_failure;
15554 
15555 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15556 		goto nla_put_failure;
15557 
15558 	genlmsg_end(msg, hdr);
15559 	return genlmsg_reply(msg, info);
15560 
15561 nla_put_failure:
15562 	nlmsg_free(msg);
15563 	return -ENOBUFS;
15564 }
15565 
15566 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15567 {
15568 	int i, j;
15569 	struct cfg80211_coalesce_rules *rule;
15570 
15571 	if (!coalesce)
15572 		return;
15573 
15574 	for (i = 0; i < coalesce->n_rules; i++) {
15575 		rule = &coalesce->rules[i];
15576 		for (j = 0; j < rule->n_patterns; j++)
15577 			kfree(rule->patterns[j].mask);
15578 		kfree(rule->patterns);
15579 	}
15580 	kfree(coalesce);
15581 }
15582 
15583 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15584 				       struct nlattr *rule,
15585 				       struct cfg80211_coalesce_rules *new_rule)
15586 {
15587 	int err, i;
15588 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15589 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15590 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15591 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15592 
15593 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15594 					  rule, nl80211_coalesce_policy, NULL);
15595 	if (err)
15596 		return err;
15597 
15598 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15599 		new_rule->delay =
15600 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15601 	if (new_rule->delay > coalesce->max_delay)
15602 		return -EINVAL;
15603 
15604 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15605 		new_rule->condition =
15606 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15607 
15608 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15609 		return -EINVAL;
15610 
15611 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15612 			    rem)
15613 		n_patterns++;
15614 	if (n_patterns > coalesce->n_patterns)
15615 		return -EINVAL;
15616 
15617 	new_rule->patterns = kzalloc_objs(new_rule->patterns[0], n_patterns);
15618 	if (!new_rule->patterns)
15619 		return -ENOMEM;
15620 
15621 	new_rule->n_patterns = n_patterns;
15622 	i = 0;
15623 
15624 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15625 			    rem) {
15626 		u8 *mask_pat;
15627 
15628 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15629 						  pat,
15630 						  nl80211_packet_pattern_policy,
15631 						  NULL);
15632 		if (err)
15633 			return err;
15634 
15635 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15636 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15637 			return -EINVAL;
15638 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15639 		mask_len = DIV_ROUND_UP(pat_len, 8);
15640 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15641 			return -EINVAL;
15642 		if (pat_len > coalesce->pattern_max_len ||
15643 		    pat_len < coalesce->pattern_min_len)
15644 			return -EINVAL;
15645 
15646 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15647 						 0);
15648 		if (pkt_offset > coalesce->max_pkt_offset)
15649 			return -EINVAL;
15650 		new_rule->patterns[i].pkt_offset = pkt_offset;
15651 
15652 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15653 		if (!mask_pat)
15654 			return -ENOMEM;
15655 
15656 		new_rule->patterns[i].mask = mask_pat;
15657 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15658 		       mask_len);
15659 
15660 		mask_pat += mask_len;
15661 		new_rule->patterns[i].pattern = mask_pat;
15662 		new_rule->patterns[i].pattern_len = pat_len;
15663 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15664 		       pat_len);
15665 		i++;
15666 	}
15667 
15668 	return 0;
15669 }
15670 
15671 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15672 {
15673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15674 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15675 	struct cfg80211_coalesce *new_coalesce;
15676 	int err, rem_rule, n_rules = 0, i;
15677 	struct nlattr *rule;
15678 
15679 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15680 		return -EOPNOTSUPP;
15681 
15682 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15683 		cfg80211_free_coalesce(rdev->coalesce);
15684 		rdev->coalesce = NULL;
15685 		rdev_set_coalesce(rdev, NULL);
15686 		return 0;
15687 	}
15688 
15689 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15690 			    rem_rule)
15691 		n_rules++;
15692 	if (n_rules > coalesce->n_rules)
15693 		return -EINVAL;
15694 
15695 	new_coalesce = kzalloc_flex(*new_coalesce, rules, n_rules);
15696 	if (!new_coalesce)
15697 		return -ENOMEM;
15698 
15699 	new_coalesce->n_rules = n_rules;
15700 	i = 0;
15701 
15702 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15703 			    rem_rule) {
15704 		err = nl80211_parse_coalesce_rule(rdev, rule,
15705 						  &new_coalesce->rules[i]);
15706 		if (err)
15707 			goto error;
15708 
15709 		i++;
15710 	}
15711 
15712 	err = rdev_set_coalesce(rdev, new_coalesce);
15713 	if (err)
15714 		goto error;
15715 
15716 	cfg80211_free_coalesce(rdev->coalesce);
15717 	rdev->coalesce = new_coalesce;
15718 
15719 	return 0;
15720 error:
15721 	cfg80211_free_coalesce(new_coalesce);
15722 
15723 	return err;
15724 }
15725 
15726 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15727 {
15728 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15729 	struct net_device *dev = info->user_ptr[1];
15730 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15731 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15732 	struct cfg80211_gtk_rekey_data rekey_data = {};
15733 	int err;
15734 
15735 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15736 		return -EINVAL;
15737 
15738 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15739 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15740 					  nl80211_rekey_policy, info->extack);
15741 	if (err)
15742 		return err;
15743 
15744 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15745 	    !tb[NL80211_REKEY_DATA_KCK])
15746 		return -EINVAL;
15747 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15748 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15749 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15750 		return -ERANGE;
15751 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15752 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15753 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15754 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15755 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15756 		return -ERANGE;
15757 
15758 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15759 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15760 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15761 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15762 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15763 	if (tb[NL80211_REKEY_DATA_AKM])
15764 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15765 
15766 	if (!wdev->connected)
15767 		return -ENOTCONN;
15768 
15769 	if (!rdev->ops->set_rekey_data)
15770 		return -EOPNOTSUPP;
15771 
15772 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15773 }
15774 
15775 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15776 					     struct genl_info *info)
15777 {
15778 	struct net_device *dev = info->user_ptr[1];
15779 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15780 
15781 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15782 	    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
15783 	    wdev->iftype != NL80211_IFTYPE_NAN_DATA)
15784 		return -EINVAL;
15785 
15786 	if (wdev->unexpected_nlportid)
15787 		return -EBUSY;
15788 
15789 	wdev->unexpected_nlportid = info->snd_portid;
15790 	return 0;
15791 }
15792 
15793 static int nl80211_probe_client(struct sk_buff *skb,
15794 				struct genl_info *info)
15795 {
15796 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15797 	struct net_device *dev = info->user_ptr[1];
15798 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15799 	struct sk_buff *msg;
15800 	void *hdr;
15801 	const u8 *addr;
15802 	u64 cookie;
15803 	int err;
15804 
15805 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15806 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15807 		return -EOPNOTSUPP;
15808 
15809 	if (!info->attrs[NL80211_ATTR_MAC])
15810 		return -EINVAL;
15811 
15812 	if (!rdev->ops->probe_client)
15813 		return -EOPNOTSUPP;
15814 
15815 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15816 	if (!msg)
15817 		return -ENOMEM;
15818 
15819 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15820 			     NL80211_CMD_PROBE_CLIENT);
15821 	if (!hdr) {
15822 		err = -ENOBUFS;
15823 		goto free_msg;
15824 	}
15825 
15826 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15827 
15828 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15829 	if (err)
15830 		goto free_msg;
15831 
15832 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15833 			      NL80211_ATTR_PAD))
15834 		goto nla_put_failure;
15835 
15836 	genlmsg_end(msg, hdr);
15837 
15838 	return genlmsg_reply(msg, info);
15839 
15840  nla_put_failure:
15841 	err = -ENOBUFS;
15842  free_msg:
15843 	nlmsg_free(msg);
15844 	return err;
15845 }
15846 
15847 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15848 {
15849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15850 	struct cfg80211_beacon_registration *reg, *nreg;
15851 	int rv;
15852 
15853 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15854 		return -EOPNOTSUPP;
15855 
15856 	nreg = kzalloc_obj(*nreg);
15857 	if (!nreg)
15858 		return -ENOMEM;
15859 
15860 	/* First, check if already registered. */
15861 	spin_lock_bh(&rdev->beacon_registrations_lock);
15862 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15863 		if (reg->nlportid == info->snd_portid) {
15864 			rv = -EALREADY;
15865 			goto out_err;
15866 		}
15867 	}
15868 	/* Add it to the list */
15869 	nreg->nlportid = info->snd_portid;
15870 	list_add(&nreg->list, &rdev->beacon_registrations);
15871 
15872 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15873 
15874 	return 0;
15875 out_err:
15876 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15877 	kfree(nreg);
15878 	return rv;
15879 }
15880 
15881 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15882 {
15883 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15884 	struct wireless_dev *wdev = info->user_ptr[1];
15885 	int err;
15886 
15887 	if (!rdev->ops->start_p2p_device)
15888 		return -EOPNOTSUPP;
15889 
15890 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15891 		return -EOPNOTSUPP;
15892 
15893 	if (wdev_running(wdev))
15894 		return 0;
15895 
15896 	if (rfkill_blocked(rdev->wiphy.rfkill))
15897 		return -ERFKILL;
15898 
15899 	err = rdev_start_p2p_device(rdev, wdev);
15900 	if (err)
15901 		return err;
15902 
15903 	wdev->is_running = true;
15904 	rdev->opencount++;
15905 
15906 	return 0;
15907 }
15908 
15909 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15910 {
15911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15912 	struct wireless_dev *wdev = info->user_ptr[1];
15913 
15914 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15915 		return -EOPNOTSUPP;
15916 
15917 	if (!rdev->ops->stop_p2p_device)
15918 		return -EOPNOTSUPP;
15919 
15920 	cfg80211_stop_p2p_device(rdev, wdev);
15921 
15922 	return 0;
15923 }
15924 
15925 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
15926 							 int freq)
15927 {
15928 	struct ieee80211_channel *chan;
15929 	struct cfg80211_chan_def def;
15930 
15931 	/* Check if the frequency is valid for NAN */
15932 	if (freq != 5220 && freq != 5745 && freq != 2437)
15933 		return NULL;
15934 
15935 	chan = ieee80211_get_channel(wiphy, freq);
15936 	if (!chan)
15937 		return NULL;
15938 
15939 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
15940 
15941 	/* Check if the channel is allowed */
15942 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
15943 		return chan;
15944 
15945 	return NULL;
15946 }
15947 
15948 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
15949 					 struct nlattr **tb,
15950 					 struct cfg80211_nan_band_config *cfg,
15951 					 enum nl80211_band band)
15952 {
15953 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
15954 		return -EINVAL;
15955 
15956 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
15957 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
15958 
15959 		if (band != NL80211_BAND_5GHZ)
15960 			return -EINVAL;
15961 
15962 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
15963 		if (!cfg->chan)
15964 			return -EINVAL;
15965 	}
15966 
15967 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
15968 		cfg->rssi_close =
15969 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
15970 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
15971 			return -EINVAL;
15972 	}
15973 
15974 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
15975 		cfg->rssi_middle =
15976 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
15977 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
15978 			return -EINVAL;
15979 	}
15980 
15981 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
15982 		cfg->awake_dw_interval =
15983 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
15984 
15985 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
15986 			return -EINVAL;
15987 	}
15988 
15989 	cfg->disable_scan =
15990 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
15991 	return 0;
15992 }
15993 
15994 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
15995 				  struct genl_info *info,
15996 				  struct cfg80211_nan_conf *conf,
15997 				  u32 *changed_flags,
15998 				  bool start)
15999 {
16000 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
16001 	int err, rem;
16002 	u32 changed = 0;
16003 	struct nlattr *band_config;
16004 
16005 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
16006 		conf->master_pref =
16007 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
16008 
16009 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
16010 	}
16011 
16012 	if (info->attrs[NL80211_ATTR_BANDS]) {
16013 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
16014 
16015 		if (bands & ~(u32)wiphy->nan_supported_bands)
16016 			return -EOPNOTSUPP;
16017 
16018 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
16019 			return -EINVAL;
16020 
16021 		conf->bands = bands;
16022 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
16023 	}
16024 
16025 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
16026 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
16027 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
16028 
16029 	/* On 2.4 GHz band use channel 6 */
16030 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
16031 		nl80211_get_nan_channel(wiphy, 2437);
16032 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
16033 		return -EINVAL;
16034 
16035 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
16036 		goto out;
16037 
16038 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
16039 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
16040 			       info->extack);
16041 	if (err)
16042 		return err;
16043 
16044 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
16045 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID] && start) {
16046 		ether_addr_copy(conf->cluster_id,
16047 				nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]));
16048 	} else if (start) {
16049 		conf->cluster_id[0] = 0x50;
16050 		conf->cluster_id[1] = 0x6f;
16051 		conf->cluster_id[2] = 0x9a;
16052 		conf->cluster_id[3] = 0x01;
16053 		get_random_bytes(&conf->cluster_id[4], 2);
16054 	}
16055 
16056 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
16057 		conf->extra_nan_attrs =
16058 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
16059 		conf->extra_nan_attrs_len =
16060 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
16061 	}
16062 
16063 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
16064 		conf->vendor_elems =
16065 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
16066 		conf->vendor_elems_len =
16067 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
16068 	}
16069 
16070 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
16071 		nla_for_each_nested(band_config,
16072 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
16073 				    rem) {
16074 			enum nl80211_band band;
16075 			struct cfg80211_nan_band_config *cfg;
16076 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
16077 
16078 			err = nla_parse_nested(tb,
16079 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
16080 					       band_config, NULL,
16081 					       info->extack);
16082 			if (err)
16083 				return err;
16084 
16085 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
16086 				return -EINVAL;
16087 
16088 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
16089 			if (conf->bands && !(conf->bands & BIT(band)))
16090 				return -EINVAL;
16091 
16092 			cfg = &conf->band_cfgs[band];
16093 
16094 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
16095 							    band);
16096 			if (err)
16097 				return err;
16098 		}
16099 	}
16100 
16101 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
16102 		conf->scan_period =
16103 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
16104 
16105 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
16106 		conf->scan_dwell_time =
16107 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
16108 
16109 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
16110 		conf->discovery_beacon_interval =
16111 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
16112 
16113 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
16114 		conf->enable_dw_notification =
16115 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
16116 
16117 out:
16118 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
16119 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
16120 		/* If no 5GHz channel is specified use default, if possible */
16121 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
16122 				nl80211_get_nan_channel(wiphy, 5745);
16123 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
16124 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
16125 					nl80211_get_nan_channel(wiphy, 5220);
16126 
16127 		/* Return error if user space asked explicitly for 5 GHz */
16128 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
16129 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
16130 			NL_SET_ERR_MSG_ATTR(info->extack,
16131 					    info->attrs[NL80211_ATTR_BANDS],
16132 					    "5 GHz band operation is not allowed");
16133 			return -EINVAL;
16134 		}
16135 	}
16136 
16137 	if (changed_flags)
16138 		*changed_flags = changed;
16139 
16140 	return 0;
16141 }
16142 
16143 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
16144 {
16145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16146 	struct wireless_dev *wdev = info->user_ptr[1];
16147 	struct cfg80211_nan_conf conf = {};
16148 	int err;
16149 
16150 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16151 		return -EOPNOTSUPP;
16152 
16153 	if (wdev_running(wdev))
16154 		return -EEXIST;
16155 
16156 	if (rfkill_blocked(rdev->wiphy.rfkill))
16157 		return -ERFKILL;
16158 
16159 	/* Master preference is mandatory for START_NAN */
16160 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
16161 		return -EINVAL;
16162 
16163 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL, true);
16164 	if (err)
16165 		return err;
16166 
16167 	err = rdev_start_nan(rdev, wdev, &conf);
16168 	if (err)
16169 		return err;
16170 
16171 	wdev->is_running = true;
16172 	rdev->opencount++;
16173 
16174 	return 0;
16175 }
16176 
16177 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
16178 {
16179 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16180 	struct wireless_dev *wdev = info->user_ptr[1];
16181 
16182 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16183 		return -EOPNOTSUPP;
16184 
16185 	cfg80211_close_dependents(rdev, wdev);
16186 
16187 	guard(wiphy)(&rdev->wiphy);
16188 
16189 	cfg80211_stop_nan(rdev, wdev);
16190 
16191 	return 0;
16192 }
16193 
16194 static int validate_nan_filter(struct nlattr *filter_attr)
16195 {
16196 	struct nlattr *attr;
16197 	int len = 0, n_entries = 0, rem;
16198 
16199 	nla_for_each_nested(attr, filter_attr, rem) {
16200 		len += nla_len(attr);
16201 		n_entries++;
16202 	}
16203 
16204 	if (len >= U8_MAX)
16205 		return -EINVAL;
16206 
16207 	return n_entries;
16208 }
16209 
16210 static int handle_nan_filter(struct nlattr *attr_filter,
16211 			     struct cfg80211_nan_func *func,
16212 			     bool tx)
16213 {
16214 	struct nlattr *attr;
16215 	int n_entries, rem, i;
16216 	struct cfg80211_nan_func_filter *filter;
16217 
16218 	n_entries = validate_nan_filter(attr_filter);
16219 	if (n_entries < 0)
16220 		return n_entries;
16221 
16222 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
16223 
16224 	filter = kzalloc_objs(*func->rx_filters, n_entries);
16225 	if (!filter)
16226 		return -ENOMEM;
16227 
16228 	i = 0;
16229 	nla_for_each_nested(attr, attr_filter, rem) {
16230 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
16231 		if (!filter[i].filter)
16232 			goto err;
16233 
16234 		filter[i].len = nla_len(attr);
16235 		i++;
16236 	}
16237 	if (tx) {
16238 		func->num_tx_filters = n_entries;
16239 		func->tx_filters = filter;
16240 	} else {
16241 		func->num_rx_filters = n_entries;
16242 		func->rx_filters = filter;
16243 	}
16244 
16245 	return 0;
16246 
16247 err:
16248 	i = 0;
16249 	nla_for_each_nested(attr, attr_filter, rem) {
16250 		kfree(filter[i].filter);
16251 		i++;
16252 	}
16253 	kfree(filter);
16254 	return -ENOMEM;
16255 }
16256 
16257 static int nl80211_nan_add_func(struct sk_buff *skb,
16258 				struct genl_info *info)
16259 {
16260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16261 	struct wireless_dev *wdev = info->user_ptr[1];
16262 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
16263 	struct cfg80211_nan_func *func;
16264 	struct sk_buff *msg = NULL;
16265 	void *hdr = NULL;
16266 	int err = 0;
16267 
16268 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16269 		return -EOPNOTSUPP;
16270 
16271 	if (!wdev_running(wdev))
16272 		return -ENOTCONN;
16273 
16274 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
16275 		return -EINVAL;
16276 
16277 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
16278 					  info->attrs[NL80211_ATTR_NAN_FUNC],
16279 					  nl80211_nan_func_policy,
16280 					  info->extack);
16281 	if (err)
16282 		return err;
16283 
16284 	func = kzalloc_obj(*func);
16285 	if (!func)
16286 		return -ENOMEM;
16287 
16288 	func->cookie = cfg80211_assign_cookie(rdev);
16289 
16290 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
16291 		err = -EINVAL;
16292 		goto out;
16293 	}
16294 
16295 
16296 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
16297 
16298 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
16299 		err = -EINVAL;
16300 		goto out;
16301 	}
16302 
16303 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
16304 	       sizeof(func->service_id));
16305 
16306 	func->close_range =
16307 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
16308 
16309 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
16310 		func->serv_spec_info_len =
16311 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
16312 		func->serv_spec_info =
16313 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
16314 				func->serv_spec_info_len,
16315 				GFP_KERNEL);
16316 		if (!func->serv_spec_info) {
16317 			err = -ENOMEM;
16318 			goto out;
16319 		}
16320 	}
16321 
16322 	if (tb[NL80211_NAN_FUNC_TTL])
16323 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
16324 
16325 	switch (func->type) {
16326 	case NL80211_NAN_FUNC_PUBLISH:
16327 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
16328 			err = -EINVAL;
16329 			goto out;
16330 		}
16331 
16332 		func->publish_type =
16333 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
16334 		func->publish_bcast =
16335 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
16336 
16337 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
16338 			func->publish_bcast) {
16339 			err = -EINVAL;
16340 			goto out;
16341 		}
16342 		break;
16343 	case NL80211_NAN_FUNC_SUBSCRIBE:
16344 		func->subscribe_active =
16345 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
16346 		break;
16347 	case NL80211_NAN_FUNC_FOLLOW_UP:
16348 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
16349 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
16350 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
16351 			err = -EINVAL;
16352 			goto out;
16353 		}
16354 
16355 		func->followup_id =
16356 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
16357 		func->followup_reqid =
16358 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
16359 		memcpy(func->followup_dest.addr,
16360 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
16361 		       sizeof(func->followup_dest.addr));
16362 		if (func->ttl) {
16363 			err = -EINVAL;
16364 			goto out;
16365 		}
16366 		break;
16367 	default:
16368 		err = -EINVAL;
16369 		goto out;
16370 	}
16371 
16372 	if (tb[NL80211_NAN_FUNC_SRF]) {
16373 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
16374 
16375 		err = nla_parse_nested_deprecated(srf_tb,
16376 						  NL80211_NAN_SRF_ATTR_MAX,
16377 						  tb[NL80211_NAN_FUNC_SRF],
16378 						  nl80211_nan_srf_policy,
16379 						  info->extack);
16380 		if (err)
16381 			goto out;
16382 
16383 		func->srf_include =
16384 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
16385 
16386 		if (srf_tb[NL80211_NAN_SRF_BF]) {
16387 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
16388 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
16389 				err = -EINVAL;
16390 				goto out;
16391 			}
16392 
16393 			func->srf_bf_len =
16394 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
16395 			func->srf_bf =
16396 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
16397 					func->srf_bf_len, GFP_KERNEL);
16398 			if (!func->srf_bf) {
16399 				err = -ENOMEM;
16400 				goto out;
16401 			}
16402 
16403 			func->srf_bf_idx =
16404 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
16405 		} else {
16406 			struct nlattr *attr, *mac_attr =
16407 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
16408 			int n_entries, rem, i = 0;
16409 
16410 			if (!mac_attr) {
16411 				err = -EINVAL;
16412 				goto out;
16413 			}
16414 
16415 			n_entries = validate_acl_mac_addrs(mac_attr);
16416 			if (n_entries <= 0) {
16417 				err = -EINVAL;
16418 				goto out;
16419 			}
16420 
16421 			func->srf_num_macs = n_entries;
16422 			func->srf_macs =
16423 				kzalloc_objs(*func->srf_macs, n_entries);
16424 			if (!func->srf_macs) {
16425 				err = -ENOMEM;
16426 				goto out;
16427 			}
16428 
16429 			nla_for_each_nested(attr, mac_attr, rem)
16430 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
16431 				       sizeof(*func->srf_macs));
16432 		}
16433 	}
16434 
16435 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
16436 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
16437 					func, true);
16438 		if (err)
16439 			goto out;
16440 	}
16441 
16442 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
16443 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
16444 					func, false);
16445 		if (err)
16446 			goto out;
16447 	}
16448 
16449 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16450 	if (!msg) {
16451 		err = -ENOMEM;
16452 		goto out;
16453 	}
16454 
16455 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16456 			     NL80211_CMD_ADD_NAN_FUNCTION);
16457 	/* This can't really happen - we just allocated 4KB */
16458 	if (WARN_ON(!hdr)) {
16459 		err = -ENOMEM;
16460 		goto out;
16461 	}
16462 
16463 	err = rdev_add_nan_func(rdev, wdev, func);
16464 out:
16465 	if (err < 0) {
16466 		cfg80211_free_nan_func(func);
16467 		nlmsg_free(msg);
16468 		return err;
16469 	}
16470 
16471 	/* propagate the instance id and cookie to userspace  */
16472 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16473 			      NL80211_ATTR_PAD))
16474 		goto nla_put_failure;
16475 
16476 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16477 	if (!func_attr)
16478 		goto nla_put_failure;
16479 
16480 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16481 		       func->instance_id))
16482 		goto nla_put_failure;
16483 
16484 	nla_nest_end(msg, func_attr);
16485 
16486 	genlmsg_end(msg, hdr);
16487 	return genlmsg_reply(msg, info);
16488 
16489 nla_put_failure:
16490 	nlmsg_free(msg);
16491 	return -ENOBUFS;
16492 }
16493 
16494 static int nl80211_nan_del_func(struct sk_buff *skb,
16495 			       struct genl_info *info)
16496 {
16497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16498 	struct wireless_dev *wdev = info->user_ptr[1];
16499 	u64 cookie;
16500 
16501 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16502 		return -EOPNOTSUPP;
16503 
16504 	if (!wdev_running(wdev))
16505 		return -ENOTCONN;
16506 
16507 	if (!info->attrs[NL80211_ATTR_COOKIE])
16508 		return -EINVAL;
16509 
16510 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16511 
16512 	rdev_del_nan_func(rdev, wdev, cookie);
16513 
16514 	return 0;
16515 }
16516 
16517 static int nl80211_nan_change_config(struct sk_buff *skb,
16518 				     struct genl_info *info)
16519 {
16520 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16521 	struct wireless_dev *wdev = info->user_ptr[1];
16522 	struct cfg80211_nan_conf conf = {};
16523 	u32 changed = 0;
16524 	int err;
16525 
16526 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16527 		return -EOPNOTSUPP;
16528 
16529 	if (!wdev_running(wdev))
16530 		return -ENOTCONN;
16531 
16532 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed, false);
16533 	if (err)
16534 		return err;
16535 
16536 	if (!changed)
16537 		return -EINVAL;
16538 
16539 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16540 }
16541 
16542 void cfg80211_nan_match(struct wireless_dev *wdev,
16543 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16544 {
16545 	struct wiphy *wiphy = wdev->wiphy;
16546 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16547 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16548 	struct sk_buff *msg;
16549 	void *hdr;
16550 
16551 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16552 		return;
16553 
16554 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16555 		return;
16556 
16557 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16558 	if (!msg)
16559 		return;
16560 
16561 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16562 	if (!hdr) {
16563 		nlmsg_free(msg);
16564 		return;
16565 	}
16566 
16567 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16568 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16569 					 wdev->netdev->ifindex)) ||
16570 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16571 			      NL80211_ATTR_PAD))
16572 		goto nla_put_failure;
16573 
16574 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16575 			      NL80211_ATTR_PAD) ||
16576 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16577 		goto nla_put_failure;
16578 
16579 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16580 	if (!match_attr)
16581 		goto nla_put_failure;
16582 
16583 	local_func_attr = nla_nest_start_noflag(msg,
16584 						NL80211_NAN_MATCH_FUNC_LOCAL);
16585 	if (!local_func_attr)
16586 		goto nla_put_failure;
16587 
16588 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16589 		goto nla_put_failure;
16590 
16591 	nla_nest_end(msg, local_func_attr);
16592 
16593 	peer_func_attr = nla_nest_start_noflag(msg,
16594 					       NL80211_NAN_MATCH_FUNC_PEER);
16595 	if (!peer_func_attr)
16596 		goto nla_put_failure;
16597 
16598 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16599 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16600 		goto nla_put_failure;
16601 
16602 	if (match->info && match->info_len &&
16603 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16604 		    match->info))
16605 		goto nla_put_failure;
16606 
16607 	nla_nest_end(msg, peer_func_attr);
16608 	nla_nest_end(msg, match_attr);
16609 	genlmsg_end(msg, hdr);
16610 
16611 	if (!wdev->owner_nlportid)
16612 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16613 					msg, 0, NL80211_MCGRP_NAN, gfp);
16614 	else
16615 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16616 				wdev->owner_nlportid);
16617 
16618 	return;
16619 
16620 nla_put_failure:
16621 	nlmsg_free(msg);
16622 }
16623 EXPORT_SYMBOL(cfg80211_nan_match);
16624 
16625 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
16626 				  u8 inst_id,
16627 				  enum nl80211_nan_func_term_reason reason,
16628 				  u64 cookie, gfp_t gfp)
16629 {
16630 	struct wiphy *wiphy = wdev->wiphy;
16631 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16632 	struct sk_buff *msg;
16633 	struct nlattr *func_attr;
16634 	void *hdr;
16635 
16636 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16637 		return;
16638 
16639 	if (WARN_ON(!inst_id))
16640 		return;
16641 
16642 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16643 	if (!msg)
16644 		return;
16645 
16646 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
16647 	if (!hdr) {
16648 		nlmsg_free(msg);
16649 		return;
16650 	}
16651 
16652 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16653 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16654 					 wdev->netdev->ifindex)) ||
16655 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16656 			      NL80211_ATTR_PAD))
16657 		goto nla_put_failure;
16658 
16659 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16660 			      NL80211_ATTR_PAD))
16661 		goto nla_put_failure;
16662 
16663 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16664 	if (!func_attr)
16665 		goto nla_put_failure;
16666 
16667 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
16668 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
16669 		goto nla_put_failure;
16670 
16671 	nla_nest_end(msg, func_attr);
16672 	genlmsg_end(msg, hdr);
16673 
16674 	if (!wdev->owner_nlportid)
16675 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16676 					msg, 0, NL80211_MCGRP_NAN, gfp);
16677 	else
16678 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16679 				wdev->owner_nlportid);
16680 
16681 	return;
16682 
16683 nla_put_failure:
16684 	nlmsg_free(msg);
16685 }
16686 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
16687 
16688 void cfg80211_nan_sched_update_done(struct wireless_dev *wdev, bool success,
16689 				    gfp_t gfp)
16690 {
16691 	struct wiphy *wiphy = wdev->wiphy;
16692 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16693 	struct sk_buff *msg;
16694 	void *hdr;
16695 
16696 	trace_cfg80211_nan_sched_update_done(wiphy, wdev, success);
16697 
16698 	/* Can happen if we stopped NAN */
16699 	if (!wdev->u.nan.sched_update_pending)
16700 		return;
16701 
16702 	wdev->u.nan.sched_update_pending = false;
16703 
16704 	if (!wdev->owner_nlportid)
16705 		return;
16706 
16707 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16708 	if (!msg)
16709 		return;
16710 
16711 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_SCHED_UPDATE_DONE);
16712 	if (!hdr)
16713 		goto nla_put_failure;
16714 
16715 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16716 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16717 			      NL80211_ATTR_PAD) ||
16718 	    (success &&
16719 	     nla_put_flag(msg, NL80211_ATTR_NAN_SCHED_UPDATE_SUCCESS)))
16720 		goto nla_put_failure;
16721 
16722 	genlmsg_end(msg, hdr);
16723 
16724 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
16725 
16726 	return;
16727 
16728 nla_put_failure:
16729 	nlmsg_free(msg);
16730 }
16731 EXPORT_SYMBOL(cfg80211_nan_sched_update_done);
16732 
16733 static int nl80211_parse_nan_channel(struct cfg80211_registered_device *rdev,
16734 				     struct nlattr *channel,
16735 				     struct genl_info *info,
16736 				     struct cfg80211_nan_channel *nan_channels,
16737 				     u8 index, bool local)
16738 {
16739 	struct nlattr **channel_parsed __free(kfree) = NULL;
16740 	struct cfg80211_chan_def chandef;
16741 	u8 n_rx_nss;
16742 	int ret;
16743 
16744 	channel_parsed = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*channel_parsed),
16745 				 GFP_KERNEL);
16746 	if (!channel_parsed)
16747 		return -ENOMEM;
16748 
16749 	ret = nla_parse_nested(channel_parsed, NL80211_ATTR_MAX, channel, NULL,
16750 			       info->extack);
16751 	if (ret)
16752 		return ret;
16753 
16754 	ret = nl80211_parse_chandef(rdev, info->extack, channel_parsed,
16755 				    &chandef);
16756 	if (ret)
16757 		return ret;
16758 
16759 	if (chandef.chan->band == NL80211_BAND_6GHZ) {
16760 		NL_SET_ERR_MSG(info->extack,
16761 			       "6 GHz band is not supported");
16762 		return -EOPNOTSUPP;
16763 	}
16764 
16765 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef,
16766 				     NL80211_IFTYPE_NAN)) {
16767 		NL_SET_ERR_MSG_ATTR(info->extack, channel,
16768 				    "Channel in NAN schedule is not allowed for NAN operation");
16769 		return -EINVAL;
16770 	}
16771 
16772 	if (local) {
16773 		for (int i = 0; i < index; i++) {
16774 			if (cfg80211_chandef_compatible(&nan_channels[i].chandef,
16775 							&chandef)) {
16776 				NL_SET_ERR_MSG_ATTR(info->extack, channel,
16777 						    "Channels in NAN schedule must be mutually incompatible");
16778 				return -EINVAL;
16779 			}
16780 		}
16781 	}
16782 
16783 	if (!channel_parsed[NL80211_ATTR_NAN_CHANNEL_ENTRY]) {
16784 		NL_SET_ERR_MSG(info->extack,
16785 			       "Missing NAN channel entry attribute");
16786 		return -EINVAL;
16787 	}
16788 
16789 	nan_channels[index].channel_entry =
16790 		nla_data(channel_parsed[NL80211_ATTR_NAN_CHANNEL_ENTRY]);
16791 
16792 	if (!channel_parsed[NL80211_ATTR_NAN_RX_NSS]) {
16793 		NL_SET_ERR_MSG(info->extack,
16794 			       "Missing NAN RX NSS attribute");
16795 		return -EINVAL;
16796 	}
16797 
16798 	nan_channels[index].rx_nss =
16799 		nla_get_u8(channel_parsed[NL80211_ATTR_NAN_RX_NSS]);
16800 
16801 	n_rx_nss = u8_get_bits(rdev->wiphy.nan_capa.n_antennas, 0x03);
16802 	if ((local && nan_channels[index].rx_nss > n_rx_nss) ||
16803 	    !nan_channels[index].rx_nss) {
16804 		NL_SET_ERR_MSG_ATTR(info->extack, channel,
16805 				    "Invalid RX NSS in NAN channel definition");
16806 		return -EINVAL;
16807 	}
16808 
16809 	nan_channels[index].chandef = chandef;
16810 
16811 	return 0;
16812 }
16813 
16814 static int
16815 nl80211_parse_nan_schedule(struct genl_info *info, struct nlattr *slots_attr,
16816 			   u8 schedule[CFG80211_NAN_SCHED_NUM_TIME_SLOTS],
16817 			   u8 n_channels)
16818 {
16819 	if (WARN_ON(nla_len(slots_attr) != CFG80211_NAN_SCHED_NUM_TIME_SLOTS))
16820 		return -EINVAL;
16821 
16822 	memcpy(schedule, nla_data(slots_attr), nla_len(slots_attr));
16823 
16824 	for (int slot = 0; slot < CFG80211_NAN_SCHED_NUM_TIME_SLOTS; slot++) {
16825 		if (schedule[slot] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT &&
16826 		    schedule[slot] >= n_channels) {
16827 			NL_SET_ERR_MSG_FMT(info->extack,
16828 					   "Invalid time slot: slot %d refers to channel index %d, n_channels=%d",
16829 					   slot, schedule[slot], n_channels);
16830 			return -EINVAL;
16831 		}
16832 	}
16833 
16834 	return 0;
16835 }
16836 
16837 static int
16838 nl80211_parse_nan_peer_map(struct genl_info *info, struct nlattr *map_attr,
16839 			   struct cfg80211_nan_peer_map *map, u8 n_channels)
16840 {
16841 	struct nlattr *tb[NL80211_NAN_PEER_MAP_ATTR_MAX + 1];
16842 	int ret;
16843 
16844 	ret = nla_parse_nested(tb, NL80211_NAN_PEER_MAP_ATTR_MAX, map_attr,
16845 			       nl80211_nan_peer_map_policy, info->extack);
16846 	if (ret)
16847 		return ret;
16848 
16849 	if (!tb[NL80211_NAN_PEER_MAP_ATTR_MAP_ID] ||
16850 	    !tb[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS]) {
16851 		NL_SET_ERR_MSG(info->extack,
16852 			       "Missing required peer map attributes");
16853 		return -EINVAL;
16854 	}
16855 
16856 	map->map_id = nla_get_u8(tb[NL80211_NAN_PEER_MAP_ATTR_MAP_ID]);
16857 
16858 	/* Parse schedule */
16859 	return nl80211_parse_nan_schedule(info,
16860 					  tb[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS],
16861 					  map->schedule, n_channels);
16862 }
16863 
16864 static int nl80211_nan_validate_map_pair(struct wiphy *wiphy,
16865 					 struct genl_info *info,
16866 					 const struct cfg80211_nan_peer_map *map1,
16867 					 const struct cfg80211_nan_peer_map *map2,
16868 					 struct cfg80211_nan_channel *nan_channels)
16869 {
16870 	/* Check for duplicate map_id */
16871 	if (map1->map_id == map2->map_id) {
16872 		NL_SET_ERR_MSG_FMT(info->extack, "Duplicate map_id %u",
16873 				   map1->map_id);
16874 		return -EINVAL;
16875 	}
16876 
16877 	/* Check for compatible channels between maps */
16878 	for (int i = 0; i < ARRAY_SIZE(map1->schedule); i++) {
16879 		if (map1->schedule[i] == NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
16880 			continue;
16881 
16882 		for (int j = 0; j < ARRAY_SIZE(map2->schedule); j++) {
16883 			u8 ch1 = map1->schedule[i];
16884 			u8 ch2 = map2->schedule[j];
16885 
16886 			if (ch2 == NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
16887 				continue;
16888 
16889 			if (cfg80211_chandef_compatible(&nan_channels[ch1].chandef,
16890 							&nan_channels[ch2].chandef)) {
16891 				NL_SET_ERR_MSG_FMT(info->extack,
16892 						   "Maps %u and %u have compatible channels %d and %d",
16893 						   map1->map_id, map2->map_id,
16894 						   ch1, ch2);
16895 				return -EINVAL;
16896 			}
16897 		}
16898 	}
16899 
16900 	/*
16901 	 * Check for conflicting time slots between maps.
16902 	 * Only check for single-radio devices (n_radio <= 1) which cannot
16903 	 * operate on multiple channels simultaneously.
16904 	 */
16905 	if (wiphy->n_radio > 1)
16906 		return 0;
16907 
16908 	for (int i = 0; i < ARRAY_SIZE(map1->schedule); i++) {
16909 		if (map1->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT &&
16910 		    map2->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT) {
16911 			NL_SET_ERR_MSG_FMT(info->extack,
16912 					   "Maps %u and %u both schedule slot %d",
16913 					   map1->map_id, map2->map_id, i);
16914 			return -EINVAL;
16915 		}
16916 	}
16917 
16918 	return 0;
16919 }
16920 
16921 static int nl80211_nan_set_peer_sched(struct sk_buff *skb,
16922 				      struct genl_info *info)
16923 {
16924 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16925 	struct cfg80211_nan_channel *nan_channels __free(kfree) = NULL;
16926 	struct cfg80211_nan_peer_sched sched = {};
16927 	struct wireless_dev *wdev = info->user_ptr[1];
16928 	struct nlattr *map_attr, *channel;
16929 	int ret, n_maps = 0, n_channels = 0, i = 0, rem;
16930 
16931 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16932 		return -EOPNOTSUPP;
16933 
16934 	if (!info->attrs[NL80211_ATTR_MAC] ||
16935 	    !info->attrs[NL80211_ATTR_NAN_COMMITTED_DW]) {
16936 		NL_SET_ERR_MSG(info->extack,
16937 			       "Required NAN peer schedule attributes are missing");
16938 		return -EINVAL;
16939 	}
16940 
16941 	/* First count how many channel attributes we got */
16942 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
16943 				 info->nlhdr, GENL_HDRLEN, rem)
16944 		n_channels++;
16945 
16946 	if (!((info->attrs[NL80211_ATTR_NAN_SEQ_ID] &&
16947 	       info->attrs[NL80211_ATTR_NAN_PEER_MAPS] && n_channels) ||
16948 	      ((!info->attrs[NL80211_ATTR_NAN_SEQ_ID] &&
16949 		!info->attrs[NL80211_ATTR_NAN_PEER_MAPS] && !n_channels)))) {
16950 		NL_SET_ERR_MSG(info->extack,
16951 			       "Either provide all of: seq id, channels and maps, or none");
16952 		return -EINVAL;
16953 	}
16954 
16955 	/*
16956 	 * Limit the number of peer channels to:
16957 	 * local_channels * 4 (possible BWs) * 2 (possible NSS values)
16958 	 */
16959 	if (n_channels && n_channels > wdev->u.nan.n_channels * 4 * 2) {
16960 		NL_SET_ERR_MSG_FMT(info->extack,
16961 				   "Too many peer channels: %d (max %d)",
16962 				   n_channels,
16963 				   wdev->u.nan.n_channels * 4 * 2);
16964 		return -EINVAL;
16965 	}
16966 
16967 	if (n_channels) {
16968 		nan_channels = kcalloc(n_channels, sizeof(*nan_channels),
16969 				       GFP_KERNEL);
16970 		if (!nan_channels)
16971 			return -ENOMEM;
16972 	}
16973 
16974 	/* Parse peer channels */
16975 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
16976 				 info->nlhdr, GENL_HDRLEN, rem) {
16977 		bool compatible = false;
16978 
16979 		ret = nl80211_parse_nan_channel(rdev, channel, info,
16980 						nan_channels, i, false);
16981 		if (ret)
16982 			return ret;
16983 
16984 		/* Verify channel is compatible with at least one local channel */
16985 		for (int j = 0; j < wdev->u.nan.n_channels; j++) {
16986 			if (cfg80211_chandef_compatible(&nan_channels[i].chandef,
16987 							&wdev->u.nan.chandefs[j])) {
16988 				compatible = true;
16989 				break;
16990 			}
16991 		}
16992 		if (!compatible) {
16993 			NL_SET_ERR_MSG_FMT(info->extack,
16994 					   "Channel %d not compatible with any local channel",
16995 					   i);
16996 			return -EINVAL;
16997 		}
16998 		i++;
16999 	}
17000 
17001 	sched.n_channels = n_channels;
17002 	sched.nan_channels = nan_channels;
17003 	sched.peer_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17004 	sched.seq_id = nla_get_u8_default(info->attrs[NL80211_ATTR_NAN_SEQ_ID], 0);
17005 	sched.committed_dw = nla_get_u16(info->attrs[NL80211_ATTR_NAN_COMMITTED_DW]);
17006 	sched.max_chan_switch =
17007 		nla_get_u16_default(info->attrs[NL80211_ATTR_NAN_MAX_CHAN_SWITCH_TIME], 0);
17008 
17009 	if (info->attrs[NL80211_ATTR_NAN_ULW]) {
17010 		sched.ulw_size = nla_len(info->attrs[NL80211_ATTR_NAN_ULW]);
17011 		sched.init_ulw = nla_data(info->attrs[NL80211_ATTR_NAN_ULW]);
17012 	}
17013 
17014 	/* Initialize all maps as invalid */
17015 	for (int j = 0; j < ARRAY_SIZE(sched.maps); j++)
17016 		sched.maps[j].map_id = CFG80211_NAN_INVALID_MAP_ID;
17017 
17018 	if (info->attrs[NL80211_ATTR_NAN_PEER_MAPS]) {
17019 		/* Parse each map */
17020 		nla_for_each_nested(map_attr, info->attrs[NL80211_ATTR_NAN_PEER_MAPS],
17021 				    rem) {
17022 			if (n_maps >= ARRAY_SIZE(sched.maps)) {
17023 				NL_SET_ERR_MSG(info->extack, "Too many peer maps");
17024 				return -EINVAL;
17025 			}
17026 
17027 			ret = nl80211_parse_nan_peer_map(info, map_attr,
17028 							 &sched.maps[n_maps],
17029 							 n_channels);
17030 			if (ret)
17031 				return ret;
17032 
17033 			/* Validate against previous maps */
17034 			for (int j = 0; j < n_maps; j++) {
17035 				ret = nl80211_nan_validate_map_pair(&rdev->wiphy, info,
17036 								    &sched.maps[j],
17037 								    &sched.maps[n_maps],
17038 								    nan_channels);
17039 				if (ret)
17040 					return ret;
17041 			}
17042 
17043 			n_maps++;
17044 		}
17045 	}
17046 
17047 	/* Verify each channel is scheduled at least once */
17048 	for (int ch = 0; ch < n_channels; ch++) {
17049 		bool scheduled = false;
17050 
17051 		for (int m = 0; m < n_maps && !scheduled; m++) {
17052 			for (int s = 0; s < ARRAY_SIZE(sched.maps[m].schedule); s++) {
17053 				if (sched.maps[m].schedule[s] == ch) {
17054 					scheduled = true;
17055 					break;
17056 				}
17057 			}
17058 		}
17059 		if (!scheduled) {
17060 			NL_SET_ERR_MSG_FMT(info->extack,
17061 					   "Channel %d is not scheduled in any map",
17062 					   ch);
17063 			return -EINVAL;
17064 		}
17065 	}
17066 
17067 	return rdev_nan_set_peer_sched(rdev, wdev, &sched);
17068 }
17069 
17070 static bool nl80211_nan_is_sched_empty(struct cfg80211_nan_local_sched *sched)
17071 {
17072 	if (!sched->n_channels)
17073 		return true;
17074 
17075 	for (int i = 0; i < ARRAY_SIZE(sched->schedule); i++) {
17076 		if (sched->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
17077 			return false;
17078 	}
17079 
17080 	return true;
17081 }
17082 
17083 static int nl80211_nan_set_local_sched(struct sk_buff *skb,
17084 				       struct genl_info *info)
17085 {
17086 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17087 	struct cfg80211_nan_local_sched *sched __free(kfree) = NULL;
17088 	struct wireless_dev *wdev = info->user_ptr[1];
17089 	int rem, i = 0, n_channels = 0, ret;
17090 	struct nlattr *channel;
17091 	bool sched_empty;
17092 
17093 	if (wdev->iftype != NL80211_IFTYPE_NAN)
17094 		return -EOPNOTSUPP;
17095 
17096 	if (!wdev_running(wdev))
17097 		return -ENOTCONN;
17098 
17099 	if (!info->attrs[NL80211_ATTR_NAN_TIME_SLOTS])
17100 		return -EINVAL;
17101 
17102 	/* First count how many channel attributes we got */
17103 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17104 				 info->nlhdr, GENL_HDRLEN, rem)
17105 		n_channels++;
17106 
17107 	sched = kzalloc(struct_size(sched, nan_channels, n_channels),
17108 			GFP_KERNEL);
17109 	if (!sched)
17110 		return -ENOMEM;
17111 
17112 	sched->n_channels = n_channels;
17113 
17114 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17115 				 info->nlhdr, GENL_HDRLEN, rem) {
17116 		ret = nl80211_parse_nan_channel(rdev, channel, info,
17117 						sched->nan_channels, i, true);
17118 
17119 		if (ret)
17120 			return ret;
17121 		i++;
17122 	}
17123 
17124 	/* Parse and validate schedule */
17125 	ret = nl80211_parse_nan_schedule(info,
17126 					 info->attrs[NL80211_ATTR_NAN_TIME_SLOTS],
17127 					 sched->schedule, sched->n_channels);
17128 	if (ret)
17129 		return ret;
17130 
17131 	sched_empty = nl80211_nan_is_sched_empty(sched);
17132 
17133 	sched->deferred =
17134 		nla_get_flag(info->attrs[NL80211_ATTR_NAN_SCHED_DEFERRED]);
17135 
17136 	if (sched_empty) {
17137 		if (sched->deferred) {
17138 			NL_SET_ERR_MSG(info->extack,
17139 				       "Schedule cannot be deferred if all time slots are unavailable");
17140 			return -EINVAL;
17141 		}
17142 
17143 		if (info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]) {
17144 			NL_SET_ERR_MSG(info->extack,
17145 				       "NAN Availability blob must be empty if all time slots are unavailable");
17146 			return -EINVAL;
17147 		}
17148 	} else {
17149 		if (!info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]) {
17150 			NL_SET_ERR_MSG(info->extack,
17151 				       "NAN Availability blob attribute is required");
17152 			return -EINVAL;
17153 		}
17154 
17155 		sched->nan_avail_blob =
17156 			nla_data(info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]);
17157 		sched->nan_avail_blob_len =
17158 			nla_len(info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]);
17159 	}
17160 
17161 	return cfg80211_nan_set_local_schedule(rdev, wdev, sched);
17162 }
17163 
17164 static int nl80211_get_protocol_features(struct sk_buff *skb,
17165 					 struct genl_info *info)
17166 {
17167 	void *hdr;
17168 	struct sk_buff *msg;
17169 
17170 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17171 	if (!msg)
17172 		return -ENOMEM;
17173 
17174 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17175 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
17176 	if (!hdr)
17177 		goto nla_put_failure;
17178 
17179 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
17180 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
17181 		goto nla_put_failure;
17182 
17183 	genlmsg_end(msg, hdr);
17184 	return genlmsg_reply(msg, info);
17185 
17186  nla_put_failure:
17187 	kfree_skb(msg);
17188 	return -ENOBUFS;
17189 }
17190 
17191 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
17192 {
17193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17194 	struct cfg80211_update_ft_ies_params ft_params;
17195 	struct net_device *dev = info->user_ptr[1];
17196 
17197 	if (!rdev->ops->update_ft_ies)
17198 		return -EOPNOTSUPP;
17199 
17200 	if (!info->attrs[NL80211_ATTR_MDID] ||
17201 	    !info->attrs[NL80211_ATTR_IE])
17202 		return -EINVAL;
17203 
17204 	memset(&ft_params, 0, sizeof(ft_params));
17205 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
17206 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17207 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17208 
17209 	return rdev_update_ft_ies(rdev, dev, &ft_params);
17210 }
17211 
17212 static int nl80211_crit_protocol_start(struct sk_buff *skb,
17213 				       struct genl_info *info)
17214 {
17215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17216 	struct wireless_dev *wdev = info->user_ptr[1];
17217 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
17218 	u16 duration;
17219 	int ret;
17220 
17221 	if (!rdev->ops->crit_proto_start)
17222 		return -EOPNOTSUPP;
17223 
17224 	if (WARN_ON(!rdev->ops->crit_proto_stop))
17225 		return -EINVAL;
17226 
17227 	if (rdev->crit_proto_nlportid)
17228 		return -EBUSY;
17229 
17230 	/* determine protocol if provided */
17231 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
17232 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
17233 
17234 	if (proto >= NUM_NL80211_CRIT_PROTO)
17235 		return -EINVAL;
17236 
17237 	/* timeout must be provided */
17238 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
17239 		return -EINVAL;
17240 
17241 	duration =
17242 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
17243 
17244 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
17245 	if (!ret)
17246 		rdev->crit_proto_nlportid = info->snd_portid;
17247 
17248 	return ret;
17249 }
17250 
17251 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
17252 				      struct genl_info *info)
17253 {
17254 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17255 	struct wireless_dev *wdev = info->user_ptr[1];
17256 
17257 	if (!rdev->ops->crit_proto_stop)
17258 		return -EOPNOTSUPP;
17259 
17260 	if (rdev->crit_proto_nlportid) {
17261 		rdev->crit_proto_nlportid = 0;
17262 		rdev_crit_proto_stop(rdev, wdev);
17263 	}
17264 	return 0;
17265 }
17266 
17267 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
17268 				       struct nlattr *attr,
17269 				       struct netlink_ext_ack *extack)
17270 {
17271 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
17272 		if (attr->nla_type & NLA_F_NESTED) {
17273 			NL_SET_ERR_MSG_ATTR(extack, attr,
17274 					    "unexpected nested data");
17275 			return -EINVAL;
17276 		}
17277 
17278 		return 0;
17279 	}
17280 
17281 	if (!(attr->nla_type & NLA_F_NESTED)) {
17282 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
17283 		return -EINVAL;
17284 	}
17285 
17286 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
17287 }
17288 
17289 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
17290 {
17291 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17292 	struct wireless_dev *wdev =
17293 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
17294 					   info->attrs);
17295 	int i, err;
17296 	u32 vid, subcmd;
17297 
17298 	if (!rdev->wiphy.vendor_commands)
17299 		return -EOPNOTSUPP;
17300 
17301 	if (IS_ERR(wdev)) {
17302 		err = PTR_ERR(wdev);
17303 		if (err != -EINVAL)
17304 			return err;
17305 		wdev = NULL;
17306 	} else if (wdev->wiphy != &rdev->wiphy) {
17307 		return -EINVAL;
17308 	}
17309 
17310 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
17311 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
17312 		return -EINVAL;
17313 
17314 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
17315 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
17316 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
17317 		const struct wiphy_vendor_command *vcmd;
17318 		void *data = NULL;
17319 		int len = 0;
17320 
17321 		vcmd = &rdev->wiphy.vendor_commands[i];
17322 
17323 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
17324 			continue;
17325 
17326 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
17327 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
17328 			if (!wdev)
17329 				return -EINVAL;
17330 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
17331 			    !wdev->netdev)
17332 				return -EINVAL;
17333 
17334 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
17335 				if (!wdev_running(wdev))
17336 					return -ENETDOWN;
17337 			}
17338 		} else {
17339 			wdev = NULL;
17340 		}
17341 
17342 		if (!vcmd->doit)
17343 			return -EOPNOTSUPP;
17344 
17345 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
17346 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
17347 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
17348 
17349 			err = nl80211_vendor_check_policy(vcmd,
17350 					info->attrs[NL80211_ATTR_VENDOR_DATA],
17351 					info->extack);
17352 			if (err)
17353 				return err;
17354 		}
17355 
17356 		rdev->cur_cmd_info = info;
17357 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
17358 		rdev->cur_cmd_info = NULL;
17359 		return err;
17360 	}
17361 
17362 	return -EOPNOTSUPP;
17363 }
17364 
17365 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
17366 				       struct netlink_callback *cb,
17367 				       struct cfg80211_registered_device **rdev,
17368 				       struct wireless_dev **wdev)
17369 {
17370 	struct nlattr **attrbuf;
17371 	u32 vid, subcmd;
17372 	unsigned int i;
17373 	int vcmd_idx = -1;
17374 	int err;
17375 	void *data = NULL;
17376 	unsigned int data_len = 0;
17377 
17378 	if (cb->args[0]) {
17379 		/* subtract the 1 again here */
17380 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
17381 		struct wireless_dev *tmp;
17382 
17383 		if (!wiphy)
17384 			return -ENODEV;
17385 		*rdev = wiphy_to_rdev(wiphy);
17386 		*wdev = NULL;
17387 
17388 		if (cb->args[1]) {
17389 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
17390 				if (tmp->identifier == cb->args[1] - 1) {
17391 					*wdev = tmp;
17392 					break;
17393 				}
17394 			}
17395 		}
17396 
17397 		/* keep rtnl locked in successful case */
17398 		return 0;
17399 	}
17400 
17401 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
17402 	if (!attrbuf)
17403 		return -ENOMEM;
17404 
17405 	err = nlmsg_parse_deprecated(cb->nlh,
17406 				     GENL_HDRLEN + nl80211_fam.hdrsize,
17407 				     attrbuf, nl80211_fam.maxattr,
17408 				     nl80211_policy, NULL);
17409 	if (err)
17410 		goto out;
17411 
17412 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
17413 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
17414 		err = -EINVAL;
17415 		goto out;
17416 	}
17417 
17418 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
17419 	if (IS_ERR(*wdev))
17420 		*wdev = NULL;
17421 
17422 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
17423 	if (IS_ERR(*rdev)) {
17424 		err = PTR_ERR(*rdev);
17425 		goto out;
17426 	}
17427 
17428 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
17429 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
17430 
17431 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
17432 		const struct wiphy_vendor_command *vcmd;
17433 
17434 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
17435 
17436 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
17437 			continue;
17438 
17439 		if (!vcmd->dumpit) {
17440 			err = -EOPNOTSUPP;
17441 			goto out;
17442 		}
17443 
17444 		vcmd_idx = i;
17445 		break;
17446 	}
17447 
17448 	if (vcmd_idx < 0) {
17449 		err = -EOPNOTSUPP;
17450 		goto out;
17451 	}
17452 
17453 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
17454 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
17455 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
17456 
17457 		err = nl80211_vendor_check_policy(
17458 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
17459 				attrbuf[NL80211_ATTR_VENDOR_DATA],
17460 				cb->extack);
17461 		if (err)
17462 			goto out;
17463 	}
17464 
17465 	/* 0 is the first index - add 1 to parse only once */
17466 	cb->args[0] = (*rdev)->wiphy_idx + 1;
17467 	/* add 1 to know if it was NULL */
17468 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
17469 	cb->args[2] = vcmd_idx;
17470 	cb->args[3] = (unsigned long)data;
17471 	cb->args[4] = data_len;
17472 
17473 	/* keep rtnl locked in successful case */
17474 	err = 0;
17475 out:
17476 	kfree(attrbuf);
17477 	return err;
17478 }
17479 
17480 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
17481 				   struct netlink_callback *cb)
17482 {
17483 	struct cfg80211_registered_device *rdev;
17484 	struct wireless_dev *wdev;
17485 	unsigned int vcmd_idx;
17486 	const struct wiphy_vendor_command *vcmd;
17487 	void *data;
17488 	int data_len;
17489 	int err;
17490 	struct nlattr *vendor_data;
17491 
17492 	rtnl_lock();
17493 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
17494 	if (err)
17495 		goto out;
17496 
17497 	vcmd_idx = cb->args[2];
17498 	data = (void *)cb->args[3];
17499 	data_len = cb->args[4];
17500 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
17501 
17502 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
17503 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
17504 		if (!wdev) {
17505 			err = -EINVAL;
17506 			goto out;
17507 		}
17508 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
17509 		    !wdev->netdev) {
17510 			err = -EINVAL;
17511 			goto out;
17512 		}
17513 
17514 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
17515 			if (!wdev_running(wdev)) {
17516 				err = -ENETDOWN;
17517 				goto out;
17518 			}
17519 		}
17520 	}
17521 
17522 	while (1) {
17523 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
17524 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
17525 					   NL80211_CMD_VENDOR);
17526 		if (!hdr)
17527 			break;
17528 
17529 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17530 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
17531 					       wdev_id(wdev),
17532 					       NL80211_ATTR_PAD))) {
17533 			genlmsg_cancel(skb, hdr);
17534 			break;
17535 		}
17536 
17537 		vendor_data = nla_nest_start_noflag(skb,
17538 						    NL80211_ATTR_VENDOR_DATA);
17539 		if (!vendor_data) {
17540 			genlmsg_cancel(skb, hdr);
17541 			break;
17542 		}
17543 
17544 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
17545 				   (unsigned long *)&cb->args[5]);
17546 		nla_nest_end(skb, vendor_data);
17547 
17548 		if (err == -ENOBUFS || err == -ENOENT) {
17549 			genlmsg_cancel(skb, hdr);
17550 			break;
17551 		} else if (err <= 0) {
17552 			genlmsg_cancel(skb, hdr);
17553 			goto out;
17554 		}
17555 
17556 		genlmsg_end(skb, hdr);
17557 	}
17558 
17559 	err = skb->len;
17560  out:
17561 	rtnl_unlock();
17562 	return err;
17563 }
17564 
17565 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
17566 					   enum nl80211_commands cmd,
17567 					   enum nl80211_attrs attr,
17568 					   int approxlen)
17569 {
17570 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17571 
17572 	if (WARN_ON(!rdev->cur_cmd_info))
17573 		return NULL;
17574 
17575 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
17576 					   rdev->cur_cmd_info->snd_portid,
17577 					   rdev->cur_cmd_info->snd_seq,
17578 					   cmd, attr, NULL, GFP_KERNEL);
17579 }
17580 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
17581 
17582 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
17583 {
17584 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
17585 	void *hdr = ((void **)skb->cb)[1];
17586 	struct nlattr *data = ((void **)skb->cb)[2];
17587 
17588 	/* clear CB data for netlink core to own from now on */
17589 	memset(skb->cb, 0, sizeof(skb->cb));
17590 
17591 	if (WARN_ON(!rdev->cur_cmd_info)) {
17592 		kfree_skb(skb);
17593 		return -EINVAL;
17594 	}
17595 
17596 	nla_nest_end(skb, data);
17597 	genlmsg_end(skb, hdr);
17598 	return genlmsg_reply(skb, rdev->cur_cmd_info);
17599 }
17600 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
17601 
17602 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
17603 {
17604 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17605 
17606 	if (WARN_ON(!rdev->cur_cmd_info))
17607 		return 0;
17608 
17609 	return rdev->cur_cmd_info->snd_portid;
17610 }
17611 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
17612 
17613 static int nl80211_set_qos_map(struct sk_buff *skb,
17614 			       struct genl_info *info)
17615 {
17616 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17617 	struct cfg80211_qos_map *qos_map = NULL;
17618 	struct net_device *dev = info->user_ptr[1];
17619 	u8 *pos, len, num_des, des_len, des;
17620 	int ret;
17621 
17622 	if (!rdev->ops->set_qos_map)
17623 		return -EOPNOTSUPP;
17624 
17625 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
17626 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
17627 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
17628 
17629 		if (len % 2)
17630 			return -EINVAL;
17631 
17632 		qos_map = kzalloc_obj(struct cfg80211_qos_map);
17633 		if (!qos_map)
17634 			return -ENOMEM;
17635 
17636 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
17637 		if (num_des) {
17638 			des_len = num_des *
17639 				sizeof(struct cfg80211_dscp_exception);
17640 			memcpy(qos_map->dscp_exception, pos, des_len);
17641 			qos_map->num_des = num_des;
17642 			for (des = 0; des < num_des; des++) {
17643 				if (qos_map->dscp_exception[des].up > 7) {
17644 					kfree(qos_map);
17645 					return -EINVAL;
17646 				}
17647 			}
17648 			pos += des_len;
17649 		}
17650 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
17651 	}
17652 
17653 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
17654 	if (!ret)
17655 		ret = rdev_set_qos_map(rdev, dev, qos_map);
17656 
17657 	kfree(qos_map);
17658 	return ret;
17659 }
17660 
17661 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
17662 {
17663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17664 	struct net_device *dev = info->user_ptr[1];
17665 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17666 	const u8 *peer;
17667 	u8 tsid, up;
17668 	u16 admitted_time = 0;
17669 
17670 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
17671 		return -EOPNOTSUPP;
17672 
17673 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
17674 	    !info->attrs[NL80211_ATTR_USER_PRIO])
17675 		return -EINVAL;
17676 
17677 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
17678 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
17679 
17680 	/* WMM uses TIDs 0-7 even for TSPEC */
17681 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
17682 		/* TODO: handle 802.11 TSPEC/admission control
17683 		 * need more attributes for that (e.g. BA session requirement);
17684 		 * change the WMM admission test above to allow both then
17685 		 */
17686 		return -EINVAL;
17687 	}
17688 
17689 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17690 
17691 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
17692 		admitted_time =
17693 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
17694 		if (!admitted_time)
17695 			return -EINVAL;
17696 	}
17697 
17698 	switch (wdev->iftype) {
17699 	case NL80211_IFTYPE_STATION:
17700 	case NL80211_IFTYPE_P2P_CLIENT:
17701 		if (wdev->connected)
17702 			break;
17703 		return -ENOTCONN;
17704 	default:
17705 		return -EOPNOTSUPP;
17706 	}
17707 
17708 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
17709 }
17710 
17711 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
17712 {
17713 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17714 	struct net_device *dev = info->user_ptr[1];
17715 	const u8 *peer;
17716 	u8 tsid;
17717 
17718 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
17719 		return -EINVAL;
17720 
17721 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
17722 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17723 
17724 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
17725 }
17726 
17727 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
17728 				       struct genl_info *info)
17729 {
17730 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17731 	struct net_device *dev = info->user_ptr[1];
17732 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17733 	struct cfg80211_chan_def chandef = {};
17734 	const u8 *addr;
17735 	u8 oper_class;
17736 	int err;
17737 
17738 	if (!rdev->ops->tdls_channel_switch ||
17739 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
17740 		return -EOPNOTSUPP;
17741 
17742 	switch (dev->ieee80211_ptr->iftype) {
17743 	case NL80211_IFTYPE_STATION:
17744 	case NL80211_IFTYPE_P2P_CLIENT:
17745 		break;
17746 	default:
17747 		return -EOPNOTSUPP;
17748 	}
17749 
17750 	if (!info->attrs[NL80211_ATTR_MAC] ||
17751 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
17752 		return -EINVAL;
17753 
17754 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
17755 	if (err)
17756 		return err;
17757 
17758 	/*
17759 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
17760 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
17761 	 * specification is not defined for them.
17762 	 */
17763 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
17764 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
17765 	    chandef.width != NL80211_CHAN_WIDTH_20)
17766 		return -EINVAL;
17767 
17768 	/* we will be active on the TDLS link */
17769 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
17770 					   wdev->iftype))
17771 		return -EINVAL;
17772 
17773 	/* don't allow switching to DFS channels */
17774 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
17775 		return -EINVAL;
17776 
17777 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17778 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
17779 
17780 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
17781 }
17782 
17783 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
17784 					      struct genl_info *info)
17785 {
17786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17787 	struct net_device *dev = info->user_ptr[1];
17788 	const u8 *addr;
17789 
17790 	if (!rdev->ops->tdls_channel_switch ||
17791 	    !rdev->ops->tdls_cancel_channel_switch ||
17792 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
17793 		return -EOPNOTSUPP;
17794 
17795 	switch (dev->ieee80211_ptr->iftype) {
17796 	case NL80211_IFTYPE_STATION:
17797 	case NL80211_IFTYPE_P2P_CLIENT:
17798 		break;
17799 	default:
17800 		return -EOPNOTSUPP;
17801 	}
17802 
17803 	if (!info->attrs[NL80211_ATTR_MAC])
17804 		return -EINVAL;
17805 
17806 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17807 
17808 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
17809 
17810 	return 0;
17811 }
17812 
17813 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
17814 					    struct genl_info *info)
17815 {
17816 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17817 	struct net_device *dev = info->user_ptr[1];
17818 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17819 	const struct nlattr *nla;
17820 	bool enabled;
17821 
17822 	if (!rdev->ops->set_multicast_to_unicast)
17823 		return -EOPNOTSUPP;
17824 
17825 	if (wdev->iftype != NL80211_IFTYPE_AP &&
17826 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
17827 		return -EOPNOTSUPP;
17828 
17829 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
17830 	enabled = nla_get_flag(nla);
17831 
17832 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
17833 }
17834 
17835 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
17836 {
17837 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17838 	struct net_device *dev = info->user_ptr[1];
17839 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17840 	struct cfg80211_pmk_conf pmk_conf = {};
17841 
17842 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17843 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17844 		return -EOPNOTSUPP;
17845 
17846 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17847 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17848 		return -EOPNOTSUPP;
17849 
17850 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
17851 		return -EINVAL;
17852 
17853 	if (!wdev->connected)
17854 		return -ENOTCONN;
17855 
17856 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17857 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
17858 		return -EINVAL;
17859 
17860 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
17861 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
17862 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
17863 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
17864 		return -EINVAL;
17865 
17866 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
17867 		pmk_conf.pmk_r0_name =
17868 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
17869 
17870 	return rdev_set_pmk(rdev, dev, &pmk_conf);
17871 }
17872 
17873 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
17874 {
17875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17876 	struct net_device *dev = info->user_ptr[1];
17877 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17878 	const u8 *aa;
17879 
17880 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17881 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17882 		return -EOPNOTSUPP;
17883 
17884 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17885 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17886 		return -EOPNOTSUPP;
17887 
17888 	if (!info->attrs[NL80211_ATTR_MAC])
17889 		return -EINVAL;
17890 
17891 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17892 	return rdev_del_pmk(rdev, dev, aa);
17893 }
17894 
17895 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
17896 {
17897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17898 	struct net_device *dev = info->user_ptr[1];
17899 	struct cfg80211_external_auth_params params;
17900 
17901 	if (!rdev->ops->external_auth)
17902 		return -EOPNOTSUPP;
17903 
17904 	if (!info->attrs[NL80211_ATTR_SSID] &&
17905 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
17906 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
17907 		return -EINVAL;
17908 
17909 	if (!info->attrs[NL80211_ATTR_BSSID])
17910 		return -EINVAL;
17911 
17912 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
17913 		return -EINVAL;
17914 
17915 	memset(&params, 0, sizeof(params));
17916 
17917 	if (info->attrs[NL80211_ATTR_SSID]) {
17918 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
17919 		if (params.ssid.ssid_len == 0)
17920 			return -EINVAL;
17921 		memcpy(params.ssid.ssid,
17922 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
17923 		       params.ssid.ssid_len);
17924 	}
17925 
17926 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
17927 	       ETH_ALEN);
17928 
17929 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17930 
17931 	if (info->attrs[NL80211_ATTR_PMKID])
17932 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
17933 
17934 	return rdev_external_auth(rdev, dev, &params);
17935 }
17936 
17937 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
17938 {
17939 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
17940 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17941 	struct net_device *dev = info->user_ptr[1];
17942 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17943 	const u8 *buf;
17944 	size_t len;
17945 	u8 *dest;
17946 	u16 proto;
17947 	bool noencrypt;
17948 	u64 cookie = 0;
17949 	int link_id;
17950 	int err;
17951 
17952 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17953 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
17954 		return -EOPNOTSUPP;
17955 
17956 	if (!rdev->ops->tx_control_port)
17957 		return -EOPNOTSUPP;
17958 
17959 	if (!info->attrs[NL80211_ATTR_FRAME] ||
17960 	    !info->attrs[NL80211_ATTR_MAC] ||
17961 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
17962 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
17963 		return -EINVAL;
17964 	}
17965 
17966 	switch (wdev->iftype) {
17967 	case NL80211_IFTYPE_AP:
17968 	case NL80211_IFTYPE_P2P_GO:
17969 	case NL80211_IFTYPE_MESH_POINT:
17970 		break;
17971 	case NL80211_IFTYPE_ADHOC:
17972 		if (wdev->u.ibss.current_bss)
17973 			break;
17974 		return -ENOTCONN;
17975 	case NL80211_IFTYPE_STATION:
17976 	case NL80211_IFTYPE_P2P_CLIENT:
17977 		if (wdev->connected)
17978 			break;
17979 		return -ENOTCONN;
17980 	default:
17981 		return -EOPNOTSUPP;
17982 	}
17983 
17984 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17985 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17986 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17987 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
17988 	noencrypt =
17989 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
17990 
17991 	link_id = nl80211_link_id_or_invalid(info->attrs);
17992 
17993 	err = rdev_tx_control_port(rdev, dev, buf, len,
17994 				   dest, cpu_to_be16(proto), noencrypt, link_id,
17995 				   dont_wait_for_ack ? NULL : &cookie);
17996 	if (!err && !dont_wait_for_ack)
17997 		nl_set_extack_cookie_u64(info->extack, cookie);
17998 	return err;
17999 }
18000 
18001 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
18002 					   struct genl_info *info)
18003 {
18004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18005 	struct net_device *dev = info->user_ptr[1];
18006 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18007 	struct cfg80211_ftm_responder_stats ftm_stats = {};
18008 	unsigned int link_id = nl80211_link_id(info->attrs);
18009 	struct sk_buff *msg;
18010 	void *hdr;
18011 	struct nlattr *ftm_stats_attr;
18012 	int err;
18013 
18014 	if (wdev->iftype != NL80211_IFTYPE_AP ||
18015 	    !wdev->links[link_id].ap.beacon_interval)
18016 		return -EOPNOTSUPP;
18017 
18018 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
18019 	if (err)
18020 		return err;
18021 
18022 	if (!ftm_stats.filled)
18023 		return -ENODATA;
18024 
18025 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18026 	if (!msg)
18027 		return -ENOMEM;
18028 
18029 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
18030 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
18031 	if (!hdr)
18032 		goto nla_put_failure;
18033 
18034 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18035 		goto nla_put_failure;
18036 
18037 	ftm_stats_attr = nla_nest_start_noflag(msg,
18038 					       NL80211_ATTR_FTM_RESPONDER_STATS);
18039 	if (!ftm_stats_attr)
18040 		goto nla_put_failure;
18041 
18042 #define SET_FTM(field, name, type)					 \
18043 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
18044 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
18045 			     ftm_stats.field))				 \
18046 		goto nla_put_failure; } while (0)
18047 #define SET_FTM_U64(field, name)					 \
18048 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
18049 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
18050 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
18051 		goto nla_put_failure; } while (0)
18052 
18053 	SET_FTM(success_num, SUCCESS_NUM, u32);
18054 	SET_FTM(partial_num, PARTIAL_NUM, u32);
18055 	SET_FTM(failed_num, FAILED_NUM, u32);
18056 	SET_FTM(asap_num, ASAP_NUM, u32);
18057 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
18058 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
18059 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
18060 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
18061 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
18062 #undef SET_FTM
18063 
18064 	nla_nest_end(msg, ftm_stats_attr);
18065 
18066 	genlmsg_end(msg, hdr);
18067 	return genlmsg_reply(msg, info);
18068 
18069 nla_put_failure:
18070 	nlmsg_free(msg);
18071 	return -ENOBUFS;
18072 }
18073 
18074 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
18075 {
18076 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18077 	struct cfg80211_update_owe_info owe_info;
18078 	struct net_device *dev = info->user_ptr[1];
18079 
18080 	if (!rdev->ops->update_owe_info)
18081 		return -EOPNOTSUPP;
18082 
18083 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
18084 	    !info->attrs[NL80211_ATTR_MAC])
18085 		return -EINVAL;
18086 
18087 	memset(&owe_info, 0, sizeof(owe_info));
18088 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
18089 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
18090 
18091 	if (info->attrs[NL80211_ATTR_IE]) {
18092 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
18093 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
18094 	}
18095 
18096 	return rdev_update_owe_info(rdev, dev, &owe_info);
18097 }
18098 
18099 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
18100 {
18101 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18102 	struct net_device *dev = info->user_ptr[1];
18103 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18104 	struct station_info sinfo = {};
18105 	const u8 *buf;
18106 	size_t len;
18107 	u8 *dest;
18108 	int err;
18109 
18110 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
18111 		return -EOPNOTSUPP;
18112 
18113 	if (!info->attrs[NL80211_ATTR_MAC] ||
18114 	    !info->attrs[NL80211_ATTR_FRAME]) {
18115 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
18116 		return -EINVAL;
18117 	}
18118 
18119 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
18120 		return -EOPNOTSUPP;
18121 
18122 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
18123 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
18124 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
18125 
18126 	if (len < sizeof(struct ethhdr))
18127 		return -EINVAL;
18128 
18129 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
18130 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
18131 		return -EINVAL;
18132 
18133 	err = rdev_get_station(rdev, wdev, dest, &sinfo);
18134 	if (err)
18135 		return err;
18136 
18137 	cfg80211_sinfo_release_content(&sinfo);
18138 
18139 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
18140 }
18141 
18142 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
18143 			  struct nlattr *attrs[], struct net_device *dev,
18144 			  struct cfg80211_tid_cfg *tid_conf,
18145 			  struct genl_info *info, const u8 *peer,
18146 			  unsigned int link_id)
18147 {
18148 	struct netlink_ext_ack *extack = info->extack;
18149 	u64 mask;
18150 	int err;
18151 
18152 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
18153 		return -EINVAL;
18154 
18155 	tid_conf->config_override =
18156 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
18157 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
18158 
18159 	if (tid_conf->config_override) {
18160 		if (rdev->ops->reset_tid_config) {
18161 			err = rdev_reset_tid_config(rdev, dev, peer,
18162 						    tid_conf->tids);
18163 			if (err)
18164 				return err;
18165 		} else {
18166 			return -EINVAL;
18167 		}
18168 	}
18169 
18170 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
18171 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
18172 		tid_conf->noack =
18173 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
18174 	}
18175 
18176 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
18177 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
18178 		tid_conf->retry_short =
18179 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
18180 
18181 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
18182 			return -EINVAL;
18183 	}
18184 
18185 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
18186 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
18187 		tid_conf->retry_long =
18188 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
18189 
18190 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
18191 			return -EINVAL;
18192 	}
18193 
18194 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
18195 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
18196 		tid_conf->ampdu =
18197 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
18198 	}
18199 
18200 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
18201 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
18202 		tid_conf->rtscts =
18203 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
18204 	}
18205 
18206 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
18207 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
18208 		tid_conf->amsdu =
18209 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
18210 	}
18211 
18212 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
18213 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
18214 
18215 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
18216 
18217 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
18218 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
18219 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
18220 						    &tid_conf->txrate_mask, dev,
18221 						    true, link_id);
18222 			if (err)
18223 				return err;
18224 
18225 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
18226 		}
18227 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
18228 	}
18229 
18230 	if (peer)
18231 		mask = rdev->wiphy.tid_config_support.peer;
18232 	else
18233 		mask = rdev->wiphy.tid_config_support.vif;
18234 
18235 	if (tid_conf->mask & ~mask) {
18236 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
18237 		return -EOPNOTSUPP;
18238 	}
18239 
18240 	return 0;
18241 }
18242 
18243 static int nl80211_set_tid_config(struct sk_buff *skb,
18244 				  struct genl_info *info)
18245 {
18246 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18247 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
18248 	unsigned int link_id = nl80211_link_id(info->attrs);
18249 	struct net_device *dev = info->user_ptr[1];
18250 	struct cfg80211_tid_config *tid_config;
18251 	struct nlattr *tid;
18252 	int conf_idx = 0, rem_conf;
18253 	int ret = -EINVAL;
18254 	u32 num_conf = 0;
18255 
18256 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
18257 		return -EINVAL;
18258 
18259 	if (!rdev->ops->set_tid_config)
18260 		return -EOPNOTSUPP;
18261 
18262 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
18263 			    rem_conf)
18264 		num_conf++;
18265 
18266 	tid_config = kzalloc_flex(*tid_config, tid_conf, num_conf);
18267 	if (!tid_config)
18268 		return -ENOMEM;
18269 
18270 	tid_config->n_tid_conf = num_conf;
18271 
18272 	if (info->attrs[NL80211_ATTR_MAC])
18273 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
18274 
18275 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
18276 			    rem_conf) {
18277 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
18278 				       tid, NULL, NULL);
18279 
18280 		if (ret)
18281 			goto bad_tid_conf;
18282 
18283 		ret = parse_tid_conf(rdev, attrs, dev,
18284 				     &tid_config->tid_conf[conf_idx],
18285 				     info, tid_config->peer, link_id);
18286 		if (ret)
18287 			goto bad_tid_conf;
18288 
18289 		conf_idx++;
18290 	}
18291 
18292 	ret = rdev_set_tid_config(rdev, dev, tid_config);
18293 
18294 bad_tid_conf:
18295 	kfree(tid_config);
18296 	return ret;
18297 }
18298 
18299 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
18300 {
18301 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18302 	struct cfg80211_color_change_settings params = {};
18303 	struct net_device *dev = info->user_ptr[1];
18304 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18305 	struct nlattr **tb;
18306 	u16 offset;
18307 	int err;
18308 
18309 	if (!rdev->ops->color_change)
18310 		return -EOPNOTSUPP;
18311 
18312 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
18313 				     NL80211_EXT_FEATURE_BSS_COLOR))
18314 		return -EOPNOTSUPP;
18315 
18316 	if (wdev->iftype != NL80211_IFTYPE_AP)
18317 		return -EOPNOTSUPP;
18318 
18319 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
18320 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
18321 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
18322 		return -EINVAL;
18323 
18324 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
18325 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
18326 
18327 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
18328 				   info->extack);
18329 	if (err)
18330 		return err;
18331 
18332 	tb = kzalloc_objs(*tb, NL80211_ATTR_MAX + 1);
18333 	if (!tb)
18334 		return -ENOMEM;
18335 
18336 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
18337 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
18338 			       nl80211_policy, info->extack);
18339 	if (err)
18340 		goto out;
18341 
18342 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
18343 				   info->extack);
18344 	if (err)
18345 		goto out;
18346 
18347 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
18348 		err = -EINVAL;
18349 		goto out;
18350 	}
18351 
18352 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
18353 		err = -EINVAL;
18354 		goto out;
18355 	}
18356 
18357 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
18358 	if (offset >= params.beacon_color_change.tail_len) {
18359 		err = -EINVAL;
18360 		goto out;
18361 	}
18362 
18363 	if (params.beacon_color_change.tail[offset] != params.count) {
18364 		err = -EINVAL;
18365 		goto out;
18366 	}
18367 
18368 	params.counter_offset_beacon = offset;
18369 
18370 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
18371 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
18372 		    sizeof(u16)) {
18373 			err = -EINVAL;
18374 			goto out;
18375 		}
18376 
18377 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
18378 		if (offset >= params.beacon_color_change.probe_resp_len) {
18379 			err = -EINVAL;
18380 			goto out;
18381 		}
18382 
18383 		if (params.beacon_color_change.probe_resp[offset] !=
18384 		    params.count) {
18385 			err = -EINVAL;
18386 			goto out;
18387 		}
18388 
18389 		params.counter_offset_presp = offset;
18390 	}
18391 
18392 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
18393 		err = nl80211_parse_unsol_bcast_probe_resp(
18394 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
18395 			&params.unsol_bcast_probe_resp);
18396 		if (err)
18397 			goto out;
18398 	}
18399 
18400 	params.link_id = nl80211_link_id(info->attrs);
18401 	err = rdev_color_change(rdev, dev, &params);
18402 
18403 out:
18404 	kfree(params.beacon_next.mbssid_ies);
18405 	kfree(params.beacon_color_change.mbssid_ies);
18406 	kfree(params.beacon_next.rnr_ies);
18407 	kfree(params.beacon_color_change.rnr_ies);
18408 	kfree(tb);
18409 	return err;
18410 }
18411 
18412 static int nl80211_set_fils_aad(struct sk_buff *skb,
18413 				struct genl_info *info)
18414 {
18415 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18416 	struct net_device *dev = info->user_ptr[1];
18417 	struct cfg80211_fils_aad fils_aad = {};
18418 	u8 *nonces;
18419 
18420 	if (!info->attrs[NL80211_ATTR_MAC] ||
18421 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
18422 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
18423 		return -EINVAL;
18424 
18425 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
18426 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
18427 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
18428 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
18429 	fils_aad.snonce = nonces;
18430 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
18431 
18432 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
18433 }
18434 
18435 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
18436 {
18437 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18438 	unsigned int link_id = nl80211_link_id(info->attrs);
18439 	struct net_device *dev = info->user_ptr[1];
18440 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18441 	int ret;
18442 
18443 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
18444 		return -EINVAL;
18445 
18446 	switch (wdev->iftype) {
18447 	case NL80211_IFTYPE_AP:
18448 		break;
18449 	default:
18450 		return -EINVAL;
18451 	}
18452 
18453 	if (!info->attrs[NL80211_ATTR_MAC] ||
18454 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
18455 		return -EINVAL;
18456 
18457 	wdev->valid_links |= BIT(link_id);
18458 	ether_addr_copy(wdev->links[link_id].addr,
18459 			nla_data(info->attrs[NL80211_ATTR_MAC]));
18460 
18461 	ret = rdev_add_intf_link(rdev, wdev, link_id);
18462 	if (ret) {
18463 		wdev->valid_links &= ~BIT(link_id);
18464 		eth_zero_addr(wdev->links[link_id].addr);
18465 	}
18466 
18467 	return ret;
18468 }
18469 
18470 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
18471 {
18472 	unsigned int link_id = nl80211_link_id(info->attrs);
18473 	struct net_device *dev = info->user_ptr[1];
18474 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18475 
18476 	/* cannot remove if there's no link */
18477 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
18478 		return -EINVAL;
18479 
18480 	switch (wdev->iftype) {
18481 	case NL80211_IFTYPE_AP:
18482 		break;
18483 	default:
18484 		return -EINVAL;
18485 	}
18486 
18487 	cfg80211_remove_link(wdev, link_id);
18488 
18489 	return 0;
18490 }
18491 
18492 static int
18493 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
18494 			     bool add)
18495 {
18496 	struct link_station_parameters params = {};
18497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18498 	struct net_device *dev = info->user_ptr[1];
18499 	int err;
18500 
18501 	if ((add && !rdev->ops->add_link_station) ||
18502 	    (!add && !rdev->ops->mod_link_station))
18503 		return -EOPNOTSUPP;
18504 
18505 	if (add && !info->attrs[NL80211_ATTR_MAC])
18506 		return -EINVAL;
18507 
18508 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
18509 		return -EINVAL;
18510 
18511 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
18512 		return -EINVAL;
18513 
18514 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
18515 
18516 	if (info->attrs[NL80211_ATTR_MAC]) {
18517 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
18518 		if (!is_valid_ether_addr(params.link_mac))
18519 			return -EINVAL;
18520 	}
18521 
18522 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
18523 		return -EINVAL;
18524 
18525 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
18526 
18527 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
18528 		params.supported_rates =
18529 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
18530 		params.supported_rates_len =
18531 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
18532 	}
18533 
18534 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
18535 		params.ht_capa =
18536 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
18537 
18538 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
18539 		params.vht_capa =
18540 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
18541 
18542 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
18543 		params.he_capa =
18544 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
18545 		params.he_capa_len =
18546 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
18547 
18548 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
18549 			params.eht_capa =
18550 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
18551 			params.eht_capa_len =
18552 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
18553 
18554 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
18555 							(const u8 *)params.eht_capa,
18556 							params.eht_capa_len,
18557 							false))
18558 				return -EINVAL;
18559 		}
18560 	}
18561 
18562 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
18563 		if (!params.eht_capa)
18564 			return -EINVAL;
18565 
18566 		params.uhr_capa =
18567 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
18568 		params.uhr_capa_len =
18569 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
18570 	}
18571 
18572 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
18573 		params.he_6ghz_capa =
18574 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
18575 
18576 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
18577 		params.opmode_notif_used = true;
18578 		params.opmode_notif =
18579 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
18580 	}
18581 
18582 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
18583 						&params.txpwr_set);
18584 	if (err)
18585 		return err;
18586 
18587 	if (add)
18588 		return rdev_add_link_station(rdev, dev, &params);
18589 
18590 	return rdev_mod_link_station(rdev, dev, &params);
18591 }
18592 
18593 static int
18594 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
18595 {
18596 	return nl80211_add_mod_link_station(skb, info, true);
18597 }
18598 
18599 static int
18600 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
18601 {
18602 	return nl80211_add_mod_link_station(skb, info, false);
18603 }
18604 
18605 static int
18606 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
18607 {
18608 	struct link_station_del_parameters params = {};
18609 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18610 	struct net_device *dev = info->user_ptr[1];
18611 
18612 	if (!rdev->ops->del_link_station)
18613 		return -EOPNOTSUPP;
18614 
18615 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
18616 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
18617 		return -EINVAL;
18618 
18619 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
18620 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
18621 
18622 	return rdev_del_link_station(rdev, dev, &params);
18623 }
18624 
18625 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
18626 				    struct genl_info *info)
18627 {
18628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18629 	struct net_device *dev = info->user_ptr[1];
18630 	struct cfg80211_set_hw_timestamp hwts = {};
18631 
18632 	if (!rdev->wiphy.hw_timestamp_max_peers)
18633 		return -EOPNOTSUPP;
18634 
18635 	if (!info->attrs[NL80211_ATTR_MAC] &&
18636 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
18637 		return -EOPNOTSUPP;
18638 
18639 	if (info->attrs[NL80211_ATTR_MAC])
18640 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
18641 
18642 	hwts.enable =
18643 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
18644 
18645 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
18646 }
18647 
18648 static int
18649 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
18650 {
18651 	struct cfg80211_ttlm_params params = {};
18652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18653 	struct net_device *dev = info->user_ptr[1];
18654 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18655 
18656 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
18657 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
18658 		return -EOPNOTSUPP;
18659 
18660 	if (!wdev->connected)
18661 		return -ENOLINK;
18662 
18663 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
18664 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
18665 		return -EINVAL;
18666 
18667 	nla_memcpy(params.dlink,
18668 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
18669 		   sizeof(params.dlink));
18670 	nla_memcpy(params.ulink,
18671 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
18672 		   sizeof(params.ulink));
18673 
18674 	return rdev_set_ttlm(rdev, dev, &params);
18675 }
18676 
18677 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
18678 {
18679 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18680 	struct net_device *dev = info->user_ptr[1];
18681 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18682 	struct cfg80211_ml_reconf_req req = {};
18683 	unsigned int link_id;
18684 	u16 add_links;
18685 	int err;
18686 
18687 	if (!wdev->valid_links)
18688 		return -EINVAL;
18689 
18690 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
18691 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
18692 		return -EPERM;
18693 
18694 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
18695 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
18696 		return -EOPNOTSUPP;
18697 
18698 	add_links = 0;
18699 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
18700 		err = nl80211_process_links(rdev, req.add_links,
18701 					    /* mark as MLO, but not assoc */
18702 					    IEEE80211_MLD_MAX_NUM_LINKS,
18703 					    NULL, 0, info);
18704 		if (err)
18705 			return err;
18706 
18707 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
18708 		     link_id++) {
18709 			if (!req.add_links[link_id].bss)
18710 				continue;
18711 			add_links |= BIT(link_id);
18712 		}
18713 	}
18714 
18715 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
18716 		req.rem_links =
18717 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
18718 
18719 	/* Validate that existing links are not added, removed links are valid
18720 	 * and don't allow adding and removing the same links
18721 	 */
18722 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
18723 	    (wdev->valid_links & add_links) ||
18724 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
18725 		err = -EINVAL;
18726 		goto out;
18727 	}
18728 
18729 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
18730 		req.ext_mld_capa_ops =
18731 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
18732 
18733 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
18734 
18735 out:
18736 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
18737 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
18738 
18739 	return err;
18740 }
18741 
18742 static int
18743 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
18744 {
18745 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18746 	struct net_device *dev = info->user_ptr[1];
18747 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18748 	bool val;
18749 
18750 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
18751 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
18752 		return -EOPNOTSUPP;
18753 
18754 	if (!wdev->connected)
18755 		return -ENOLINK;
18756 
18757 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
18758 
18759 	return rdev_set_epcs(rdev, dev, val);
18760 }
18761 
18762 #define NL80211_FLAG_NEED_WIPHY		0x01
18763 #define NL80211_FLAG_NEED_NETDEV	0x02
18764 #define NL80211_FLAG_NEED_RTNL		0x04
18765 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
18766 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
18767 					 NL80211_FLAG_CHECK_NETDEV_UP)
18768 #define NL80211_FLAG_NEED_WDEV		0x10
18769 /* If a netdev is associated, it must be UP, P2P must be started */
18770 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
18771 					 NL80211_FLAG_CHECK_NETDEV_UP)
18772 #define NL80211_FLAG_CLEAR_SKB		0x20
18773 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
18774 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
18775 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
18776 
18777 #define INTERNAL_FLAG_SELECTORS(__sel)			\
18778 	SELECTOR(__sel, NONE, 0) /* must be first */	\
18779 	SELECTOR(__sel, WIPHY,				\
18780 		 NL80211_FLAG_NEED_WIPHY)		\
18781 	SELECTOR(__sel, WDEV,				\
18782 		 NL80211_FLAG_NEED_WDEV)		\
18783 	SELECTOR(__sel, NETDEV,				\
18784 		 NL80211_FLAG_NEED_NETDEV)		\
18785 	SELECTOR(__sel, NETDEV_LINK,			\
18786 		 NL80211_FLAG_NEED_NETDEV |		\
18787 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18788 	SELECTOR(__sel, NETDEV_NO_MLO,			\
18789 		 NL80211_FLAG_NEED_NETDEV |		\
18790 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
18791 	SELECTOR(__sel, WIPHY_RTNL,			\
18792 		 NL80211_FLAG_NEED_WIPHY |		\
18793 		 NL80211_FLAG_NEED_RTNL)		\
18794 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
18795 		 NL80211_FLAG_NEED_WIPHY |		\
18796 		 NL80211_FLAG_NEED_RTNL |		\
18797 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18798 	SELECTOR(__sel, WDEV_RTNL,			\
18799 		 NL80211_FLAG_NEED_WDEV |		\
18800 		 NL80211_FLAG_NEED_RTNL)		\
18801 	SELECTOR(__sel, NETDEV_RTNL,			\
18802 		 NL80211_FLAG_NEED_NETDEV |		\
18803 		 NL80211_FLAG_NEED_RTNL)		\
18804 	SELECTOR(__sel, NETDEV_UP,			\
18805 		 NL80211_FLAG_NEED_NETDEV_UP)		\
18806 	SELECTOR(__sel, NETDEV_UP_LINK,			\
18807 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18808 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18809 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
18810 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18811 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18812 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
18813 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18814 		 NL80211_FLAG_CLEAR_SKB |		\
18815 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18816 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
18817 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18818 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18819 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
18820 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18821 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18822 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18823 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
18824 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18825 		 NL80211_FLAG_CLEAR_SKB)		\
18826 	SELECTOR(__sel, WDEV_UP,			\
18827 		 NL80211_FLAG_NEED_WDEV_UP)		\
18828 	SELECTOR(__sel, WDEV_UP_CLEAR,			\
18829 		 NL80211_FLAG_NEED_WDEV_UP |		\
18830 		 NL80211_FLAG_CLEAR_SKB)		\
18831 	SELECTOR(__sel, WDEV_UP_LINK,			\
18832 		 NL80211_FLAG_NEED_WDEV_UP |		\
18833 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18834 	SELECTOR(__sel, WDEV_UP_RTNL,			\
18835 		 NL80211_FLAG_NEED_WDEV_UP |		\
18836 		 NL80211_FLAG_NEED_RTNL)		\
18837 	SELECTOR(__sel, WIPHY_CLEAR,			\
18838 		 NL80211_FLAG_NEED_WIPHY |		\
18839 		 NL80211_FLAG_CLEAR_SKB)		\
18840 	SELECTOR(__sel, WDEV_UP_RTNL_NOMTX,		\
18841 		 NL80211_FLAG_NEED_WDEV_UP |		\
18842 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18843 		 NL80211_FLAG_NEED_RTNL)
18844 
18845 enum nl80211_internal_flags_selector {
18846 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
18847 	INTERNAL_FLAG_SELECTORS(_)
18848 #undef SELECTOR
18849 };
18850 
18851 static u32 nl80211_internal_flags[] = {
18852 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
18853 	INTERNAL_FLAG_SELECTORS(_)
18854 #undef SELECTOR
18855 };
18856 
18857 static int nl80211_pre_doit(const struct genl_split_ops *ops,
18858 			    struct sk_buff *skb,
18859 			    struct genl_info *info)
18860 {
18861 	struct cfg80211_registered_device *rdev = NULL;
18862 	struct wireless_dev *wdev = NULL;
18863 	struct net_device *dev = NULL;
18864 	u32 internal_flags;
18865 	int err;
18866 
18867 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
18868 		return -EINVAL;
18869 
18870 	internal_flags = nl80211_internal_flags[ops->internal_flags];
18871 
18872 	rtnl_lock();
18873 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
18874 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
18875 		if (IS_ERR(rdev)) {
18876 			err = PTR_ERR(rdev);
18877 			goto out_unlock;
18878 		}
18879 		info->user_ptr[0] = rdev;
18880 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
18881 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
18882 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
18883 						  info->attrs);
18884 		if (IS_ERR(wdev)) {
18885 			err = PTR_ERR(wdev);
18886 			goto out_unlock;
18887 		}
18888 
18889 		dev = wdev->netdev;
18890 		dev_hold(dev);
18891 		rdev = wiphy_to_rdev(wdev->wiphy);
18892 
18893 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
18894 			if (!dev) {
18895 				err = -EINVAL;
18896 				goto out_unlock;
18897 			}
18898 
18899 			info->user_ptr[1] = dev;
18900 		} else {
18901 			info->user_ptr[1] = wdev;
18902 		}
18903 
18904 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
18905 		    !wdev_running(wdev)) {
18906 			err = -ENETDOWN;
18907 			goto out_unlock;
18908 		}
18909 
18910 		info->user_ptr[0] = rdev;
18911 	}
18912 
18913 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
18914 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
18915 
18916 		if (!wdev) {
18917 			err = -EINVAL;
18918 			goto out_unlock;
18919 		}
18920 
18921 		/* MLO -> require valid link ID */
18922 		if (wdev->valid_links &&
18923 		    (!link_id ||
18924 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
18925 			err = -EINVAL;
18926 			goto out_unlock;
18927 		}
18928 
18929 		/* non-MLO -> no link ID attribute accepted */
18930 		if (!wdev->valid_links && link_id) {
18931 			err = -EINVAL;
18932 			goto out_unlock;
18933 		}
18934 	}
18935 
18936 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
18937 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
18938 		    (wdev && wdev->valid_links)) {
18939 			err = -EINVAL;
18940 			goto out_unlock;
18941 		}
18942 	}
18943 
18944 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18945 		wiphy_lock(&rdev->wiphy);
18946 		/* we keep the mutex locked until post_doit */
18947 		__release(&rdev->wiphy.mtx);
18948 	}
18949 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
18950 		rtnl_unlock();
18951 
18952 	return 0;
18953 out_unlock:
18954 	rtnl_unlock();
18955 	dev_put(dev);
18956 	return err;
18957 }
18958 
18959 static void nl80211_post_doit(const struct genl_split_ops *ops,
18960 			      struct sk_buff *skb,
18961 			      struct genl_info *info)
18962 {
18963 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
18964 
18965 	if (info->user_ptr[1]) {
18966 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
18967 			struct wireless_dev *wdev = info->user_ptr[1];
18968 
18969 			dev_put(wdev->netdev);
18970 		} else {
18971 			dev_put(info->user_ptr[1]);
18972 		}
18973 	}
18974 
18975 	if (info->user_ptr[0] &&
18976 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18977 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
18978 
18979 		/* we kept the mutex locked since pre_doit */
18980 		__acquire(&rdev->wiphy.mtx);
18981 		wiphy_unlock(&rdev->wiphy);
18982 	}
18983 
18984 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
18985 		rtnl_unlock();
18986 
18987 	/* If needed, clear the netlink message payload from the SKB
18988 	 * as it might contain key data that shouldn't stick around on
18989 	 * the heap after the SKB is freed. The netlink message header
18990 	 * is still needed for further processing, so leave it intact.
18991 	 */
18992 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
18993 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
18994 
18995 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
18996 	}
18997 }
18998 
18999 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
19000 				     struct cfg80211_sar_specs *sar_specs,
19001 				     struct nlattr *spec[], int index)
19002 {
19003 	u32 range_index, i;
19004 
19005 	if (!sar_specs || !spec)
19006 		return -EINVAL;
19007 
19008 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
19009 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
19010 		return -EINVAL;
19011 
19012 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
19013 
19014 	/* check if range_index exceeds num_freq_ranges */
19015 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
19016 		return -EINVAL;
19017 
19018 	/* check if range_index duplicates */
19019 	for (i = 0; i < index; i++) {
19020 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
19021 			return -EINVAL;
19022 	}
19023 
19024 	sar_specs->sub_specs[index].power =
19025 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
19026 
19027 	sar_specs->sub_specs[index].freq_range_index = range_index;
19028 
19029 	return 0;
19030 }
19031 
19032 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
19033 {
19034 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19035 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
19036 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
19037 	struct cfg80211_sar_specs *sar_spec;
19038 	enum nl80211_sar_type type;
19039 	struct nlattr *spec_list;
19040 	u32 specs;
19041 	int rem, err;
19042 
19043 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
19044 		return -EOPNOTSUPP;
19045 
19046 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
19047 		return -EINVAL;
19048 
19049 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
19050 			 info->attrs[NL80211_ATTR_SAR_SPEC],
19051 			 NULL, NULL);
19052 
19053 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
19054 		return -EINVAL;
19055 
19056 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
19057 	if (type != rdev->wiphy.sar_capa->type)
19058 		return -EINVAL;
19059 
19060 	specs = 0;
19061 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
19062 		specs++;
19063 
19064 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
19065 		return -EINVAL;
19066 
19067 	sar_spec = kzalloc_flex(*sar_spec, sub_specs, specs);
19068 	if (!sar_spec)
19069 		return -ENOMEM;
19070 
19071 	sar_spec->num_sub_specs = specs;
19072 	sar_spec->type = type;
19073 	specs = 0;
19074 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
19075 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
19076 				 spec_list, NULL, NULL);
19077 
19078 		switch (type) {
19079 		case NL80211_SAR_TYPE_POWER:
19080 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
19081 						      spec, specs)) {
19082 				err = -EINVAL;
19083 				goto error;
19084 			}
19085 			break;
19086 		default:
19087 			err = -EINVAL;
19088 			goto error;
19089 		}
19090 		specs++;
19091 	}
19092 
19093 	sar_spec->num_sub_specs = specs;
19094 
19095 	rdev->cur_cmd_info = info;
19096 	err = rdev_set_sar_specs(rdev, sar_spec);
19097 	rdev->cur_cmd_info = NULL;
19098 error:
19099 	kfree(sar_spec);
19100 	return err;
19101 }
19102 
19103 #define SELECTOR(__sel, name, value) \
19104 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
19105 int __missing_selector(void);
19106 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
19107 
19108 static const struct genl_ops nl80211_ops[] = {
19109 	{
19110 		.cmd = NL80211_CMD_GET_WIPHY,
19111 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19112 		.doit = nl80211_get_wiphy,
19113 		.dumpit = nl80211_dump_wiphy,
19114 		.done = nl80211_dump_wiphy_done,
19115 		/* can be retrieved by unprivileged users */
19116 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19117 	},
19118 };
19119 
19120 static const struct genl_small_ops nl80211_small_ops[] = {
19121 	{
19122 		.cmd = NL80211_CMD_SET_WIPHY,
19123 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19124 		.doit = nl80211_set_wiphy,
19125 		.flags = GENL_UNS_ADMIN_PERM,
19126 	},
19127 	{
19128 		.cmd = NL80211_CMD_GET_INTERFACE,
19129 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19130 		.doit = nl80211_get_interface,
19131 		.dumpit = nl80211_dump_interface,
19132 		/* can be retrieved by unprivileged users */
19133 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19134 	},
19135 	{
19136 		.cmd = NL80211_CMD_SET_INTERFACE,
19137 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19138 		.doit = nl80211_set_interface,
19139 		.flags = GENL_UNS_ADMIN_PERM,
19140 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19141 					 NL80211_FLAG_NEED_RTNL),
19142 	},
19143 	{
19144 		.cmd = NL80211_CMD_NEW_INTERFACE,
19145 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19146 		.doit = nl80211_new_interface,
19147 		.flags = GENL_UNS_ADMIN_PERM,
19148 		.internal_flags =
19149 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
19150 			       NL80211_FLAG_NEED_RTNL |
19151 			       /* we take the wiphy mutex later ourselves */
19152 			       NL80211_FLAG_NO_WIPHY_MTX),
19153 	},
19154 	{
19155 		.cmd = NL80211_CMD_DEL_INTERFACE,
19156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19157 		.doit = nl80211_del_interface,
19158 		.flags = GENL_UNS_ADMIN_PERM,
19159 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
19160 					 NL80211_FLAG_NEED_RTNL),
19161 	},
19162 	{
19163 		.cmd = NL80211_CMD_GET_KEY,
19164 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19165 		.doit = nl80211_get_key,
19166 		.flags = GENL_UNS_ADMIN_PERM,
19167 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19168 	},
19169 	{
19170 		.cmd = NL80211_CMD_SET_KEY,
19171 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19172 		.doit = nl80211_set_key,
19173 		.flags = GENL_UNS_ADMIN_PERM,
19174 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
19175 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19176 					 NL80211_FLAG_CLEAR_SKB),
19177 	},
19178 	{
19179 		.cmd = NL80211_CMD_NEW_KEY,
19180 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19181 		.doit = nl80211_new_key,
19182 		.flags = GENL_UNS_ADMIN_PERM,
19183 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19184 					 NL80211_FLAG_CLEAR_SKB),
19185 	},
19186 	{
19187 		.cmd = NL80211_CMD_DEL_KEY,
19188 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19189 		.doit = nl80211_del_key,
19190 		.flags = GENL_UNS_ADMIN_PERM,
19191 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19192 	},
19193 	{
19194 		.cmd = NL80211_CMD_SET_BEACON,
19195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19196 		.flags = GENL_UNS_ADMIN_PERM,
19197 		.doit = nl80211_set_beacon,
19198 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19199 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19200 	},
19201 	{
19202 		.cmd = NL80211_CMD_START_AP,
19203 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19204 		.flags = GENL_UNS_ADMIN_PERM,
19205 		.doit = nl80211_start_ap,
19206 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19207 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19208 	},
19209 	{
19210 		.cmd = NL80211_CMD_STOP_AP,
19211 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19212 		.flags = GENL_UNS_ADMIN_PERM,
19213 		.doit = nl80211_stop_ap,
19214 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19215 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19216 	},
19217 	{
19218 		.cmd = NL80211_CMD_GET_STATION,
19219 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19220 		.doit = nl80211_get_station,
19221 		.dumpit = nl80211_dump_station,
19222 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19223 	},
19224 	{
19225 		.cmd = NL80211_CMD_SET_STATION,
19226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19227 		.doit = nl80211_set_station,
19228 		.flags = GENL_UNS_ADMIN_PERM,
19229 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19230 	},
19231 	{
19232 		.cmd = NL80211_CMD_NEW_STATION,
19233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19234 		.doit = nl80211_new_station,
19235 		.flags = GENL_UNS_ADMIN_PERM,
19236 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19237 	},
19238 	{
19239 		.cmd = NL80211_CMD_DEL_STATION,
19240 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19241 		.doit = nl80211_del_station,
19242 		.flags = GENL_UNS_ADMIN_PERM,
19243 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
19244 		 * whether MAC address is passed or not. If MAC address is
19245 		 * passed, then even during MLO, link ID is not required.
19246 		 */
19247 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19248 	},
19249 	{
19250 		.cmd = NL80211_CMD_GET_MPATH,
19251 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19252 		.doit = nl80211_get_mpath,
19253 		.dumpit = nl80211_dump_mpath,
19254 		.flags = GENL_UNS_ADMIN_PERM,
19255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19256 	},
19257 	{
19258 		.cmd = NL80211_CMD_GET_MPP,
19259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19260 		.doit = nl80211_get_mpp,
19261 		.dumpit = nl80211_dump_mpp,
19262 		.flags = GENL_UNS_ADMIN_PERM,
19263 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19264 	},
19265 	{
19266 		.cmd = NL80211_CMD_SET_MPATH,
19267 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19268 		.doit = nl80211_set_mpath,
19269 		.flags = GENL_UNS_ADMIN_PERM,
19270 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19271 	},
19272 	{
19273 		.cmd = NL80211_CMD_NEW_MPATH,
19274 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19275 		.doit = nl80211_new_mpath,
19276 		.flags = GENL_UNS_ADMIN_PERM,
19277 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19278 	},
19279 	{
19280 		.cmd = NL80211_CMD_DEL_MPATH,
19281 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19282 		.doit = nl80211_del_mpath,
19283 		.flags = GENL_UNS_ADMIN_PERM,
19284 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19285 	},
19286 	{
19287 		.cmd = NL80211_CMD_SET_BSS,
19288 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19289 		.doit = nl80211_set_bss,
19290 		.flags = GENL_UNS_ADMIN_PERM,
19291 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19292 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19293 	},
19294 	{
19295 		.cmd = NL80211_CMD_GET_REG,
19296 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19297 		.doit = nl80211_get_reg_do,
19298 		.dumpit = nl80211_get_reg_dump,
19299 		/* can be retrieved by unprivileged users */
19300 	},
19301 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
19302 	{
19303 		.cmd = NL80211_CMD_SET_REG,
19304 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19305 		.doit = nl80211_set_reg,
19306 		.flags = GENL_ADMIN_PERM,
19307 	},
19308 #endif
19309 	{
19310 		.cmd = NL80211_CMD_REQ_SET_REG,
19311 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19312 		.doit = nl80211_req_set_reg,
19313 		.flags = GENL_ADMIN_PERM,
19314 	},
19315 	{
19316 		.cmd = NL80211_CMD_RELOAD_REGDB,
19317 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19318 		.doit = nl80211_reload_regdb,
19319 		.flags = GENL_ADMIN_PERM,
19320 	},
19321 	{
19322 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
19323 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19324 		.doit = nl80211_get_mesh_config,
19325 		/* can be retrieved by unprivileged users */
19326 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19327 	},
19328 	{
19329 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
19330 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19331 		.doit = nl80211_update_mesh_config,
19332 		.flags = GENL_UNS_ADMIN_PERM,
19333 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19334 	},
19335 	{
19336 		.cmd = NL80211_CMD_TRIGGER_SCAN,
19337 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19338 		.doit = nl80211_trigger_scan,
19339 		.flags = GENL_UNS_ADMIN_PERM,
19340 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19341 	},
19342 	{
19343 		.cmd = NL80211_CMD_ABORT_SCAN,
19344 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19345 		.doit = nl80211_abort_scan,
19346 		.flags = GENL_UNS_ADMIN_PERM,
19347 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19348 	},
19349 	{
19350 		.cmd = NL80211_CMD_GET_SCAN,
19351 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19352 		.dumpit = nl80211_dump_scan,
19353 	},
19354 	{
19355 		.cmd = NL80211_CMD_START_SCHED_SCAN,
19356 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19357 		.doit = nl80211_start_sched_scan,
19358 		.flags = GENL_UNS_ADMIN_PERM,
19359 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19360 	},
19361 	{
19362 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
19363 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19364 		.doit = nl80211_stop_sched_scan,
19365 		.flags = GENL_UNS_ADMIN_PERM,
19366 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19367 	},
19368 	{
19369 		.cmd = NL80211_CMD_AUTHENTICATE,
19370 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19371 		.doit = nl80211_authenticate,
19372 		.flags = GENL_UNS_ADMIN_PERM,
19373 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19374 					 NL80211_FLAG_CLEAR_SKB),
19375 	},
19376 	{
19377 		.cmd = NL80211_CMD_ASSOCIATE,
19378 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19379 		.doit = nl80211_associate,
19380 		.flags = GENL_UNS_ADMIN_PERM,
19381 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19382 					 NL80211_FLAG_CLEAR_SKB),
19383 	},
19384 	{
19385 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19386 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19387 		.doit = nl80211_deauthenticate,
19388 		.flags = GENL_UNS_ADMIN_PERM,
19389 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19390 	},
19391 	{
19392 		.cmd = NL80211_CMD_DISASSOCIATE,
19393 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19394 		.doit = nl80211_disassociate,
19395 		.flags = GENL_UNS_ADMIN_PERM,
19396 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19397 	},
19398 	{
19399 		.cmd = NL80211_CMD_JOIN_IBSS,
19400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19401 		.doit = nl80211_join_ibss,
19402 		.flags = GENL_UNS_ADMIN_PERM,
19403 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19404 	},
19405 	{
19406 		.cmd = NL80211_CMD_LEAVE_IBSS,
19407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19408 		.doit = nl80211_leave_ibss,
19409 		.flags = GENL_UNS_ADMIN_PERM,
19410 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19411 	},
19412 #ifdef CONFIG_NL80211_TESTMODE
19413 	{
19414 		.cmd = NL80211_CMD_TESTMODE,
19415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19416 		.doit = nl80211_testmode_do,
19417 		.dumpit = nl80211_testmode_dump,
19418 		.flags = GENL_UNS_ADMIN_PERM,
19419 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19420 	},
19421 #endif
19422 	{
19423 		.cmd = NL80211_CMD_CONNECT,
19424 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19425 		.doit = nl80211_connect,
19426 		.flags = GENL_UNS_ADMIN_PERM,
19427 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19428 					 NL80211_FLAG_CLEAR_SKB),
19429 	},
19430 	{
19431 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
19432 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19433 		.doit = nl80211_update_connect_params,
19434 		.flags = GENL_ADMIN_PERM,
19435 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19436 					 NL80211_FLAG_CLEAR_SKB),
19437 	},
19438 	{
19439 		.cmd = NL80211_CMD_DISCONNECT,
19440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19441 		.doit = nl80211_disconnect,
19442 		.flags = GENL_UNS_ADMIN_PERM,
19443 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19444 	},
19445 	{
19446 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
19447 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19448 		.doit = nl80211_wiphy_netns,
19449 		.flags = GENL_UNS_ADMIN_PERM,
19450 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19451 					 NL80211_FLAG_NEED_RTNL |
19452 					 NL80211_FLAG_NO_WIPHY_MTX),
19453 	},
19454 	{
19455 		.cmd = NL80211_CMD_GET_SURVEY,
19456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19457 		.dumpit = nl80211_dump_survey,
19458 	},
19459 	{
19460 		.cmd = NL80211_CMD_SET_PMKSA,
19461 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19462 		.doit = nl80211_set_pmksa,
19463 		.flags = GENL_UNS_ADMIN_PERM,
19464 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19465 					 NL80211_FLAG_CLEAR_SKB),
19466 	},
19467 	{
19468 		.cmd = NL80211_CMD_DEL_PMKSA,
19469 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19470 		.doit = nl80211_del_pmksa,
19471 		.flags = GENL_UNS_ADMIN_PERM,
19472 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19473 	},
19474 	{
19475 		.cmd = NL80211_CMD_FLUSH_PMKSA,
19476 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19477 		.doit = nl80211_flush_pmksa,
19478 		.flags = GENL_UNS_ADMIN_PERM,
19479 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19480 	},
19481 	{
19482 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
19483 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19484 		.doit = nl80211_remain_on_channel,
19485 		.flags = GENL_UNS_ADMIN_PERM,
19486 		/* FIXME: requiring a link ID here is probably not good */
19487 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19488 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19489 	},
19490 	{
19491 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
19492 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19493 		.doit = nl80211_cancel_remain_on_channel,
19494 		.flags = GENL_UNS_ADMIN_PERM,
19495 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19496 	},
19497 	{
19498 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
19499 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19500 		.doit = nl80211_set_tx_bitrate_mask,
19501 		.flags = GENL_UNS_ADMIN_PERM,
19502 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19503 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19504 	},
19505 	{
19506 		.cmd = NL80211_CMD_REGISTER_FRAME,
19507 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19508 		.doit = nl80211_register_mgmt,
19509 		.flags = GENL_UNS_ADMIN_PERM,
19510 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19511 	},
19512 	{
19513 		.cmd = NL80211_CMD_FRAME,
19514 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19515 		.doit = nl80211_tx_mgmt,
19516 		.flags = GENL_UNS_ADMIN_PERM,
19517 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19518 	},
19519 	{
19520 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
19521 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19522 		.doit = nl80211_tx_mgmt_cancel_wait,
19523 		.flags = GENL_UNS_ADMIN_PERM,
19524 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19525 	},
19526 	{
19527 		.cmd = NL80211_CMD_SET_POWER_SAVE,
19528 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19529 		.doit = nl80211_set_power_save,
19530 		.flags = GENL_UNS_ADMIN_PERM,
19531 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19532 	},
19533 	{
19534 		.cmd = NL80211_CMD_GET_POWER_SAVE,
19535 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19536 		.doit = nl80211_get_power_save,
19537 		/* can be retrieved by unprivileged users */
19538 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19539 	},
19540 	{
19541 		.cmd = NL80211_CMD_SET_CQM,
19542 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19543 		.doit = nl80211_set_cqm,
19544 		.flags = GENL_UNS_ADMIN_PERM,
19545 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19546 	},
19547 	{
19548 		.cmd = NL80211_CMD_SET_CHANNEL,
19549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19550 		.doit = nl80211_set_channel,
19551 		.flags = GENL_UNS_ADMIN_PERM,
19552 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19553 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19554 	},
19555 	{
19556 		.cmd = NL80211_CMD_JOIN_MESH,
19557 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19558 		.doit = nl80211_join_mesh,
19559 		.flags = GENL_UNS_ADMIN_PERM,
19560 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19561 	},
19562 	{
19563 		.cmd = NL80211_CMD_LEAVE_MESH,
19564 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19565 		.doit = nl80211_leave_mesh,
19566 		.flags = GENL_UNS_ADMIN_PERM,
19567 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19568 	},
19569 	{
19570 		.cmd = NL80211_CMD_JOIN_OCB,
19571 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19572 		.doit = nl80211_join_ocb,
19573 		.flags = GENL_UNS_ADMIN_PERM,
19574 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19575 	},
19576 	{
19577 		.cmd = NL80211_CMD_LEAVE_OCB,
19578 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19579 		.doit = nl80211_leave_ocb,
19580 		.flags = GENL_UNS_ADMIN_PERM,
19581 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19582 	},
19583 #ifdef CONFIG_PM
19584 	{
19585 		.cmd = NL80211_CMD_GET_WOWLAN,
19586 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19587 		.doit = nl80211_get_wowlan,
19588 		/* can be retrieved by unprivileged users */
19589 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19590 	},
19591 	{
19592 		.cmd = NL80211_CMD_SET_WOWLAN,
19593 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19594 		.doit = nl80211_set_wowlan,
19595 		.flags = GENL_UNS_ADMIN_PERM,
19596 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19597 	},
19598 #endif
19599 	{
19600 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
19601 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19602 		.doit = nl80211_set_rekey_data,
19603 		.flags = GENL_UNS_ADMIN_PERM,
19604 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19605 					 NL80211_FLAG_CLEAR_SKB),
19606 	},
19607 	{
19608 		.cmd = NL80211_CMD_TDLS_MGMT,
19609 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19610 		.doit = nl80211_tdls_mgmt,
19611 		.flags = GENL_UNS_ADMIN_PERM,
19612 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19613 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19614 	},
19615 	{
19616 		.cmd = NL80211_CMD_TDLS_OPER,
19617 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19618 		.doit = nl80211_tdls_oper,
19619 		.flags = GENL_UNS_ADMIN_PERM,
19620 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19621 	},
19622 	{
19623 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
19624 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19625 		.doit = nl80211_register_unexpected_frame,
19626 		.flags = GENL_UNS_ADMIN_PERM,
19627 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19628 	},
19629 	{
19630 		.cmd = NL80211_CMD_PROBE_CLIENT,
19631 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19632 		.doit = nl80211_probe_client,
19633 		.flags = GENL_UNS_ADMIN_PERM,
19634 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19635 	},
19636 	{
19637 		.cmd = NL80211_CMD_REGISTER_BEACONS,
19638 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19639 		.doit = nl80211_register_beacons,
19640 		.flags = GENL_UNS_ADMIN_PERM,
19641 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19642 	},
19643 	{
19644 		.cmd = NL80211_CMD_SET_NOACK_MAP,
19645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19646 		.doit = nl80211_set_noack_map,
19647 		.flags = GENL_UNS_ADMIN_PERM,
19648 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19649 	},
19650 	{
19651 		.cmd = NL80211_CMD_START_P2P_DEVICE,
19652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19653 		.doit = nl80211_start_p2p_device,
19654 		.flags = GENL_UNS_ADMIN_PERM,
19655 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
19656 					 NL80211_FLAG_NEED_RTNL),
19657 	},
19658 	{
19659 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
19660 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19661 		.doit = nl80211_stop_p2p_device,
19662 		.flags = GENL_UNS_ADMIN_PERM,
19663 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19664 					 NL80211_FLAG_NEED_RTNL),
19665 	},
19666 	{
19667 		.cmd = NL80211_CMD_START_NAN,
19668 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19669 		.doit = nl80211_start_nan,
19670 		.flags = GENL_ADMIN_PERM,
19671 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
19672 					 NL80211_FLAG_NEED_RTNL),
19673 	},
19674 	{
19675 		.cmd = NL80211_CMD_STOP_NAN,
19676 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19677 		.doit = nl80211_stop_nan,
19678 		.flags = GENL_ADMIN_PERM,
19679 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19680 					 NL80211_FLAG_NO_WIPHY_MTX |
19681 					 NL80211_FLAG_NEED_RTNL),
19682 	},
19683 	{
19684 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
19685 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19686 		.doit = nl80211_nan_add_func,
19687 		.flags = GENL_ADMIN_PERM,
19688 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19689 	},
19690 	{
19691 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
19692 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19693 		.doit = nl80211_nan_del_func,
19694 		.flags = GENL_ADMIN_PERM,
19695 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19696 	},
19697 	{
19698 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
19699 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19700 		.doit = nl80211_nan_change_config,
19701 		.flags = GENL_ADMIN_PERM,
19702 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19703 	},
19704 	{
19705 		.cmd = NL80211_CMD_SET_MCAST_RATE,
19706 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19707 		.doit = nl80211_set_mcast_rate,
19708 		.flags = GENL_UNS_ADMIN_PERM,
19709 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19710 	},
19711 	{
19712 		.cmd = NL80211_CMD_SET_MAC_ACL,
19713 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19714 		.doit = nl80211_set_mac_acl,
19715 		.flags = GENL_UNS_ADMIN_PERM,
19716 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19717 					 NL80211_FLAG_MLO_UNSUPPORTED),
19718 	},
19719 	{
19720 		.cmd = NL80211_CMD_RADAR_DETECT,
19721 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19722 		.doit = nl80211_start_radar_detection,
19723 		.flags = GENL_UNS_ADMIN_PERM,
19724 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19725 					 NL80211_FLAG_NO_WIPHY_MTX |
19726 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19727 	},
19728 	{
19729 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
19730 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19731 		.doit = nl80211_get_protocol_features,
19732 	},
19733 	{
19734 		.cmd = NL80211_CMD_UPDATE_FT_IES,
19735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19736 		.doit = nl80211_update_ft_ies,
19737 		.flags = GENL_UNS_ADMIN_PERM,
19738 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19739 	},
19740 	{
19741 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
19742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19743 		.doit = nl80211_crit_protocol_start,
19744 		.flags = GENL_UNS_ADMIN_PERM,
19745 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19746 	},
19747 	{
19748 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
19749 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19750 		.doit = nl80211_crit_protocol_stop,
19751 		.flags = GENL_UNS_ADMIN_PERM,
19752 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19753 	},
19754 	{
19755 		.cmd = NL80211_CMD_GET_COALESCE,
19756 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19757 		.doit = nl80211_get_coalesce,
19758 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19759 	},
19760 	{
19761 		.cmd = NL80211_CMD_SET_COALESCE,
19762 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19763 		.doit = nl80211_set_coalesce,
19764 		.flags = GENL_UNS_ADMIN_PERM,
19765 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19766 	},
19767 	{
19768 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
19769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19770 		.doit = nl80211_channel_switch,
19771 		.flags = GENL_UNS_ADMIN_PERM,
19772 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19773 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19774 	},
19775 	{
19776 		.cmd = NL80211_CMD_VENDOR,
19777 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19778 		.doit = nl80211_vendor_cmd,
19779 		.dumpit = nl80211_vendor_cmd_dump,
19780 		.flags = GENL_UNS_ADMIN_PERM,
19781 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19782 					 NL80211_FLAG_CLEAR_SKB),
19783 	},
19784 	{
19785 		.cmd = NL80211_CMD_SET_QOS_MAP,
19786 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19787 		.doit = nl80211_set_qos_map,
19788 		.flags = GENL_UNS_ADMIN_PERM,
19789 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19790 	},
19791 	{
19792 		.cmd = NL80211_CMD_ADD_TX_TS,
19793 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19794 		.doit = nl80211_add_tx_ts,
19795 		.flags = GENL_UNS_ADMIN_PERM,
19796 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19797 					 NL80211_FLAG_MLO_UNSUPPORTED),
19798 	},
19799 	{
19800 		.cmd = NL80211_CMD_DEL_TX_TS,
19801 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19802 		.doit = nl80211_del_tx_ts,
19803 		.flags = GENL_UNS_ADMIN_PERM,
19804 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19805 	},
19806 	{
19807 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
19808 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19809 		.doit = nl80211_tdls_channel_switch,
19810 		.flags = GENL_UNS_ADMIN_PERM,
19811 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19812 	},
19813 	{
19814 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
19815 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19816 		.doit = nl80211_tdls_cancel_channel_switch,
19817 		.flags = GENL_UNS_ADMIN_PERM,
19818 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19819 	},
19820 	{
19821 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
19822 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19823 		.doit = nl80211_set_multicast_to_unicast,
19824 		.flags = GENL_UNS_ADMIN_PERM,
19825 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19826 	},
19827 	{
19828 		.cmd = NL80211_CMD_SET_PMK,
19829 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19830 		.doit = nl80211_set_pmk,
19831 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19832 					 NL80211_FLAG_CLEAR_SKB),
19833 	},
19834 	{
19835 		.cmd = NL80211_CMD_DEL_PMK,
19836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19837 		.doit = nl80211_del_pmk,
19838 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19839 	},
19840 	{
19841 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
19842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19843 		.doit = nl80211_external_auth,
19844 		.flags = GENL_ADMIN_PERM,
19845 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19846 	},
19847 	{
19848 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
19849 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19850 		.doit = nl80211_tx_control_port,
19851 		.flags = GENL_UNS_ADMIN_PERM,
19852 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19853 	},
19854 	{
19855 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
19856 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19857 		.doit = nl80211_get_ftm_responder_stats,
19858 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19859 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19860 	},
19861 	{
19862 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
19863 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19864 		.doit = nl80211_pmsr_start,
19865 		.flags = GENL_UNS_ADMIN_PERM,
19866 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19867 	},
19868 	{
19869 		.cmd = NL80211_CMD_NOTIFY_RADAR,
19870 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19871 		.doit = nl80211_notify_radar_detection,
19872 		.flags = GENL_UNS_ADMIN_PERM,
19873 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19874 	},
19875 	{
19876 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
19877 		.doit = nl80211_update_owe_info,
19878 		.flags = GENL_ADMIN_PERM,
19879 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19880 	},
19881 	{
19882 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
19883 		.doit = nl80211_probe_mesh_link,
19884 		.flags = GENL_UNS_ADMIN_PERM,
19885 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19886 	},
19887 	{
19888 		.cmd = NL80211_CMD_SET_TID_CONFIG,
19889 		.doit = nl80211_set_tid_config,
19890 		.flags = GENL_UNS_ADMIN_PERM,
19891 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19892 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19893 	},
19894 	{
19895 		.cmd = NL80211_CMD_SET_SAR_SPECS,
19896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19897 		.doit = nl80211_set_sar_specs,
19898 		.flags = GENL_UNS_ADMIN_PERM,
19899 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19900 					 NL80211_FLAG_NEED_RTNL),
19901 	},
19902 	{
19903 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
19904 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19905 		.doit = nl80211_color_change,
19906 		.flags = GENL_UNS_ADMIN_PERM,
19907 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19908 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19909 	},
19910 	{
19911 		.cmd = NL80211_CMD_SET_FILS_AAD,
19912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19913 		.doit = nl80211_set_fils_aad,
19914 		.flags = GENL_UNS_ADMIN_PERM,
19915 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19916 	},
19917 	{
19918 		.cmd = NL80211_CMD_ADD_LINK,
19919 		.doit = nl80211_add_link,
19920 		.flags = GENL_UNS_ADMIN_PERM,
19921 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19922 	},
19923 	{
19924 		.cmd = NL80211_CMD_REMOVE_LINK,
19925 		.doit = nl80211_remove_link,
19926 		.flags = GENL_UNS_ADMIN_PERM,
19927 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19928 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19929 	},
19930 	{
19931 		.cmd = NL80211_CMD_ADD_LINK_STA,
19932 		.doit = nl80211_add_link_station,
19933 		.flags = GENL_UNS_ADMIN_PERM,
19934 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19935 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19936 	},
19937 	{
19938 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
19939 		.doit = nl80211_modify_link_station,
19940 		.flags = GENL_UNS_ADMIN_PERM,
19941 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19942 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19943 	},
19944 	{
19945 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
19946 		.doit = nl80211_remove_link_station,
19947 		.flags = GENL_UNS_ADMIN_PERM,
19948 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19949 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19950 	},
19951 	{
19952 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
19953 		.doit = nl80211_set_hw_timestamp,
19954 		.flags = GENL_UNS_ADMIN_PERM,
19955 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19956 	},
19957 	{
19958 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
19959 		.doit = nl80211_set_ttlm,
19960 		.flags = GENL_UNS_ADMIN_PERM,
19961 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19962 	},
19963 	{
19964 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19965 		.doit = nl80211_assoc_ml_reconf,
19966 		.flags = GENL_UNS_ADMIN_PERM,
19967 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19968 	},
19969 	{
19970 		.cmd = NL80211_CMD_EPCS_CFG,
19971 		.doit = nl80211_epcs_cfg,
19972 		.flags = GENL_UNS_ADMIN_PERM,
19973 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19974 	},
19975 	{
19976 		.cmd = NL80211_CMD_NAN_SET_LOCAL_SCHED,
19977 		.doit = nl80211_nan_set_local_sched,
19978 		.flags = GENL_ADMIN_PERM,
19979 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19980 	},
19981 	{
19982 		.cmd = NL80211_CMD_NAN_SET_PEER_SCHED,
19983 		.doit = nl80211_nan_set_peer_sched,
19984 		.flags = GENL_ADMIN_PERM,
19985 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19986 	},
19987 };
19988 
19989 static struct genl_family nl80211_fam __ro_after_init = {
19990 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
19991 	.hdrsize = 0,			/* no private header */
19992 	.version = 1,			/* no particular meaning now */
19993 	.maxattr = NL80211_ATTR_MAX,
19994 	.policy = nl80211_policy,
19995 	.netnsok = true,
19996 	.pre_doit = nl80211_pre_doit,
19997 	.post_doit = nl80211_post_doit,
19998 	.module = THIS_MODULE,
19999 	.ops = nl80211_ops,
20000 	.n_ops = ARRAY_SIZE(nl80211_ops),
20001 	.small_ops = nl80211_small_ops,
20002 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
20003 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
20004 	.mcgrps = nl80211_mcgrps,
20005 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
20006 	.parallel_ops = true,
20007 };
20008 
20009 /* notification functions */
20010 
20011 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
20012 			  enum nl80211_commands cmd)
20013 {
20014 	struct sk_buff *msg;
20015 	struct nl80211_dump_wiphy_state state = {};
20016 
20017 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
20018 		cmd != NL80211_CMD_DEL_WIPHY);
20019 
20020 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20021 	if (!msg)
20022 		return;
20023 
20024 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
20025 		nlmsg_free(msg);
20026 		return;
20027 	}
20028 
20029 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20030 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
20031 }
20032 
20033 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
20034 				struct wireless_dev *wdev,
20035 				enum nl80211_commands cmd)
20036 {
20037 	struct sk_buff *msg;
20038 
20039 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20040 	if (!msg)
20041 		return;
20042 
20043 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
20044 		nlmsg_free(msg);
20045 		return;
20046 	}
20047 
20048 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20049 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
20050 }
20051 
20052 static int nl80211_add_scan_req(struct sk_buff *msg,
20053 				struct cfg80211_registered_device *rdev)
20054 {
20055 	struct cfg80211_scan_request_int *req = rdev->scan_req;
20056 	struct nlattr *nest;
20057 	int i;
20058 	struct cfg80211_scan_info *info;
20059 
20060 	if (WARN_ON(!req))
20061 		return 0;
20062 
20063 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
20064 	if (!nest)
20065 		goto nla_put_failure;
20066 	for (i = 0; i < req->req.n_ssids; i++) {
20067 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
20068 			    req->req.ssids[i].ssid))
20069 			goto nla_put_failure;
20070 	}
20071 	nla_nest_end(msg, nest);
20072 
20073 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
20074 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
20075 		if (!nest)
20076 			goto nla_put_failure;
20077 		for (i = 0; i < req->req.n_channels; i++) {
20078 			if (nla_put_u32(msg, i,
20079 					ieee80211_channel_to_khz(req->req.channels[i])))
20080 				goto nla_put_failure;
20081 		}
20082 		nla_nest_end(msg, nest);
20083 	} else {
20084 		nest = nla_nest_start_noflag(msg,
20085 					     NL80211_ATTR_SCAN_FREQUENCIES);
20086 		if (!nest)
20087 			goto nla_put_failure;
20088 		for (i = 0; i < req->req.n_channels; i++) {
20089 			if (nla_put_u32(msg, i,
20090 					req->req.channels[i]->center_freq))
20091 				goto nla_put_failure;
20092 		}
20093 		nla_nest_end(msg, nest);
20094 	}
20095 
20096 	if (req->req.ie &&
20097 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
20098 		goto nla_put_failure;
20099 
20100 	if (req->req.flags &&
20101 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
20102 		goto nla_put_failure;
20103 
20104 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
20105 		&rdev->scan_req->info;
20106 	if (info->scan_start_tsf &&
20107 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
20108 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
20109 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
20110 		     info->tsf_bssid)))
20111 		goto nla_put_failure;
20112 
20113 	return 0;
20114  nla_put_failure:
20115 	return -ENOBUFS;
20116 }
20117 
20118 static int nl80211_prep_scan_msg(struct sk_buff *msg,
20119 				 struct cfg80211_registered_device *rdev,
20120 				 struct wireless_dev *wdev,
20121 				 u32 portid, u32 seq, int flags,
20122 				 u32 cmd)
20123 {
20124 	void *hdr;
20125 
20126 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
20127 	if (!hdr)
20128 		return -1;
20129 
20130 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20131 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20132 					 wdev->netdev->ifindex)) ||
20133 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20134 			      NL80211_ATTR_PAD))
20135 		goto nla_put_failure;
20136 
20137 	/* ignore errors and send incomplete event anyway */
20138 	nl80211_add_scan_req(msg, rdev);
20139 
20140 	genlmsg_end(msg, hdr);
20141 	return 0;
20142 
20143  nla_put_failure:
20144 	genlmsg_cancel(msg, hdr);
20145 	return -EMSGSIZE;
20146 }
20147 
20148 static int
20149 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
20150 			    struct cfg80211_sched_scan_request *req, u32 cmd)
20151 {
20152 	void *hdr;
20153 
20154 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20155 	if (!hdr)
20156 		return -1;
20157 
20158 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
20159 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
20160 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
20161 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
20162 			      NL80211_ATTR_PAD))
20163 		goto nla_put_failure;
20164 
20165 	genlmsg_end(msg, hdr);
20166 	return 0;
20167 
20168  nla_put_failure:
20169 	genlmsg_cancel(msg, hdr);
20170 	return -EMSGSIZE;
20171 }
20172 
20173 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
20174 			     struct wireless_dev *wdev)
20175 {
20176 	struct sk_buff *msg;
20177 
20178 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20179 	if (!msg)
20180 		return;
20181 
20182 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
20183 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
20184 		nlmsg_free(msg);
20185 		return;
20186 	}
20187 
20188 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20189 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20190 }
20191 
20192 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
20193 				       struct wireless_dev *wdev, bool aborted)
20194 {
20195 	struct sk_buff *msg;
20196 
20197 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20198 	if (!msg)
20199 		return NULL;
20200 
20201 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
20202 				  aborted ? NL80211_CMD_SCAN_ABORTED :
20203 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
20204 		nlmsg_free(msg);
20205 		return NULL;
20206 	}
20207 
20208 	return msg;
20209 }
20210 
20211 /* send message created by nl80211_build_scan_msg() */
20212 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
20213 			   struct sk_buff *msg)
20214 {
20215 	if (!msg)
20216 		return;
20217 
20218 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20219 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20220 }
20221 
20222 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
20223 {
20224 	struct sk_buff *msg;
20225 
20226 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20227 	if (!msg)
20228 		return;
20229 
20230 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
20231 		nlmsg_free(msg);
20232 		return;
20233 	}
20234 
20235 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
20236 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20237 }
20238 
20239 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
20240 					  struct regulatory_request *request)
20241 {
20242 	/* Userspace can always count this one always being set */
20243 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
20244 		goto nla_put_failure;
20245 
20246 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
20247 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20248 			       NL80211_REGDOM_TYPE_WORLD))
20249 			goto nla_put_failure;
20250 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
20251 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20252 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
20253 			goto nla_put_failure;
20254 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
20255 		   request->intersect) {
20256 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20257 			       NL80211_REGDOM_TYPE_INTERSECTION))
20258 			goto nla_put_failure;
20259 	} else {
20260 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20261 			       NL80211_REGDOM_TYPE_COUNTRY) ||
20262 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
20263 				   request->alpha2))
20264 			goto nla_put_failure;
20265 	}
20266 
20267 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
20268 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
20269 
20270 		if (wiphy &&
20271 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
20272 			goto nla_put_failure;
20273 
20274 		if (wiphy &&
20275 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
20276 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
20277 			goto nla_put_failure;
20278 	}
20279 
20280 	return true;
20281 
20282 nla_put_failure:
20283 	return false;
20284 }
20285 
20286 /*
20287  * This can happen on global regulatory changes or device specific settings
20288  * based on custom regulatory domains.
20289  */
20290 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
20291 				     struct regulatory_request *request)
20292 {
20293 	struct sk_buff *msg;
20294 	void *hdr;
20295 
20296 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20297 	if (!msg)
20298 		return;
20299 
20300 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
20301 	if (!hdr)
20302 		goto nla_put_failure;
20303 
20304 	if (!nl80211_reg_change_event_fill(msg, request))
20305 		goto nla_put_failure;
20306 
20307 	genlmsg_end(msg, hdr);
20308 
20309 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20310 				NL80211_MCGRP_REGULATORY);
20311 
20312 	return;
20313 
20314 nla_put_failure:
20315 	nlmsg_free(msg);
20316 }
20317 
20318 struct nl80211_mlme_event {
20319 	enum nl80211_commands cmd;
20320 	const u8 *buf;
20321 	size_t buf_len;
20322 	int uapsd_queues;
20323 	const u8 *req_ies;
20324 	size_t req_ies_len;
20325 	bool reconnect;
20326 };
20327 
20328 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
20329 				    struct net_device *netdev,
20330 				    const struct nl80211_mlme_event *event,
20331 				    gfp_t gfp)
20332 {
20333 	struct sk_buff *msg;
20334 	void *hdr;
20335 
20336 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
20337 	if (!msg)
20338 		return;
20339 
20340 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
20341 	if (!hdr) {
20342 		nlmsg_free(msg);
20343 		return;
20344 	}
20345 
20346 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20347 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20348 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
20349 	    (event->req_ies &&
20350 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
20351 		     event->req_ies)))
20352 		goto nla_put_failure;
20353 
20354 	if (event->reconnect &&
20355 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
20356 		goto nla_put_failure;
20357 
20358 	if (event->uapsd_queues >= 0) {
20359 		struct nlattr *nla_wmm =
20360 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
20361 		if (!nla_wmm)
20362 			goto nla_put_failure;
20363 
20364 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
20365 			       event->uapsd_queues))
20366 			goto nla_put_failure;
20367 
20368 		nla_nest_end(msg, nla_wmm);
20369 	}
20370 
20371 	genlmsg_end(msg, hdr);
20372 
20373 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20374 				NL80211_MCGRP_MLME, gfp);
20375 	return;
20376 
20377  nla_put_failure:
20378 	nlmsg_free(msg);
20379 }
20380 
20381 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
20382 			  struct net_device *netdev, const u8 *buf,
20383 			  size_t len, gfp_t gfp)
20384 {
20385 	struct nl80211_mlme_event event = {
20386 		.cmd = NL80211_CMD_AUTHENTICATE,
20387 		.buf = buf,
20388 		.buf_len = len,
20389 		.uapsd_queues = -1,
20390 	};
20391 
20392 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20393 }
20394 
20395 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
20396 			   struct net_device *netdev,
20397 			   const struct cfg80211_rx_assoc_resp_data *data)
20398 {
20399 	struct nl80211_mlme_event event = {
20400 		.cmd = NL80211_CMD_ASSOCIATE,
20401 		.buf = data->buf,
20402 		.buf_len = data->len,
20403 		.uapsd_queues = data->uapsd_queues,
20404 		.req_ies = data->req_ies,
20405 		.req_ies_len = data->req_ies_len,
20406 	};
20407 
20408 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
20409 }
20410 
20411 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
20412 			 struct net_device *netdev, const u8 *buf,
20413 			 size_t len, bool reconnect, gfp_t gfp)
20414 {
20415 	struct nl80211_mlme_event event = {
20416 		.cmd = NL80211_CMD_DEAUTHENTICATE,
20417 		.buf = buf,
20418 		.buf_len = len,
20419 		.reconnect = reconnect,
20420 		.uapsd_queues = -1,
20421 	};
20422 
20423 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20424 }
20425 
20426 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
20427 			   struct net_device *netdev, const u8 *buf,
20428 			   size_t len, bool reconnect, gfp_t gfp)
20429 {
20430 	struct nl80211_mlme_event event = {
20431 		.cmd = NL80211_CMD_DISASSOCIATE,
20432 		.buf = buf,
20433 		.buf_len = len,
20434 		.reconnect = reconnect,
20435 		.uapsd_queues = -1,
20436 	};
20437 
20438 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20439 }
20440 
20441 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
20442 				  size_t len)
20443 {
20444 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20445 	struct wiphy *wiphy = wdev->wiphy;
20446 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20447 	const struct ieee80211_mgmt *mgmt = (void *)buf;
20448 	struct nl80211_mlme_event event = {
20449 		.buf = buf,
20450 		.buf_len = len,
20451 		.uapsd_queues = -1,
20452 	};
20453 
20454 	if (WARN_ON(len < 2))
20455 		return;
20456 
20457 	if (ieee80211_is_deauth(mgmt->frame_control)) {
20458 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
20459 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
20460 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
20461 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
20462 		if (wdev->unprot_beacon_reported &&
20463 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
20464 			return;
20465 		event.cmd = NL80211_CMD_UNPROT_BEACON;
20466 		wdev->unprot_beacon_reported = jiffies;
20467 	} else {
20468 		return;
20469 	}
20470 
20471 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
20472 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
20473 }
20474 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
20475 
20476 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
20477 				      struct net_device *netdev, int cmd,
20478 				      const u8 *addr, gfp_t gfp)
20479 {
20480 	struct sk_buff *msg;
20481 	void *hdr;
20482 
20483 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20484 	if (!msg)
20485 		return;
20486 
20487 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20488 	if (!hdr) {
20489 		nlmsg_free(msg);
20490 		return;
20491 	}
20492 
20493 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20494 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20495 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
20496 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
20497 		goto nla_put_failure;
20498 
20499 	genlmsg_end(msg, hdr);
20500 
20501 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20502 				NL80211_MCGRP_MLME, gfp);
20503 	return;
20504 
20505  nla_put_failure:
20506 	nlmsg_free(msg);
20507 }
20508 
20509 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
20510 			       struct net_device *netdev, const u8 *addr,
20511 			       gfp_t gfp)
20512 {
20513 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
20514 				  addr, gfp);
20515 }
20516 
20517 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
20518 				struct net_device *netdev, const u8 *addr,
20519 				gfp_t gfp)
20520 {
20521 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
20522 				  addr, gfp);
20523 }
20524 
20525 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
20526 				 struct net_device *netdev,
20527 				 struct cfg80211_connect_resp_params *cr,
20528 				 gfp_t gfp)
20529 {
20530 	struct sk_buff *msg;
20531 	void *hdr;
20532 	unsigned int link;
20533 	size_t link_info_size = 0;
20534 	const u8 *connected_addr = cr->valid_links ?
20535 				   cr->ap_mld_addr : cr->links[0].bssid;
20536 
20537 	if (cr->valid_links) {
20538 		for_each_valid_link(cr, link) {
20539 			/* Nested attribute header */
20540 			link_info_size += NLA_HDRLEN;
20541 			/* Link ID */
20542 			link_info_size += nla_total_size(sizeof(u8));
20543 			link_info_size += cr->links[link].addr ?
20544 					  nla_total_size(ETH_ALEN) : 0;
20545 			link_info_size += (cr->links[link].bssid ||
20546 					   cr->links[link].bss) ?
20547 					  nla_total_size(ETH_ALEN) : 0;
20548 			link_info_size += nla_total_size(sizeof(u16));
20549 		}
20550 	}
20551 
20552 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
20553 			cr->fils.kek_len + cr->fils.pmk_len +
20554 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
20555 			gfp);
20556 	if (!msg)
20557 		return;
20558 
20559 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
20560 	if (!hdr) {
20561 		nlmsg_free(msg);
20562 		return;
20563 	}
20564 
20565 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20566 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20567 	    (connected_addr &&
20568 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
20569 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
20570 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
20571 			cr->status) ||
20572 	    (cr->status < 0 &&
20573 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
20574 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
20575 			  cr->timeout_reason))) ||
20576 	    (cr->req_ie &&
20577 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
20578 	    (cr->resp_ie &&
20579 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
20580 		     cr->resp_ie)) ||
20581 	    (cr->fils.update_erp_next_seq_num &&
20582 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
20583 			 cr->fils.erp_next_seq_num)) ||
20584 	    (cr->status == WLAN_STATUS_SUCCESS &&
20585 	     ((cr->fils.kek &&
20586 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
20587 		       cr->fils.kek)) ||
20588 	      (cr->fils.pmk &&
20589 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
20590 	      (cr->fils.pmkid &&
20591 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
20592 		goto nla_put_failure;
20593 
20594 	if (cr->valid_links) {
20595 		int i = 1;
20596 		struct nlattr *nested;
20597 
20598 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20599 		if (!nested)
20600 			goto nla_put_failure;
20601 
20602 		for_each_valid_link(cr, link) {
20603 			struct nlattr *nested_mlo_links;
20604 			const u8 *bssid = cr->links[link].bss ?
20605 					  cr->links[link].bss->bssid :
20606 					  cr->links[link].bssid;
20607 
20608 			nested_mlo_links = nla_nest_start(msg, i);
20609 			if (!nested_mlo_links)
20610 				goto nla_put_failure;
20611 
20612 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
20613 			    (bssid &&
20614 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
20615 			    (cr->links[link].addr &&
20616 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
20617 				     cr->links[link].addr)) ||
20618 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
20619 					cr->links[link].status))
20620 				goto nla_put_failure;
20621 
20622 			nla_nest_end(msg, nested_mlo_links);
20623 			i++;
20624 		}
20625 		nla_nest_end(msg, nested);
20626 	}
20627 
20628 	genlmsg_end(msg, hdr);
20629 
20630 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20631 				NL80211_MCGRP_MLME, gfp);
20632 	return;
20633 
20634  nla_put_failure:
20635 	nlmsg_free(msg);
20636 }
20637 
20638 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
20639 			 struct net_device *netdev,
20640 			 struct cfg80211_roam_info *info, gfp_t gfp)
20641 {
20642 	struct sk_buff *msg;
20643 	void *hdr;
20644 	size_t link_info_size = 0;
20645 	unsigned int link;
20646 	const u8 *connected_addr = info->ap_mld_addr ?
20647 				   info->ap_mld_addr :
20648 				   (info->links[0].bss ?
20649 				    info->links[0].bss->bssid :
20650 				    info->links[0].bssid);
20651 
20652 	if (info->valid_links) {
20653 		for_each_valid_link(info, link) {
20654 			/* Nested attribute header */
20655 			link_info_size += NLA_HDRLEN;
20656 			/* Link ID */
20657 			link_info_size += nla_total_size(sizeof(u8));
20658 			link_info_size += info->links[link].addr ?
20659 					  nla_total_size(ETH_ALEN) : 0;
20660 			link_info_size += (info->links[link].bssid ||
20661 					   info->links[link].bss) ?
20662 					  nla_total_size(ETH_ALEN) : 0;
20663 		}
20664 	}
20665 
20666 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
20667 			info->fils.kek_len + info->fils.pmk_len +
20668 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
20669 			link_info_size, gfp);
20670 	if (!msg)
20671 		return;
20672 
20673 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
20674 	if (!hdr) {
20675 		nlmsg_free(msg);
20676 		return;
20677 	}
20678 
20679 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20680 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20681 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
20682 	    (info->req_ie &&
20683 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
20684 		     info->req_ie)) ||
20685 	    (info->resp_ie &&
20686 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
20687 		     info->resp_ie)) ||
20688 	    (info->fils.update_erp_next_seq_num &&
20689 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
20690 			 info->fils.erp_next_seq_num)) ||
20691 	    (info->fils.kek &&
20692 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
20693 		     info->fils.kek)) ||
20694 	    (info->fils.pmk &&
20695 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
20696 	    (info->fils.pmkid &&
20697 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
20698 		goto nla_put_failure;
20699 
20700 	if (info->valid_links) {
20701 		int i = 1;
20702 		struct nlattr *nested;
20703 
20704 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20705 		if (!nested)
20706 			goto nla_put_failure;
20707 
20708 		for_each_valid_link(info, link) {
20709 			struct nlattr *nested_mlo_links;
20710 			const u8 *bssid = info->links[link].bss ?
20711 					  info->links[link].bss->bssid :
20712 					  info->links[link].bssid;
20713 
20714 			nested_mlo_links = nla_nest_start(msg, i);
20715 			if (!nested_mlo_links)
20716 				goto nla_put_failure;
20717 
20718 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
20719 			    (bssid &&
20720 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
20721 			    (info->links[link].addr &&
20722 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
20723 				     info->links[link].addr)))
20724 				goto nla_put_failure;
20725 
20726 			nla_nest_end(msg, nested_mlo_links);
20727 			i++;
20728 		}
20729 		nla_nest_end(msg, nested);
20730 	}
20731 
20732 	genlmsg_end(msg, hdr);
20733 
20734 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20735 				NL80211_MCGRP_MLME, gfp);
20736 	return;
20737 
20738  nla_put_failure:
20739 	nlmsg_free(msg);
20740 }
20741 
20742 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
20743 				  struct net_device *netdev, const u8 *peer_addr,
20744 				  const u8 *td_bitmap, u8 td_bitmap_len)
20745 {
20746 	struct sk_buff *msg;
20747 	void *hdr;
20748 
20749 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20750 	if (!msg)
20751 		return;
20752 
20753 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
20754 	if (!hdr) {
20755 		nlmsg_free(msg);
20756 		return;
20757 	}
20758 
20759 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20760 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20761 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
20762 		goto nla_put_failure;
20763 
20764 	if (td_bitmap_len > 0 && td_bitmap &&
20765 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
20766 		goto nla_put_failure;
20767 
20768 	genlmsg_end(msg, hdr);
20769 
20770 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20771 				NL80211_MCGRP_MLME, GFP_KERNEL);
20772 	return;
20773 
20774  nla_put_failure:
20775 	nlmsg_free(msg);
20776 }
20777 
20778 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
20779 			       struct net_device *netdev, u16 reason,
20780 			       const u8 *ie, size_t ie_len, bool from_ap)
20781 {
20782 	struct sk_buff *msg;
20783 	void *hdr;
20784 
20785 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
20786 	if (!msg)
20787 		return;
20788 
20789 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
20790 	if (!hdr) {
20791 		nlmsg_free(msg);
20792 		return;
20793 	}
20794 
20795 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20796 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20797 	    (reason &&
20798 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
20799 	    (from_ap &&
20800 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
20801 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
20802 		goto nla_put_failure;
20803 
20804 	genlmsg_end(msg, hdr);
20805 
20806 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20807 				NL80211_MCGRP_MLME, GFP_KERNEL);
20808 	return;
20809 
20810  nla_put_failure:
20811 	nlmsg_free(msg);
20812 }
20813 
20814 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
20815 {
20816 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20817 	struct wiphy *wiphy = wdev->wiphy;
20818 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20819 	struct sk_buff *msg;
20820 	struct nlattr *links;
20821 	void *hdr;
20822 
20823 	lockdep_assert_wiphy(wdev->wiphy);
20824 	trace_cfg80211_links_removed(dev, link_mask);
20825 
20826 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
20827 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
20828 		return;
20829 
20830 	if (WARN_ON(!wdev->valid_links || !link_mask ||
20831 		    (wdev->valid_links & link_mask) != link_mask ||
20832 		    wdev->valid_links == link_mask))
20833 		return;
20834 
20835 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
20836 	wdev->valid_links &= ~link_mask;
20837 
20838 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20839 	if (!msg)
20840 		return;
20841 
20842 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
20843 	if (!hdr) {
20844 		nlmsg_free(msg);
20845 		return;
20846 	}
20847 
20848 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20849 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20850 		goto nla_put_failure;
20851 
20852 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20853 	if (!links)
20854 		goto nla_put_failure;
20855 
20856 	while (link_mask) {
20857 		struct nlattr *link;
20858 		int link_id = __ffs(link_mask);
20859 
20860 		link = nla_nest_start(msg, link_id + 1);
20861 		if (!link)
20862 			goto nla_put_failure;
20863 
20864 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20865 			goto nla_put_failure;
20866 
20867 		nla_nest_end(msg, link);
20868 		link_mask &= ~(1 << link_id);
20869 	}
20870 
20871 	nla_nest_end(msg, links);
20872 
20873 	genlmsg_end(msg, hdr);
20874 
20875 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20876 				NL80211_MCGRP_MLME, GFP_KERNEL);
20877 	return;
20878 
20879  nla_put_failure:
20880 	nlmsg_free(msg);
20881 }
20882 EXPORT_SYMBOL(cfg80211_links_removed);
20883 
20884 void nl80211_mlo_reconf_add_done(struct net_device *dev,
20885 				 struct cfg80211_mlo_reconf_done_data *data)
20886 {
20887 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20888 	struct wiphy *wiphy = wdev->wiphy;
20889 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20890 	struct nl80211_mlme_event event = {
20891 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
20892 		.buf = data->buf,
20893 		.buf_len = data->len,
20894 		.uapsd_queues = -1,
20895 	};
20896 
20897 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
20898 }
20899 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
20900 
20901 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
20902 			     struct net_device *netdev, const u8 *bssid,
20903 			     gfp_t gfp)
20904 {
20905 	struct sk_buff *msg;
20906 	void *hdr;
20907 
20908 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20909 	if (!msg)
20910 		return;
20911 
20912 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
20913 	if (!hdr) {
20914 		nlmsg_free(msg);
20915 		return;
20916 	}
20917 
20918 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20919 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20920 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20921 		goto nla_put_failure;
20922 
20923 	genlmsg_end(msg, hdr);
20924 
20925 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20926 				NL80211_MCGRP_MLME, gfp);
20927 	return;
20928 
20929  nla_put_failure:
20930 	nlmsg_free(msg);
20931 }
20932 
20933 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
20934 					const u8 *ie, u8 ie_len,
20935 					int sig_dbm, gfp_t gfp)
20936 {
20937 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20938 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20939 	struct sk_buff *msg;
20940 	void *hdr;
20941 
20942 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
20943 		return;
20944 
20945 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
20946 
20947 	msg = nlmsg_new(100 + ie_len, gfp);
20948 	if (!msg)
20949 		return;
20950 
20951 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
20952 	if (!hdr) {
20953 		nlmsg_free(msg);
20954 		return;
20955 	}
20956 
20957 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20958 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20959 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20960 	    (ie_len && ie &&
20961 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
20962 	    (sig_dbm &&
20963 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
20964 		goto nla_put_failure;
20965 
20966 	genlmsg_end(msg, hdr);
20967 
20968 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20969 				NL80211_MCGRP_MLME, gfp);
20970 	return;
20971 
20972  nla_put_failure:
20973 	nlmsg_free(msg);
20974 }
20975 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
20976 
20977 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
20978 				 struct net_device *netdev, const u8 *addr,
20979 				 enum nl80211_key_type key_type, int key_id,
20980 				 const u8 *tsc, gfp_t gfp)
20981 {
20982 	struct sk_buff *msg;
20983 	void *hdr;
20984 
20985 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20986 	if (!msg)
20987 		return;
20988 
20989 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
20990 	if (!hdr) {
20991 		nlmsg_free(msg);
20992 		return;
20993 	}
20994 
20995 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20996 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20997 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
20998 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
20999 	    (key_id != -1 &&
21000 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
21001 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
21002 		goto nla_put_failure;
21003 
21004 	genlmsg_end(msg, hdr);
21005 
21006 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21007 				NL80211_MCGRP_MLME, gfp);
21008 	return;
21009 
21010  nla_put_failure:
21011 	nlmsg_free(msg);
21012 }
21013 
21014 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
21015 				    struct ieee80211_channel *channel_before,
21016 				    struct ieee80211_channel *channel_after)
21017 {
21018 	struct sk_buff *msg;
21019 	void *hdr;
21020 	struct nlattr *nl_freq;
21021 
21022 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
21023 	if (!msg)
21024 		return;
21025 
21026 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
21027 	if (!hdr) {
21028 		nlmsg_free(msg);
21029 		return;
21030 	}
21031 
21032 	/*
21033 	 * Since we are applying the beacon hint to a wiphy we know its
21034 	 * wiphy_idx is valid
21035 	 */
21036 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
21037 		goto nla_put_failure;
21038 
21039 	/* Before */
21040 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
21041 	if (!nl_freq)
21042 		goto nla_put_failure;
21043 
21044 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
21045 		goto nla_put_failure;
21046 	nla_nest_end(msg, nl_freq);
21047 
21048 	/* After */
21049 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
21050 	if (!nl_freq)
21051 		goto nla_put_failure;
21052 
21053 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
21054 		goto nla_put_failure;
21055 	nla_nest_end(msg, nl_freq);
21056 
21057 	genlmsg_end(msg, hdr);
21058 
21059 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
21060 				NL80211_MCGRP_REGULATORY);
21061 
21062 	return;
21063 
21064 nla_put_failure:
21065 	nlmsg_free(msg);
21066 }
21067 
21068 static void nl80211_send_remain_on_chan_event(
21069 	int cmd, struct cfg80211_registered_device *rdev,
21070 	struct wireless_dev *wdev, u64 cookie,
21071 	struct ieee80211_channel *chan,
21072 	unsigned int duration, gfp_t gfp)
21073 {
21074 	struct sk_buff *msg;
21075 	void *hdr;
21076 
21077 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21078 	if (!msg)
21079 		return;
21080 
21081 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21082 	if (!hdr) {
21083 		nlmsg_free(msg);
21084 		return;
21085 	}
21086 
21087 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21088 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21089 					 wdev->netdev->ifindex)) ||
21090 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21091 			      NL80211_ATTR_PAD) ||
21092 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
21093 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
21094 			NL80211_CHAN_NO_HT) ||
21095 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21096 			      NL80211_ATTR_PAD))
21097 		goto nla_put_failure;
21098 
21099 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
21100 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
21101 		goto nla_put_failure;
21102 
21103 	genlmsg_end(msg, hdr);
21104 
21105 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21106 				NL80211_MCGRP_MLME, gfp);
21107 	return;
21108 
21109  nla_put_failure:
21110 	nlmsg_free(msg);
21111 }
21112 
21113 void cfg80211_assoc_comeback(struct net_device *netdev,
21114 			     const u8 *ap_addr, u32 timeout)
21115 {
21116 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21117 	struct wiphy *wiphy = wdev->wiphy;
21118 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21119 	struct sk_buff *msg;
21120 	void *hdr;
21121 
21122 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
21123 
21124 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21125 	if (!msg)
21126 		return;
21127 
21128 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
21129 	if (!hdr) {
21130 		nlmsg_free(msg);
21131 		return;
21132 	}
21133 
21134 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21135 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21136 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
21137 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
21138 		goto nla_put_failure;
21139 
21140 	genlmsg_end(msg, hdr);
21141 
21142 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21143 				NL80211_MCGRP_MLME, GFP_KERNEL);
21144 	return;
21145 
21146  nla_put_failure:
21147 	nlmsg_free(msg);
21148 }
21149 EXPORT_SYMBOL(cfg80211_assoc_comeback);
21150 
21151 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
21152 			       struct ieee80211_channel *chan,
21153 			       unsigned int duration, gfp_t gfp)
21154 {
21155 	struct wiphy *wiphy = wdev->wiphy;
21156 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21157 
21158 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
21159 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
21160 					  rdev, wdev, cookie, chan,
21161 					  duration, gfp);
21162 }
21163 EXPORT_SYMBOL(cfg80211_ready_on_channel);
21164 
21165 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
21166 					struct ieee80211_channel *chan,
21167 					gfp_t gfp)
21168 {
21169 	struct wiphy *wiphy = wdev->wiphy;
21170 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21171 
21172 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
21173 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
21174 					  rdev, wdev, cookie, chan, 0, gfp);
21175 }
21176 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
21177 
21178 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
21179 					struct ieee80211_channel *chan,
21180 					gfp_t gfp)
21181 {
21182 	struct wiphy *wiphy = wdev->wiphy;
21183 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21184 
21185 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
21186 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
21187 					  rdev, wdev, cookie, chan, 0, gfp);
21188 }
21189 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
21190 
21191 void cfg80211_new_sta(struct wireless_dev *wdev, const u8 *mac_addr,
21192 		      struct station_info *sinfo, gfp_t gfp)
21193 {
21194 	struct wiphy *wiphy = wdev->wiphy;
21195 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21196 	struct sk_buff *msg;
21197 
21198 	trace_cfg80211_new_sta(wdev, mac_addr, sinfo);
21199 
21200 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21201 	if (!msg)
21202 		return;
21203 
21204 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
21205 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
21206 		nlmsg_free(msg);
21207 		return;
21208 	}
21209 
21210 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21211 				NL80211_MCGRP_MLME, gfp);
21212 }
21213 EXPORT_SYMBOL(cfg80211_new_sta);
21214 
21215 void cfg80211_del_sta_sinfo(struct wireless_dev *wdev, const u8 *mac_addr,
21216 			    struct station_info *sinfo, gfp_t gfp)
21217 {
21218 	struct wiphy *wiphy = wdev->wiphy;
21219 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21220 	struct sk_buff *msg;
21221 	struct station_info empty_sinfo = {};
21222 
21223 	if (!sinfo)
21224 		sinfo = &empty_sinfo;
21225 
21226 	trace_cfg80211_del_sta(wdev, mac_addr);
21227 
21228 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21229 	if (!msg) {
21230 		cfg80211_sinfo_release_content(sinfo);
21231 		return;
21232 	}
21233 
21234 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
21235 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
21236 		nlmsg_free(msg);
21237 		return;
21238 	}
21239 
21240 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21241 				NL80211_MCGRP_MLME, gfp);
21242 }
21243 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
21244 
21245 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
21246 			  enum nl80211_connect_failed_reason reason,
21247 			  gfp_t gfp)
21248 {
21249 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
21250 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21251 	struct sk_buff *msg;
21252 	void *hdr;
21253 
21254 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
21255 	if (!msg)
21256 		return;
21257 
21258 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
21259 	if (!hdr) {
21260 		nlmsg_free(msg);
21261 		return;
21262 	}
21263 
21264 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21265 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
21266 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
21267 		goto nla_put_failure;
21268 
21269 	genlmsg_end(msg, hdr);
21270 
21271 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21272 				NL80211_MCGRP_MLME, gfp);
21273 	return;
21274 
21275  nla_put_failure:
21276 	nlmsg_free(msg);
21277 }
21278 EXPORT_SYMBOL(cfg80211_conn_failed);
21279 
21280 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
21281 				       const u8 *addr, int link_id, gfp_t gfp)
21282 {
21283 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21284 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21285 	struct sk_buff *msg;
21286 	void *hdr;
21287 	u32 nlportid = READ_ONCE(wdev->unexpected_nlportid);
21288 
21289 	if (!nlportid)
21290 		return false;
21291 
21292 	msg = nlmsg_new(100, gfp);
21293 	if (!msg)
21294 		return true;
21295 
21296 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21297 	if (!hdr) {
21298 		nlmsg_free(msg);
21299 		return true;
21300 	}
21301 
21302 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21303 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21304 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21305 	    (link_id >= 0 &&
21306 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21307 		goto nla_put_failure;
21308 
21309 	genlmsg_end(msg, hdr);
21310 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21311 	return true;
21312 
21313  nla_put_failure:
21314 	nlmsg_free(msg);
21315 	return true;
21316 }
21317 
21318 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
21319 				int link_id, gfp_t gfp)
21320 {
21321 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21322 	bool ret;
21323 
21324 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
21325 
21326 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
21327 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
21328 		    wdev->iftype != NL80211_IFTYPE_NAN_DATA)) {
21329 		trace_cfg80211_return_bool(false);
21330 		return false;
21331 	}
21332 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
21333 					 addr, link_id, gfp);
21334 	trace_cfg80211_return_bool(ret);
21335 	return ret;
21336 }
21337 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
21338 
21339 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
21340 					int link_id, gfp_t gfp)
21341 {
21342 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21343 	bool ret;
21344 
21345 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
21346 
21347 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
21348 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
21349 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
21350 		trace_cfg80211_return_bool(false);
21351 		return false;
21352 	}
21353 	ret = __nl80211_unexpected_frame(dev,
21354 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
21355 					 addr, link_id, gfp);
21356 	trace_cfg80211_return_bool(ret);
21357 	return ret;
21358 }
21359 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
21360 
21361 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
21362 		      struct wireless_dev *wdev, u32 nlportid,
21363 		      struct cfg80211_rx_info *info, gfp_t gfp)
21364 {
21365 	struct net_device *netdev = wdev->netdev;
21366 	struct sk_buff *msg;
21367 	void *hdr;
21368 
21369 	msg = nlmsg_new(100 + info->len, gfp);
21370 	if (!msg)
21371 		return -ENOMEM;
21372 
21373 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21374 	if (!hdr) {
21375 		nlmsg_free(msg);
21376 		return -ENOMEM;
21377 	}
21378 
21379 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21380 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21381 					netdev->ifindex)) ||
21382 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21383 			      NL80211_ATTR_PAD) ||
21384 	    (info->have_link_id &&
21385 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
21386 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
21387 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
21388 	    (info->sig_dbm &&
21389 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
21390 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
21391 	    (info->flags &&
21392 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
21393 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
21394 						  NL80211_ATTR_RX_HW_TIMESTAMP,
21395 						  info->rx_tstamp,
21396 						  NL80211_ATTR_PAD)) ||
21397 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
21398 						   NL80211_ATTR_TX_HW_TIMESTAMP,
21399 						   info->ack_tstamp,
21400 						   NL80211_ATTR_PAD)))
21401 		goto nla_put_failure;
21402 
21403 	genlmsg_end(msg, hdr);
21404 
21405 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21406 
21407  nla_put_failure:
21408 	nlmsg_free(msg);
21409 	return -ENOBUFS;
21410 }
21411 
21412 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
21413 				    struct cfg80211_tx_status *status,
21414 				    gfp_t gfp, enum nl80211_commands command)
21415 {
21416 	struct wiphy *wiphy = wdev->wiphy;
21417 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21418 	struct net_device *netdev = wdev->netdev;
21419 	struct sk_buff *msg;
21420 	void *hdr;
21421 
21422 	if (command == NL80211_CMD_FRAME_TX_STATUS)
21423 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
21424 					      status->ack);
21425 	else
21426 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
21427 						      status->ack);
21428 
21429 	msg = nlmsg_new(100 + status->len, gfp);
21430 	if (!msg)
21431 		return;
21432 
21433 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
21434 	if (!hdr) {
21435 		nlmsg_free(msg);
21436 		return;
21437 	}
21438 
21439 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21440 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21441 				   netdev->ifindex)) ||
21442 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21443 			      NL80211_ATTR_PAD) ||
21444 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
21445 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
21446 			      NL80211_ATTR_PAD) ||
21447 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21448 	    (status->tx_tstamp &&
21449 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
21450 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
21451 	    (status->ack_tstamp &&
21452 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
21453 			       status->ack_tstamp, NL80211_ATTR_PAD)))
21454 		goto nla_put_failure;
21455 
21456 	genlmsg_end(msg, hdr);
21457 
21458 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21459 				NL80211_MCGRP_MLME, gfp);
21460 	return;
21461 
21462 nla_put_failure:
21463 	nlmsg_free(msg);
21464 }
21465 
21466 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
21467 				     const u8 *buf, size_t len, bool ack,
21468 				     gfp_t gfp)
21469 {
21470 	struct cfg80211_tx_status status = {
21471 		.cookie = cookie,
21472 		.buf = buf,
21473 		.len = len,
21474 		.ack = ack
21475 	};
21476 
21477 	nl80211_frame_tx_status(wdev, &status, gfp,
21478 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
21479 }
21480 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
21481 
21482 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
21483 				 struct cfg80211_tx_status *status, gfp_t gfp)
21484 {
21485 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
21486 }
21487 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
21488 
21489 static int __nl80211_rx_control_port(struct net_device *dev,
21490 				     struct sk_buff *skb,
21491 				     bool unencrypted,
21492 				     int link_id,
21493 				     gfp_t gfp)
21494 {
21495 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21496 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21497 	struct ethhdr *ehdr = eth_hdr(skb);
21498 	const u8 *addr = ehdr->h_source;
21499 	u16 proto = be16_to_cpu(skb->protocol);
21500 	struct sk_buff *msg;
21501 	void *hdr;
21502 	struct nlattr *frame;
21503 
21504 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
21505 
21506 	if (!nlportid)
21507 		return -ENOENT;
21508 
21509 	msg = nlmsg_new(100 + skb->len, gfp);
21510 	if (!msg)
21511 		return -ENOMEM;
21512 
21513 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
21514 	if (!hdr) {
21515 		nlmsg_free(msg);
21516 		return -ENOBUFS;
21517 	}
21518 
21519 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21520 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21521 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21522 			      NL80211_ATTR_PAD) ||
21523 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21524 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
21525 	    (link_id >= 0 &&
21526 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
21527 	    (unencrypted && nla_put_flag(msg,
21528 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
21529 		goto nla_put_failure;
21530 
21531 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
21532 	if (!frame)
21533 		goto nla_put_failure;
21534 
21535 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
21536 	genlmsg_end(msg, hdr);
21537 
21538 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21539 
21540  nla_put_failure:
21541 	nlmsg_free(msg);
21542 	return -ENOBUFS;
21543 }
21544 
21545 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
21546 			      bool unencrypted, int link_id)
21547 {
21548 	int ret;
21549 
21550 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
21551 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
21552 					GFP_ATOMIC);
21553 	trace_cfg80211_return_bool(ret == 0);
21554 	return ret == 0;
21555 }
21556 EXPORT_SYMBOL(cfg80211_rx_control_port);
21557 
21558 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
21559 					    const char *mac, gfp_t gfp)
21560 {
21561 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21562 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21563 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21564 	void **cb;
21565 
21566 	if (!msg)
21567 		return NULL;
21568 
21569 	cb = (void **)msg->cb;
21570 
21571 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
21572 	if (!cb[0]) {
21573 		nlmsg_free(msg);
21574 		return NULL;
21575 	}
21576 
21577 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21578 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21579 		goto nla_put_failure;
21580 
21581 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21582 		goto nla_put_failure;
21583 
21584 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
21585 	if (!cb[1])
21586 		goto nla_put_failure;
21587 
21588 	cb[2] = rdev;
21589 
21590 	return msg;
21591  nla_put_failure:
21592 	nlmsg_free(msg);
21593 	return NULL;
21594 }
21595 
21596 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
21597 {
21598 	void **cb = (void **)msg->cb;
21599 	struct cfg80211_registered_device *rdev = cb[2];
21600 
21601 	nla_nest_end(msg, cb[1]);
21602 	genlmsg_end(msg, cb[0]);
21603 
21604 	memset(msg->cb, 0, sizeof(msg->cb));
21605 
21606 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21607 				NL80211_MCGRP_MLME, gfp);
21608 }
21609 
21610 void cfg80211_cqm_rssi_notify(struct net_device *dev,
21611 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
21612 			      s32 rssi_level, gfp_t gfp)
21613 {
21614 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21615 	struct cfg80211_cqm_config *cqm_config;
21616 
21617 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
21618 
21619 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
21620 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
21621 		return;
21622 
21623 	rcu_read_lock();
21624 	cqm_config = rcu_dereference(wdev->cqm_config);
21625 	if (cqm_config) {
21626 		cqm_config->last_rssi_event_value = rssi_level;
21627 		cqm_config->last_rssi_event_type = rssi_event;
21628 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
21629 	}
21630 	rcu_read_unlock();
21631 }
21632 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
21633 
21634 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
21635 {
21636 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
21637 						 cqm_rssi_work);
21638 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21639 	enum nl80211_cqm_rssi_threshold_event rssi_event;
21640 	struct cfg80211_cqm_config *cqm_config;
21641 	struct sk_buff *msg;
21642 	s32 rssi_level;
21643 
21644 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
21645 	if (!cqm_config)
21646 		return;
21647 
21648 	if (cqm_config->use_range_api)
21649 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
21650 
21651 	rssi_level = cqm_config->last_rssi_event_value;
21652 	rssi_event = cqm_config->last_rssi_event_type;
21653 
21654 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
21655 	if (!msg)
21656 		return;
21657 
21658 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
21659 			rssi_event))
21660 		goto nla_put_failure;
21661 
21662 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
21663 				      rssi_level))
21664 		goto nla_put_failure;
21665 
21666 	cfg80211_send_cqm(msg, GFP_KERNEL);
21667 
21668 	return;
21669 
21670  nla_put_failure:
21671 	nlmsg_free(msg);
21672 }
21673 
21674 void cfg80211_cqm_txe_notify(struct net_device *dev,
21675 			     const u8 *peer, u32 num_packets,
21676 			     u32 rate, u32 intvl, gfp_t gfp)
21677 {
21678 	struct sk_buff *msg;
21679 
21680 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
21681 	if (!msg)
21682 		return;
21683 
21684 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
21685 		goto nla_put_failure;
21686 
21687 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
21688 		goto nla_put_failure;
21689 
21690 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
21691 		goto nla_put_failure;
21692 
21693 	cfg80211_send_cqm(msg, gfp);
21694 	return;
21695 
21696  nla_put_failure:
21697 	nlmsg_free(msg);
21698 }
21699 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
21700 
21701 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
21702 				 const u8 *peer, u32 num_packets, gfp_t gfp)
21703 {
21704 	struct sk_buff *msg;
21705 
21706 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
21707 
21708 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
21709 	if (!msg)
21710 		return;
21711 
21712 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
21713 		goto nla_put_failure;
21714 
21715 	cfg80211_send_cqm(msg, gfp);
21716 	return;
21717 
21718  nla_put_failure:
21719 	nlmsg_free(msg);
21720 }
21721 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
21722 
21723 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
21724 {
21725 	struct sk_buff *msg;
21726 
21727 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
21728 	if (!msg)
21729 		return;
21730 
21731 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
21732 		goto nla_put_failure;
21733 
21734 	cfg80211_send_cqm(msg, gfp);
21735 	return;
21736 
21737  nla_put_failure:
21738 	nlmsg_free(msg);
21739 }
21740 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
21741 
21742 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
21743 				     struct net_device *netdev, const u8 *bssid,
21744 				     const u8 *replay_ctr, gfp_t gfp)
21745 {
21746 	struct sk_buff *msg;
21747 	struct nlattr *rekey_attr;
21748 	void *hdr;
21749 
21750 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21751 	if (!msg)
21752 		return;
21753 
21754 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
21755 	if (!hdr) {
21756 		nlmsg_free(msg);
21757 		return;
21758 	}
21759 
21760 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21761 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21762 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
21763 		goto nla_put_failure;
21764 
21765 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
21766 	if (!rekey_attr)
21767 		goto nla_put_failure;
21768 
21769 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
21770 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
21771 		goto nla_put_failure;
21772 
21773 	nla_nest_end(msg, rekey_attr);
21774 
21775 	genlmsg_end(msg, hdr);
21776 
21777 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21778 				NL80211_MCGRP_MLME, gfp);
21779 	return;
21780 
21781  nla_put_failure:
21782 	nlmsg_free(msg);
21783 }
21784 
21785 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
21786 			       const u8 *replay_ctr, gfp_t gfp)
21787 {
21788 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21789 	struct wiphy *wiphy = wdev->wiphy;
21790 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21791 
21792 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
21793 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
21794 }
21795 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
21796 
21797 static void
21798 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
21799 			       struct net_device *netdev, int index,
21800 			       const u8 *bssid, bool preauth, gfp_t gfp)
21801 {
21802 	struct sk_buff *msg;
21803 	struct nlattr *attr;
21804 	void *hdr;
21805 
21806 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21807 	if (!msg)
21808 		return;
21809 
21810 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
21811 	if (!hdr) {
21812 		nlmsg_free(msg);
21813 		return;
21814 	}
21815 
21816 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21817 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21818 		goto nla_put_failure;
21819 
21820 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
21821 	if (!attr)
21822 		goto nla_put_failure;
21823 
21824 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
21825 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
21826 	    (preauth &&
21827 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
21828 		goto nla_put_failure;
21829 
21830 	nla_nest_end(msg, attr);
21831 
21832 	genlmsg_end(msg, hdr);
21833 
21834 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21835 				NL80211_MCGRP_MLME, gfp);
21836 	return;
21837 
21838  nla_put_failure:
21839 	nlmsg_free(msg);
21840 }
21841 
21842 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
21843 				     const u8 *bssid, bool preauth, gfp_t gfp)
21844 {
21845 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21846 	struct wiphy *wiphy = wdev->wiphy;
21847 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21848 
21849 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
21850 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
21851 }
21852 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
21853 
21854 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
21855 				     struct net_device *netdev,
21856 				     unsigned int link_id,
21857 				     struct cfg80211_chan_def *chandef,
21858 				     gfp_t gfp,
21859 				     enum nl80211_commands notif,
21860 				     u8 count, bool quiet)
21861 {
21862 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21863 	struct sk_buff *msg;
21864 	void *hdr;
21865 
21866 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21867 	if (!msg)
21868 		return;
21869 
21870 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
21871 	if (!hdr) {
21872 		nlmsg_free(msg);
21873 		return;
21874 	}
21875 
21876 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21877 		goto nla_put_failure;
21878 
21879 	if (wdev->valid_links &&
21880 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21881 		goto nla_put_failure;
21882 
21883 	if (nl80211_send_chandef(msg, chandef))
21884 		goto nla_put_failure;
21885 
21886 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
21887 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
21888 			goto nla_put_failure;
21889 		if (quiet &&
21890 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
21891 			goto nla_put_failure;
21892 	}
21893 
21894 	genlmsg_end(msg, hdr);
21895 
21896 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21897 				NL80211_MCGRP_MLME, gfp);
21898 	return;
21899 
21900  nla_put_failure:
21901 	nlmsg_free(msg);
21902 }
21903 
21904 void cfg80211_ch_switch_notify(struct net_device *dev,
21905 			       struct cfg80211_chan_def *chandef,
21906 			       unsigned int link_id)
21907 {
21908 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21909 	struct wiphy *wiphy = wdev->wiphy;
21910 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21911 
21912 	lockdep_assert_wiphy(wdev->wiphy);
21913 	WARN_INVALID_LINK_ID(wdev, link_id);
21914 
21915 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
21916 
21917 	switch (wdev->iftype) {
21918 	case NL80211_IFTYPE_STATION:
21919 	case NL80211_IFTYPE_P2P_CLIENT:
21920 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
21921 			cfg80211_update_assoc_bss_entry(wdev, link_id,
21922 							chandef->chan);
21923 		break;
21924 	case NL80211_IFTYPE_MESH_POINT:
21925 		wdev->u.mesh.chandef = *chandef;
21926 		wdev->u.mesh.preset_chandef = *chandef;
21927 		break;
21928 	case NL80211_IFTYPE_AP:
21929 	case NL80211_IFTYPE_P2P_GO:
21930 		wdev->links[link_id].ap.chandef = *chandef;
21931 		break;
21932 	case NL80211_IFTYPE_ADHOC:
21933 		wdev->u.ibss.chandef = *chandef;
21934 		break;
21935 	default:
21936 		WARN_ON(1);
21937 		break;
21938 	}
21939 
21940 	cfg80211_schedule_channels_check(wdev);
21941 	cfg80211_sched_dfs_chan_update(rdev);
21942 
21943 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21944 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
21945 }
21946 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
21947 
21948 void cfg80211_incumbent_signal_notify(struct wiphy *wiphy,
21949 				      const struct cfg80211_chan_def *chandef,
21950 				      u32 signal_interference_bitmap,
21951 				      gfp_t gfp)
21952 {
21953 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21954 	struct sk_buff *msg;
21955 	void *hdr;
21956 
21957 	trace_cfg80211_incumbent_signal_notify(wiphy, chandef, signal_interference_bitmap);
21958 
21959 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21960 	if (!msg)
21961 		return;
21962 
21963 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_INCUMBENT_SIGNAL_DETECT);
21964 	if (!hdr)
21965 		goto nla_put_failure;
21966 
21967 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21968 		goto nla_put_failure;
21969 
21970 	if (nl80211_send_chandef(msg, chandef))
21971 		goto nla_put_failure;
21972 
21973 	if (nla_put_u32(msg, NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP,
21974 			signal_interference_bitmap))
21975 		goto nla_put_failure;
21976 
21977 	genlmsg_end(msg, hdr);
21978 
21979 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21980 				NL80211_MCGRP_MLME, gfp);
21981 	return;
21982 
21983 nla_put_failure:
21984 	nlmsg_free(msg);
21985 }
21986 EXPORT_SYMBOL(cfg80211_incumbent_signal_notify);
21987 
21988 void cfg80211_ch_switch_started_notify(struct net_device *dev,
21989 				       struct cfg80211_chan_def *chandef,
21990 				       unsigned int link_id, u8 count,
21991 				       bool quiet)
21992 {
21993 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21994 	struct wiphy *wiphy = wdev->wiphy;
21995 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21996 
21997 	lockdep_assert_wiphy(wdev->wiphy);
21998 	WARN_INVALID_LINK_ID(wdev, link_id);
21999 
22000 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
22001 
22002 
22003 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
22004 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
22005 				 count, quiet);
22006 }
22007 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
22008 
22009 int cfg80211_bss_color_notify(struct net_device *dev,
22010 			      enum nl80211_commands cmd, u8 count,
22011 			      u64 color_bitmap, u8 link_id)
22012 {
22013 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22014 	struct wiphy *wiphy = wdev->wiphy;
22015 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22016 	struct sk_buff *msg;
22017 	void *hdr;
22018 
22019 	lockdep_assert_wiphy(wdev->wiphy);
22020 
22021 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
22022 
22023 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22024 	if (!msg)
22025 		return -ENOMEM;
22026 
22027 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
22028 	if (!hdr)
22029 		goto nla_put_failure;
22030 
22031 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
22032 		goto nla_put_failure;
22033 
22034 	if (wdev->valid_links &&
22035 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
22036 		goto nla_put_failure;
22037 
22038 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
22039 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
22040 		goto nla_put_failure;
22041 
22042 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
22043 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
22044 			      color_bitmap, NL80211_ATTR_PAD))
22045 		goto nla_put_failure;
22046 
22047 	genlmsg_end(msg, hdr);
22048 
22049 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
22050 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
22051 
22052 nla_put_failure:
22053 	nlmsg_free(msg);
22054 	return -EINVAL;
22055 }
22056 EXPORT_SYMBOL(cfg80211_bss_color_notify);
22057 
22058 void
22059 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
22060 		     const struct cfg80211_chan_def *chandef,
22061 		     enum nl80211_radar_event event,
22062 		     struct net_device *netdev, gfp_t gfp)
22063 {
22064 	struct sk_buff *msg;
22065 	void *hdr;
22066 
22067 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22068 	if (!msg)
22069 		return;
22070 
22071 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
22072 	if (!hdr) {
22073 		nlmsg_free(msg);
22074 		return;
22075 	}
22076 
22077 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
22078 		goto nla_put_failure;
22079 
22080 	/* NOP and radar events don't need a netdev parameter */
22081 	if (netdev) {
22082 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
22083 
22084 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22085 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22086 				      NL80211_ATTR_PAD))
22087 			goto nla_put_failure;
22088 	}
22089 
22090 	if (rdev->background_radar_wdev &&
22091 	    cfg80211_chandef_identical(&rdev->background_radar_chandef,
22092 				       chandef)) {
22093 		if (nla_put_flag(msg, NL80211_ATTR_RADAR_BACKGROUND))
22094 			goto nla_put_failure;
22095 	}
22096 
22097 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
22098 		goto nla_put_failure;
22099 
22100 	if (nl80211_send_chandef(msg, chandef))
22101 		goto nla_put_failure;
22102 
22103 	genlmsg_end(msg, hdr);
22104 
22105 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22106 				NL80211_MCGRP_MLME, gfp);
22107 	return;
22108 
22109  nla_put_failure:
22110 	nlmsg_free(msg);
22111 }
22112 
22113 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
22114 				       struct sta_opmode_info *sta_opmode,
22115 				       gfp_t gfp)
22116 {
22117 	struct sk_buff *msg;
22118 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22119 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22120 	void *hdr;
22121 
22122 	if (WARN_ON(!mac))
22123 		return;
22124 
22125 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22126 	if (!msg)
22127 		return;
22128 
22129 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
22130 	if (!hdr) {
22131 		nlmsg_free(msg);
22132 		return;
22133 	}
22134 
22135 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
22136 		goto nla_put_failure;
22137 
22138 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
22139 		goto nla_put_failure;
22140 
22141 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
22142 		goto nla_put_failure;
22143 
22144 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
22145 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
22146 		goto nla_put_failure;
22147 
22148 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
22149 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
22150 		goto nla_put_failure;
22151 
22152 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
22153 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
22154 		goto nla_put_failure;
22155 
22156 	genlmsg_end(msg, hdr);
22157 
22158 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22159 				NL80211_MCGRP_MLME, gfp);
22160 
22161 	return;
22162 
22163 nla_put_failure:
22164 	nlmsg_free(msg);
22165 }
22166 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
22167 
22168 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
22169 			   u64 cookie, bool acked, s32 ack_signal,
22170 			   bool is_valid_ack_signal, gfp_t gfp)
22171 {
22172 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22173 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22174 	struct sk_buff *msg;
22175 	void *hdr;
22176 
22177 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
22178 
22179 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22180 
22181 	if (!msg)
22182 		return;
22183 
22184 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
22185 	if (!hdr) {
22186 		nlmsg_free(msg);
22187 		return;
22188 	}
22189 
22190 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22191 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22192 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
22193 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
22194 			      NL80211_ATTR_PAD) ||
22195 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
22196 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
22197 						ack_signal)))
22198 		goto nla_put_failure;
22199 
22200 	genlmsg_end(msg, hdr);
22201 
22202 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22203 				NL80211_MCGRP_MLME, gfp);
22204 	return;
22205 
22206  nla_put_failure:
22207 	nlmsg_free(msg);
22208 }
22209 EXPORT_SYMBOL(cfg80211_probe_status);
22210 
22211 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
22212 				     size_t len, int freq, int sig_dbm)
22213 {
22214 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22215 	struct sk_buff *msg;
22216 	void *hdr;
22217 	struct cfg80211_beacon_registration *reg;
22218 
22219 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
22220 
22221 	spin_lock_bh(&rdev->beacon_registrations_lock);
22222 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
22223 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
22224 		if (!msg) {
22225 			spin_unlock_bh(&rdev->beacon_registrations_lock);
22226 			return;
22227 		}
22228 
22229 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
22230 		if (!hdr)
22231 			goto nla_put_failure;
22232 
22233 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22234 		    (freq &&
22235 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
22236 				  KHZ_TO_MHZ(freq)) ||
22237 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
22238 				  freq % 1000))) ||
22239 		    (sig_dbm &&
22240 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
22241 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
22242 			goto nla_put_failure;
22243 
22244 		genlmsg_end(msg, hdr);
22245 
22246 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
22247 	}
22248 	spin_unlock_bh(&rdev->beacon_registrations_lock);
22249 	return;
22250 
22251  nla_put_failure:
22252 	spin_unlock_bh(&rdev->beacon_registrations_lock);
22253 	nlmsg_free(msg);
22254 }
22255 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
22256 
22257 #ifdef CONFIG_PM
22258 static int cfg80211_net_detect_results(struct sk_buff *msg,
22259 				       struct cfg80211_wowlan_wakeup *wakeup)
22260 {
22261 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
22262 	struct nlattr *nl_results, *nl_match, *nl_freqs;
22263 	int i, j;
22264 
22265 	nl_results = nla_nest_start_noflag(msg,
22266 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
22267 	if (!nl_results)
22268 		return -EMSGSIZE;
22269 
22270 	for (i = 0; i < nd->n_matches; i++) {
22271 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
22272 
22273 		nl_match = nla_nest_start_noflag(msg, i);
22274 		if (!nl_match)
22275 			break;
22276 
22277 		/* The SSID attribute is optional in nl80211, but for
22278 		 * simplicity reasons it's always present in the
22279 		 * cfg80211 structure.  If a driver can't pass the
22280 		 * SSID, that needs to be changed.  A zero length SSID
22281 		 * is still a valid SSID (wildcard), so it cannot be
22282 		 * used for this purpose.
22283 		 */
22284 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
22285 			    match->ssid.ssid)) {
22286 			nla_nest_cancel(msg, nl_match);
22287 			goto out;
22288 		}
22289 
22290 		if (match->n_channels) {
22291 			nl_freqs = nla_nest_start_noflag(msg,
22292 							 NL80211_ATTR_SCAN_FREQUENCIES);
22293 			if (!nl_freqs) {
22294 				nla_nest_cancel(msg, nl_match);
22295 				goto out;
22296 			}
22297 
22298 			for (j = 0; j < match->n_channels; j++) {
22299 				if (nla_put_u32(msg, j, match->channels[j])) {
22300 					nla_nest_cancel(msg, nl_freqs);
22301 					nla_nest_cancel(msg, nl_match);
22302 					goto out;
22303 				}
22304 			}
22305 
22306 			nla_nest_end(msg, nl_freqs);
22307 		}
22308 
22309 		nla_nest_end(msg, nl_match);
22310 	}
22311 
22312 out:
22313 	nla_nest_end(msg, nl_results);
22314 	return 0;
22315 }
22316 
22317 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
22318 				   struct cfg80211_wowlan_wakeup *wakeup,
22319 				   gfp_t gfp)
22320 {
22321 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22322 	struct sk_buff *msg;
22323 	void *hdr;
22324 	int size = 200;
22325 
22326 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
22327 
22328 	if (wakeup)
22329 		size += wakeup->packet_present_len;
22330 
22331 	msg = nlmsg_new(size, gfp);
22332 	if (!msg)
22333 		return;
22334 
22335 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
22336 	if (!hdr)
22337 		goto free_msg;
22338 
22339 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22340 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22341 			      NL80211_ATTR_PAD))
22342 		goto free_msg;
22343 
22344 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
22345 					wdev->netdev->ifindex))
22346 		goto free_msg;
22347 
22348 	if (wakeup) {
22349 		struct nlattr *reasons;
22350 
22351 		reasons = nla_nest_start_noflag(msg,
22352 						NL80211_ATTR_WOWLAN_TRIGGERS);
22353 		if (!reasons)
22354 			goto free_msg;
22355 
22356 		if (wakeup->disconnect &&
22357 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
22358 			goto free_msg;
22359 		if (wakeup->magic_pkt &&
22360 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
22361 			goto free_msg;
22362 		if (wakeup->gtk_rekey_failure &&
22363 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
22364 			goto free_msg;
22365 		if (wakeup->eap_identity_req &&
22366 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
22367 			goto free_msg;
22368 		if (wakeup->four_way_handshake &&
22369 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
22370 			goto free_msg;
22371 		if (wakeup->rfkill_release &&
22372 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
22373 			goto free_msg;
22374 
22375 		if (wakeup->pattern_idx >= 0 &&
22376 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
22377 				wakeup->pattern_idx))
22378 			goto free_msg;
22379 
22380 		if (wakeup->tcp_match &&
22381 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
22382 			goto free_msg;
22383 
22384 		if (wakeup->tcp_connlost &&
22385 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
22386 			goto free_msg;
22387 
22388 		if (wakeup->tcp_nomoretokens &&
22389 		    nla_put_flag(msg,
22390 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
22391 			goto free_msg;
22392 
22393 		if (wakeup->unprot_deauth_disassoc &&
22394 		    nla_put_flag(msg,
22395 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
22396 			goto free_msg;
22397 
22398 		if (wakeup->packet) {
22399 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
22400 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
22401 
22402 			if (!wakeup->packet_80211) {
22403 				pkt_attr =
22404 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
22405 				len_attr =
22406 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
22407 			}
22408 
22409 			if (wakeup->packet_len &&
22410 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
22411 				goto free_msg;
22412 
22413 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
22414 				    wakeup->packet))
22415 				goto free_msg;
22416 		}
22417 
22418 		if (wakeup->net_detect &&
22419 		    cfg80211_net_detect_results(msg, wakeup))
22420 				goto free_msg;
22421 
22422 		nla_nest_end(msg, reasons);
22423 	}
22424 
22425 	genlmsg_end(msg, hdr);
22426 
22427 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22428 				NL80211_MCGRP_MLME, gfp);
22429 	return;
22430 
22431  free_msg:
22432 	nlmsg_free(msg);
22433 }
22434 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
22435 #endif
22436 
22437 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
22438 				enum nl80211_tdls_operation oper,
22439 				u16 reason_code, gfp_t gfp)
22440 {
22441 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22442 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22443 	struct sk_buff *msg;
22444 	void *hdr;
22445 
22446 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
22447 					 reason_code);
22448 
22449 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22450 	if (!msg)
22451 		return;
22452 
22453 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
22454 	if (!hdr) {
22455 		nlmsg_free(msg);
22456 		return;
22457 	}
22458 
22459 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22460 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22461 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
22462 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
22463 	    (reason_code > 0 &&
22464 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
22465 		goto nla_put_failure;
22466 
22467 	genlmsg_end(msg, hdr);
22468 
22469 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22470 				NL80211_MCGRP_MLME, gfp);
22471 	return;
22472 
22473  nla_put_failure:
22474 	nlmsg_free(msg);
22475 }
22476 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
22477 
22478 static int nl80211_netlink_notify(struct notifier_block * nb,
22479 				  unsigned long state,
22480 				  void *_notify)
22481 {
22482 	struct netlink_notify *notify = _notify;
22483 	struct cfg80211_registered_device *rdev;
22484 	struct wireless_dev *wdev;
22485 	struct cfg80211_beacon_registration *reg, *tmp;
22486 
22487 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
22488 		return NOTIFY_DONE;
22489 
22490 	rcu_read_lock();
22491 
22492 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
22493 		struct cfg80211_sched_scan_request *sched_scan_req;
22494 
22495 		list_for_each_entry_rcu(sched_scan_req,
22496 					&rdev->sched_scan_req_list,
22497 					list) {
22498 			if (sched_scan_req->owner_nlportid == notify->portid) {
22499 				sched_scan_req->nl_owner_dead = true;
22500 				wiphy_work_queue(&rdev->wiphy,
22501 						 &rdev->sched_scan_stop_wk);
22502 			}
22503 		}
22504 
22505 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
22506 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
22507 
22508 			if (wdev->owner_nlportid == notify->portid) {
22509 				wdev->nl_owner_dead = true;
22510 				schedule_work(&rdev->destroy_work);
22511 			} else if (wdev->conn_owner_nlportid == notify->portid) {
22512 				schedule_work(&wdev->disconnect_wk);
22513 			}
22514 
22515 			cfg80211_release_pmsr(wdev, notify->portid);
22516 		}
22517 
22518 		spin_lock_bh(&rdev->beacon_registrations_lock);
22519 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
22520 					 list) {
22521 			if (reg->nlportid == notify->portid) {
22522 				list_del(&reg->list);
22523 				kfree(reg);
22524 				break;
22525 			}
22526 		}
22527 		spin_unlock_bh(&rdev->beacon_registrations_lock);
22528 	}
22529 
22530 	rcu_read_unlock();
22531 
22532 	/*
22533 	 * It is possible that the user space process that is controlling the
22534 	 * indoor setting disappeared, so notify the regulatory core.
22535 	 */
22536 	regulatory_netlink_notify(notify->portid);
22537 	return NOTIFY_OK;
22538 }
22539 
22540 static struct notifier_block nl80211_netlink_notifier = {
22541 	.notifier_call = nl80211_netlink_notify,
22542 };
22543 
22544 void cfg80211_ft_event(struct net_device *netdev,
22545 		       struct cfg80211_ft_event_params *ft_event)
22546 {
22547 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
22548 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22549 	struct sk_buff *msg;
22550 	void *hdr;
22551 
22552 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
22553 
22554 	if (!ft_event->target_ap)
22555 		return;
22556 
22557 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
22558 			GFP_KERNEL);
22559 	if (!msg)
22560 		return;
22561 
22562 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
22563 	if (!hdr)
22564 		goto out;
22565 
22566 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22567 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22568 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
22569 		goto out;
22570 
22571 	if (ft_event->ies &&
22572 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
22573 		goto out;
22574 	if (ft_event->ric_ies &&
22575 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
22576 		    ft_event->ric_ies))
22577 		goto out;
22578 
22579 	genlmsg_end(msg, hdr);
22580 
22581 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22582 				NL80211_MCGRP_MLME, GFP_KERNEL);
22583 	return;
22584  out:
22585 	nlmsg_free(msg);
22586 }
22587 EXPORT_SYMBOL(cfg80211_ft_event);
22588 
22589 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
22590 {
22591 	struct cfg80211_registered_device *rdev;
22592 	struct sk_buff *msg;
22593 	void *hdr;
22594 	u32 nlportid;
22595 
22596 	rdev = wiphy_to_rdev(wdev->wiphy);
22597 	if (!rdev->crit_proto_nlportid)
22598 		return;
22599 
22600 	nlportid = rdev->crit_proto_nlportid;
22601 	rdev->crit_proto_nlportid = 0;
22602 
22603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22604 	if (!msg)
22605 		return;
22606 
22607 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
22608 	if (!hdr)
22609 		goto nla_put_failure;
22610 
22611 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22612 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22613 			      NL80211_ATTR_PAD))
22614 		goto nla_put_failure;
22615 
22616 	genlmsg_end(msg, hdr);
22617 
22618 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
22619 	return;
22620 
22621  nla_put_failure:
22622 	nlmsg_free(msg);
22623 }
22624 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
22625 
22626 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
22627 {
22628 	struct wiphy *wiphy = wdev->wiphy;
22629 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22630 	struct sk_buff *msg;
22631 	void *hdr;
22632 
22633 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22634 	if (!msg)
22635 		return;
22636 
22637 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
22638 	if (!hdr)
22639 		goto out;
22640 
22641 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22642 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
22643 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22644 			      NL80211_ATTR_PAD) ||
22645 	    (wdev->valid_links &&
22646 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
22647 		goto out;
22648 
22649 	genlmsg_end(msg, hdr);
22650 
22651 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
22652 				NL80211_MCGRP_MLME, GFP_KERNEL);
22653 	return;
22654  out:
22655 	nlmsg_free(msg);
22656 }
22657 
22658 int cfg80211_external_auth_request(struct net_device *dev,
22659 				   struct cfg80211_external_auth_params *params,
22660 				   gfp_t gfp)
22661 {
22662 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22663 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22664 	struct sk_buff *msg;
22665 	void *hdr;
22666 
22667 	if (!wdev->conn_owner_nlportid)
22668 		return -EINVAL;
22669 
22670 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22671 	if (!msg)
22672 		return -ENOMEM;
22673 
22674 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
22675 	if (!hdr)
22676 		goto nla_put_failure;
22677 
22678 	/* Some historical mistakes in drivers <-> userspace interface (notably
22679 	 * between drivers and wpa_supplicant) led to a big-endian conversion
22680 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
22681 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
22682 	 * benefit of older wpa_supplicant versions, send this particular value
22683 	 * in big-endian. Note that newer wpa_supplicant will also detect this
22684 	 * particular value in big endian still, so it all continues to work.
22685 	 */
22686 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
22687 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
22688 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
22689 			goto nla_put_failure;
22690 	} else {
22691 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
22692 				params->key_mgmt_suite))
22693 			goto nla_put_failure;
22694 	}
22695 
22696 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22697 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22698 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
22699 			params->action) ||
22700 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
22701 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
22702 		    params->ssid.ssid) ||
22703 	    (!is_zero_ether_addr(params->mld_addr) &&
22704 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
22705 		goto nla_put_failure;
22706 
22707 	genlmsg_end(msg, hdr);
22708 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
22709 			wdev->conn_owner_nlportid);
22710 	return 0;
22711 
22712  nla_put_failure:
22713 	nlmsg_free(msg);
22714 	return -ENOBUFS;
22715 }
22716 EXPORT_SYMBOL(cfg80211_external_auth_request);
22717 
22718 void cfg80211_update_owe_info_event(struct net_device *netdev,
22719 				    struct cfg80211_update_owe_info *owe_info,
22720 				    gfp_t gfp)
22721 {
22722 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
22723 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22724 	struct sk_buff *msg;
22725 	void *hdr;
22726 
22727 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
22728 
22729 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22730 	if (!msg)
22731 		return;
22732 
22733 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
22734 	if (!hdr)
22735 		goto nla_put_failure;
22736 
22737 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22738 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22739 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
22740 		goto nla_put_failure;
22741 
22742 	if (!owe_info->ie_len ||
22743 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
22744 		goto nla_put_failure;
22745 
22746 	if (owe_info->assoc_link_id != -1) {
22747 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
22748 			       owe_info->assoc_link_id))
22749 			goto nla_put_failure;
22750 
22751 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
22752 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
22753 			    owe_info->peer_mld_addr))
22754 			goto nla_put_failure;
22755 	}
22756 
22757 	genlmsg_end(msg, hdr);
22758 
22759 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22760 				NL80211_MCGRP_MLME, gfp);
22761 	return;
22762 
22763 nla_put_failure:
22764 	genlmsg_cancel(msg, hdr);
22765 	nlmsg_free(msg);
22766 }
22767 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
22768 
22769 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
22770 {
22771 	struct wiphy *wiphy = wdev->wiphy;
22772 
22773 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
22774 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
22775 	    (wiphy_ext_feature_isset(wiphy,
22776 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
22777 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
22778 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
22779 		reg_check_channels();
22780 }
22781 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
22782 
22783 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
22784 {
22785 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
22786 	struct wiphy *wiphy = wdev->wiphy;
22787 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22788 	struct sk_buff *msg;
22789 	void *hdr;
22790 
22791 	trace_cfg80211_epcs_changed(wdev, enabled);
22792 
22793 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22794 	if (!msg)
22795 		return;
22796 
22797 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
22798 	if (!hdr) {
22799 		nlmsg_free(msg);
22800 		return;
22801 	}
22802 
22803 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
22804 		goto nla_put_failure;
22805 
22806 	genlmsg_end(msg, hdr);
22807 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22808 				NL80211_MCGRP_MLME, GFP_KERNEL);
22809 	return;
22810 
22811  nla_put_failure:
22812 	nlmsg_free(msg);
22813 }
22814 EXPORT_SYMBOL(cfg80211_epcs_changed);
22815 
22816 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
22817 				struct ieee80211_channel *chan, gfp_t gfp)
22818 {
22819 	struct wiphy *wiphy = wdev->wiphy;
22820 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22821 	struct sk_buff *msg;
22822 	void *hdr;
22823 
22824 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
22825 
22826 	if (!wdev->owner_nlportid)
22827 		return;
22828 
22829 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22830 	if (!msg)
22831 		return;
22832 
22833 	hdr = nl80211hdr_put(msg, 0, 0, 0,
22834 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
22835 	if (!hdr)
22836 		goto nla_put_failure;
22837 
22838 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22839 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22840 			      NL80211_ATTR_PAD) ||
22841 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
22842 		goto nla_put_failure;
22843 
22844 	genlmsg_end(msg, hdr);
22845 
22846 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
22847 
22848 	return;
22849 
22850  nla_put_failure:
22851 	nlmsg_free(msg);
22852 }
22853 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
22854 
22855 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
22856 				 const u8 *cluster_id, bool new_cluster,
22857 				 gfp_t gfp)
22858 {
22859 	struct wiphy *wiphy = wdev->wiphy;
22860 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22861 	struct sk_buff *msg;
22862 	void *hdr;
22863 
22864 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
22865 
22866 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
22867 
22868 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22869 	if (!msg)
22870 		return;
22871 
22872 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
22873 	if (!hdr)
22874 		goto nla_put_failure;
22875 
22876 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22877 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22878 			      NL80211_ATTR_PAD) ||
22879 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
22880 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
22881 		goto nla_put_failure;
22882 
22883 	genlmsg_end(msg, hdr);
22884 
22885 	if (!wdev->owner_nlportid)
22886 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
22887 					msg, 0, NL80211_MCGRP_NAN, gfp);
22888 	else
22889 		genlmsg_unicast(wiphy_net(wiphy), msg,
22890 				wdev->owner_nlportid);
22891 	return;
22892 
22893  nla_put_failure:
22894 	nlmsg_free(msg);
22895 }
22896 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
22897 
22898 void cfg80211_nan_ulw_update(struct wireless_dev *wdev,
22899 			     const u8 *ulw, size_t ulw_len, gfp_t gfp)
22900 {
22901 	struct wiphy *wiphy = wdev->wiphy;
22902 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22903 	struct sk_buff *msg;
22904 	void *hdr;
22905 
22906 	trace_cfg80211_nan_ulw_update(wiphy, wdev, ulw, ulw_len);
22907 
22908 	if (!wdev->owner_nlportid)
22909 		return;
22910 
22911 	/* 32 for the wiphy idx, 64 for the wdev id, 100 for padding */
22912 	msg = nlmsg_new(nla_total_size(sizeof(u32)) +
22913 			nla_total_size(ulw_len) +
22914 			nla_total_size(sizeof(u64)) + 100,
22915 			gfp);
22916 	if (!msg)
22917 		return;
22918 
22919 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_ULW_UPDATE);
22920 	if (!hdr)
22921 		goto nla_put_failure;
22922 
22923 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22924 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22925 			      NL80211_ATTR_PAD) ||
22926 	    (ulw && ulw_len &&
22927 	     nla_put(msg, NL80211_ATTR_NAN_ULW, ulw_len, ulw)))
22928 		goto nla_put_failure;
22929 
22930 	genlmsg_end(msg, hdr);
22931 
22932 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
22933 
22934 	return;
22935 
22936  nla_put_failure:
22937 	nlmsg_free(msg);
22938 }
22939 EXPORT_SYMBOL(cfg80211_nan_ulw_update);
22940 
22941 void cfg80211_nan_channel_evac(struct wireless_dev *wdev,
22942 			       const struct cfg80211_chan_def *chandef,
22943 			       gfp_t gfp)
22944 {
22945 	struct wiphy *wiphy = wdev->wiphy;
22946 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22947 	struct sk_buff *msg;
22948 	struct nlattr *chan_attr;
22949 	void *hdr;
22950 
22951 	trace_cfg80211_nan_channel_evac(wiphy, wdev, chandef);
22952 
22953 	if (!wdev->owner_nlportid)
22954 		return;
22955 
22956 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22957 	if (!msg)
22958 		return;
22959 
22960 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CHANNEL_EVAC);
22961 	if (!hdr)
22962 		goto nla_put_failure;
22963 
22964 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22965 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22966 			      NL80211_ATTR_PAD))
22967 		goto nla_put_failure;
22968 
22969 	chan_attr = nla_nest_start(msg, NL80211_ATTR_NAN_CHANNEL);
22970 	if (!chan_attr)
22971 		goto nla_put_failure;
22972 
22973 	if (nl80211_send_chandef(msg, chandef))
22974 		goto nla_put_failure;
22975 
22976 	nla_nest_end(msg, chan_attr);
22977 
22978 	genlmsg_end(msg, hdr);
22979 
22980 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
22981 
22982 	return;
22983 
22984  nla_put_failure:
22985 	nlmsg_free(msg);
22986 }
22987 EXPORT_SYMBOL(cfg80211_nan_channel_evac);
22988 
22989 /* initialisation/exit functions */
22990 
22991 int __init nl80211_init(void)
22992 {
22993 	int err;
22994 
22995 	err = genl_register_family(&nl80211_fam);
22996 	if (err)
22997 		return err;
22998 
22999 	err = netlink_register_notifier(&nl80211_netlink_notifier);
23000 	if (err)
23001 		goto err_out;
23002 
23003 	return 0;
23004  err_out:
23005 	genl_unregister_family(&nl80211_fam);
23006 	return err;
23007 }
23008 
23009 void nl80211_exit(void)
23010 {
23011 	netlink_unregister_notifier(&nl80211_netlink_notifier);
23012 	genl_unregister_family(&nl80211_fam);
23013 }
23014