xref: /linux/net/wireless/nl80211.c (revision 4d07797faaa19aa8e80e10a04ca1a72c643ef5cf) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2025 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	const struct ieee80211_ext *ext;
233 	unsigned int fixedlen, hdrlen;
234 	bool s1g_bcn;
235 
236 	if (len < offsetofend(typeof(*mgmt), frame_control))
237 		goto err;
238 
239 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
240 	if (s1g_bcn) {
241 		ext = (struct ieee80211_ext *)mgmt;
242 		fixedlen =
243 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
244 			ieee80211_s1g_optional_len(ext->frame_control);
245 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
246 	} else {
247 		fixedlen = offsetof(struct ieee80211_mgmt,
248 				    u.beacon.variable);
249 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
250 	}
251 
252 	if (len < fixedlen)
253 		goto err;
254 
255 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
256 		goto err;
257 
258 	data += fixedlen;
259 	len -= fixedlen;
260 
261 	for_each_element(elem, data, len) {
262 		/* nothing */
263 	}
264 
265 	if (for_each_element_completed(elem, data, len))
266 		return 0;
267 
268 err:
269 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
270 	return -EINVAL;
271 }
272 
273 static int validate_ie_attr(const struct nlattr *attr,
274 			    struct netlink_ext_ack *extack)
275 {
276 	const u8 *data = nla_data(attr);
277 	unsigned int len = nla_len(attr);
278 	const struct element *elem;
279 
280 	for_each_element(elem, data, len) {
281 		/* nothing */
282 	}
283 
284 	if (for_each_element_completed(elem, data, len))
285 		return 0;
286 
287 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
288 	return -EINVAL;
289 }
290 
291 static int validate_he_capa(const struct nlattr *attr,
292 			    struct netlink_ext_ack *extack)
293 {
294 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
295 		return -EINVAL;
296 
297 	return 0;
298 }
299 
300 static int validate_supported_selectors(const struct nlattr *attr,
301 					struct netlink_ext_ack *extack)
302 {
303 	const u8 *supported_selectors = nla_data(attr);
304 	u8 supported_selectors_len = nla_len(attr);
305 
306 	/* The top bit must not be set as it is not part of the selector */
307 	for (int i = 0; i < supported_selectors_len; i++) {
308 		if (supported_selectors[i] & 0x80)
309 			return -EINVAL;
310 	}
311 
312 	return 0;
313 }
314 
315 static int validate_nan_cluster_id(const struct nlattr *attr,
316 				   struct netlink_ext_ack *extack)
317 {
318 	const u8 *data = nla_data(attr);
319 	unsigned int len = nla_len(attr);
320 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
321 
322 	if (len != ETH_ALEN) {
323 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
324 		return -EINVAL;
325 	}
326 
327 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
328 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
329 		return -EINVAL;
330 	}
331 
332 	return 0;
333 }
334 
335 /* policy for the attributes */
336 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
337 
338 static const struct nla_policy
339 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
340 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
341 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
342 					.len = U8_MAX },
343 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
344 					     .len = U8_MAX },
345 };
346 
347 static const struct nla_policy
348 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
349 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
350 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
351 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
352 		NLA_POLICY_MAX(NLA_U8, 15),
353 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
354 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
355 		NLA_POLICY_MAX(NLA_U8, 15),
356 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
357 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
358 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
359 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
360 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
361 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
362 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
363 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
364 };
365 
366 static const struct nla_policy
367 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
368 	[NL80211_PMSR_TYPE_FTM] =
369 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
370 };
371 
372 static const struct nla_policy
373 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
374 	[NL80211_PMSR_REQ_ATTR_DATA] =
375 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
376 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
377 };
378 
379 static const struct nla_policy
380 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
381 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
382 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
383 	[NL80211_PMSR_PEER_ATTR_REQ] =
384 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
385 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
386 };
387 
388 static const struct nla_policy
389 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
390 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
391 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
392 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
393 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
394 	[NL80211_PMSR_ATTR_PEERS] =
395 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
396 };
397 
398 static const struct nla_policy
399 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
400 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
401 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
402 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
403 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
404 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
405 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
406 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
407 		NLA_POLICY_EXACT_LEN(8),
408 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
409 		NLA_POLICY_EXACT_LEN(8),
410 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
411 };
412 
413 static const struct nla_policy
414 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
415 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
416 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
417 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
418 };
419 
420 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
421 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
422 				    .len = NL80211_MAX_SUPP_RATES },
423 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
424 				.len = NL80211_MAX_SUPP_HT_RATES },
425 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
426 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
427 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
428 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
429 						   NL80211_RATE_INFO_HE_GI_0_8,
430 						   NL80211_RATE_INFO_HE_GI_3_2),
431 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
432 						   NL80211_RATE_INFO_HE_1XLTF,
433 						   NL80211_RATE_INFO_HE_4XLTF),
434 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
435 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
436 						   NL80211_RATE_INFO_EHT_GI_0_8,
437 						   NL80211_RATE_INFO_EHT_GI_3_2),
438 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
439 						   NL80211_RATE_INFO_EHT_1XLTF,
440 						   NL80211_RATE_INFO_EHT_8XLTF),
441 
442 };
443 
444 static const struct nla_policy
445 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
446 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
447 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
448 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
449 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
450 	[NL80211_TID_CONFIG_ATTR_NOACK] =
451 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
452 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
453 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
455 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
456 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
457 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
458 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
459 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
460 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
461 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
462 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
463 			NLA_POLICY_NESTED(nl80211_txattr_policy),
464 };
465 
466 static const struct nla_policy
467 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
468 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
469 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
470 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
471 			NLA_POLICY_RANGE(NLA_BINARY,
472 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
473 					 IEEE80211_MAX_DATA_LEN),
474 };
475 
476 static const struct nla_policy
477 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
478 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
479 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
480 						       .len = IEEE80211_MAX_DATA_LEN }
481 };
482 
483 static const struct nla_policy
484 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
485 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
486 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
487 };
488 
489 static const struct nla_policy
490 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
491 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
492 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
493 };
494 
495 static const struct nla_policy
496 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
497 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
498 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
499 						NLA_POLICY_MIN(NLA_U8, 1),
500 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
501 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
502 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
503 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
504 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
505 };
506 
507 static const struct nla_policy
508 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
509 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
510 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
511 };
512 
513 static const struct nla_policy
514 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
515 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
516 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
517 				       IEEE80211_MAX_DATA_LEN),
518 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
519 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
520 				       IEEE80211_MAX_DATA_LEN),
521 };
522 
523 static const struct nla_policy
524 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
525 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
526 						      NUM_NL80211_BANDS - 1),
527 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
528 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
529 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
530 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
531 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
532 };
533 
534 static const struct nla_policy
535 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
536 	[NL80211_NAN_CONF_CLUSTER_ID] =
537 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
538 				       ETH_ALEN),
539 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
540 					   .len = IEEE80211_MAX_DATA_LEN},
541 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
542 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
543 				       IEEE80211_MAX_DATA_LEN),
544 	[NL80211_NAN_CONF_BAND_CONFIGS] =
545 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
546 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
547 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
548 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
549 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
550 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
551 };
552 
553 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
554 	.min = 0,
555 	.max = 0xffff,
556 };
557 
558 static const struct netlink_range_validation q_range = {
559 	.max = INT_MAX,
560 };
561 
562 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
563 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
564 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
565 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
566 				      .len = 20-1 },
567 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
568 
569 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
570 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
571 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
572 						NL80211_EDMG_CHANNELS_MIN,
573 						NL80211_EDMG_CHANNELS_MAX),
574 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
575 						NL80211_EDMG_BW_CONFIG_MIN,
576 						NL80211_EDMG_BW_CONFIG_MAX),
577 
578 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
579 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
580 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
581 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
582 
583 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
584 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
585 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
586 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
587 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
588 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
589 
590 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
591 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
592 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
593 
594 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
595 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
596 
597 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
598 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
599 				    .len = WLAN_MAX_KEY_LEN },
600 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
601 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
602 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
603 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
604 	[NL80211_ATTR_KEY_TYPE] =
605 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
606 
607 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
608 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
609 	[NL80211_ATTR_BEACON_HEAD] =
610 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
611 				       IEEE80211_MAX_DATA_LEN),
612 	[NL80211_ATTR_BEACON_TAIL] =
613 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
614 				       IEEE80211_MAX_DATA_LEN),
615 	[NL80211_ATTR_STA_AID] =
616 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
617 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
618 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
619 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
620 					       .len = NL80211_MAX_SUPP_RATES },
621 	[NL80211_ATTR_STA_PLINK_ACTION] =
622 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
623 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
624 		NLA_POLICY_RANGE(NLA_U8,
625 				 NL80211_TX_POWER_AUTOMATIC,
626 				 NL80211_TX_POWER_FIXED),
627 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
628 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
629 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
630 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
631 				   .len = IEEE80211_MAX_MESH_ID_LEN },
632 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
633 
634 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
635 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
636 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
637 
638 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
639 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
640 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
641 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
642 					   .len = NL80211_MAX_SUPP_RATES },
643 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
644 
645 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
646 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
647 
648 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
649 
650 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
651 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
652 						   validate_ie_attr,
653 						   IEEE80211_MAX_DATA_LEN),
654 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
655 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
656 
657 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
658 				.len = IEEE80211_MAX_SSID_LEN },
659 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
660 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
661 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
662 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
663 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
664 						  NL80211_MFP_NO,
665 						  NL80211_MFP_OPTIONAL),
666 	[NL80211_ATTR_STA_FLAGS2] =
667 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
668 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
669 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
670 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
671 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
672 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
673 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
674 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
675 	[NL80211_ATTR_WPA_VERSIONS] =
676 		NLA_POLICY_RANGE(NLA_U32, 0,
677 				 NL80211_WPA_VERSION_1 |
678 				 NL80211_WPA_VERSION_2 |
679 				 NL80211_WPA_VERSION_3),
680 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
681 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
682 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
683 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
684 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
685 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
686 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
687 				 .len = IEEE80211_MAX_DATA_LEN },
688 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
689 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
690 						   NL80211_PS_DISABLED,
691 						   NL80211_PS_ENABLED),
692 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
693 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
694 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
695 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
696 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
697 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
698 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
699 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
700 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
701 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
702 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
703 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
704 	[NL80211_ATTR_STA_PLINK_STATE] =
705 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
706 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
707 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
708 	[NL80211_ATTR_MESH_PEER_AID] =
709 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
710 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
711 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
712 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
713 	[NL80211_ATTR_HIDDEN_SSID] =
714 		NLA_POLICY_RANGE(NLA_U32,
715 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
716 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
717 	[NL80211_ATTR_IE_PROBE_RESP] =
718 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
719 				       IEEE80211_MAX_DATA_LEN),
720 	[NL80211_ATTR_IE_ASSOC_RESP] =
721 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
722 				       IEEE80211_MAX_DATA_LEN),
723 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
724 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
725 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
726 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
727 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
728 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
729 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
730 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
731 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
732 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
733 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
734 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
735 				      .len = IEEE80211_MAX_DATA_LEN },
736 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
737 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
738 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
739 		.len = NL80211_HT_CAPABILITY_LEN
740 	},
741 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
742 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
743 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
744 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
745 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
746 
747 	/* need to include at least Auth Transaction and Status Code */
748 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
749 
750 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
751 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
752 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
753 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
754 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
755 		NLA_POLICY_RANGE(NLA_U32,
756 				 NL80211_MESH_POWER_UNKNOWN + 1,
757 				 NL80211_MESH_POWER_MAX),
758 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
759 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
760 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
761 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
762 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
763 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
764 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
765 		.len = NL80211_VHT_CAPABILITY_LEN,
766 	},
767 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
768 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
769 				  .len = IEEE80211_MAX_DATA_LEN },
770 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
771 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
772 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
773 	[NL80211_ATTR_PEER_AID] =
774 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
775 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
776 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
777 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
778 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
779 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
780 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
781 	/*
782 	 * The value of the Length field of the Supported Operating
783 	 * Classes element is between 2 and 253.
784 	 */
785 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
786 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
787 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
788 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
789 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
790 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
791 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
792 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
793 						  IEEE80211_QOS_MAP_LEN_MIN,
794 						  IEEE80211_QOS_MAP_LEN_MAX),
795 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
796 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
797 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
798 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
799 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
800 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
801 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
802 	[NL80211_ATTR_USER_PRIO] =
803 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
804 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
805 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
806 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
807 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
808 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
809 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
810 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
811 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
812 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
813 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
814 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
815 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
816 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
817 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
818 	},
819 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
820 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
821 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
822 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
823 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
824 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
825 				    .len = FILS_MAX_KEK_LEN },
826 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
827 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
828 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
829 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
830 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
831 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
832 	},
833 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
834 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
835 					     .len = FILS_ERP_MAX_USERNAME_LEN },
836 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
837 					  .len = FILS_ERP_MAX_REALM_LEN },
838 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
839 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
840 					.len = FILS_ERP_MAX_RRK_LEN },
841 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
842 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
843 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
844 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
845 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
846 
847 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
848 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
849 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
850 	[NL80211_ATTR_HE_CAPABILITY] =
851 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
852 				       NL80211_HE_MAX_CAPABILITY_LEN),
853 	[NL80211_ATTR_FTM_RESPONDER] =
854 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
855 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
856 	[NL80211_ATTR_PEER_MEASUREMENTS] =
857 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
858 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
859 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
860 					.len = SAE_PASSWORD_MAX_LEN },
861 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
862 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
863 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
864 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
865 	[NL80211_ATTR_TID_CONFIG] =
866 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
867 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
868 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
869 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
870 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
871 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
872 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
873 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
874 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
875 	[NL80211_ATTR_FILS_DISCOVERY] =
876 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
877 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
878 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
879 	[NL80211_ATTR_S1G_CAPABILITY] =
880 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
881 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
882 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
883 	[NL80211_ATTR_SAE_PWE] =
884 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
885 				 NL80211_SAE_PWE_BOTH),
886 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
887 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
888 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
889 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
890 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
891 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
892 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
893 	[NL80211_ATTR_MBSSID_CONFIG] =
894 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
895 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
896 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
897 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
898 	[NL80211_ATTR_EHT_CAPABILITY] =
899 		NLA_POLICY_RANGE(NLA_BINARY,
900 				 NL80211_EHT_MIN_CAPABILITY_LEN,
901 				 NL80211_EHT_MAX_CAPABILITY_LEN),
902 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
903 	[NL80211_ATTR_MLO_LINKS] =
904 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
905 	[NL80211_ATTR_MLO_LINK_ID] =
906 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
907 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
908 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
909 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
910 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
911 	[NL80211_ATTR_PUNCT_BITMAP] =
912 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
913 
914 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
915 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
916 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
917 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
918 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
919 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
920 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
921 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
922 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
923 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
924 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
925 				       NL80211_MAX_SUPP_SELECTORS),
926 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
927 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
928 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
929 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
930 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
931 	[NL80211_ATTR_S1G_SHORT_BEACON] =
932 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
933 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
934 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
935 };
936 
937 /* policy for the key attributes */
938 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
939 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
940 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
941 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
942 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
943 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
944 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
945 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
946 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
947 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
948 };
949 
950 /* policy for the key default flags */
951 static const struct nla_policy
952 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
953 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
954 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
955 };
956 
957 #ifdef CONFIG_PM
958 /* policy for WoWLAN attributes */
959 static const struct nla_policy
960 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
961 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
962 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
963 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
964 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
965 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
966 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
967 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
968 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
969 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
970 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
971 };
972 
973 static const struct nla_policy
974 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
975 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
976 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
977 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
978 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
979 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
980 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
981 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
982 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
983 	},
984 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
985 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
986 	},
987 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
988 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
989 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
990 };
991 #endif /* CONFIG_PM */
992 
993 /* policy for coalesce rule attributes */
994 static const struct nla_policy
995 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
996 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
997 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
998 		NLA_POLICY_RANGE(NLA_U32,
999 				 NL80211_COALESCE_CONDITION_MATCH,
1000 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1001 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1002 };
1003 
1004 /* policy for GTK rekey offload attributes */
1005 static const struct nla_policy
1006 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1007 	[NL80211_REKEY_DATA_KEK] = {
1008 		.type = NLA_BINARY,
1009 		.len = NL80211_KEK_EXT_LEN
1010 	},
1011 	[NL80211_REKEY_DATA_KCK] = {
1012 		.type = NLA_BINARY,
1013 		.len = NL80211_KCK_EXT_LEN_32
1014 	},
1015 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1016 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1017 };
1018 
1019 static const struct nla_policy
1020 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1021 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1022 						 .len = IEEE80211_MAX_SSID_LEN },
1023 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1024 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1025 };
1026 
1027 static const struct nla_policy
1028 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1029 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1030 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1031 };
1032 
1033 static const struct nla_policy
1034 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1035 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1036 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1037 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1038 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1039 	},
1040 };
1041 
1042 /* policy for NAN function attributes */
1043 static const struct nla_policy
1044 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1045 	[NL80211_NAN_FUNC_TYPE] =
1046 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1047 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1048 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1049 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1050 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1051 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1052 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1053 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1054 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1055 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1056 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1057 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1058 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1059 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1060 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1061 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1062 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1063 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1064 };
1065 
1066 /* policy for Service Response Filter attributes */
1067 static const struct nla_policy
1068 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1069 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1070 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1071 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1072 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1073 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1074 };
1075 
1076 /* policy for packet pattern attributes */
1077 static const struct nla_policy
1078 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1079 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1080 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1081 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1082 };
1083 
1084 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1085 				     struct cfg80211_registered_device **rdev,
1086 				     struct wireless_dev **wdev,
1087 				     struct nlattr **attrbuf)
1088 {
1089 	int err;
1090 
1091 	if (!cb->args[0]) {
1092 		struct nlattr **attrbuf_free = NULL;
1093 
1094 		if (!attrbuf) {
1095 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
1096 					  GFP_KERNEL);
1097 			if (!attrbuf)
1098 				return -ENOMEM;
1099 			attrbuf_free = attrbuf;
1100 		}
1101 
1102 		err = nlmsg_parse_deprecated(cb->nlh,
1103 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1104 					     attrbuf, nl80211_fam.maxattr,
1105 					     nl80211_policy, NULL);
1106 		if (err) {
1107 			kfree(attrbuf_free);
1108 			return err;
1109 		}
1110 
1111 		rtnl_lock();
1112 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1113 						   attrbuf);
1114 		kfree(attrbuf_free);
1115 		if (IS_ERR(*wdev)) {
1116 			rtnl_unlock();
1117 			return PTR_ERR(*wdev);
1118 		}
1119 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1120 		mutex_lock(&(*rdev)->wiphy.mtx);
1121 		rtnl_unlock();
1122 		/* 0 is the first index - add 1 to parse only once */
1123 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1124 		cb->args[1] = (*wdev)->identifier;
1125 	} else {
1126 		/* subtract the 1 again here */
1127 		struct wiphy *wiphy;
1128 		struct wireless_dev *tmp;
1129 
1130 		rtnl_lock();
1131 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1132 		if (!wiphy) {
1133 			rtnl_unlock();
1134 			return -ENODEV;
1135 		}
1136 		*rdev = wiphy_to_rdev(wiphy);
1137 		*wdev = NULL;
1138 
1139 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1140 			if (tmp->identifier == cb->args[1]) {
1141 				*wdev = tmp;
1142 				break;
1143 			}
1144 		}
1145 
1146 		if (!*wdev) {
1147 			rtnl_unlock();
1148 			return -ENODEV;
1149 		}
1150 		mutex_lock(&(*rdev)->wiphy.mtx);
1151 		rtnl_unlock();
1152 	}
1153 
1154 	return 0;
1155 }
1156 
1157 /* message building helper */
1158 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1159 		     int flags, u8 cmd)
1160 {
1161 	/* since there is no private header just add the generic one */
1162 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1163 }
1164 
1165 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1166 				     const struct ieee80211_reg_rule *rule)
1167 {
1168 	int j;
1169 	struct nlattr *nl_wmm_rules =
1170 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1171 
1172 	if (!nl_wmm_rules)
1173 		goto nla_put_failure;
1174 
1175 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1176 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1177 
1178 		if (!nl_wmm_rule)
1179 			goto nla_put_failure;
1180 
1181 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1182 				rule->wmm_rule.client[j].cw_min) ||
1183 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1184 				rule->wmm_rule.client[j].cw_max) ||
1185 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1186 			       rule->wmm_rule.client[j].aifsn) ||
1187 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1188 			        rule->wmm_rule.client[j].cot))
1189 			goto nla_put_failure;
1190 
1191 		nla_nest_end(msg, nl_wmm_rule);
1192 	}
1193 	nla_nest_end(msg, nl_wmm_rules);
1194 
1195 	return 0;
1196 
1197 nla_put_failure:
1198 	return -ENOBUFS;
1199 }
1200 
1201 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1202 				   struct ieee80211_channel *chan,
1203 				   bool large)
1204 {
1205 	/* Some channels must be completely excluded from the
1206 	 * list to protect old user-space tools from breaking
1207 	 */
1208 	if (!large && chan->flags &
1209 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1210 		return 0;
1211 	if (!large && chan->freq_offset)
1212 		return 0;
1213 
1214 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1215 			chan->center_freq))
1216 		goto nla_put_failure;
1217 
1218 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1219 		goto nla_put_failure;
1220 
1221 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1222 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1223 		goto nla_put_failure;
1224 
1225 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1226 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1227 		goto nla_put_failure;
1228 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1229 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1230 			goto nla_put_failure;
1231 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1232 			goto nla_put_failure;
1233 	}
1234 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1235 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1236 			goto nla_put_failure;
1237 		if (large) {
1238 			u32 time;
1239 
1240 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1241 
1242 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1243 					chan->dfs_state))
1244 				goto nla_put_failure;
1245 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1246 					time))
1247 				goto nla_put_failure;
1248 			if (nla_put_u32(msg,
1249 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1250 					chan->dfs_cac_ms))
1251 				goto nla_put_failure;
1252 		}
1253 	}
1254 
1255 	if (large) {
1256 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1257 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1258 			goto nla_put_failure;
1259 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1260 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1261 			goto nla_put_failure;
1262 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1263 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1264 			goto nla_put_failure;
1265 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1266 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1267 			goto nla_put_failure;
1268 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1269 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1270 			goto nla_put_failure;
1271 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1272 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1273 			goto nla_put_failure;
1274 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1275 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1276 			goto nla_put_failure;
1277 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1278 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1279 			goto nla_put_failure;
1280 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1281 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1282 			goto nla_put_failure;
1283 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1284 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1285 			goto nla_put_failure;
1286 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1287 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1288 			goto nla_put_failure;
1289 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1290 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1291 			goto nla_put_failure;
1292 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1293 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1294 			goto nla_put_failure;
1295 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1296 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1297 			goto nla_put_failure;
1298 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1299 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1300 			goto nla_put_failure;
1301 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1302 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1303 			goto nla_put_failure;
1304 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1305 		    nla_put_flag(msg,
1306 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1307 			goto nla_put_failure;
1308 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1309 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1310 			goto nla_put_failure;
1311 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1312 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1313 			goto nla_put_failure;
1314 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1315 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1316 			goto nla_put_failure;
1317 	}
1318 
1319 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1320 			DBM_TO_MBM(chan->max_power)))
1321 		goto nla_put_failure;
1322 
1323 	if (large) {
1324 		const struct ieee80211_reg_rule *rule =
1325 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1326 
1327 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1328 			if (nl80211_msg_put_wmm_rules(msg, rule))
1329 				goto nla_put_failure;
1330 		}
1331 	}
1332 
1333 	return 0;
1334 
1335  nla_put_failure:
1336 	return -ENOBUFS;
1337 }
1338 
1339 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1340 				  struct cfg80211_txq_stats *txqstats,
1341 				  int attrtype)
1342 {
1343 	struct nlattr *txqattr;
1344 
1345 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1346 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1347 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1348 		return false;						  \
1349 	} while (0)
1350 
1351 	txqattr = nla_nest_start_noflag(msg, attrtype);
1352 	if (!txqattr)
1353 		return false;
1354 
1355 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1356 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1357 	PUT_TXQVAL_U32(FLOWS, flows);
1358 	PUT_TXQVAL_U32(DROPS, drops);
1359 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1360 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1361 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1362 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1363 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1364 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1365 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1366 	nla_nest_end(msg, txqattr);
1367 
1368 #undef PUT_TXQVAL_U32
1369 	return true;
1370 }
1371 
1372 /* netlink command implementations */
1373 
1374 /**
1375  * nl80211_link_id - return link ID
1376  * @attrs: attributes to look at
1377  *
1378  * Returns: the link ID or 0 if not given
1379  *
1380  * Note this function doesn't do any validation of the link
1381  * ID validity wrt. links that were actually added, so it must
1382  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1383  * or if additional validation is done.
1384  */
1385 static unsigned int nl80211_link_id(struct nlattr **attrs)
1386 {
1387 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1388 
1389 	return nla_get_u8_default(linkid, 0);
1390 }
1391 
1392 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1393 {
1394 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1395 
1396 	if (!linkid)
1397 		return -1;
1398 
1399 	return nla_get_u8(linkid);
1400 }
1401 
1402 struct key_parse {
1403 	struct key_params p;
1404 	int idx;
1405 	int type;
1406 	bool def, defmgmt, defbeacon;
1407 	bool def_uni, def_multi;
1408 };
1409 
1410 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1411 				 struct key_parse *k)
1412 {
1413 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1414 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1415 					      nl80211_key_policy,
1416 					      info->extack);
1417 	if (err)
1418 		return err;
1419 
1420 	k->def = !!tb[NL80211_KEY_DEFAULT];
1421 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1422 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1423 
1424 	if (k->def) {
1425 		k->def_uni = true;
1426 		k->def_multi = true;
1427 	}
1428 	if (k->defmgmt || k->defbeacon)
1429 		k->def_multi = true;
1430 
1431 	if (tb[NL80211_KEY_IDX])
1432 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1433 
1434 	if (tb[NL80211_KEY_DATA]) {
1435 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1436 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1437 	}
1438 
1439 	if (tb[NL80211_KEY_SEQ]) {
1440 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1441 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1442 	}
1443 
1444 	if (tb[NL80211_KEY_CIPHER])
1445 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1446 
1447 	if (tb[NL80211_KEY_TYPE])
1448 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1449 
1450 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1451 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1452 
1453 		err = nla_parse_nested_deprecated(kdt,
1454 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1455 						  tb[NL80211_KEY_DEFAULT_TYPES],
1456 						  nl80211_key_default_policy,
1457 						  info->extack);
1458 		if (err)
1459 			return err;
1460 
1461 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1462 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1463 	}
1464 
1465 	if (tb[NL80211_KEY_MODE])
1466 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1467 
1468 	return 0;
1469 }
1470 
1471 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1472 {
1473 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1474 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1475 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1476 	}
1477 
1478 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1479 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1480 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1481 	}
1482 
1483 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1484 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1485 
1486 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1487 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1488 
1489 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1490 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1491 
1492 	if (k->def) {
1493 		k->def_uni = true;
1494 		k->def_multi = true;
1495 	}
1496 	if (k->defmgmt)
1497 		k->def_multi = true;
1498 
1499 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1500 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1501 
1502 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1503 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1504 		int err = nla_parse_nested_deprecated(kdt,
1505 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1506 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1507 						      nl80211_key_default_policy,
1508 						      info->extack);
1509 		if (err)
1510 			return err;
1511 
1512 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1513 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1514 	}
1515 
1516 	return 0;
1517 }
1518 
1519 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1520 {
1521 	int err;
1522 
1523 	memset(k, 0, sizeof(*k));
1524 	k->idx = -1;
1525 	k->type = -1;
1526 
1527 	if (info->attrs[NL80211_ATTR_KEY])
1528 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1529 	else
1530 		err = nl80211_parse_key_old(info, k);
1531 
1532 	if (err)
1533 		return err;
1534 
1535 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1536 	    (k->defbeacon ? 1 : 0) > 1) {
1537 		GENL_SET_ERR_MSG(info,
1538 				 "key with multiple default flags is invalid");
1539 		return -EINVAL;
1540 	}
1541 
1542 	if (k->defmgmt || k->defbeacon) {
1543 		if (k->def_uni || !k->def_multi) {
1544 			GENL_SET_ERR_MSG(info,
1545 					 "defmgmt/defbeacon key must be mcast");
1546 			return -EINVAL;
1547 		}
1548 	}
1549 
1550 	if (k->idx != -1) {
1551 		if (k->defmgmt) {
1552 			if (k->idx < 4 || k->idx > 5) {
1553 				GENL_SET_ERR_MSG(info,
1554 						 "defmgmt key idx not 4 or 5");
1555 				return -EINVAL;
1556 			}
1557 		} else if (k->defbeacon) {
1558 			if (k->idx < 6 || k->idx > 7) {
1559 				GENL_SET_ERR_MSG(info,
1560 						 "defbeacon key idx not 6 or 7");
1561 				return -EINVAL;
1562 			}
1563 		} else if (k->def) {
1564 			if (k->idx < 0 || k->idx > 3) {
1565 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1566 				return -EINVAL;
1567 			}
1568 		} else {
1569 			if (k->idx < 0 || k->idx > 7) {
1570 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1571 				return -EINVAL;
1572 			}
1573 		}
1574 	}
1575 
1576 	return 0;
1577 }
1578 
1579 static struct cfg80211_cached_keys *
1580 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1581 		       struct genl_info *info, bool *no_ht)
1582 {
1583 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1584 	struct key_parse parse;
1585 	struct nlattr *key;
1586 	struct cfg80211_cached_keys *result;
1587 	int rem, err, def = 0;
1588 	bool have_key = false;
1589 
1590 	nla_for_each_nested(key, keys, rem) {
1591 		have_key = true;
1592 		break;
1593 	}
1594 
1595 	if (!have_key)
1596 		return NULL;
1597 
1598 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1599 	if (!result)
1600 		return ERR_PTR(-ENOMEM);
1601 
1602 	result->def = -1;
1603 
1604 	nla_for_each_nested(key, keys, rem) {
1605 		memset(&parse, 0, sizeof(parse));
1606 		parse.idx = -1;
1607 
1608 		err = nl80211_parse_key_new(info, key, &parse);
1609 		if (err)
1610 			goto error;
1611 		err = -EINVAL;
1612 		if (!parse.p.key)
1613 			goto error;
1614 		if (parse.idx < 0 || parse.idx > 3) {
1615 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1616 			goto error;
1617 		}
1618 		if (parse.def) {
1619 			if (def) {
1620 				GENL_SET_ERR_MSG(info,
1621 						 "only one key can be default");
1622 				goto error;
1623 			}
1624 			def = 1;
1625 			result->def = parse.idx;
1626 			if (!parse.def_uni || !parse.def_multi)
1627 				goto error;
1628 		} else if (parse.defmgmt)
1629 			goto error;
1630 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1631 						     parse.idx, false, NULL);
1632 		if (err)
1633 			goto error;
1634 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1635 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1636 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1637 			err = -EINVAL;
1638 			goto error;
1639 		}
1640 		result->params[parse.idx].cipher = parse.p.cipher;
1641 		result->params[parse.idx].key_len = parse.p.key_len;
1642 		result->params[parse.idx].key = result->data[parse.idx];
1643 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1644 
1645 		/* must be WEP key if we got here */
1646 		if (no_ht)
1647 			*no_ht = true;
1648 	}
1649 
1650 	if (result->def < 0) {
1651 		err = -EINVAL;
1652 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1653 		goto error;
1654 	}
1655 
1656 	return result;
1657  error:
1658 	kfree_sensitive(result);
1659 	return ERR_PTR(err);
1660 }
1661 
1662 static int nl80211_key_allowed(struct wireless_dev *wdev)
1663 {
1664 	lockdep_assert_wiphy(wdev->wiphy);
1665 
1666 	switch (wdev->iftype) {
1667 	case NL80211_IFTYPE_AP:
1668 	case NL80211_IFTYPE_AP_VLAN:
1669 	case NL80211_IFTYPE_P2P_GO:
1670 	case NL80211_IFTYPE_MESH_POINT:
1671 		break;
1672 	case NL80211_IFTYPE_ADHOC:
1673 		if (wdev->u.ibss.current_bss)
1674 			return 0;
1675 		return -ENOLINK;
1676 	case NL80211_IFTYPE_STATION:
1677 	case NL80211_IFTYPE_P2P_CLIENT:
1678 		if (wdev->connected)
1679 			return 0;
1680 		return -ENOLINK;
1681 	case NL80211_IFTYPE_NAN:
1682 		if (wiphy_ext_feature_isset(wdev->wiphy,
1683 					    NL80211_EXT_FEATURE_SECURE_NAN))
1684 			return 0;
1685 		return -EINVAL;
1686 	case NL80211_IFTYPE_UNSPECIFIED:
1687 	case NL80211_IFTYPE_OCB:
1688 	case NL80211_IFTYPE_MONITOR:
1689 	case NL80211_IFTYPE_P2P_DEVICE:
1690 	case NL80211_IFTYPE_WDS:
1691 	case NUM_NL80211_IFTYPES:
1692 		return -EINVAL;
1693 	}
1694 
1695 	return 0;
1696 }
1697 
1698 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1699 							u32 freq)
1700 {
1701 	struct ieee80211_channel *chan;
1702 
1703 	chan = ieee80211_get_channel_khz(wiphy, freq);
1704 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1705 		return NULL;
1706 	return chan;
1707 }
1708 
1709 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1710 {
1711 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1712 	int i;
1713 
1714 	if (!nl_modes)
1715 		goto nla_put_failure;
1716 
1717 	i = 0;
1718 	while (ifmodes) {
1719 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1720 			goto nla_put_failure;
1721 		ifmodes >>= 1;
1722 		i++;
1723 	}
1724 
1725 	nla_nest_end(msg, nl_modes);
1726 	return 0;
1727 
1728 nla_put_failure:
1729 	return -ENOBUFS;
1730 }
1731 
1732 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1733 				   const struct ieee80211_iface_combination *c,
1734 				   u16 nested)
1735 {
1736 	struct nlattr *nl_combi, *nl_limits;
1737 	int i;
1738 
1739 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1740 	if (!nl_combi)
1741 		goto nla_put_failure;
1742 
1743 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1744 					       nested);
1745 	if (!nl_limits)
1746 		goto nla_put_failure;
1747 
1748 	for (i = 0; i < c->n_limits; i++) {
1749 		struct nlattr *nl_limit;
1750 
1751 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1752 		if (!nl_limit)
1753 			goto nla_put_failure;
1754 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1755 			goto nla_put_failure;
1756 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1757 					c->limits[i].types))
1758 			goto nla_put_failure;
1759 		nla_nest_end(msg, nl_limit);
1760 	}
1761 
1762 	nla_nest_end(msg, nl_limits);
1763 
1764 	if (c->beacon_int_infra_match &&
1765 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1766 		goto nla_put_failure;
1767 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1768 			c->num_different_channels) ||
1769 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1770 			c->max_interfaces))
1771 		goto nla_put_failure;
1772 	if (large &&
1773 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1774 			c->radar_detect_widths) ||
1775 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1776 			c->radar_detect_regions)))
1777 		goto nla_put_failure;
1778 	if (c->beacon_int_min_gcd &&
1779 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1780 			c->beacon_int_min_gcd))
1781 		goto nla_put_failure;
1782 
1783 	nla_nest_end(msg, nl_combi);
1784 
1785 	return 0;
1786 nla_put_failure:
1787 	return -ENOBUFS;
1788 }
1789 
1790 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1791 					  struct sk_buff *msg,
1792 					  int attr, int radio,
1793 					  bool large, u16 nested)
1794 {
1795 	const struct ieee80211_iface_combination *c;
1796 	struct nlattr *nl_combis;
1797 	int i, n;
1798 
1799 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1800 	if (!nl_combis)
1801 		goto nla_put_failure;
1802 
1803 	if (radio >= 0) {
1804 		c = wiphy->radio[0].iface_combinations;
1805 		n = wiphy->radio[0].n_iface_combinations;
1806 	} else {
1807 		c = wiphy->iface_combinations;
1808 		n = wiphy->n_iface_combinations;
1809 	}
1810 	for (i = 0; i < n; i++)
1811 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1812 			goto nla_put_failure;
1813 
1814 	nla_nest_end(msg, nl_combis);
1815 
1816 	return 0;
1817 nla_put_failure:
1818 	return -ENOBUFS;
1819 }
1820 
1821 #ifdef CONFIG_PM
1822 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1823 					struct sk_buff *msg)
1824 {
1825 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1826 	struct nlattr *nl_tcp;
1827 
1828 	if (!tcp)
1829 		return 0;
1830 
1831 	nl_tcp = nla_nest_start_noflag(msg,
1832 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1833 	if (!nl_tcp)
1834 		return -ENOBUFS;
1835 
1836 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1837 			tcp->data_payload_max))
1838 		return -ENOBUFS;
1839 
1840 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1841 			tcp->data_payload_max))
1842 		return -ENOBUFS;
1843 
1844 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1845 		return -ENOBUFS;
1846 
1847 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1848 				sizeof(*tcp->tok), tcp->tok))
1849 		return -ENOBUFS;
1850 
1851 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1852 			tcp->data_interval_max))
1853 		return -ENOBUFS;
1854 
1855 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1856 			tcp->wake_payload_max))
1857 		return -ENOBUFS;
1858 
1859 	nla_nest_end(msg, nl_tcp);
1860 	return 0;
1861 }
1862 
1863 static int nl80211_send_wowlan(struct sk_buff *msg,
1864 			       struct cfg80211_registered_device *rdev,
1865 			       bool large)
1866 {
1867 	struct nlattr *nl_wowlan;
1868 
1869 	if (!rdev->wiphy.wowlan)
1870 		return 0;
1871 
1872 	nl_wowlan = nla_nest_start_noflag(msg,
1873 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1874 	if (!nl_wowlan)
1875 		return -ENOBUFS;
1876 
1877 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1878 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1879 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1880 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1881 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1882 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1883 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1884 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1885 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1886 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1887 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1888 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1889 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1890 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1891 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1892 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1893 		return -ENOBUFS;
1894 
1895 	if (rdev->wiphy.wowlan->n_patterns) {
1896 		struct nl80211_pattern_support pat = {
1897 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1898 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1899 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1900 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1901 		};
1902 
1903 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1904 			    sizeof(pat), &pat))
1905 			return -ENOBUFS;
1906 	}
1907 
1908 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1909 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1910 			rdev->wiphy.wowlan->max_nd_match_sets))
1911 		return -ENOBUFS;
1912 
1913 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1914 		return -ENOBUFS;
1915 
1916 	nla_nest_end(msg, nl_wowlan);
1917 
1918 	return 0;
1919 }
1920 #endif
1921 
1922 static int nl80211_send_coalesce(struct sk_buff *msg,
1923 				 struct cfg80211_registered_device *rdev)
1924 {
1925 	struct nl80211_coalesce_rule_support rule;
1926 
1927 	if (!rdev->wiphy.coalesce)
1928 		return 0;
1929 
1930 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1931 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1932 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1933 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1934 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1935 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1936 
1937 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1938 		return -ENOBUFS;
1939 
1940 	return 0;
1941 }
1942 
1943 static int
1944 nl80211_send_iftype_data(struct sk_buff *msg,
1945 			 const struct ieee80211_supported_band *sband,
1946 			 const struct ieee80211_sband_iftype_data *iftdata)
1947 {
1948 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1949 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1950 
1951 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1952 				iftdata->types_mask))
1953 		return -ENOBUFS;
1954 
1955 	if (he_cap->has_he) {
1956 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1957 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1958 			    he_cap->he_cap_elem.mac_cap_info) ||
1959 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1960 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1961 			    he_cap->he_cap_elem.phy_cap_info) ||
1962 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1963 			    sizeof(he_cap->he_mcs_nss_supp),
1964 			    &he_cap->he_mcs_nss_supp) ||
1965 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1966 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1967 			return -ENOBUFS;
1968 	}
1969 
1970 	if (eht_cap->has_eht && he_cap->has_he) {
1971 		u8 mcs_nss_size, ppe_thresh_size;
1972 		u16 ppe_thres_hdr;
1973 		bool is_ap;
1974 
1975 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1976 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1977 
1978 		mcs_nss_size =
1979 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1980 						   &eht_cap->eht_cap_elem,
1981 						   is_ap);
1982 
1983 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1984 		ppe_thresh_size =
1985 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1986 					       eht_cap->eht_cap_elem.phy_cap_info);
1987 
1988 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1989 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1990 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1991 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1992 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1993 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1994 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1995 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1996 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1997 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1998 			return -ENOBUFS;
1999 	}
2000 
2001 	if (sband->band == NL80211_BAND_6GHZ &&
2002 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2003 		    sizeof(iftdata->he_6ghz_capa),
2004 		    &iftdata->he_6ghz_capa))
2005 		return -ENOBUFS;
2006 
2007 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2008 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2009 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2010 		return -ENOBUFS;
2011 
2012 	return 0;
2013 }
2014 
2015 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2016 				      struct ieee80211_supported_band *sband,
2017 				      bool large)
2018 {
2019 	struct nlattr *nl_rates, *nl_rate;
2020 	struct ieee80211_rate *rate;
2021 	int i;
2022 
2023 	/* add HT info */
2024 	if (sband->ht_cap.ht_supported &&
2025 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2026 		     sizeof(sband->ht_cap.mcs),
2027 		     &sband->ht_cap.mcs) ||
2028 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2029 			 sband->ht_cap.cap) ||
2030 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2031 			sband->ht_cap.ampdu_factor) ||
2032 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2033 			sband->ht_cap.ampdu_density)))
2034 		return -ENOBUFS;
2035 
2036 	/* add VHT info */
2037 	if (sband->vht_cap.vht_supported &&
2038 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2039 		     sizeof(sband->vht_cap.vht_mcs),
2040 		     &sband->vht_cap.vht_mcs) ||
2041 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2042 			 sband->vht_cap.cap)))
2043 		return -ENOBUFS;
2044 
2045 	if (large && sband->n_iftype_data) {
2046 		struct nlattr *nl_iftype_data =
2047 			nla_nest_start_noflag(msg,
2048 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2049 		const struct ieee80211_sband_iftype_data *iftd;
2050 		int err;
2051 
2052 		if (!nl_iftype_data)
2053 			return -ENOBUFS;
2054 
2055 		for_each_sband_iftype_data(sband, i, iftd) {
2056 			struct nlattr *iftdata;
2057 
2058 			iftdata = nla_nest_start_noflag(msg, i + 1);
2059 			if (!iftdata)
2060 				return -ENOBUFS;
2061 
2062 			err = nl80211_send_iftype_data(msg, sband, iftd);
2063 			if (err)
2064 				return err;
2065 
2066 			nla_nest_end(msg, iftdata);
2067 		}
2068 
2069 		nla_nest_end(msg, nl_iftype_data);
2070 	}
2071 
2072 	/* add EDMG info */
2073 	if (large && sband->edmg_cap.channels &&
2074 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2075 		       sband->edmg_cap.channels) ||
2076 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2077 		       sband->edmg_cap.bw_config)))
2078 
2079 		return -ENOBUFS;
2080 
2081 	/* add bitrates */
2082 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2083 	if (!nl_rates)
2084 		return -ENOBUFS;
2085 
2086 	for (i = 0; i < sband->n_bitrates; i++) {
2087 		nl_rate = nla_nest_start_noflag(msg, i);
2088 		if (!nl_rate)
2089 			return -ENOBUFS;
2090 
2091 		rate = &sband->bitrates[i];
2092 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2093 				rate->bitrate))
2094 			return -ENOBUFS;
2095 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2096 		    nla_put_flag(msg,
2097 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2098 			return -ENOBUFS;
2099 
2100 		nla_nest_end(msg, nl_rate);
2101 	}
2102 
2103 	nla_nest_end(msg, nl_rates);
2104 
2105 	/* S1G capabilities */
2106 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2107 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2108 		     sizeof(sband->s1g_cap.cap),
2109 		     sband->s1g_cap.cap) ||
2110 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2111 		     sizeof(sband->s1g_cap.nss_mcs),
2112 		     sband->s1g_cap.nss_mcs)))
2113 		return -ENOBUFS;
2114 
2115 	return 0;
2116 }
2117 
2118 static int
2119 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2120 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2121 {
2122 	u16 stypes;
2123 	struct nlattr *nl_ftypes, *nl_ifs;
2124 	enum nl80211_iftype ift;
2125 	int i;
2126 
2127 	if (!mgmt_stypes)
2128 		return 0;
2129 
2130 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2131 	if (!nl_ifs)
2132 		return -ENOBUFS;
2133 
2134 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2135 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2136 		if (!nl_ftypes)
2137 			return -ENOBUFS;
2138 		i = 0;
2139 		stypes = mgmt_stypes[ift].tx;
2140 		while (stypes) {
2141 			if ((stypes & 1) &&
2142 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2143 					(i << 4) | IEEE80211_FTYPE_MGMT))
2144 				return -ENOBUFS;
2145 			stypes >>= 1;
2146 			i++;
2147 		}
2148 		nla_nest_end(msg, nl_ftypes);
2149 	}
2150 
2151 	nla_nest_end(msg, nl_ifs);
2152 
2153 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2154 	if (!nl_ifs)
2155 		return -ENOBUFS;
2156 
2157 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2158 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2159 		if (!nl_ftypes)
2160 			return -ENOBUFS;
2161 		i = 0;
2162 		stypes = mgmt_stypes[ift].rx;
2163 		while (stypes) {
2164 			if ((stypes & 1) &&
2165 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2166 					(i << 4) | IEEE80211_FTYPE_MGMT))
2167 				return -ENOBUFS;
2168 			stypes >>= 1;
2169 			i++;
2170 		}
2171 		nla_nest_end(msg, nl_ftypes);
2172 	}
2173 	nla_nest_end(msg, nl_ifs);
2174 
2175 	return 0;
2176 }
2177 
2178 #define CMD(op, n)							\
2179 	 do {								\
2180 		if (rdev->ops->op) {					\
2181 			i++;						\
2182 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2183 				goto nla_put_failure;			\
2184 		}							\
2185 	} while (0)
2186 
2187 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2188 					struct sk_buff *msg)
2189 {
2190 	int i = 0;
2191 
2192 	/*
2193 	 * do *NOT* add anything into this function, new things need to be
2194 	 * advertised only to new versions of userspace that can deal with
2195 	 * the split (and they can't possibly care about new features...
2196 	 */
2197 	CMD(add_virtual_intf, NEW_INTERFACE);
2198 	CMD(change_virtual_intf, SET_INTERFACE);
2199 	CMD(add_key, NEW_KEY);
2200 	CMD(start_ap, START_AP);
2201 	CMD(add_station, NEW_STATION);
2202 	CMD(add_mpath, NEW_MPATH);
2203 	CMD(update_mesh_config, SET_MESH_CONFIG);
2204 	CMD(change_bss, SET_BSS);
2205 	CMD(auth, AUTHENTICATE);
2206 	CMD(assoc, ASSOCIATE);
2207 	CMD(deauth, DEAUTHENTICATE);
2208 	CMD(disassoc, DISASSOCIATE);
2209 	CMD(join_ibss, JOIN_IBSS);
2210 	CMD(join_mesh, JOIN_MESH);
2211 	CMD(set_pmksa, SET_PMKSA);
2212 	CMD(del_pmksa, DEL_PMKSA);
2213 	CMD(flush_pmksa, FLUSH_PMKSA);
2214 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2215 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2216 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2217 	CMD(mgmt_tx, FRAME);
2218 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2219 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2220 		i++;
2221 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2222 			goto nla_put_failure;
2223 	}
2224 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2225 	    rdev->ops->join_mesh) {
2226 		i++;
2227 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2228 			goto nla_put_failure;
2229 	}
2230 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2231 		CMD(tdls_mgmt, TDLS_MGMT);
2232 		CMD(tdls_oper, TDLS_OPER);
2233 	}
2234 	if (rdev->wiphy.max_sched_scan_reqs)
2235 		CMD(sched_scan_start, START_SCHED_SCAN);
2236 	CMD(probe_client, PROBE_CLIENT);
2237 	CMD(set_noack_map, SET_NOACK_MAP);
2238 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2239 		i++;
2240 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2241 			goto nla_put_failure;
2242 	}
2243 	CMD(start_p2p_device, START_P2P_DEVICE);
2244 	CMD(set_mcast_rate, SET_MCAST_RATE);
2245 #ifdef CONFIG_NL80211_TESTMODE
2246 	CMD(testmode_cmd, TESTMODE);
2247 #endif
2248 
2249 	if (rdev->ops->connect || rdev->ops->auth) {
2250 		i++;
2251 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2252 			goto nla_put_failure;
2253 	}
2254 
2255 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2256 		i++;
2257 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2258 			goto nla_put_failure;
2259 	}
2260 
2261 	return i;
2262  nla_put_failure:
2263 	return -ENOBUFS;
2264 }
2265 
2266 static int
2267 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2268 			   struct sk_buff *msg)
2269 {
2270 	struct nlattr *ftm;
2271 
2272 	if (!cap->ftm.supported)
2273 		return 0;
2274 
2275 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2276 	if (!ftm)
2277 		return -ENOBUFS;
2278 
2279 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2280 		return -ENOBUFS;
2281 	if (cap->ftm.non_asap &&
2282 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2283 		return -ENOBUFS;
2284 	if (cap->ftm.request_lci &&
2285 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2286 		return -ENOBUFS;
2287 	if (cap->ftm.request_civicloc &&
2288 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2289 		return -ENOBUFS;
2290 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2291 			cap->ftm.preambles))
2292 		return -ENOBUFS;
2293 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2294 			cap->ftm.bandwidths))
2295 		return -ENOBUFS;
2296 	if (cap->ftm.max_bursts_exponent >= 0 &&
2297 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2298 			cap->ftm.max_bursts_exponent))
2299 		return -ENOBUFS;
2300 	if (cap->ftm.max_ftms_per_burst &&
2301 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2302 			cap->ftm.max_ftms_per_burst))
2303 		return -ENOBUFS;
2304 	if (cap->ftm.trigger_based &&
2305 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2306 		return -ENOBUFS;
2307 	if (cap->ftm.non_trigger_based &&
2308 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2309 		return -ENOBUFS;
2310 
2311 	nla_nest_end(msg, ftm);
2312 	return 0;
2313 }
2314 
2315 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2316 				  struct sk_buff *msg)
2317 {
2318 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2319 	struct nlattr *pmsr, *caps;
2320 
2321 	if (!cap)
2322 		return 0;
2323 
2324 	/*
2325 	 * we don't need to clean up anything here since the caller
2326 	 * will genlmsg_cancel() if we fail
2327 	 */
2328 
2329 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2330 	if (!pmsr)
2331 		return -ENOBUFS;
2332 
2333 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2334 		return -ENOBUFS;
2335 
2336 	if (cap->report_ap_tsf &&
2337 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2338 		return -ENOBUFS;
2339 
2340 	if (cap->randomize_mac_addr &&
2341 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2342 		return -ENOBUFS;
2343 
2344 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2345 	if (!caps)
2346 		return -ENOBUFS;
2347 
2348 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2349 		return -ENOBUFS;
2350 
2351 	nla_nest_end(msg, caps);
2352 	nla_nest_end(msg, pmsr);
2353 
2354 	return 0;
2355 }
2356 
2357 static int
2358 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2359 			      struct sk_buff *msg)
2360 {
2361 	int i;
2362 	struct nlattr *nested, *nested_akms;
2363 	const struct wiphy_iftype_akm_suites *iftype_akms;
2364 
2365 	if (!rdev->wiphy.num_iftype_akm_suites ||
2366 	    !rdev->wiphy.iftype_akm_suites)
2367 		return 0;
2368 
2369 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2370 	if (!nested)
2371 		return -ENOBUFS;
2372 
2373 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2374 		nested_akms = nla_nest_start(msg, i + 1);
2375 		if (!nested_akms)
2376 			return -ENOBUFS;
2377 
2378 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2379 
2380 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2381 					iftype_akms->iftypes_mask))
2382 			return -ENOBUFS;
2383 
2384 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2385 			    sizeof(u32) * iftype_akms->n_akm_suites,
2386 			    iftype_akms->akm_suites)) {
2387 			return -ENOBUFS;
2388 		}
2389 		nla_nest_end(msg, nested_akms);
2390 	}
2391 
2392 	nla_nest_end(msg, nested);
2393 
2394 	return 0;
2395 }
2396 
2397 static int
2398 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2399 			       struct sk_buff *msg)
2400 {
2401 	struct nlattr *supp;
2402 
2403 	if (!rdev->wiphy.tid_config_support.vif &&
2404 	    !rdev->wiphy.tid_config_support.peer)
2405 		return 0;
2406 
2407 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2408 	if (!supp)
2409 		return -ENOSPC;
2410 
2411 	if (rdev->wiphy.tid_config_support.vif &&
2412 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2413 			      rdev->wiphy.tid_config_support.vif,
2414 			      NL80211_TID_CONFIG_ATTR_PAD))
2415 		goto fail;
2416 
2417 	if (rdev->wiphy.tid_config_support.peer &&
2418 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2419 			      rdev->wiphy.tid_config_support.peer,
2420 			      NL80211_TID_CONFIG_ATTR_PAD))
2421 		goto fail;
2422 
2423 	/* for now we just use the same value ... makes more sense */
2424 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2425 		       rdev->wiphy.tid_config_support.max_retry))
2426 		goto fail;
2427 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2428 		       rdev->wiphy.tid_config_support.max_retry))
2429 		goto fail;
2430 
2431 	nla_nest_end(msg, supp);
2432 
2433 	return 0;
2434 fail:
2435 	nla_nest_cancel(msg, supp);
2436 	return -ENOBUFS;
2437 }
2438 
2439 static int
2440 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2441 		      struct sk_buff *msg)
2442 {
2443 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2444 	u8 num_freq_ranges;
2445 	int i;
2446 
2447 	if (!rdev->wiphy.sar_capa)
2448 		return 0;
2449 
2450 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2451 
2452 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2453 	if (!sar_capa)
2454 		return -ENOSPC;
2455 
2456 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2457 		goto fail;
2458 
2459 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2460 	if (!specs)
2461 		goto fail;
2462 
2463 	/* report supported freq_ranges */
2464 	for (i = 0; i < num_freq_ranges; i++) {
2465 		sub_freq_range = nla_nest_start(msg, i + 1);
2466 		if (!sub_freq_range)
2467 			goto fail;
2468 
2469 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2470 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2471 			goto fail;
2472 
2473 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2474 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2475 			goto fail;
2476 
2477 		nla_nest_end(msg, sub_freq_range);
2478 	}
2479 
2480 	nla_nest_end(msg, specs);
2481 	nla_nest_end(msg, sar_capa);
2482 
2483 	return 0;
2484 fail:
2485 	nla_nest_cancel(msg, sar_capa);
2486 	return -ENOBUFS;
2487 }
2488 
2489 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2490 {
2491 	struct nlattr *config;
2492 
2493 	if (!wiphy->mbssid_max_interfaces)
2494 		return 0;
2495 
2496 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2497 	if (!config)
2498 		return -ENOBUFS;
2499 
2500 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2501 		       wiphy->mbssid_max_interfaces))
2502 		goto fail;
2503 
2504 	if (wiphy->ema_max_profile_periodicity &&
2505 	    nla_put_u8(msg,
2506 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2507 		       wiphy->ema_max_profile_periodicity))
2508 		goto fail;
2509 
2510 	nla_nest_end(msg, config);
2511 	return 0;
2512 
2513 fail:
2514 	nla_nest_cancel(msg, config);
2515 	return -ENOBUFS;
2516 }
2517 
2518 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2519 {
2520 	const struct wiphy_radio *r = &wiphy->radio[idx];
2521 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2522 	struct nlattr *radio, *freq;
2523 	int i;
2524 
2525 	radio = nla_nest_start(msg, idx);
2526 	if (!radio)
2527 		return -ENOBUFS;
2528 
2529 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2530 		goto nla_put_failure;
2531 
2532 	if (rcfg->rts_threshold &&
2533 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2534 			rcfg->rts_threshold))
2535 		goto nla_put_failure;
2536 
2537 	if (r->antenna_mask &&
2538 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2539 			r->antenna_mask))
2540 		goto nla_put_failure;
2541 
2542 	for (i = 0; i < r->n_freq_range; i++) {
2543 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2544 
2545 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2546 		if (!freq)
2547 			goto nla_put_failure;
2548 
2549 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2550 				range->start_freq) ||
2551 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2552 				range->end_freq))
2553 			goto nla_put_failure;
2554 
2555 		nla_nest_end(msg, freq);
2556 	}
2557 
2558 	for (i = 0; i < r->n_iface_combinations; i++)
2559 		if (nl80211_put_ifcomb_data(msg, true,
2560 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2561 					    &r->iface_combinations[i],
2562 					    NLA_F_NESTED))
2563 			goto nla_put_failure;
2564 
2565 	nla_nest_end(msg, radio);
2566 
2567 	return 0;
2568 
2569 nla_put_failure:
2570 	return -ENOBUFS;
2571 }
2572 
2573 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2574 {
2575 	struct nlattr *radios;
2576 	int i;
2577 
2578 	if (!wiphy->n_radio)
2579 		return 0;
2580 
2581 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2582 	if (!radios)
2583 		return -ENOBUFS;
2584 
2585 	for (i = 0; i < wiphy->n_radio; i++)
2586 		if (nl80211_put_radio(wiphy, msg, i))
2587 			goto fail;
2588 
2589 	nla_nest_end(msg, radios);
2590 
2591 	if (nl80211_put_iface_combinations(wiphy, msg,
2592 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2593 					   -1, true, NLA_F_NESTED))
2594 		return -ENOBUFS;
2595 
2596 	return 0;
2597 
2598 fail:
2599 	nla_nest_cancel(msg, radios);
2600 	return -ENOBUFS;
2601 }
2602 
2603 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
2604 {
2605 	struct nlattr *nan_caps;
2606 
2607 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
2608 	if (!nan_caps)
2609 		return -ENOBUFS;
2610 
2611 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
2612 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
2613 		goto fail;
2614 
2615 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
2616 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
2617 		goto fail;
2618 
2619 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
2620 		       wiphy->nan_capa.op_mode) ||
2621 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
2622 		       wiphy->nan_capa.n_antennas) ||
2623 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
2624 			wiphy->nan_capa.max_channel_switch_time) ||
2625 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
2626 		       wiphy->nan_capa.dev_capabilities))
2627 		goto fail;
2628 
2629 	nla_nest_end(msg, nan_caps);
2630 
2631 	return 0;
2632 
2633 fail:
2634 	nla_nest_cancel(msg, nan_caps);
2635 	return -ENOBUFS;
2636 }
2637 
2638 struct nl80211_dump_wiphy_state {
2639 	s64 filter_wiphy;
2640 	long start;
2641 	long split_start, band_start, chan_start, capa_start;
2642 	bool split;
2643 };
2644 
2645 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2646 			      enum nl80211_commands cmd,
2647 			      struct sk_buff *msg, u32 portid, u32 seq,
2648 			      int flags, struct nl80211_dump_wiphy_state *state)
2649 {
2650 	void *hdr;
2651 	struct nlattr *nl_bands, *nl_band;
2652 	struct nlattr *nl_freqs, *nl_freq;
2653 	struct nlattr *nl_cmds;
2654 	enum nl80211_band band;
2655 	struct ieee80211_channel *chan;
2656 	int i;
2657 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2658 				rdev->wiphy.mgmt_stypes;
2659 	u32 features;
2660 
2661 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2662 	if (!hdr)
2663 		return -ENOBUFS;
2664 
2665 	if (WARN_ON(!state))
2666 		return -EINVAL;
2667 
2668 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2669 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2670 			   wiphy_name(&rdev->wiphy)) ||
2671 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2672 			cfg80211_rdev_list_generation))
2673 		goto nla_put_failure;
2674 
2675 	if (cmd != NL80211_CMD_NEW_WIPHY)
2676 		goto finish;
2677 
2678 	switch (state->split_start) {
2679 	case 0:
2680 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2681 			       rdev->wiphy.retry_short) ||
2682 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2683 			       rdev->wiphy.retry_long) ||
2684 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2685 				rdev->wiphy.frag_threshold) ||
2686 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2687 				rdev->wiphy.rts_threshold) ||
2688 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2689 			       rdev->wiphy.coverage_class) ||
2690 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2691 			       rdev->wiphy.max_scan_ssids) ||
2692 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2693 			       rdev->wiphy.max_sched_scan_ssids) ||
2694 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2695 				rdev->wiphy.max_scan_ie_len) ||
2696 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2697 				rdev->wiphy.max_sched_scan_ie_len) ||
2698 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2699 			       rdev->wiphy.max_match_sets))
2700 			goto nla_put_failure;
2701 
2702 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2703 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2704 			goto nla_put_failure;
2705 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2706 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2707 			goto nla_put_failure;
2708 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2709 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2710 			goto nla_put_failure;
2711 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2712 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2713 			goto nla_put_failure;
2714 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2715 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2716 			goto nla_put_failure;
2717 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2718 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2719 			goto nla_put_failure;
2720 		state->split_start++;
2721 		if (state->split)
2722 			break;
2723 		fallthrough;
2724 	case 1:
2725 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2726 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2727 			    rdev->wiphy.cipher_suites))
2728 			goto nla_put_failure;
2729 
2730 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2731 			       rdev->wiphy.max_num_pmkids))
2732 			goto nla_put_failure;
2733 
2734 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2735 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2736 			goto nla_put_failure;
2737 
2738 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2739 				rdev->wiphy.available_antennas_tx) ||
2740 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2741 				rdev->wiphy.available_antennas_rx))
2742 			goto nla_put_failure;
2743 
2744 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2745 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2746 				rdev->wiphy.probe_resp_offload))
2747 			goto nla_put_failure;
2748 
2749 		if ((rdev->wiphy.available_antennas_tx ||
2750 		     rdev->wiphy.available_antennas_rx) &&
2751 		    rdev->ops->get_antenna) {
2752 			u32 tx_ant = 0, rx_ant = 0;
2753 			int res;
2754 
2755 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
2756 			if (!res) {
2757 				if (nla_put_u32(msg,
2758 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2759 						tx_ant) ||
2760 				    nla_put_u32(msg,
2761 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2762 						rx_ant))
2763 					goto nla_put_failure;
2764 			}
2765 		}
2766 
2767 		state->split_start++;
2768 		if (state->split)
2769 			break;
2770 		fallthrough;
2771 	case 2:
2772 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2773 					rdev->wiphy.interface_modes))
2774 				goto nla_put_failure;
2775 		state->split_start++;
2776 		if (state->split)
2777 			break;
2778 		fallthrough;
2779 	case 3:
2780 		nl_bands = nla_nest_start_noflag(msg,
2781 						 NL80211_ATTR_WIPHY_BANDS);
2782 		if (!nl_bands)
2783 			goto nla_put_failure;
2784 
2785 		for (band = state->band_start;
2786 		     band < (state->split ?
2787 				NUM_NL80211_BANDS :
2788 				NL80211_BAND_60GHZ + 1);
2789 		     band++) {
2790 			struct ieee80211_supported_band *sband;
2791 
2792 			/* omit higher bands for ancient software */
2793 			if (band > NL80211_BAND_5GHZ && !state->split)
2794 				break;
2795 
2796 			sband = rdev->wiphy.bands[band];
2797 
2798 			if (!sband)
2799 				continue;
2800 
2801 			nl_band = nla_nest_start_noflag(msg, band);
2802 			if (!nl_band)
2803 				goto nla_put_failure;
2804 
2805 			switch (state->chan_start) {
2806 			case 0:
2807 				if (nl80211_send_band_rateinfo(msg, sband,
2808 							       state->split))
2809 					goto nla_put_failure;
2810 				state->chan_start++;
2811 				if (state->split)
2812 					break;
2813 				fallthrough;
2814 			default:
2815 				/* add frequencies */
2816 				nl_freqs = nla_nest_start_noflag(msg,
2817 								 NL80211_BAND_ATTR_FREQS);
2818 				if (!nl_freqs)
2819 					goto nla_put_failure;
2820 
2821 				for (i = state->chan_start - 1;
2822 				     i < sband->n_channels;
2823 				     i++) {
2824 					nl_freq = nla_nest_start_noflag(msg,
2825 									i);
2826 					if (!nl_freq)
2827 						goto nla_put_failure;
2828 
2829 					chan = &sband->channels[i];
2830 
2831 					if (nl80211_msg_put_channel(
2832 							msg, &rdev->wiphy, chan,
2833 							state->split))
2834 						goto nla_put_failure;
2835 
2836 					nla_nest_end(msg, nl_freq);
2837 					if (state->split)
2838 						break;
2839 				}
2840 				if (i < sband->n_channels)
2841 					state->chan_start = i + 2;
2842 				else
2843 					state->chan_start = 0;
2844 				nla_nest_end(msg, nl_freqs);
2845 			}
2846 
2847 			nla_nest_end(msg, nl_band);
2848 
2849 			if (state->split) {
2850 				/* start again here */
2851 				if (state->chan_start)
2852 					band--;
2853 				break;
2854 			}
2855 		}
2856 		nla_nest_end(msg, nl_bands);
2857 
2858 		if (band < NUM_NL80211_BANDS)
2859 			state->band_start = band + 1;
2860 		else
2861 			state->band_start = 0;
2862 
2863 		/* if bands & channels are done, continue outside */
2864 		if (state->band_start == 0 && state->chan_start == 0)
2865 			state->split_start++;
2866 		if (state->split)
2867 			break;
2868 		fallthrough;
2869 	case 4:
2870 		nl_cmds = nla_nest_start_noflag(msg,
2871 						NL80211_ATTR_SUPPORTED_COMMANDS);
2872 		if (!nl_cmds)
2873 			goto nla_put_failure;
2874 
2875 		i = nl80211_add_commands_unsplit(rdev, msg);
2876 		if (i < 0)
2877 			goto nla_put_failure;
2878 		if (state->split) {
2879 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2880 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2881 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2882 				CMD(channel_switch, CHANNEL_SWITCH);
2883 			CMD(set_qos_map, SET_QOS_MAP);
2884 			if (rdev->wiphy.features &
2885 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2886 				CMD(add_tx_ts, ADD_TX_TS);
2887 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2888 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2889 			CMD(update_ft_ies, UPDATE_FT_IES);
2890 			if (rdev->wiphy.sar_capa)
2891 				CMD(set_sar_specs, SET_SAR_SPECS);
2892 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
2893 		}
2894 #undef CMD
2895 
2896 		nla_nest_end(msg, nl_cmds);
2897 		state->split_start++;
2898 		if (state->split)
2899 			break;
2900 		fallthrough;
2901 	case 5:
2902 		if (rdev->ops->remain_on_channel &&
2903 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2904 		    nla_put_u32(msg,
2905 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2906 				rdev->wiphy.max_remain_on_channel_duration))
2907 			goto nla_put_failure;
2908 
2909 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2910 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2911 			goto nla_put_failure;
2912 
2913 		state->split_start++;
2914 		if (state->split)
2915 			break;
2916 		fallthrough;
2917 	case 6:
2918 #ifdef CONFIG_PM
2919 		if (nl80211_send_wowlan(msg, rdev, state->split))
2920 			goto nla_put_failure;
2921 		state->split_start++;
2922 		if (state->split)
2923 			break;
2924 #else
2925 		state->split_start++;
2926 #endif
2927 		fallthrough;
2928 	case 7:
2929 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2930 					rdev->wiphy.software_iftypes))
2931 			goto nla_put_failure;
2932 
2933 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2934 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2935 						   rdev->wiphy.n_radio ? 0 : -1,
2936 						   state->split, 0))
2937 			goto nla_put_failure;
2938 
2939 		state->split_start++;
2940 		if (state->split)
2941 			break;
2942 		fallthrough;
2943 	case 8:
2944 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2945 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2946 				rdev->wiphy.ap_sme_capa))
2947 			goto nla_put_failure;
2948 
2949 		features = rdev->wiphy.features;
2950 		/*
2951 		 * We can only add the per-channel limit information if the
2952 		 * dump is split, otherwise it makes it too big. Therefore
2953 		 * only advertise it in that case.
2954 		 */
2955 		if (state->split)
2956 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2957 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2958 			goto nla_put_failure;
2959 
2960 		if (rdev->wiphy.ht_capa_mod_mask &&
2961 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2962 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2963 			    rdev->wiphy.ht_capa_mod_mask))
2964 			goto nla_put_failure;
2965 
2966 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2967 		    rdev->wiphy.max_acl_mac_addrs &&
2968 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2969 				rdev->wiphy.max_acl_mac_addrs))
2970 			goto nla_put_failure;
2971 
2972 		/*
2973 		 * Any information below this point is only available to
2974 		 * applications that can deal with it being split. This
2975 		 * helps ensure that newly added capabilities don't break
2976 		 * older tools by overrunning their buffers.
2977 		 *
2978 		 * We still increment split_start so that in the split
2979 		 * case we'll continue with more data in the next round,
2980 		 * but break unconditionally so unsplit data stops here.
2981 		 */
2982 		if (state->split)
2983 			state->split_start++;
2984 		else
2985 			state->split_start = 0;
2986 		break;
2987 	case 9:
2988 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2989 			goto nla_put_failure;
2990 
2991 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2992 				rdev->wiphy.max_sched_scan_plans) ||
2993 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2994 				rdev->wiphy.max_sched_scan_plan_interval) ||
2995 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2996 				rdev->wiphy.max_sched_scan_plan_iterations))
2997 			goto nla_put_failure;
2998 
2999 		if (rdev->wiphy.extended_capabilities &&
3000 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3001 			     rdev->wiphy.extended_capabilities_len,
3002 			     rdev->wiphy.extended_capabilities) ||
3003 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3004 			     rdev->wiphy.extended_capabilities_len,
3005 			     rdev->wiphy.extended_capabilities_mask)))
3006 			goto nla_put_failure;
3007 
3008 		if (rdev->wiphy.vht_capa_mod_mask &&
3009 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3010 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3011 			    rdev->wiphy.vht_capa_mod_mask))
3012 			goto nla_put_failure;
3013 
3014 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3015 			    rdev->wiphy.perm_addr))
3016 			goto nla_put_failure;
3017 
3018 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3019 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3020 			    rdev->wiphy.addr_mask))
3021 			goto nla_put_failure;
3022 
3023 		if (rdev->wiphy.n_addresses > 1) {
3024 			void *attr;
3025 
3026 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3027 			if (!attr)
3028 				goto nla_put_failure;
3029 
3030 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3031 				if (nla_put(msg, i + 1, ETH_ALEN,
3032 					    rdev->wiphy.addresses[i].addr))
3033 					goto nla_put_failure;
3034 
3035 			nla_nest_end(msg, attr);
3036 		}
3037 
3038 		state->split_start++;
3039 		break;
3040 	case 10:
3041 		if (nl80211_send_coalesce(msg, rdev))
3042 			goto nla_put_failure;
3043 
3044 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3045 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3046 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3047 			goto nla_put_failure;
3048 
3049 		if (rdev->wiphy.max_ap_assoc_sta &&
3050 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3051 				rdev->wiphy.max_ap_assoc_sta))
3052 			goto nla_put_failure;
3053 
3054 		state->split_start++;
3055 		break;
3056 	case 11:
3057 		if (rdev->wiphy.n_vendor_commands) {
3058 			const struct nl80211_vendor_cmd_info *info;
3059 			struct nlattr *nested;
3060 
3061 			nested = nla_nest_start_noflag(msg,
3062 						       NL80211_ATTR_VENDOR_DATA);
3063 			if (!nested)
3064 				goto nla_put_failure;
3065 
3066 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3067 				info = &rdev->wiphy.vendor_commands[i].info;
3068 				if (nla_put(msg, i + 1, sizeof(*info), info))
3069 					goto nla_put_failure;
3070 			}
3071 			nla_nest_end(msg, nested);
3072 		}
3073 
3074 		if (rdev->wiphy.n_vendor_events) {
3075 			const struct nl80211_vendor_cmd_info *info;
3076 			struct nlattr *nested;
3077 
3078 			nested = nla_nest_start_noflag(msg,
3079 						       NL80211_ATTR_VENDOR_EVENTS);
3080 			if (!nested)
3081 				goto nla_put_failure;
3082 
3083 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3084 				info = &rdev->wiphy.vendor_events[i];
3085 				if (nla_put(msg, i + 1, sizeof(*info), info))
3086 					goto nla_put_failure;
3087 			}
3088 			nla_nest_end(msg, nested);
3089 		}
3090 		state->split_start++;
3091 		break;
3092 	case 12:
3093 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3094 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3095 			       rdev->wiphy.max_num_csa_counters))
3096 			goto nla_put_failure;
3097 
3098 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3099 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3100 			goto nla_put_failure;
3101 
3102 		if (rdev->wiphy.max_sched_scan_reqs &&
3103 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3104 				rdev->wiphy.max_sched_scan_reqs))
3105 			goto nla_put_failure;
3106 
3107 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3108 			    sizeof(rdev->wiphy.ext_features),
3109 			    rdev->wiphy.ext_features))
3110 			goto nla_put_failure;
3111 
3112 		if (rdev->wiphy.bss_param_support) {
3113 			struct nlattr *nested;
3114 			u32 parsup = rdev->wiphy.bss_param_support;
3115 
3116 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3117 			if (!nested)
3118 				goto nla_put_failure;
3119 
3120 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3121 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3122 				goto nla_put_failure;
3123 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3124 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3125 				goto nla_put_failure;
3126 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3127 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3128 				goto nla_put_failure;
3129 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3130 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3131 				goto nla_put_failure;
3132 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3133 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3134 				goto nla_put_failure;
3135 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3136 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3137 				goto nla_put_failure;
3138 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3139 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3140 				goto nla_put_failure;
3141 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3142 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3143 				goto nla_put_failure;
3144 			nla_nest_end(msg, nested);
3145 		}
3146 		if (rdev->wiphy.bss_select_support) {
3147 			struct nlattr *nested;
3148 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3149 
3150 			nested = nla_nest_start_noflag(msg,
3151 						       NL80211_ATTR_BSS_SELECT);
3152 			if (!nested)
3153 				goto nla_put_failure;
3154 
3155 			i = 0;
3156 			while (bss_select_support) {
3157 				if ((bss_select_support & 1) &&
3158 				    nla_put_flag(msg, i))
3159 					goto nla_put_failure;
3160 				i++;
3161 				bss_select_support >>= 1;
3162 			}
3163 			nla_nest_end(msg, nested);
3164 		}
3165 
3166 		state->split_start++;
3167 		break;
3168 	case 13:
3169 		if (rdev->wiphy.num_iftype_ext_capab &&
3170 		    rdev->wiphy.iftype_ext_capab) {
3171 			struct nlattr *nested_ext_capab, *nested;
3172 
3173 			nested = nla_nest_start_noflag(msg,
3174 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3175 			if (!nested)
3176 				goto nla_put_failure;
3177 
3178 			for (i = state->capa_start;
3179 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3180 				const struct wiphy_iftype_ext_capab *capab;
3181 
3182 				capab = &rdev->wiphy.iftype_ext_capab[i];
3183 
3184 				nested_ext_capab = nla_nest_start_noflag(msg,
3185 									 i);
3186 				if (!nested_ext_capab ||
3187 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3188 						capab->iftype) ||
3189 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3190 					    capab->extended_capabilities_len,
3191 					    capab->extended_capabilities) ||
3192 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3193 					    capab->extended_capabilities_len,
3194 					    capab->extended_capabilities_mask))
3195 					goto nla_put_failure;
3196 
3197 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3198 				    (nla_put_u16(msg,
3199 						 NL80211_ATTR_EML_CAPABILITY,
3200 						 capab->eml_capabilities) ||
3201 				     nla_put_u16(msg,
3202 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3203 						 capab->mld_capa_and_ops)))
3204 					goto nla_put_failure;
3205 
3206 				nla_nest_end(msg, nested_ext_capab);
3207 				if (state->split)
3208 					break;
3209 			}
3210 			nla_nest_end(msg, nested);
3211 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3212 				state->capa_start = i + 1;
3213 				break;
3214 			}
3215 		}
3216 
3217 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3218 				rdev->wiphy.nan_supported_bands))
3219 			goto nla_put_failure;
3220 
3221 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3222 					    NL80211_EXT_FEATURE_TXQS)) {
3223 			struct cfg80211_txq_stats txqstats = {};
3224 			int res;
3225 
3226 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3227 			if (!res &&
3228 			    !nl80211_put_txq_stats(msg, &txqstats,
3229 						   NL80211_ATTR_TXQ_STATS))
3230 				goto nla_put_failure;
3231 
3232 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3233 					rdev->wiphy.txq_limit))
3234 				goto nla_put_failure;
3235 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3236 					rdev->wiphy.txq_memory_limit))
3237 				goto nla_put_failure;
3238 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3239 					rdev->wiphy.txq_quantum))
3240 				goto nla_put_failure;
3241 		}
3242 
3243 		state->split_start++;
3244 		break;
3245 	case 14:
3246 		if (nl80211_send_pmsr_capa(rdev, msg))
3247 			goto nla_put_failure;
3248 
3249 		state->split_start++;
3250 		break;
3251 	case 15:
3252 		if (rdev->wiphy.akm_suites &&
3253 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3254 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3255 			    rdev->wiphy.akm_suites))
3256 			goto nla_put_failure;
3257 
3258 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3259 			goto nla_put_failure;
3260 
3261 		if (nl80211_put_tid_config_support(rdev, msg))
3262 			goto nla_put_failure;
3263 		state->split_start++;
3264 		break;
3265 	case 16:
3266 		if (nl80211_put_sar_specs(rdev, msg))
3267 			goto nla_put_failure;
3268 
3269 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3270 			goto nla_put_failure;
3271 
3272 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3273 				rdev->wiphy.max_num_akm_suites))
3274 			goto nla_put_failure;
3275 
3276 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3277 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3278 
3279 		if (rdev->wiphy.hw_timestamp_max_peers &&
3280 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3281 				rdev->wiphy.hw_timestamp_max_peers))
3282 			goto nla_put_failure;
3283 
3284 		state->split_start++;
3285 		break;
3286 	case 17:
3287 		if (nl80211_put_radios(&rdev->wiphy, msg))
3288 			goto nla_put_failure;
3289 
3290 		state->split_start++;
3291 		break;
3292 	case 18:
3293 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3294 			goto nla_put_failure;
3295 
3296 		/* done */
3297 		state->split_start = 0;
3298 		break;
3299 	}
3300  finish:
3301 	genlmsg_end(msg, hdr);
3302 	return 0;
3303 
3304  nla_put_failure:
3305 	genlmsg_cancel(msg, hdr);
3306 	return -EMSGSIZE;
3307 }
3308 
3309 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3310 				    struct netlink_callback *cb,
3311 				    struct nl80211_dump_wiphy_state *state)
3312 {
3313 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3314 	int ret;
3315 
3316 	if (!tb)
3317 		return -ENOMEM;
3318 
3319 	ret = nlmsg_parse_deprecated(cb->nlh,
3320 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3321 				     tb, nl80211_fam.maxattr,
3322 				     nl80211_policy, NULL);
3323 	/* ignore parse errors for backward compatibility */
3324 	if (ret) {
3325 		ret = 0;
3326 		goto out;
3327 	}
3328 
3329 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3330 	if (tb[NL80211_ATTR_WIPHY])
3331 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3332 	if (tb[NL80211_ATTR_WDEV])
3333 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3334 	if (tb[NL80211_ATTR_IFINDEX]) {
3335 		struct net_device *netdev;
3336 		struct cfg80211_registered_device *rdev;
3337 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3338 
3339 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3340 		if (!netdev) {
3341 			ret = -ENODEV;
3342 			goto out;
3343 		}
3344 		if (netdev->ieee80211_ptr) {
3345 			rdev = wiphy_to_rdev(
3346 				netdev->ieee80211_ptr->wiphy);
3347 			state->filter_wiphy = rdev->wiphy_idx;
3348 		}
3349 	}
3350 
3351 	ret = 0;
3352 out:
3353 	kfree(tb);
3354 	return ret;
3355 }
3356 
3357 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3358 {
3359 	int idx = 0, ret;
3360 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3361 	struct cfg80211_registered_device *rdev;
3362 
3363 	rtnl_lock();
3364 	if (!state) {
3365 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3366 		if (!state) {
3367 			rtnl_unlock();
3368 			return -ENOMEM;
3369 		}
3370 		state->filter_wiphy = -1;
3371 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3372 		if (ret) {
3373 			kfree(state);
3374 			rtnl_unlock();
3375 			return ret;
3376 		}
3377 		cb->args[0] = (long)state;
3378 	}
3379 
3380 	for_each_rdev(rdev) {
3381 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3382 			continue;
3383 		if (++idx <= state->start)
3384 			continue;
3385 		if (state->filter_wiphy != -1 &&
3386 		    state->filter_wiphy != rdev->wiphy_idx)
3387 			continue;
3388 		wiphy_lock(&rdev->wiphy);
3389 		/* attempt to fit multiple wiphy data chunks into the skb */
3390 		do {
3391 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3392 						 skb,
3393 						 NETLINK_CB(cb->skb).portid,
3394 						 cb->nlh->nlmsg_seq,
3395 						 NLM_F_MULTI, state);
3396 			if (ret < 0) {
3397 				/*
3398 				 * If sending the wiphy data didn't fit (ENOBUFS
3399 				 * or EMSGSIZE returned), this SKB is still
3400 				 * empty (so it's not too big because another
3401 				 * wiphy dataset is already in the skb) and
3402 				 * we've not tried to adjust the dump allocation
3403 				 * yet ... then adjust the alloc size to be
3404 				 * bigger, and return 1 but with the empty skb.
3405 				 * This results in an empty message being RX'ed
3406 				 * in userspace, but that is ignored.
3407 				 *
3408 				 * We can then retry with the larger buffer.
3409 				 */
3410 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3411 				    !skb->len && !state->split &&
3412 				    cb->min_dump_alloc < 4096) {
3413 					cb->min_dump_alloc = 4096;
3414 					state->split_start = 0;
3415 					wiphy_unlock(&rdev->wiphy);
3416 					rtnl_unlock();
3417 					return 1;
3418 				}
3419 				idx--;
3420 				break;
3421 			}
3422 		} while (state->split_start > 0);
3423 		wiphy_unlock(&rdev->wiphy);
3424 		break;
3425 	}
3426 	rtnl_unlock();
3427 
3428 	state->start = idx;
3429 
3430 	return skb->len;
3431 }
3432 
3433 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3434 {
3435 	kfree((void *)cb->args[0]);
3436 	return 0;
3437 }
3438 
3439 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3440 {
3441 	struct sk_buff *msg;
3442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3443 	struct nl80211_dump_wiphy_state state = {};
3444 
3445 	msg = nlmsg_new(4096, GFP_KERNEL);
3446 	if (!msg)
3447 		return -ENOMEM;
3448 
3449 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3450 			       info->snd_portid, info->snd_seq, 0,
3451 			       &state) < 0) {
3452 		nlmsg_free(msg);
3453 		return -ENOBUFS;
3454 	}
3455 
3456 	return genlmsg_reply(msg, info);
3457 }
3458 
3459 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3460 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3461 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3462 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3463 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3464 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3465 };
3466 
3467 static int parse_txq_params(struct nlattr *tb[],
3468 			    struct ieee80211_txq_params *txq_params)
3469 {
3470 	u8 ac;
3471 
3472 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3473 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3474 	    !tb[NL80211_TXQ_ATTR_AIFS])
3475 		return -EINVAL;
3476 
3477 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3478 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3479 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3480 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3481 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3482 
3483 	if (ac >= NL80211_NUM_ACS)
3484 		return -EINVAL;
3485 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3486 	return 0;
3487 }
3488 
3489 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3490 {
3491 	/*
3492 	 * You can only set the channel explicitly for some interfaces,
3493 	 * most have their channel managed via their respective
3494 	 * "establish a connection" command (connect, join, ...)
3495 	 *
3496 	 * For AP/GO and mesh mode, the channel can be set with the
3497 	 * channel userspace API, but is only stored and passed to the
3498 	 * low-level driver when the AP starts or the mesh is joined.
3499 	 * This is for backward compatibility, userspace can also give
3500 	 * the channel in the start-ap or join-mesh commands instead.
3501 	 *
3502 	 * Monitors are special as they are normally slaved to
3503 	 * whatever else is going on, so they have their own special
3504 	 * operation to set the monitor channel if possible.
3505 	 */
3506 	return !wdev ||
3507 		wdev->iftype == NL80211_IFTYPE_AP ||
3508 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3509 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3510 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3511 }
3512 
3513 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3514 				  struct genl_info *info, bool monitor,
3515 				  struct cfg80211_chan_def *chandef)
3516 {
3517 	struct netlink_ext_ack *extack = info->extack;
3518 	struct nlattr **attrs = info->attrs;
3519 	u32 control_freq;
3520 
3521 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3522 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3523 				    "Frequency is missing");
3524 		return -EINVAL;
3525 	}
3526 
3527 	control_freq = MHZ_TO_KHZ(
3528 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3529 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3530 		control_freq +=
3531 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3532 
3533 	memset(chandef, 0, sizeof(*chandef));
3534 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3535 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3536 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3537 	chandef->freq1_offset = control_freq % 1000;
3538 	chandef->center_freq2 = 0;
3539 	chandef->s1g_primary_2mhz = false;
3540 
3541 	if (!chandef->chan) {
3542 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3543 				    "Unknown channel");
3544 		return -EINVAL;
3545 	}
3546 
3547 	if (cfg80211_chandef_is_s1g(chandef))
3548 		chandef->width = NL80211_CHAN_WIDTH_1;
3549 
3550 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3551 		enum nl80211_channel_type chantype;
3552 
3553 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3554 
3555 		switch (chantype) {
3556 		case NL80211_CHAN_NO_HT:
3557 		case NL80211_CHAN_HT20:
3558 		case NL80211_CHAN_HT40PLUS:
3559 		case NL80211_CHAN_HT40MINUS:
3560 			cfg80211_chandef_create(chandef, chandef->chan,
3561 						chantype);
3562 			/* user input for center_freq is incorrect */
3563 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3564 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3565 				NL_SET_ERR_MSG_ATTR(extack,
3566 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3567 						    "bad center frequency 1");
3568 				return -EINVAL;
3569 			}
3570 			/* center_freq2 must be zero */
3571 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3572 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3573 				NL_SET_ERR_MSG_ATTR(extack,
3574 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3575 						    "center frequency 2 can't be used");
3576 				return -EINVAL;
3577 			}
3578 			break;
3579 		default:
3580 			NL_SET_ERR_MSG_ATTR(extack,
3581 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3582 					    "invalid channel type");
3583 			return -EINVAL;
3584 		}
3585 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3586 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3587 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3588 			chandef->center_freq1 =
3589 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3590 			chandef->freq1_offset = nla_get_u32_default(
3591 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
3592 		}
3593 
3594 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3595 			chandef->center_freq2 =
3596 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3597 
3598 		chandef->s1g_primary_2mhz = nla_get_flag(
3599 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
3600 	}
3601 
3602 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3603 		chandef->edmg.channels =
3604 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3605 
3606 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3607 			chandef->edmg.bw_config =
3608 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3609 	} else {
3610 		chandef->edmg.bw_config = 0;
3611 		chandef->edmg.channels = 0;
3612 	}
3613 
3614 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3615 		chandef->punctured =
3616 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3617 
3618 		if (chandef->punctured &&
3619 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3620 					     NL80211_EXT_FEATURE_PUNCT)) {
3621 			NL_SET_ERR_MSG(extack,
3622 				       "driver doesn't support puncturing");
3623 			return -EINVAL;
3624 		}
3625 	}
3626 
3627 	if (!cfg80211_chandef_valid(chandef)) {
3628 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3629 		return -EINVAL;
3630 	}
3631 
3632 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3633 				      IEEE80211_CHAN_DISABLED,
3634 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3635 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3636 		return -EINVAL;
3637 	}
3638 
3639 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3640 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3641 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3642 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3643 		return -EINVAL;
3644 	}
3645 
3646 	return 0;
3647 }
3648 
3649 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3650 			  struct genl_info *info,
3651 			  struct cfg80211_chan_def *chandef)
3652 {
3653 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3654 }
3655 
3656 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3657 				 struct net_device *dev,
3658 				 struct genl_info *info,
3659 				 int _link_id)
3660 {
3661 	struct cfg80211_chan_def chandef;
3662 	int result;
3663 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3664 	struct wireless_dev *wdev = NULL;
3665 	int link_id = _link_id;
3666 
3667 	if (dev)
3668 		wdev = dev->ieee80211_ptr;
3669 	if (!nl80211_can_set_dev_channel(wdev))
3670 		return -EOPNOTSUPP;
3671 	if (wdev)
3672 		iftype = wdev->iftype;
3673 
3674 	if (link_id < 0) {
3675 		if (wdev && wdev->valid_links)
3676 			return -EINVAL;
3677 		link_id = 0;
3678 	}
3679 
3680 	result = _nl80211_parse_chandef(rdev, info,
3681 					iftype == NL80211_IFTYPE_MONITOR,
3682 					&chandef);
3683 	if (result)
3684 		return result;
3685 
3686 	switch (iftype) {
3687 	case NL80211_IFTYPE_AP:
3688 	case NL80211_IFTYPE_P2P_GO:
3689 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3690 						   iftype))
3691 			return -EINVAL;
3692 		if (wdev->links[link_id].ap.beacon_interval) {
3693 			struct ieee80211_channel *cur_chan;
3694 
3695 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3696 			    !(rdev->wiphy.features &
3697 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3698 				return -EBUSY;
3699 
3700 			/* Only allow dynamic channel width changes */
3701 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3702 			if (chandef.chan != cur_chan)
3703 				return -EBUSY;
3704 
3705 			/* only allow this for regular channel widths */
3706 			switch (wdev->links[link_id].ap.chandef.width) {
3707 			case NL80211_CHAN_WIDTH_20_NOHT:
3708 			case NL80211_CHAN_WIDTH_20:
3709 			case NL80211_CHAN_WIDTH_40:
3710 			case NL80211_CHAN_WIDTH_80:
3711 			case NL80211_CHAN_WIDTH_80P80:
3712 			case NL80211_CHAN_WIDTH_160:
3713 			case NL80211_CHAN_WIDTH_320:
3714 				break;
3715 			default:
3716 				return -EINVAL;
3717 			}
3718 
3719 			switch (chandef.width) {
3720 			case NL80211_CHAN_WIDTH_20_NOHT:
3721 			case NL80211_CHAN_WIDTH_20:
3722 			case NL80211_CHAN_WIDTH_40:
3723 			case NL80211_CHAN_WIDTH_80:
3724 			case NL80211_CHAN_WIDTH_80P80:
3725 			case NL80211_CHAN_WIDTH_160:
3726 			case NL80211_CHAN_WIDTH_320:
3727 				break;
3728 			default:
3729 				return -EINVAL;
3730 			}
3731 
3732 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3733 						       &chandef);
3734 			if (result)
3735 				return result;
3736 			wdev->links[link_id].ap.chandef = chandef;
3737 		} else {
3738 			wdev->u.ap.preset_chandef = chandef;
3739 		}
3740 		return 0;
3741 	case NL80211_IFTYPE_MESH_POINT:
3742 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3743 	case NL80211_IFTYPE_MONITOR:
3744 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3745 	default:
3746 		break;
3747 	}
3748 
3749 	return -EINVAL;
3750 }
3751 
3752 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3753 {
3754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3755 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3756 	struct net_device *netdev = info->user_ptr[1];
3757 
3758 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3759 }
3760 
3761 static int nl80211_set_wiphy_radio(struct genl_info *info,
3762 				   struct cfg80211_registered_device *rdev,
3763 				   int radio_idx)
3764 {
3765 	u32 rts_threshold = 0, old_rts, changed = 0;
3766 	int result;
3767 
3768 	if (!rdev->ops->set_wiphy_params)
3769 		return -EOPNOTSUPP;
3770 
3771 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3772 		rts_threshold = nla_get_u32(
3773 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3774 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3775 	}
3776 
3777 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
3778 
3779 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
3780 
3781 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3782 	if (result)
3783 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
3784 
3785 	return 0;
3786 }
3787 
3788 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3789 {
3790 	struct cfg80211_registered_device *rdev = NULL;
3791 	struct net_device *netdev = NULL;
3792 	struct wireless_dev *wdev;
3793 	int result = 0, rem_txq_params = 0;
3794 	struct nlattr *nl_txq_params;
3795 	u32 changed;
3796 	u8 retry_short = 0, retry_long = 0;
3797 	u32 frag_threshold = 0, rts_threshold = 0;
3798 	u8 coverage_class = 0;
3799 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3800 	int radio_idx = -1;
3801 
3802 	rtnl_lock();
3803 	/*
3804 	 * Try to find the wiphy and netdev. Normally this
3805 	 * function shouldn't need the netdev, but this is
3806 	 * done for backward compatibility -- previously
3807 	 * setting the channel was done per wiphy, but now
3808 	 * it is per netdev. Previous userland like hostapd
3809 	 * also passed a netdev to set_wiphy, so that it is
3810 	 * possible to let that go to the right netdev!
3811 	 */
3812 
3813 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3814 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3815 
3816 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3817 		if (netdev && netdev->ieee80211_ptr)
3818 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3819 		else
3820 			netdev = NULL;
3821 	}
3822 
3823 	if (!netdev) {
3824 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3825 						  info->attrs);
3826 		if (IS_ERR(rdev)) {
3827 			rtnl_unlock();
3828 			return PTR_ERR(rdev);
3829 		}
3830 		wdev = NULL;
3831 		netdev = NULL;
3832 		result = 0;
3833 	} else
3834 		wdev = netdev->ieee80211_ptr;
3835 
3836 	guard(wiphy)(&rdev->wiphy);
3837 
3838 	/*
3839 	 * end workaround code, by now the rdev is available
3840 	 * and locked, and wdev may or may not be NULL.
3841 	 */
3842 
3843 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3844 		result = cfg80211_dev_rename(
3845 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3846 	rtnl_unlock();
3847 
3848 	if (result)
3849 		return result;
3850 
3851 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
3852 		/* Radio idx is not expected for non-multi radio wiphy */
3853 		if (rdev->wiphy.n_radio <= 0)
3854 			return -EINVAL;
3855 
3856 		radio_idx = nla_get_u8(
3857 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
3858 		if (radio_idx >= rdev->wiphy.n_radio)
3859 			return -EINVAL;
3860 
3861 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
3862 	}
3863 
3864 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3865 		struct ieee80211_txq_params txq_params;
3866 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3867 
3868 		if (!rdev->ops->set_txq_params)
3869 			return -EOPNOTSUPP;
3870 
3871 		if (!netdev)
3872 			return -EINVAL;
3873 
3874 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3875 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3876 			return -EINVAL;
3877 
3878 		if (!netif_running(netdev))
3879 			return -ENETDOWN;
3880 
3881 		nla_for_each_nested(nl_txq_params,
3882 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3883 				    rem_txq_params) {
3884 			result = nla_parse_nested_deprecated(tb,
3885 							     NL80211_TXQ_ATTR_MAX,
3886 							     nl_txq_params,
3887 							     txq_params_policy,
3888 							     info->extack);
3889 			if (result)
3890 				return result;
3891 
3892 			result = parse_txq_params(tb, &txq_params);
3893 			if (result)
3894 				return result;
3895 
3896 			txq_params.link_id =
3897 				nl80211_link_id_or_invalid(info->attrs);
3898 
3899 			if (txq_params.link_id >= 0 &&
3900 			    !(netdev->ieee80211_ptr->valid_links &
3901 			      BIT(txq_params.link_id)))
3902 				result = -ENOLINK;
3903 			else if (txq_params.link_id >= 0 &&
3904 				 !netdev->ieee80211_ptr->valid_links)
3905 				result = -EINVAL;
3906 			else
3907 				result = rdev_set_txq_params(rdev, netdev,
3908 							     &txq_params);
3909 			if (result)
3910 				return result;
3911 		}
3912 	}
3913 
3914 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3915 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3916 
3917 		if (wdev) {
3918 			result = __nl80211_set_channel(
3919 				rdev,
3920 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3921 				info, link_id);
3922 		} else {
3923 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3924 		}
3925 
3926 		if (result)
3927 			return result;
3928 	}
3929 
3930 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3931 		struct wireless_dev *txp_wdev = wdev;
3932 		enum nl80211_tx_power_setting type;
3933 		int idx, mbm = 0;
3934 
3935 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3936 			txp_wdev = NULL;
3937 
3938 		if (!rdev->ops->set_tx_power)
3939 			return -EOPNOTSUPP;
3940 
3941 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3942 		type = nla_get_u32(info->attrs[idx]);
3943 
3944 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3945 		    (type != NL80211_TX_POWER_AUTOMATIC))
3946 			return -EINVAL;
3947 
3948 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3949 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3950 			mbm = nla_get_u32(info->attrs[idx]);
3951 		}
3952 
3953 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
3954 					   mbm);
3955 		if (result)
3956 			return result;
3957 	}
3958 
3959 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3960 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3961 		u32 tx_ant, rx_ant;
3962 
3963 		if ((!rdev->wiphy.available_antennas_tx &&
3964 		     !rdev->wiphy.available_antennas_rx) ||
3965 		    !rdev->ops->set_antenna)
3966 			return -EOPNOTSUPP;
3967 
3968 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3969 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3970 
3971 		/* reject antenna configurations which don't match the
3972 		 * available antenna masks, except for the "all" mask */
3973 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3974 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3975 			return -EINVAL;
3976 
3977 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3978 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3979 
3980 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
3981 		if (result)
3982 			return result;
3983 	}
3984 
3985 	changed = 0;
3986 
3987 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3988 		retry_short = nla_get_u8(
3989 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3990 
3991 		changed |= WIPHY_PARAM_RETRY_SHORT;
3992 	}
3993 
3994 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3995 		retry_long = nla_get_u8(
3996 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3997 
3998 		changed |= WIPHY_PARAM_RETRY_LONG;
3999 	}
4000 
4001 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4002 		frag_threshold = nla_get_u32(
4003 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4004 		if (frag_threshold < 256)
4005 			return -EINVAL;
4006 
4007 		if (frag_threshold != (u32) -1) {
4008 			/*
4009 			 * Fragments (apart from the last one) are required to
4010 			 * have even length. Make the fragmentation code
4011 			 * simpler by stripping LSB should someone try to use
4012 			 * odd threshold value.
4013 			 */
4014 			frag_threshold &= ~0x1;
4015 		}
4016 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4017 	}
4018 
4019 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4020 		rts_threshold = nla_get_u32(
4021 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4022 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4023 	}
4024 
4025 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4026 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4027 			return -EINVAL;
4028 
4029 		coverage_class = nla_get_u8(
4030 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4031 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4032 	}
4033 
4034 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4035 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4036 			return -EOPNOTSUPP;
4037 
4038 		changed |= WIPHY_PARAM_DYN_ACK;
4039 	}
4040 
4041 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4042 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4043 					     NL80211_EXT_FEATURE_TXQS))
4044 			return -EOPNOTSUPP;
4045 
4046 		txq_limit = nla_get_u32(
4047 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4048 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4049 	}
4050 
4051 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4052 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4053 					     NL80211_EXT_FEATURE_TXQS))
4054 			return -EOPNOTSUPP;
4055 
4056 		txq_memory_limit = nla_get_u32(
4057 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4058 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4059 	}
4060 
4061 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4062 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4063 					     NL80211_EXT_FEATURE_TXQS))
4064 			return -EOPNOTSUPP;
4065 
4066 		txq_quantum = nla_get_u32(
4067 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4068 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4069 	}
4070 
4071 	if (changed) {
4072 		u8 old_retry_short, old_retry_long;
4073 		u32 old_frag_threshold, old_rts_threshold;
4074 		u8 old_coverage_class, i;
4075 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4076 		u32 *old_radio_rts_threshold = NULL;
4077 
4078 		if (!rdev->ops->set_wiphy_params)
4079 			return -EOPNOTSUPP;
4080 
4081 		if (rdev->wiphy.n_radio) {
4082 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4083 							  sizeof(u32),
4084 							  GFP_KERNEL);
4085 			if (!old_radio_rts_threshold)
4086 				return -ENOMEM;
4087 		}
4088 
4089 		old_retry_short = rdev->wiphy.retry_short;
4090 		old_retry_long = rdev->wiphy.retry_long;
4091 		old_frag_threshold = rdev->wiphy.frag_threshold;
4092 		old_rts_threshold = rdev->wiphy.rts_threshold;
4093 		if (old_radio_rts_threshold) {
4094 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4095 				old_radio_rts_threshold[i] =
4096 					rdev->wiphy.radio_cfg[i].rts_threshold;
4097 		}
4098 		old_coverage_class = rdev->wiphy.coverage_class;
4099 		old_txq_limit = rdev->wiphy.txq_limit;
4100 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4101 		old_txq_quantum = rdev->wiphy.txq_quantum;
4102 
4103 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4104 			rdev->wiphy.retry_short = retry_short;
4105 		if (changed & WIPHY_PARAM_RETRY_LONG)
4106 			rdev->wiphy.retry_long = retry_long;
4107 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4108 			rdev->wiphy.frag_threshold = frag_threshold;
4109 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4110 		    old_radio_rts_threshold) {
4111 			rdev->wiphy.rts_threshold = rts_threshold;
4112 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4113 				rdev->wiphy.radio_cfg[i].rts_threshold =
4114 					rdev->wiphy.rts_threshold;
4115 		}
4116 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4117 			rdev->wiphy.coverage_class = coverage_class;
4118 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4119 			rdev->wiphy.txq_limit = txq_limit;
4120 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4121 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4122 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4123 			rdev->wiphy.txq_quantum = txq_quantum;
4124 
4125 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4126 		if (result) {
4127 			rdev->wiphy.retry_short = old_retry_short;
4128 			rdev->wiphy.retry_long = old_retry_long;
4129 			rdev->wiphy.frag_threshold = old_frag_threshold;
4130 			rdev->wiphy.rts_threshold = old_rts_threshold;
4131 			if (old_radio_rts_threshold) {
4132 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4133 					rdev->wiphy.radio_cfg[i].rts_threshold =
4134 						old_radio_rts_threshold[i];
4135 			}
4136 			rdev->wiphy.coverage_class = old_coverage_class;
4137 			rdev->wiphy.txq_limit = old_txq_limit;
4138 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4139 			rdev->wiphy.txq_quantum = old_txq_quantum;
4140 		}
4141 
4142 		kfree(old_radio_rts_threshold);
4143 		return result;
4144 	}
4145 
4146 	return 0;
4147 }
4148 
4149 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4150 {
4151 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4152 		return -EINVAL;
4153 
4154 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4155 			chandef->chan->center_freq))
4156 		return -ENOBUFS;
4157 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4158 			chandef->chan->freq_offset))
4159 		return -ENOBUFS;
4160 	switch (chandef->width) {
4161 	case NL80211_CHAN_WIDTH_20_NOHT:
4162 	case NL80211_CHAN_WIDTH_20:
4163 	case NL80211_CHAN_WIDTH_40:
4164 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4165 				cfg80211_get_chandef_type(chandef)))
4166 			return -ENOBUFS;
4167 		break;
4168 	default:
4169 		break;
4170 	}
4171 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4172 		return -ENOBUFS;
4173 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4174 		return -ENOBUFS;
4175 	if (chandef->center_freq2 &&
4176 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4177 		return -ENOBUFS;
4178 	if (chandef->punctured &&
4179 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4180 		return -ENOBUFS;
4181 
4182 	return 0;
4183 }
4184 EXPORT_SYMBOL(nl80211_send_chandef);
4185 
4186 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4187 			      struct cfg80211_registered_device *rdev,
4188 			      struct wireless_dev *wdev,
4189 			      enum nl80211_commands cmd)
4190 {
4191 	struct net_device *dev = wdev->netdev;
4192 	void *hdr;
4193 
4194 	lockdep_assert_wiphy(&rdev->wiphy);
4195 
4196 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4197 		cmd != NL80211_CMD_DEL_INTERFACE &&
4198 		cmd != NL80211_CMD_SET_INTERFACE);
4199 
4200 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4201 	if (!hdr)
4202 		return -1;
4203 
4204 	if (dev &&
4205 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4206 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4207 		goto nla_put_failure;
4208 
4209 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4210 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4211 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4212 			      NL80211_ATTR_PAD) ||
4213 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4214 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4215 			rdev->devlist_generation ^
4216 			(cfg80211_rdev_list_generation << 2)) ||
4217 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4218 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4219 		goto nla_put_failure;
4220 
4221 	if (rdev->ops->get_channel && !wdev->valid_links) {
4222 		struct cfg80211_chan_def chandef = {};
4223 		int ret;
4224 
4225 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4226 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4227 			goto nla_put_failure;
4228 	}
4229 
4230 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4231 		int dbm, ret;
4232 
4233 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4234 		if (ret == 0 &&
4235 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4236 				DBM_TO_MBM(dbm)))
4237 			goto nla_put_failure;
4238 	}
4239 
4240 	switch (wdev->iftype) {
4241 	case NL80211_IFTYPE_AP:
4242 	case NL80211_IFTYPE_P2P_GO:
4243 		if (wdev->u.ap.ssid_len &&
4244 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4245 			    wdev->u.ap.ssid))
4246 			goto nla_put_failure;
4247 		break;
4248 	case NL80211_IFTYPE_STATION:
4249 	case NL80211_IFTYPE_P2P_CLIENT:
4250 		if (wdev->u.client.ssid_len &&
4251 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4252 			    wdev->u.client.ssid))
4253 			goto nla_put_failure;
4254 		break;
4255 	case NL80211_IFTYPE_ADHOC:
4256 		if (wdev->u.ibss.ssid_len &&
4257 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4258 			    wdev->u.ibss.ssid))
4259 			goto nla_put_failure;
4260 		break;
4261 	default:
4262 		/* nothing */
4263 		break;
4264 	}
4265 
4266 	if (rdev->ops->get_txq_stats) {
4267 		struct cfg80211_txq_stats txqstats = {};
4268 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4269 
4270 		if (ret == 0 &&
4271 		    !nl80211_put_txq_stats(msg, &txqstats,
4272 					   NL80211_ATTR_TXQ_STATS))
4273 			goto nla_put_failure;
4274 	}
4275 
4276 	if (wdev->valid_links) {
4277 		unsigned int link_id;
4278 		struct nlattr *links = nla_nest_start(msg,
4279 						      NL80211_ATTR_MLO_LINKS);
4280 
4281 		if (!links)
4282 			goto nla_put_failure;
4283 
4284 		for_each_valid_link(wdev, link_id) {
4285 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4286 			struct cfg80211_chan_def chandef = {};
4287 			int ret;
4288 
4289 			if (!link)
4290 				goto nla_put_failure;
4291 
4292 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4293 				goto nla_put_failure;
4294 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4295 				    wdev->links[link_id].addr))
4296 				goto nla_put_failure;
4297 
4298 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4299 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4300 				goto nla_put_failure;
4301 
4302 			if (rdev->ops->get_tx_power) {
4303 				int dbm, ret;
4304 
4305 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4306 				if (ret == 0 &&
4307 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4308 						DBM_TO_MBM(dbm)))
4309 					goto nla_put_failure;
4310 			}
4311 			nla_nest_end(msg, link);
4312 		}
4313 
4314 		nla_nest_end(msg, links);
4315 	}
4316 
4317 	genlmsg_end(msg, hdr);
4318 	return 0;
4319 
4320  nla_put_failure:
4321 	genlmsg_cancel(msg, hdr);
4322 	return -EMSGSIZE;
4323 }
4324 
4325 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4326 {
4327 	int wp_idx = 0;
4328 	int if_idx = 0;
4329 	int wp_start = cb->args[0];
4330 	int if_start = cb->args[1];
4331 	int filter_wiphy = -1;
4332 	struct cfg80211_registered_device *rdev;
4333 	struct wireless_dev *wdev;
4334 	int ret;
4335 
4336 	rtnl_lock();
4337 	if (!cb->args[2]) {
4338 		struct nl80211_dump_wiphy_state state = {
4339 			.filter_wiphy = -1,
4340 		};
4341 
4342 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4343 		if (ret)
4344 			goto out_unlock;
4345 
4346 		filter_wiphy = state.filter_wiphy;
4347 
4348 		/*
4349 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4350 		 * value needed to determine that parsing is necessary.
4351 		 */
4352 		if (filter_wiphy >= 0)
4353 			cb->args[2] = filter_wiphy + 1;
4354 		else
4355 			cb->args[2] = -1;
4356 	} else if (cb->args[2] > 0) {
4357 		filter_wiphy = cb->args[2] - 1;
4358 	}
4359 
4360 	for_each_rdev(rdev) {
4361 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4362 			continue;
4363 		if (wp_idx < wp_start) {
4364 			wp_idx++;
4365 			continue;
4366 		}
4367 
4368 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4369 			continue;
4370 
4371 		if_idx = 0;
4372 
4373 		guard(wiphy)(&rdev->wiphy);
4374 
4375 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4376 			if (if_idx < if_start) {
4377 				if_idx++;
4378 				continue;
4379 			}
4380 
4381 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4382 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4383 					       rdev, wdev,
4384 					       NL80211_CMD_NEW_INTERFACE) < 0)
4385 				goto out;
4386 
4387 			if_idx++;
4388 		}
4389 
4390 		if_start = 0;
4391 		wp_idx++;
4392 	}
4393  out:
4394 	cb->args[0] = wp_idx;
4395 	cb->args[1] = if_idx;
4396 
4397 	ret = skb->len;
4398  out_unlock:
4399 	rtnl_unlock();
4400 
4401 	return ret;
4402 }
4403 
4404 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4405 {
4406 	struct sk_buff *msg;
4407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4408 	struct wireless_dev *wdev = info->user_ptr[1];
4409 
4410 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4411 	if (!msg)
4412 		return -ENOMEM;
4413 
4414 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4415 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4416 		nlmsg_free(msg);
4417 		return -ENOBUFS;
4418 	}
4419 
4420 	return genlmsg_reply(msg, info);
4421 }
4422 
4423 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4424 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4425 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4426 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4427 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4428 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4429 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4430 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4431 };
4432 
4433 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4434 {
4435 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4436 	int flag;
4437 
4438 	*mntrflags = 0;
4439 
4440 	if (!nla)
4441 		return -EINVAL;
4442 
4443 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4444 		return -EINVAL;
4445 
4446 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4447 		if (flags[flag])
4448 			*mntrflags |= (1<<flag);
4449 
4450 	/* cooked monitor mode is incompatible with other modes */
4451 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4452 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4453 		return -EOPNOTSUPP;
4454 
4455 	*mntrflags |= MONITOR_FLAG_CHANGED;
4456 
4457 	return 0;
4458 }
4459 
4460 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4461 				     enum nl80211_iftype type,
4462 				     struct genl_info *info,
4463 				     struct vif_params *params)
4464 {
4465 	bool change = false;
4466 	int err;
4467 
4468 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4469 		if (type != NL80211_IFTYPE_MONITOR)
4470 			return -EINVAL;
4471 
4472 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4473 					  &params->flags);
4474 		if (err)
4475 			return err;
4476 
4477 		change = true;
4478 	}
4479 
4480 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4481 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4482 		return -EOPNOTSUPP;
4483 
4484 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4485 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4486 		return -EOPNOTSUPP;
4487 
4488 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4489 		const u8 *mumimo_groups;
4490 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4491 
4492 		if (type != NL80211_IFTYPE_MONITOR)
4493 			return -EINVAL;
4494 
4495 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4496 			return -EOPNOTSUPP;
4497 
4498 		mumimo_groups =
4499 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4500 
4501 		/* bits 0 and 63 are reserved and must be zero */
4502 		if ((mumimo_groups[0] & BIT(0)) ||
4503 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4504 			return -EINVAL;
4505 
4506 		params->vht_mumimo_groups = mumimo_groups;
4507 		change = true;
4508 	}
4509 
4510 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4511 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4512 
4513 		if (type != NL80211_IFTYPE_MONITOR)
4514 			return -EINVAL;
4515 
4516 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4517 			return -EOPNOTSUPP;
4518 
4519 		params->vht_mumimo_follow_addr =
4520 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4521 		change = true;
4522 	}
4523 
4524 	return change ? 1 : 0;
4525 }
4526 
4527 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4528 			       struct net_device *netdev, u8 use_4addr,
4529 			       enum nl80211_iftype iftype)
4530 {
4531 	if (!use_4addr) {
4532 		if (netdev && netif_is_bridge_port(netdev))
4533 			return -EBUSY;
4534 		return 0;
4535 	}
4536 
4537 	switch (iftype) {
4538 	case NL80211_IFTYPE_AP_VLAN:
4539 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4540 			return 0;
4541 		break;
4542 	case NL80211_IFTYPE_STATION:
4543 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4544 			return 0;
4545 		break;
4546 	default:
4547 		break;
4548 	}
4549 
4550 	return -EOPNOTSUPP;
4551 }
4552 
4553 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4554 					u32 *radio_mask)
4555 {
4556 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4557 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4558 	u32 mask, allowed;
4559 
4560 	if (!attr) {
4561 		*radio_mask = 0;
4562 		return 0;
4563 	}
4564 
4565 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4566 	mask = nla_get_u32(attr);
4567 	if (mask & ~allowed)
4568 		return -EINVAL;
4569 	if (!mask)
4570 		mask = allowed;
4571 	*radio_mask = mask;
4572 
4573 	return 1;
4574 }
4575 
4576 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4577 {
4578 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4579 	struct vif_params params;
4580 	int err;
4581 	enum nl80211_iftype otype, ntype;
4582 	struct net_device *dev = info->user_ptr[1];
4583 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4584 	u32 radio_mask = 0;
4585 	bool change = false;
4586 
4587 	memset(&params, 0, sizeof(params));
4588 
4589 	otype = ntype = dev->ieee80211_ptr->iftype;
4590 
4591 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4592 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4593 		if (otype != ntype)
4594 			change = true;
4595 	}
4596 
4597 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4598 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4599 			return -EINVAL;
4600 		if (otype != NL80211_IFTYPE_MESH_POINT)
4601 			return -EINVAL;
4602 		if (netif_running(dev))
4603 			return -EBUSY;
4604 
4605 		wdev->u.mesh.id_up_len =
4606 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4607 		memcpy(wdev->u.mesh.id,
4608 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4609 		       wdev->u.mesh.id_up_len);
4610 	}
4611 
4612 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4613 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4614 		change = true;
4615 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4616 		if (err)
4617 			return err;
4618 	} else {
4619 		params.use_4addr = -1;
4620 	}
4621 
4622 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4623 	if (err < 0)
4624 		return err;
4625 	if (err > 0)
4626 		change = true;
4627 
4628 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4629 	if (err < 0)
4630 		return err;
4631 	if (err && netif_running(dev))
4632 		return -EBUSY;
4633 
4634 	if (change)
4635 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4636 	else
4637 		err = 0;
4638 
4639 	if (!err && params.use_4addr != -1)
4640 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4641 
4642 	if (radio_mask)
4643 		wdev->radio_mask = radio_mask;
4644 
4645 	if (change && !err)
4646 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4647 
4648 	return err;
4649 }
4650 
4651 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4652 {
4653 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4654 	struct vif_params params;
4655 	struct wireless_dev *wdev;
4656 	struct sk_buff *msg;
4657 	u32 radio_mask;
4658 	int err;
4659 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4660 
4661 	memset(&params, 0, sizeof(params));
4662 
4663 	if (!info->attrs[NL80211_ATTR_IFNAME])
4664 		return -EINVAL;
4665 
4666 	if (info->attrs[NL80211_ATTR_IFTYPE])
4667 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4668 
4669 	if (!rdev->ops->add_virtual_intf)
4670 		return -EOPNOTSUPP;
4671 
4672 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4673 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4674 	    info->attrs[NL80211_ATTR_MAC]) {
4675 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4676 			   ETH_ALEN);
4677 		if (!is_valid_ether_addr(params.macaddr))
4678 			return -EADDRNOTAVAIL;
4679 	}
4680 
4681 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4682 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4683 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4684 		if (err)
4685 			return err;
4686 	}
4687 
4688 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4689 		return -EOPNOTSUPP;
4690 
4691 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4692 	if (err < 0)
4693 		return err;
4694 
4695 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4696 	if (err < 0)
4697 		return err;
4698 
4699 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4700 	if (!msg)
4701 		return -ENOMEM;
4702 
4703 	wdev = rdev_add_virtual_intf(rdev,
4704 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4705 				NET_NAME_USER, type, &params);
4706 	if (WARN_ON(!wdev)) {
4707 		nlmsg_free(msg);
4708 		return -EPROTO;
4709 	} else if (IS_ERR(wdev)) {
4710 		nlmsg_free(msg);
4711 		return PTR_ERR(wdev);
4712 	}
4713 
4714 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4715 		wdev->owner_nlportid = info->snd_portid;
4716 
4717 	switch (type) {
4718 	case NL80211_IFTYPE_MESH_POINT:
4719 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4720 			break;
4721 		wdev->u.mesh.id_up_len =
4722 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4723 		memcpy(wdev->u.mesh.id,
4724 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4725 		       wdev->u.mesh.id_up_len);
4726 		break;
4727 	case NL80211_IFTYPE_NAN:
4728 	case NL80211_IFTYPE_P2P_DEVICE:
4729 		/*
4730 		 * P2P Device and NAN do not have a netdev, so don't go
4731 		 * through the netdev notifier and must be added here
4732 		 */
4733 		cfg80211_init_wdev(wdev);
4734 		cfg80211_register_wdev(rdev, wdev);
4735 		break;
4736 	default:
4737 		break;
4738 	}
4739 
4740 	if (radio_mask)
4741 		wdev->radio_mask = radio_mask;
4742 
4743 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4744 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4745 		nlmsg_free(msg);
4746 		return -ENOBUFS;
4747 	}
4748 
4749 	return genlmsg_reply(msg, info);
4750 }
4751 
4752 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4753 {
4754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4755 
4756 	/* to avoid failing a new interface creation due to pending removal */
4757 	cfg80211_destroy_ifaces(rdev);
4758 
4759 	guard(wiphy)(&rdev->wiphy);
4760 
4761 	return _nl80211_new_interface(skb, info);
4762 }
4763 
4764 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4765 {
4766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4767 	struct wireless_dev *wdev = info->user_ptr[1];
4768 
4769 	if (!rdev->ops->del_virtual_intf)
4770 		return -EOPNOTSUPP;
4771 
4772 	/*
4773 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4774 	 * reach 0, and thus the rdev cannot be deleted.
4775 	 *
4776 	 * We need to do it for the dev_close(), since that will call
4777 	 * the netdev notifiers, and we need to acquire the mutex there
4778 	 * but don't know if we get there from here or from some other
4779 	 * place (e.g. "ip link set ... down").
4780 	 */
4781 	mutex_unlock(&rdev->wiphy.mtx);
4782 
4783 	/*
4784 	 * If we remove a wireless device without a netdev then clear
4785 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4786 	 * to check if it needs to do dev_put(). Otherwise it crashes
4787 	 * since the wdev has been freed, unlike with a netdev where
4788 	 * we need the dev_put() for the netdev to really be freed.
4789 	 */
4790 	if (!wdev->netdev)
4791 		info->user_ptr[1] = NULL;
4792 	else
4793 		dev_close(wdev->netdev);
4794 
4795 	mutex_lock(&rdev->wiphy.mtx);
4796 
4797 	return cfg80211_remove_virtual_intf(rdev, wdev);
4798 }
4799 
4800 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4801 {
4802 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4803 	struct net_device *dev = info->user_ptr[1];
4804 	u16 noack_map;
4805 
4806 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4807 		return -EINVAL;
4808 
4809 	if (!rdev->ops->set_noack_map)
4810 		return -EOPNOTSUPP;
4811 
4812 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4813 
4814 	return rdev_set_noack_map(rdev, dev, noack_map);
4815 }
4816 
4817 static int nl80211_validate_key_link_id(struct genl_info *info,
4818 					struct wireless_dev *wdev,
4819 					int link_id, bool pairwise)
4820 {
4821 	if (pairwise) {
4822 		if (link_id != -1) {
4823 			GENL_SET_ERR_MSG(info,
4824 					 "link ID not allowed for pairwise key");
4825 			return -EINVAL;
4826 		}
4827 
4828 		return 0;
4829 	}
4830 
4831 	if (wdev->valid_links) {
4832 		if (link_id == -1) {
4833 			GENL_SET_ERR_MSG(info,
4834 					 "link ID must for MLO group key");
4835 			return -EINVAL;
4836 		}
4837 		if (!(wdev->valid_links & BIT(link_id))) {
4838 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4839 			return -EINVAL;
4840 		}
4841 	} else if (link_id != -1) {
4842 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4843 		return -EINVAL;
4844 	}
4845 
4846 	return 0;
4847 }
4848 
4849 struct get_key_cookie {
4850 	struct sk_buff *msg;
4851 	int error;
4852 	int idx;
4853 };
4854 
4855 static void get_key_callback(void *c, struct key_params *params)
4856 {
4857 	struct nlattr *key;
4858 	struct get_key_cookie *cookie = c;
4859 
4860 	if ((params->seq &&
4861 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4862 		     params->seq_len, params->seq)) ||
4863 	    (params->cipher &&
4864 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4865 			 params->cipher)))
4866 		goto nla_put_failure;
4867 
4868 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4869 	if (!key)
4870 		goto nla_put_failure;
4871 
4872 	if ((params->seq &&
4873 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4874 		     params->seq_len, params->seq)) ||
4875 	    (params->cipher &&
4876 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4877 			 params->cipher)))
4878 		goto nla_put_failure;
4879 
4880 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4881 		goto nla_put_failure;
4882 
4883 	nla_nest_end(cookie->msg, key);
4884 
4885 	return;
4886  nla_put_failure:
4887 	cookie->error = 1;
4888 }
4889 
4890 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4891 {
4892 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4893 	int err;
4894 	struct net_device *dev = info->user_ptr[1];
4895 	u8 key_idx = 0;
4896 	const u8 *mac_addr = NULL;
4897 	bool pairwise;
4898 	struct get_key_cookie cookie = {
4899 		.error = 0,
4900 	};
4901 	void *hdr;
4902 	struct sk_buff *msg;
4903 	bool bigtk_support = false;
4904 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4905 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4906 
4907 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4908 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4909 		bigtk_support = true;
4910 
4911 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4912 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4913 	    wiphy_ext_feature_isset(&rdev->wiphy,
4914 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4915 		bigtk_support = true;
4916 
4917 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4918 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4919 
4920 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4921 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4922 			return -EINVAL;
4923 		}
4924 	}
4925 
4926 	if (info->attrs[NL80211_ATTR_MAC])
4927 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4928 
4929 	pairwise = !!mac_addr;
4930 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4931 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4932 
4933 		if (kt != NL80211_KEYTYPE_GROUP &&
4934 		    kt != NL80211_KEYTYPE_PAIRWISE)
4935 			return -EINVAL;
4936 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4937 	}
4938 
4939 	if (!rdev->ops->get_key)
4940 		return -EOPNOTSUPP;
4941 
4942 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4943 		return -ENOENT;
4944 
4945 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4946 	if (!msg)
4947 		return -ENOMEM;
4948 
4949 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4950 			     NL80211_CMD_NEW_KEY);
4951 	if (!hdr)
4952 		goto nla_put_failure;
4953 
4954 	cookie.msg = msg;
4955 	cookie.idx = key_idx;
4956 
4957 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4958 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4959 		goto nla_put_failure;
4960 	if (mac_addr &&
4961 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4962 		goto nla_put_failure;
4963 
4964 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4965 	if (err)
4966 		goto free_msg;
4967 
4968 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4969 			   &cookie, get_key_callback);
4970 
4971 	if (err)
4972 		goto free_msg;
4973 
4974 	if (cookie.error)
4975 		goto nla_put_failure;
4976 
4977 	genlmsg_end(msg, hdr);
4978 	return genlmsg_reply(msg, info);
4979 
4980  nla_put_failure:
4981 	err = -ENOBUFS;
4982  free_msg:
4983 	nlmsg_free(msg);
4984 	return err;
4985 }
4986 
4987 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4988 {
4989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4990 	struct key_parse key;
4991 	int err;
4992 	struct net_device *dev = info->user_ptr[1];
4993 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4994 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4995 
4996 	err = nl80211_parse_key(info, &key);
4997 	if (err)
4998 		return err;
4999 
5000 	if (key.idx < 0)
5001 		return -EINVAL;
5002 
5003 	/* Only support setting default key and
5004 	 * Extended Key ID action NL80211_KEY_SET_TX.
5005 	 */
5006 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5007 	    !(key.p.mode == NL80211_KEY_SET_TX))
5008 		return -EINVAL;
5009 
5010 	if (key.def) {
5011 		if (!rdev->ops->set_default_key)
5012 			return -EOPNOTSUPP;
5013 
5014 		err = nl80211_key_allowed(wdev);
5015 		if (err)
5016 			return err;
5017 
5018 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5019 		if (err)
5020 			return err;
5021 
5022 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
5023 					   key.def_uni, key.def_multi);
5024 
5025 		if (err)
5026 			return err;
5027 
5028 #ifdef CONFIG_CFG80211_WEXT
5029 		wdev->wext.default_key = key.idx;
5030 #endif
5031 		return 0;
5032 	} else if (key.defmgmt) {
5033 		if (key.def_uni || !key.def_multi)
5034 			return -EINVAL;
5035 
5036 		if (!rdev->ops->set_default_mgmt_key)
5037 			return -EOPNOTSUPP;
5038 
5039 		err = nl80211_key_allowed(wdev);
5040 		if (err)
5041 			return err;
5042 
5043 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5044 		if (err)
5045 			return err;
5046 
5047 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
5048 		if (err)
5049 			return err;
5050 
5051 #ifdef CONFIG_CFG80211_WEXT
5052 		wdev->wext.default_mgmt_key = key.idx;
5053 #endif
5054 		return 0;
5055 	} else if (key.defbeacon) {
5056 		if (key.def_uni || !key.def_multi)
5057 			return -EINVAL;
5058 
5059 		if (!rdev->ops->set_default_beacon_key)
5060 			return -EOPNOTSUPP;
5061 
5062 		err = nl80211_key_allowed(wdev);
5063 		if (err)
5064 			return err;
5065 
5066 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5067 		if (err)
5068 			return err;
5069 
5070 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
5071 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5072 		   wiphy_ext_feature_isset(&rdev->wiphy,
5073 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5074 		u8 *mac_addr = NULL;
5075 
5076 		if (info->attrs[NL80211_ATTR_MAC])
5077 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5078 
5079 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5080 			return -EINVAL;
5081 
5082 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5083 		if (err)
5084 			return err;
5085 
5086 		return rdev_add_key(rdev, dev, link_id, key.idx,
5087 				    NL80211_KEYTYPE_PAIRWISE,
5088 				    mac_addr, &key.p);
5089 	}
5090 
5091 	return -EINVAL;
5092 }
5093 
5094 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5095 {
5096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5097 	int err;
5098 	struct net_device *dev = info->user_ptr[1];
5099 	struct key_parse key;
5100 	const u8 *mac_addr = NULL;
5101 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5102 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5103 
5104 	err = nl80211_parse_key(info, &key);
5105 	if (err)
5106 		return err;
5107 
5108 	if (!key.p.key) {
5109 		GENL_SET_ERR_MSG(info, "no key");
5110 		return -EINVAL;
5111 	}
5112 
5113 	if (info->attrs[NL80211_ATTR_MAC])
5114 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5115 
5116 	if (key.type == -1) {
5117 		if (mac_addr)
5118 			key.type = NL80211_KEYTYPE_PAIRWISE;
5119 		else
5120 			key.type = NL80211_KEYTYPE_GROUP;
5121 	}
5122 
5123 	/* for now */
5124 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5125 	    key.type != NL80211_KEYTYPE_GROUP) {
5126 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5127 		return -EINVAL;
5128 	}
5129 
5130 	if (key.type == NL80211_KEYTYPE_GROUP &&
5131 	    info->attrs[NL80211_ATTR_VLAN_ID])
5132 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5133 
5134 	if (!rdev->ops->add_key)
5135 		return -EOPNOTSUPP;
5136 
5137 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5138 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5139 					   mac_addr)) {
5140 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5141 		return -EINVAL;
5142 	}
5143 
5144 	err = nl80211_key_allowed(wdev);
5145 	if (err)
5146 		GENL_SET_ERR_MSG(info, "key not allowed");
5147 
5148 	if (!err)
5149 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5150 				key.type == NL80211_KEYTYPE_PAIRWISE);
5151 
5152 	if (!err) {
5153 		err = rdev_add_key(rdev, dev, link_id, key.idx,
5154 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5155 				    mac_addr, &key.p);
5156 		if (err)
5157 			GENL_SET_ERR_MSG(info, "key addition failed");
5158 	}
5159 
5160 	return err;
5161 }
5162 
5163 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5164 {
5165 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5166 	int err;
5167 	struct net_device *dev = info->user_ptr[1];
5168 	u8 *mac_addr = NULL;
5169 	struct key_parse key;
5170 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5171 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5172 
5173 	err = nl80211_parse_key(info, &key);
5174 	if (err)
5175 		return err;
5176 
5177 	if (info->attrs[NL80211_ATTR_MAC])
5178 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5179 
5180 	if (key.type == -1) {
5181 		if (mac_addr)
5182 			key.type = NL80211_KEYTYPE_PAIRWISE;
5183 		else
5184 			key.type = NL80211_KEYTYPE_GROUP;
5185 	}
5186 
5187 	/* for now */
5188 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5189 	    key.type != NL80211_KEYTYPE_GROUP)
5190 		return -EINVAL;
5191 
5192 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5193 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5194 		return -EINVAL;
5195 
5196 	if (!rdev->ops->del_key)
5197 		return -EOPNOTSUPP;
5198 
5199 	err = nl80211_key_allowed(wdev);
5200 
5201 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5202 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5203 		err = -ENOENT;
5204 
5205 	if (!err)
5206 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5207 				key.type == NL80211_KEYTYPE_PAIRWISE);
5208 
5209 	if (!err)
5210 		err = rdev_del_key(rdev, dev, link_id, key.idx,
5211 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5212 				   mac_addr);
5213 
5214 #ifdef CONFIG_CFG80211_WEXT
5215 	if (!err) {
5216 		if (key.idx == wdev->wext.default_key)
5217 			wdev->wext.default_key = -1;
5218 		else if (key.idx == wdev->wext.default_mgmt_key)
5219 			wdev->wext.default_mgmt_key = -1;
5220 	}
5221 #endif
5222 
5223 	return err;
5224 }
5225 
5226 /* This function returns an error or the number of nested attributes */
5227 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5228 {
5229 	struct nlattr *attr;
5230 	int n_entries = 0, tmp;
5231 
5232 	nla_for_each_nested(attr, nl_attr, tmp) {
5233 		if (nla_len(attr) != ETH_ALEN)
5234 			return -EINVAL;
5235 
5236 		n_entries++;
5237 	}
5238 
5239 	return n_entries;
5240 }
5241 
5242 /*
5243  * This function parses ACL information and allocates memory for ACL data.
5244  * On successful return, the calling function is responsible to free the
5245  * ACL buffer returned by this function.
5246  */
5247 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5248 						struct genl_info *info)
5249 {
5250 	enum nl80211_acl_policy acl_policy;
5251 	struct nlattr *attr;
5252 	struct cfg80211_acl_data *acl;
5253 	int i = 0, n_entries, tmp;
5254 
5255 	if (!wiphy->max_acl_mac_addrs)
5256 		return ERR_PTR(-EOPNOTSUPP);
5257 
5258 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5259 		return ERR_PTR(-EINVAL);
5260 
5261 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5262 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5263 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5264 		return ERR_PTR(-EINVAL);
5265 
5266 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5267 		return ERR_PTR(-EINVAL);
5268 
5269 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5270 	if (n_entries < 0)
5271 		return ERR_PTR(n_entries);
5272 
5273 	if (n_entries > wiphy->max_acl_mac_addrs)
5274 		return ERR_PTR(-EOPNOTSUPP);
5275 
5276 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5277 	if (!acl)
5278 		return ERR_PTR(-ENOMEM);
5279 	acl->n_acl_entries = n_entries;
5280 
5281 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5282 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5283 		i++;
5284 	}
5285 	acl->acl_policy = acl_policy;
5286 
5287 	return acl;
5288 }
5289 
5290 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5291 {
5292 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5293 	struct net_device *dev = info->user_ptr[1];
5294 	struct cfg80211_acl_data *acl;
5295 	int err;
5296 
5297 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5298 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5299 		return -EOPNOTSUPP;
5300 
5301 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5302 		return -EINVAL;
5303 
5304 	acl = parse_acl_data(&rdev->wiphy, info);
5305 	if (IS_ERR(acl))
5306 		return PTR_ERR(acl);
5307 
5308 	err = rdev_set_mac_acl(rdev, dev, acl);
5309 
5310 	kfree(acl);
5311 
5312 	return err;
5313 }
5314 
5315 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5316 			   u8 *rates, u8 rates_len)
5317 {
5318 	u8 i;
5319 	u32 mask = 0;
5320 
5321 	for (i = 0; i < rates_len; i++) {
5322 		int rate = (rates[i] & 0x7f) * 5;
5323 		int ridx;
5324 
5325 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5326 			struct ieee80211_rate *srate =
5327 				&sband->bitrates[ridx];
5328 			if (rate == srate->bitrate) {
5329 				mask |= 1 << ridx;
5330 				break;
5331 			}
5332 		}
5333 		if (ridx == sband->n_bitrates)
5334 			return 0; /* rate not found */
5335 	}
5336 
5337 	return mask;
5338 }
5339 
5340 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5341 			       u8 *rates, u8 rates_len,
5342 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5343 {
5344 	u8 i;
5345 
5346 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5347 
5348 	for (i = 0; i < rates_len; i++) {
5349 		int ridx, rbit;
5350 
5351 		ridx = rates[i] / 8;
5352 		rbit = BIT(rates[i] % 8);
5353 
5354 		/* check validity */
5355 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5356 			return false;
5357 
5358 		/* check availability */
5359 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5360 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5361 			mcs[ridx] |= rbit;
5362 		else
5363 			return false;
5364 	}
5365 
5366 	return true;
5367 }
5368 
5369 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5370 {
5371 	u16 mcs_mask = 0;
5372 
5373 	switch (vht_mcs_map) {
5374 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5375 		break;
5376 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5377 		mcs_mask = 0x00FF;
5378 		break;
5379 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5380 		mcs_mask = 0x01FF;
5381 		break;
5382 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5383 		mcs_mask = 0x03FF;
5384 		break;
5385 	default:
5386 		break;
5387 	}
5388 
5389 	return mcs_mask;
5390 }
5391 
5392 static void vht_build_mcs_mask(u16 vht_mcs_map,
5393 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5394 {
5395 	u8 nss;
5396 
5397 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5398 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5399 		vht_mcs_map >>= 2;
5400 	}
5401 }
5402 
5403 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5404 			     struct nl80211_txrate_vht *txrate,
5405 			     u16 mcs[NL80211_VHT_NSS_MAX])
5406 {
5407 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5408 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5409 	u8 i;
5410 
5411 	if (!sband->vht_cap.vht_supported)
5412 		return false;
5413 
5414 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5415 
5416 	/* Build vht_mcs_mask from VHT capabilities */
5417 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5418 
5419 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5420 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5421 			mcs[i] = txrate->mcs[i];
5422 		else
5423 			return false;
5424 	}
5425 
5426 	return true;
5427 }
5428 
5429 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5430 {
5431 	switch (he_mcs_map) {
5432 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5433 		return 0;
5434 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5435 		return 0x00FF;
5436 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5437 		return 0x03FF;
5438 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5439 		return 0xFFF;
5440 	default:
5441 		break;
5442 	}
5443 	return 0;
5444 }
5445 
5446 static void he_build_mcs_mask(u16 he_mcs_map,
5447 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5448 {
5449 	u8 nss;
5450 
5451 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5452 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5453 		he_mcs_map >>= 2;
5454 	}
5455 }
5456 
5457 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5458 			   const struct ieee80211_sta_he_cap *he_cap)
5459 {
5460 	struct net_device *dev = info->user_ptr[1];
5461 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5462 	struct cfg80211_chan_def *chandef;
5463 	__le16 tx_mcs;
5464 
5465 	chandef = wdev_chandef(wdev, link_id);
5466 	if (!chandef) {
5467 		/*
5468 		 * This is probably broken, but we never maintained
5469 		 * a chandef in these cases, so it always was.
5470 		 */
5471 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5472 	}
5473 
5474 	switch (chandef->width) {
5475 	case NL80211_CHAN_WIDTH_80P80:
5476 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5477 		break;
5478 	case NL80211_CHAN_WIDTH_160:
5479 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5480 		break;
5481 	default:
5482 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5483 		break;
5484 	}
5485 
5486 	return le16_to_cpu(tx_mcs);
5487 }
5488 
5489 static bool he_set_mcs_mask(struct genl_info *info,
5490 			    struct wireless_dev *wdev,
5491 			    struct ieee80211_supported_band *sband,
5492 			    struct nl80211_txrate_he *txrate,
5493 			    u16 mcs[NL80211_HE_NSS_MAX],
5494 			    unsigned int link_id)
5495 {
5496 	const struct ieee80211_sta_he_cap *he_cap;
5497 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5498 	u16 tx_mcs_map = 0;
5499 	u8 i;
5500 
5501 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5502 	if (!he_cap)
5503 		return false;
5504 
5505 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5506 
5507 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5508 
5509 	/* Build he_mcs_mask from HE capabilities */
5510 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5511 
5512 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5513 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5514 			mcs[i] = txrate->mcs[i];
5515 		else
5516 			return false;
5517 	}
5518 
5519 	return true;
5520 }
5521 
5522 static void eht_build_mcs_mask(struct genl_info *info,
5523 			       const struct ieee80211_sta_eht_cap *eht_cap,
5524 			       u8 mcs_nss_len, u16 *mcs_mask)
5525 {
5526 	struct net_device *dev = info->user_ptr[1];
5527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5528 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5529 	unsigned int link_id = nl80211_link_id(info->attrs);
5530 
5531 	if (mcs_nss_len == 4) {
5532 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5533 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5534 
5535 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5536 				    IEEE80211_EHT_MCS_NSS_TX);
5537 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5538 				    IEEE80211_EHT_MCS_NSS_TX);
5539 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5540 				     IEEE80211_EHT_MCS_NSS_TX);
5541 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5542 				     IEEE80211_EHT_MCS_NSS_TX);
5543 
5544 	} else {
5545 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5546 		enum nl80211_chan_width width;
5547 
5548 		switch (wdev->iftype) {
5549 		case NL80211_IFTYPE_ADHOC:
5550 			width = wdev->u.ibss.chandef.width;
5551 			break;
5552 		case NL80211_IFTYPE_MESH_POINT:
5553 			width = wdev->u.mesh.chandef.width;
5554 			break;
5555 		case NL80211_IFTYPE_OCB:
5556 			width = wdev->u.ocb.chandef.width;
5557 			break;
5558 		default:
5559 			if (wdev->valid_links)
5560 				width = wdev->links[link_id].ap.chandef.width;
5561 			else
5562 				width = wdev->u.ap.preset_chandef.width;
5563 			break;
5564 		}
5565 
5566 		switch (width) {
5567 		case NL80211_CHAN_WIDTH_320:
5568 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5569 			break;
5570 		case NL80211_CHAN_WIDTH_160:
5571 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5572 			break;
5573 		default:
5574 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5575 			break;
5576 		}
5577 
5578 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5579 				    IEEE80211_EHT_MCS_NSS_TX);
5580 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5581 				    IEEE80211_EHT_MCS_NSS_TX);
5582 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5583 				     IEEE80211_EHT_MCS_NSS_TX);
5584 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5585 				     IEEE80211_EHT_MCS_NSS_TX);
5586 	}
5587 
5588 	/* Enable MCS 14 for NSS 0 */
5589 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5590 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5591 		mcs_mask[0] |= 0x4000;
5592 
5593 	/* Enable MCS 15 for NSS 0 */
5594 	mcs_mask[0] |= 0x8000;
5595 
5596 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5597 		if (!mcs_7)
5598 			continue;
5599 		mcs_mask[nss] |= 0x00FF;
5600 		mcs_7--;
5601 
5602 		if (!mcs_9)
5603 			continue;
5604 		mcs_mask[nss] |= 0x0300;
5605 		mcs_9--;
5606 
5607 		if (!mcs_11)
5608 			continue;
5609 		mcs_mask[nss] |= 0x0C00;
5610 		mcs_11--;
5611 
5612 		if (!mcs_13)
5613 			continue;
5614 		mcs_mask[nss] |= 0x3000;
5615 		mcs_13--;
5616 	}
5617 }
5618 
5619 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5620 			     struct ieee80211_supported_band *sband,
5621 			     struct nl80211_txrate_eht *txrate,
5622 			     u16 mcs[NL80211_EHT_NSS_MAX])
5623 {
5624 	const struct ieee80211_sta_he_cap *he_cap;
5625 	const struct ieee80211_sta_eht_cap *eht_cap;
5626 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5627 	u8 i, mcs_nss_len;
5628 
5629 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5630 	if (!he_cap)
5631 		return false;
5632 
5633 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5634 	if (!eht_cap)
5635 		return false;
5636 
5637 	/* Checks for MCS 14 */
5638 	if (txrate->mcs[0] & 0x4000) {
5639 		if (sband->band != NL80211_BAND_6GHZ)
5640 			return false;
5641 
5642 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5643 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5644 			return false;
5645 	}
5646 
5647 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5648 						 &eht_cap->eht_cap_elem,
5649 						 wdev->iftype ==
5650 							NL80211_IFTYPE_STATION);
5651 
5652 	if (mcs_nss_len == 3) {
5653 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5654 		switch (wdev->iftype) {
5655 		case NL80211_IFTYPE_ADHOC:
5656 		case NL80211_IFTYPE_AP:
5657 		case NL80211_IFTYPE_P2P_GO:
5658 		case NL80211_IFTYPE_MESH_POINT:
5659 		case NL80211_IFTYPE_OCB:
5660 			break;
5661 		default:
5662 			return false;
5663 		}
5664 	}
5665 
5666 	/* Build eht_mcs_mask from EHT and HE capabilities */
5667 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5668 
5669 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5670 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5671 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5672 			mcs[i] = txrate->mcs[i];
5673 		else
5674 			return false;
5675 	}
5676 
5677 	return true;
5678 }
5679 
5680 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5681 					 struct nlattr *attrs[],
5682 					 enum nl80211_attrs attr,
5683 					 struct cfg80211_bitrate_mask *mask,
5684 					 struct net_device *dev,
5685 					 bool default_all_enabled,
5686 					 unsigned int link_id)
5687 {
5688 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5689 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5690 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5691 	int rem, i;
5692 	struct nlattr *tx_rates;
5693 	struct ieee80211_supported_band *sband;
5694 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5695 
5696 	memset(mask, 0, sizeof(*mask));
5697 	/* Default to all rates enabled */
5698 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5699 		const struct ieee80211_sta_he_cap *he_cap;
5700 		const struct ieee80211_sta_eht_cap *eht_cap;
5701 		u8 mcs_nss_len;
5702 
5703 		if (!default_all_enabled)
5704 			break;
5705 
5706 		sband = rdev->wiphy.bands[i];
5707 
5708 		if (!sband)
5709 			continue;
5710 
5711 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5712 		memcpy(mask->control[i].ht_mcs,
5713 		       sband->ht_cap.mcs.rx_mask,
5714 		       sizeof(mask->control[i].ht_mcs));
5715 
5716 		if (sband->vht_cap.vht_supported) {
5717 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5718 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5719 		}
5720 
5721 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5722 		if (!he_cap)
5723 			continue;
5724 
5725 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5726 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5727 
5728 		mask->control[i].he_gi = 0xFF;
5729 		mask->control[i].he_ltf = 0xFF;
5730 
5731 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5732 		if (!eht_cap)
5733 			continue;
5734 
5735 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5736 							 &eht_cap->eht_cap_elem,
5737 							 wdev->iftype ==
5738 							 NL80211_IFTYPE_STATION);
5739 
5740 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
5741 				   mask->control[i].eht_mcs);
5742 
5743 		mask->control[i].eht_gi = 0xFF;
5744 		mask->control[i].eht_ltf = 0xFF;
5745 	}
5746 
5747 	/* if no rates are given set it back to the defaults */
5748 	if (!attrs[attr])
5749 		goto out;
5750 
5751 	/* The nested attribute uses enum nl80211_band as the index. This maps
5752 	 * directly to the enum nl80211_band values used in cfg80211.
5753 	 */
5754 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5755 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5756 		enum nl80211_band band = nla_type(tx_rates);
5757 		int err;
5758 
5759 		if (band < 0 || band >= NUM_NL80211_BANDS)
5760 			return -EINVAL;
5761 		sband = rdev->wiphy.bands[band];
5762 		if (sband == NULL)
5763 			return -EINVAL;
5764 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5765 						  tx_rates,
5766 						  nl80211_txattr_policy,
5767 						  info->extack);
5768 		if (err)
5769 			return err;
5770 		if (tb[NL80211_TXRATE_LEGACY]) {
5771 			mask->control[band].legacy = rateset_to_mask(
5772 				sband,
5773 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5774 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5775 			if ((mask->control[band].legacy == 0) &&
5776 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5777 				return -EINVAL;
5778 		}
5779 		if (tb[NL80211_TXRATE_HT]) {
5780 			if (!ht_rateset_to_mask(
5781 					sband,
5782 					nla_data(tb[NL80211_TXRATE_HT]),
5783 					nla_len(tb[NL80211_TXRATE_HT]),
5784 					mask->control[band].ht_mcs))
5785 				return -EINVAL;
5786 		}
5787 
5788 		if (tb[NL80211_TXRATE_VHT]) {
5789 			if (!vht_set_mcs_mask(
5790 					sband,
5791 					nla_data(tb[NL80211_TXRATE_VHT]),
5792 					mask->control[band].vht_mcs))
5793 				return -EINVAL;
5794 		}
5795 
5796 		if (tb[NL80211_TXRATE_GI]) {
5797 			mask->control[band].gi =
5798 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5799 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5800 				return -EINVAL;
5801 		}
5802 		if (tb[NL80211_TXRATE_HE] &&
5803 		    !he_set_mcs_mask(info, wdev, sband,
5804 				     nla_data(tb[NL80211_TXRATE_HE]),
5805 				     mask->control[band].he_mcs,
5806 				     link_id))
5807 			return -EINVAL;
5808 
5809 		if (tb[NL80211_TXRATE_HE_GI])
5810 			mask->control[band].he_gi =
5811 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5812 		if (tb[NL80211_TXRATE_HE_LTF])
5813 			mask->control[band].he_ltf =
5814 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5815 
5816 		if (tb[NL80211_TXRATE_EHT] &&
5817 		    !eht_set_mcs_mask(info, wdev, sband,
5818 				      nla_data(tb[NL80211_TXRATE_EHT]),
5819 				      mask->control[band].eht_mcs))
5820 			return -EINVAL;
5821 
5822 		if (tb[NL80211_TXRATE_EHT_GI])
5823 			mask->control[band].eht_gi =
5824 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
5825 		if (tb[NL80211_TXRATE_EHT_LTF])
5826 			mask->control[band].eht_ltf =
5827 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
5828 
5829 		if (mask->control[band].legacy == 0) {
5830 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
5831 			 * are not even supported.
5832 			 */
5833 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5834 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5835 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
5836 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
5837 				return -EINVAL;
5838 
5839 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5840 				if (mask->control[band].ht_mcs[i])
5841 					goto out;
5842 
5843 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5844 				if (mask->control[band].vht_mcs[i])
5845 					goto out;
5846 
5847 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5848 				if (mask->control[band].he_mcs[i])
5849 					goto out;
5850 
5851 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
5852 				if (mask->control[band].eht_mcs[i])
5853 					goto out;
5854 
5855 			/* legacy and mcs rates may not be both empty */
5856 			return -EINVAL;
5857 		}
5858 	}
5859 
5860 out:
5861 	return 0;
5862 }
5863 
5864 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5865 				   enum nl80211_band band,
5866 				   struct cfg80211_bitrate_mask *beacon_rate)
5867 {
5868 	u32 count_ht, count_vht, count_he, count_eht, i;
5869 	u32 rate = beacon_rate->control[band].legacy;
5870 
5871 	/* Allow only one rate */
5872 	if (hweight32(rate) > 1)
5873 		return -EINVAL;
5874 
5875 	count_ht = 0;
5876 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5877 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5878 			return -EINVAL;
5879 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5880 			count_ht++;
5881 			if (count_ht > 1)
5882 				return -EINVAL;
5883 		}
5884 		if (count_ht && rate)
5885 			return -EINVAL;
5886 	}
5887 
5888 	count_vht = 0;
5889 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5890 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5891 			return -EINVAL;
5892 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5893 			count_vht++;
5894 			if (count_vht > 1)
5895 				return -EINVAL;
5896 		}
5897 		if (count_vht && rate)
5898 			return -EINVAL;
5899 	}
5900 
5901 	count_he = 0;
5902 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5903 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5904 			return -EINVAL;
5905 		} else if (beacon_rate->control[band].he_mcs[i]) {
5906 			count_he++;
5907 			if (count_he > 1)
5908 				return -EINVAL;
5909 		}
5910 		if (count_he && rate)
5911 			return -EINVAL;
5912 	}
5913 
5914 	count_eht = 0;
5915 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5916 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
5917 			return -EINVAL;
5918 		} else if (beacon_rate->control[band].eht_mcs[i]) {
5919 			count_eht++;
5920 			if (count_eht > 1)
5921 				return -EINVAL;
5922 		}
5923 		if (count_eht && rate)
5924 			return -EINVAL;
5925 	}
5926 
5927 	if ((count_ht && count_vht && count_he && count_eht) ||
5928 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
5929 		return -EINVAL;
5930 
5931 	if (rate &&
5932 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5933 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5934 		return -EINVAL;
5935 	if (count_ht &&
5936 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5937 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5938 		return -EINVAL;
5939 	if (count_vht &&
5940 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5941 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5942 		return -EINVAL;
5943 	if (count_he &&
5944 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5945 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5946 		return -EINVAL;
5947 
5948 	if (count_eht &&
5949 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5950 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
5951 		return -EINVAL;
5952 
5953 	return 0;
5954 }
5955 
5956 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5957 				       struct net_device *dev,
5958 				       unsigned int link_id,
5959 				       struct nlattr *attrs,
5960 				       struct cfg80211_mbssid_config *config,
5961 				       u8 num_elems)
5962 {
5963 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5964 	int tx_link_id = -1;
5965 
5966 	if (!wiphy->mbssid_max_interfaces)
5967 		return -EOPNOTSUPP;
5968 
5969 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5970 			     NULL) ||
5971 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5972 		return -EINVAL;
5973 
5974 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5975 	if (config->ema) {
5976 		if (!wiphy->ema_max_profile_periodicity)
5977 			return -EOPNOTSUPP;
5978 
5979 		if (num_elems > wiphy->ema_max_profile_periodicity)
5980 			return -EINVAL;
5981 	}
5982 
5983 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5984 	if (config->index >= wiphy->mbssid_max_interfaces ||
5985 	    (!config->index && !num_elems))
5986 		return -EINVAL;
5987 
5988 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
5989 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
5990 
5991 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5992 		u32 tx_ifindex =
5993 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5994 
5995 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5996 		    (config->index && tx_ifindex == dev->ifindex))
5997 			return -EINVAL;
5998 
5999 		if (tx_ifindex != dev->ifindex) {
6000 			struct net_device *tx_netdev =
6001 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6002 
6003 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6004 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6005 			    tx_netdev->ieee80211_ptr->iftype !=
6006 							NL80211_IFTYPE_AP) {
6007 				dev_put(tx_netdev);
6008 				return -EINVAL;
6009 			}
6010 
6011 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6012 			/* Caller should call dev_put(config->tx_wdev) from this point */
6013 
6014 			if (config->tx_wdev->valid_links) {
6015 				if (tx_link_id == -1 ||
6016 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6017 					return -ENOLINK;
6018 
6019 				config->tx_link_id = tx_link_id;
6020 			}
6021 		} else {
6022 			if (tx_link_id >= 0 && tx_link_id != link_id)
6023 				return -EINVAL;
6024 
6025 			config->tx_wdev = dev->ieee80211_ptr;
6026 		}
6027 	} else if (!config->index) {
6028 		if (tx_link_id >= 0 && tx_link_id != link_id)
6029 			return -EINVAL;
6030 
6031 		config->tx_wdev = dev->ieee80211_ptr;
6032 	} else {
6033 		return -EINVAL;
6034 	}
6035 
6036 	return 0;
6037 }
6038 
6039 static struct cfg80211_mbssid_elems *
6040 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6041 {
6042 	struct nlattr *nl_elems;
6043 	struct cfg80211_mbssid_elems *elems;
6044 	int rem_elems;
6045 	u8 i = 0, num_elems = 0;
6046 
6047 	if (!wiphy->mbssid_max_interfaces)
6048 		return ERR_PTR(-EINVAL);
6049 
6050 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6051 		if (num_elems >= 255)
6052 			return ERR_PTR(-EINVAL);
6053 		num_elems++;
6054 	}
6055 
6056 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
6057 	if (!elems)
6058 		return ERR_PTR(-ENOMEM);
6059 	elems->cnt = num_elems;
6060 
6061 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6062 		elems->elem[i].data = nla_data(nl_elems);
6063 		elems->elem[i].len = nla_len(nl_elems);
6064 		i++;
6065 	}
6066 	return elems;
6067 }
6068 
6069 static struct cfg80211_rnr_elems *
6070 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6071 			struct netlink_ext_ack *extack)
6072 {
6073 	struct nlattr *nl_elems;
6074 	struct cfg80211_rnr_elems *elems;
6075 	int rem_elems;
6076 	u8 i = 0, num_elems = 0;
6077 
6078 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6079 		int ret;
6080 
6081 		ret = validate_ie_attr(nl_elems, extack);
6082 		if (ret)
6083 			return ERR_PTR(ret);
6084 
6085 		num_elems++;
6086 	}
6087 
6088 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
6089 	if (!elems)
6090 		return ERR_PTR(-ENOMEM);
6091 	elems->cnt = num_elems;
6092 
6093 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6094 		elems->elem[i].data = nla_data(nl_elems);
6095 		elems->elem[i].len = nla_len(nl_elems);
6096 		i++;
6097 	}
6098 	return elems;
6099 }
6100 
6101 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6102 				      struct cfg80211_he_bss_color *he_bss_color)
6103 {
6104 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6105 	int err;
6106 
6107 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6108 			       he_bss_color_policy, NULL);
6109 	if (err)
6110 		return err;
6111 
6112 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6113 		return -EINVAL;
6114 
6115 	he_bss_color->color =
6116 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6117 	he_bss_color->enabled =
6118 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6119 	he_bss_color->partial =
6120 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6121 
6122 	return 0;
6123 }
6124 
6125 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6126 				struct nlattr *attrs[],
6127 				struct cfg80211_beacon_data *bcn,
6128 				struct netlink_ext_ack *extack)
6129 {
6130 	bool haveinfo = false;
6131 	int err;
6132 
6133 	memset(bcn, 0, sizeof(*bcn));
6134 
6135 	bcn->link_id = nl80211_link_id(attrs);
6136 
6137 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6138 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6139 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6140 		if (!bcn->head_len)
6141 			return -EINVAL;
6142 		haveinfo = true;
6143 	}
6144 
6145 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6146 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6147 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6148 		haveinfo = true;
6149 	}
6150 
6151 	if (!haveinfo)
6152 		return -EINVAL;
6153 
6154 	if (attrs[NL80211_ATTR_IE]) {
6155 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6156 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6157 	}
6158 
6159 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6160 		bcn->proberesp_ies =
6161 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6162 		bcn->proberesp_ies_len =
6163 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6164 	}
6165 
6166 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6167 		bcn->assocresp_ies =
6168 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6169 		bcn->assocresp_ies_len =
6170 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6171 	}
6172 
6173 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6174 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6175 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6176 	}
6177 
6178 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6179 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6180 
6181 		err = nla_parse_nested_deprecated(tb,
6182 						  NL80211_FTM_RESP_ATTR_MAX,
6183 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6184 						  NULL, NULL);
6185 		if (err)
6186 			return err;
6187 
6188 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6189 		    wiphy_ext_feature_isset(&rdev->wiphy,
6190 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6191 			bcn->ftm_responder = 1;
6192 		else
6193 			return -EOPNOTSUPP;
6194 
6195 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6196 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6197 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6198 		}
6199 
6200 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6201 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6202 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6203 		}
6204 	} else {
6205 		bcn->ftm_responder = -1;
6206 	}
6207 
6208 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6209 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6210 						 &bcn->he_bss_color);
6211 		if (err)
6212 			return err;
6213 		bcn->he_bss_color_valid = true;
6214 	}
6215 
6216 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6217 		struct cfg80211_mbssid_elems *mbssid =
6218 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6219 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6220 
6221 		if (IS_ERR(mbssid))
6222 			return PTR_ERR(mbssid);
6223 
6224 		bcn->mbssid_ies = mbssid;
6225 
6226 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6227 			struct cfg80211_rnr_elems *rnr =
6228 				nl80211_parse_rnr_elems(&rdev->wiphy,
6229 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6230 							extack);
6231 
6232 			if (IS_ERR(rnr))
6233 				return PTR_ERR(rnr);
6234 
6235 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6236 				return -EINVAL;
6237 
6238 			bcn->rnr_ies = rnr;
6239 		}
6240 	}
6241 
6242 	return 0;
6243 }
6244 
6245 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6246 				    struct ieee80211_he_obss_pd *he_obss_pd)
6247 {
6248 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6249 	int err;
6250 
6251 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6252 			       he_obss_pd_policy, NULL);
6253 	if (err)
6254 		return err;
6255 
6256 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6257 		return -EINVAL;
6258 
6259 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6260 
6261 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6262 		he_obss_pd->min_offset =
6263 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6264 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6265 		he_obss_pd->max_offset =
6266 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6267 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6268 		he_obss_pd->non_srg_max_offset =
6269 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6270 
6271 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6272 		return -EINVAL;
6273 
6274 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6275 		memcpy(he_obss_pd->bss_color_bitmap,
6276 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6277 		       sizeof(he_obss_pd->bss_color_bitmap));
6278 
6279 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6280 		memcpy(he_obss_pd->partial_bssid_bitmap,
6281 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6282 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6283 
6284 	he_obss_pd->enable = true;
6285 
6286 	return 0;
6287 }
6288 
6289 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6290 					struct nlattr *attrs,
6291 					struct cfg80211_fils_discovery *fd)
6292 {
6293 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6294 	int ret;
6295 
6296 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6297 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6298 		return -EINVAL;
6299 
6300 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6301 			       NULL, NULL);
6302 	if (ret)
6303 		return ret;
6304 
6305 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6306 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6307 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6308 		fd->update = true;
6309 		return 0;
6310 	}
6311 
6312 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6313 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6314 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6315 		return -EINVAL;
6316 
6317 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6318 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6319 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6320 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6321 	fd->update = true;
6322 	return 0;
6323 }
6324 
6325 static int
6326 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6327 				     struct nlattr *attrs,
6328 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6329 {
6330 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6331 	int ret;
6332 
6333 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6334 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6335 		return -EINVAL;
6336 
6337 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6338 			       attrs, NULL, NULL);
6339 	if (ret)
6340 		return ret;
6341 
6342 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6343 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6344 		presp->update = true;
6345 		return 0;
6346 	}
6347 
6348 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6349 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6350 		return -EINVAL;
6351 
6352 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6353 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6354 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6355 	presp->update = true;
6356 	return 0;
6357 }
6358 
6359 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6360 					    const struct element *rates)
6361 {
6362 	int i;
6363 
6364 	if (!rates)
6365 		return;
6366 
6367 	for (i = 0; i < rates->datalen; i++) {
6368 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6369 			params->ht_required = true;
6370 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6371 			params->vht_required = true;
6372 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6373 			params->he_required = true;
6374 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6375 			params->sae_h2e_required = true;
6376 	}
6377 }
6378 
6379 /*
6380  * Since the nl80211 API didn't include, from the beginning, attributes about
6381  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6382  * benefit of drivers that rebuild IEs in the firmware.
6383  */
6384 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6385 {
6386 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6387 	size_t ies_len = bcn->tail_len;
6388 	const u8 *ies = bcn->tail;
6389 	const struct element *rates;
6390 	const struct element *cap;
6391 
6392 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6393 	nl80211_check_ap_rate_selectors(params, rates);
6394 
6395 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6396 	nl80211_check_ap_rate_selectors(params, rates);
6397 
6398 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6399 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6400 		params->ht_cap = (void *)cap->data;
6401 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6402 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6403 		params->vht_cap = (void *)cap->data;
6404 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6405 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6406 		params->he_cap = (void *)(cap->data + 1);
6407 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6408 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6409 		params->he_oper = (void *)(cap->data + 1);
6410 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6411 	if (cap) {
6412 		if (!cap->datalen)
6413 			return -EINVAL;
6414 		params->eht_cap = (void *)(cap->data + 1);
6415 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6416 						(const u8 *)params->eht_cap,
6417 						cap->datalen - 1, true))
6418 			return -EINVAL;
6419 	}
6420 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6421 	if (cap) {
6422 		if (!cap->datalen)
6423 			return -EINVAL;
6424 		params->eht_oper = (void *)(cap->data + 1);
6425 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6426 						cap->datalen - 1))
6427 			return -EINVAL;
6428 	}
6429 	return 0;
6430 }
6431 
6432 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6433 				   struct cfg80211_ap_settings *params)
6434 {
6435 	struct wireless_dev *wdev;
6436 
6437 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6438 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6439 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6440 			continue;
6441 
6442 		if (!wdev->u.ap.preset_chandef.chan)
6443 			continue;
6444 
6445 		params->chandef = wdev->u.ap.preset_chandef;
6446 		return true;
6447 	}
6448 
6449 	return false;
6450 }
6451 
6452 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6453 				    enum nl80211_auth_type auth_type,
6454 				    enum nl80211_commands cmd)
6455 {
6456 	if (auth_type > NL80211_AUTHTYPE_MAX)
6457 		return false;
6458 
6459 	switch (cmd) {
6460 	case NL80211_CMD_AUTHENTICATE:
6461 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6462 		    auth_type == NL80211_AUTHTYPE_SAE)
6463 			return false;
6464 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6465 					     NL80211_EXT_FEATURE_FILS_STA) &&
6466 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6467 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6468 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6469 			return false;
6470 		return true;
6471 	case NL80211_CMD_CONNECT:
6472 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6473 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6474 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6475 		    auth_type == NL80211_AUTHTYPE_SAE)
6476 			return false;
6477 
6478 		/* FILS with SK PFS or PK not supported yet */
6479 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6480 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6481 			return false;
6482 		if (!wiphy_ext_feature_isset(
6483 			    &rdev->wiphy,
6484 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6485 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6486 			return false;
6487 		return true;
6488 	case NL80211_CMD_START_AP:
6489 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6490 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6491 		    auth_type == NL80211_AUTHTYPE_SAE)
6492 			return false;
6493 		/* FILS not supported yet */
6494 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6495 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6496 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6497 			return false;
6498 		return true;
6499 	default:
6500 		return false;
6501 	}
6502 }
6503 
6504 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6505 				    unsigned int link_id)
6506 {
6507 	struct wiphy *wiphy = wdev->wiphy;
6508 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6509 	struct sk_buff *msg;
6510 	void *hdr;
6511 
6512 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6513 	if (!msg)
6514 		return;
6515 
6516 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6517 	if (!hdr)
6518 		goto out;
6519 
6520 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6521 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6522 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6523 			      NL80211_ATTR_PAD) ||
6524 	    (wdev->u.ap.ssid_len &&
6525 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6526 		     wdev->u.ap.ssid)) ||
6527 	    (wdev->valid_links &&
6528 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6529 		goto out;
6530 
6531 	genlmsg_end(msg, hdr);
6532 
6533 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6534 				NL80211_MCGRP_MLME, GFP_KERNEL);
6535 	return;
6536 out:
6537 	nlmsg_free(msg);
6538 }
6539 
6540 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6541 {
6542 	struct ieee80211_channel *channel = params->chandef.chan;
6543 
6544 	if ((params->he_cap ||  params->he_oper) &&
6545 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6546 		return -EOPNOTSUPP;
6547 
6548 	if ((params->eht_cap || params->eht_oper) &&
6549 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6550 		return -EOPNOTSUPP;
6551 
6552 	return 0;
6553 }
6554 
6555 static int
6556 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6557 			       struct nlattr *attrs,
6558 			       struct cfg80211_s1g_short_beacon *sb)
6559 {
6560 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6561 	int ret;
6562 
6563 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6564 		return -EINVAL;
6565 
6566 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6567 			       NULL, NULL);
6568 	if (ret)
6569 		return ret;
6570 
6571 	/* Short beacon tail is optional (i.e might only include the TIM) */
6572 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6573 		return -EINVAL;
6574 
6575 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6576 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6577 	sb->short_tail_len = 0;
6578 
6579 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6580 		sb->short_tail =
6581 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6582 		sb->short_tail_len =
6583 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6584 	}
6585 
6586 	sb->update = true;
6587 	return 0;
6588 }
6589 
6590 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6591 {
6592 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6593 	struct cfg80211_beaconing_check_config beacon_check = {};
6594 	unsigned int link_id = nl80211_link_id(info->attrs);
6595 	struct net_device *dev = info->user_ptr[1];
6596 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6597 	struct cfg80211_ap_settings *params;
6598 	int err;
6599 
6600 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6601 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6602 		return -EOPNOTSUPP;
6603 
6604 	if (!rdev->ops->start_ap)
6605 		return -EOPNOTSUPP;
6606 
6607 	if (wdev->links[link_id].cac_started)
6608 		return -EBUSY;
6609 
6610 	if (wdev->links[link_id].ap.beacon_interval)
6611 		return -EALREADY;
6612 
6613 	/* these are required for START_AP */
6614 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6615 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6616 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6617 		return -EINVAL;
6618 
6619 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6620 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6621 		return -EOPNOTSUPP;
6622 
6623 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6624 	if (!params)
6625 		return -ENOMEM;
6626 
6627 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6628 				   info->extack);
6629 	if (err)
6630 		goto out;
6631 
6632 	params->beacon_interval =
6633 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6634 	params->dtim_period =
6635 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6636 
6637 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6638 					   params->beacon_interval);
6639 	if (err)
6640 		goto out;
6641 
6642 	/*
6643 	 * In theory, some of these attributes should be required here
6644 	 * but since they were not used when the command was originally
6645 	 * added, keep them optional for old user space programs to let
6646 	 * them continue to work with drivers that do not need the
6647 	 * additional information -- drivers must check!
6648 	 */
6649 	if (info->attrs[NL80211_ATTR_SSID]) {
6650 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6651 		params->ssid_len =
6652 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6653 		if (params->ssid_len == 0) {
6654 			err = -EINVAL;
6655 			goto out;
6656 		}
6657 
6658 		if (wdev->u.ap.ssid_len &&
6659 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6660 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6661 			/* require identical SSID for MLO */
6662 			err = -EINVAL;
6663 			goto out;
6664 		}
6665 	} else if (wdev->valid_links) {
6666 		/* require SSID for MLO */
6667 		err = -EINVAL;
6668 		goto out;
6669 	}
6670 
6671 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6672 		params->hidden_ssid = nla_get_u32(
6673 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6674 
6675 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6676 
6677 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6678 		params->auth_type = nla_get_u32(
6679 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6680 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6681 					     NL80211_CMD_START_AP)) {
6682 			err = -EINVAL;
6683 			goto out;
6684 		}
6685 	} else
6686 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6687 
6688 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6689 				      NL80211_MAX_NR_CIPHER_SUITES);
6690 	if (err)
6691 		goto out;
6692 
6693 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6694 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6695 			err = -EOPNOTSUPP;
6696 			goto out;
6697 		}
6698 		params->inactivity_timeout = nla_get_u16(
6699 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6700 	}
6701 
6702 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6703 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6704 			err = -EINVAL;
6705 			goto out;
6706 		}
6707 		params->p2p_ctwindow =
6708 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6709 		if (params->p2p_ctwindow != 0 &&
6710 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6711 			err = -EINVAL;
6712 			goto out;
6713 		}
6714 	}
6715 
6716 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6717 		u8 tmp;
6718 
6719 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6720 			err = -EINVAL;
6721 			goto out;
6722 		}
6723 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6724 		params->p2p_opp_ps = tmp;
6725 		if (params->p2p_opp_ps != 0 &&
6726 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6727 			err = -EINVAL;
6728 			goto out;
6729 		}
6730 	}
6731 
6732 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6733 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6734 		if (err)
6735 			goto out;
6736 	} else if (wdev->valid_links) {
6737 		/* with MLD need to specify the channel configuration */
6738 		err = -EINVAL;
6739 		goto out;
6740 	} else if (wdev->u.ap.preset_chandef.chan) {
6741 		params->chandef = wdev->u.ap.preset_chandef;
6742 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6743 		err = -EINVAL;
6744 		goto out;
6745 	}
6746 
6747 	beacon_check.iftype = wdev->iftype;
6748 	beacon_check.relax = true;
6749 	beacon_check.reg_power =
6750 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6751 					     params->beacon.tail_len);
6752 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6753 					  &beacon_check)) {
6754 		err = -EINVAL;
6755 		goto out;
6756 	}
6757 
6758 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6759 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6760 						    NL80211_ATTR_TX_RATES,
6761 						    &params->beacon_rate,
6762 						    dev, false, link_id);
6763 		if (err)
6764 			goto out;
6765 
6766 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6767 					      &params->beacon_rate);
6768 		if (err)
6769 			goto out;
6770 	}
6771 
6772 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6773 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6774 		err = -EOPNOTSUPP;
6775 		goto out;
6776 	}
6777 
6778 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6779 		params->acl = parse_acl_data(&rdev->wiphy, info);
6780 		if (IS_ERR(params->acl)) {
6781 			err = PTR_ERR(params->acl);
6782 			params->acl = NULL;
6783 			goto out;
6784 		}
6785 	}
6786 
6787 	params->twt_responder =
6788 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6789 
6790 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6791 		err = nl80211_parse_he_obss_pd(
6792 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6793 					&params->he_obss_pd);
6794 		if (err)
6795 			goto out;
6796 	}
6797 
6798 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6799 		err = nl80211_parse_fils_discovery(rdev,
6800 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6801 						   &params->fils_discovery);
6802 		if (err)
6803 			goto out;
6804 	}
6805 
6806 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6807 		err = nl80211_parse_unsol_bcast_probe_resp(
6808 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6809 			&params->unsol_bcast_probe_resp);
6810 		if (err)
6811 			goto out;
6812 	}
6813 
6814 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6815 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
6816 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6817 						  &params->mbssid_config,
6818 						  params->beacon.mbssid_ies ?
6819 							params->beacon.mbssid_ies->cnt :
6820 							0);
6821 		if (err)
6822 			goto out;
6823 	}
6824 
6825 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6826 		err = -EINVAL;
6827 		goto out;
6828 	}
6829 
6830 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
6831 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
6832 			err = -EINVAL;
6833 			goto out;
6834 		}
6835 
6836 		params->s1g_long_beacon_period = nla_get_u8(
6837 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
6838 
6839 		err = nl80211_parse_s1g_short_beacon(
6840 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
6841 			&params->s1g_short_beacon);
6842 		if (err)
6843 			goto out;
6844 	}
6845 
6846 	err = nl80211_calculate_ap_params(params);
6847 	if (err)
6848 		goto out;
6849 
6850 	err = nl80211_validate_ap_phy_operation(params);
6851 	if (err)
6852 		goto out;
6853 
6854 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6855 		params->flags = nla_get_u32(
6856 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6857 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6858 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6859 
6860 	if (wdev->conn_owner_nlportid &&
6861 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6862 	    wdev->conn_owner_nlportid != info->snd_portid) {
6863 		err = -EINVAL;
6864 		goto out;
6865 	}
6866 
6867 	/* FIXME: validate MLO/link-id against driver capabilities */
6868 
6869 	err = rdev_start_ap(rdev, dev, params);
6870 	if (!err) {
6871 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6872 		wdev->links[link_id].ap.chandef = params->chandef;
6873 		wdev->u.ap.ssid_len = params->ssid_len;
6874 		memcpy(wdev->u.ap.ssid, params->ssid,
6875 		       params->ssid_len);
6876 
6877 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6878 			wdev->conn_owner_nlportid = info->snd_portid;
6879 
6880 		nl80211_send_ap_started(wdev, link_id);
6881 	}
6882 out:
6883 	kfree(params->acl);
6884 	kfree(params->beacon.mbssid_ies);
6885 	if (params->mbssid_config.tx_wdev &&
6886 	    params->mbssid_config.tx_wdev->netdev &&
6887 	    params->mbssid_config.tx_wdev->netdev != dev)
6888 		dev_put(params->mbssid_config.tx_wdev->netdev);
6889 	kfree(params->beacon.rnr_ies);
6890 	kfree(params);
6891 
6892 	return err;
6893 }
6894 
6895 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6896 {
6897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6898 	struct cfg80211_beaconing_check_config beacon_check = {};
6899 	unsigned int link_id = nl80211_link_id(info->attrs);
6900 	struct net_device *dev = info->user_ptr[1];
6901 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6902 	struct cfg80211_ap_update *params;
6903 	struct nlattr *attr;
6904 	int err;
6905 
6906 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6907 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6908 		return -EOPNOTSUPP;
6909 
6910 	if (!rdev->ops->change_beacon)
6911 		return -EOPNOTSUPP;
6912 
6913 	if (!wdev->links[link_id].ap.beacon_interval)
6914 		return -EINVAL;
6915 
6916 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6917 	if (!params)
6918 		return -ENOMEM;
6919 
6920 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6921 				   info->extack);
6922 	if (err)
6923 		goto out;
6924 
6925 	/* recheck beaconing is permitted with possibly changed power type */
6926 	beacon_check.iftype = wdev->iftype;
6927 	beacon_check.relax = true;
6928 	beacon_check.reg_power =
6929 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6930 					     params->beacon.tail_len);
6931 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6932 					  &wdev->links[link_id].ap.chandef,
6933 					  &beacon_check)) {
6934 		err = -EINVAL;
6935 		goto out;
6936 	}
6937 
6938 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6939 	if (attr) {
6940 		err = nl80211_parse_fils_discovery(rdev, attr,
6941 						   &params->fils_discovery);
6942 		if (err)
6943 			goto out;
6944 	}
6945 
6946 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6947 	if (attr) {
6948 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6949 							   &params->unsol_bcast_probe_resp);
6950 		if (err)
6951 			goto out;
6952 	}
6953 
6954 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
6955 	if (attr) {
6956 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
6957 						     &params->s1g_short_beacon);
6958 		if (err)
6959 			goto out;
6960 	}
6961 
6962 	err = rdev_change_beacon(rdev, dev, params);
6963 
6964 out:
6965 	kfree(params->beacon.mbssid_ies);
6966 	kfree(params->beacon.rnr_ies);
6967 	kfree(params);
6968 	return err;
6969 }
6970 
6971 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6972 {
6973 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6974 	unsigned int link_id = nl80211_link_id(info->attrs);
6975 	struct net_device *dev = info->user_ptr[1];
6976 
6977 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6978 }
6979 
6980 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6981 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6982 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6983 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6984 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6985 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6986 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6987 };
6988 
6989 static int parse_station_flags(struct genl_info *info,
6990 			       enum nl80211_iftype iftype,
6991 			       struct station_parameters *params)
6992 {
6993 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6994 	struct nlattr *nla;
6995 	int flag;
6996 
6997 	/*
6998 	 * Try parsing the new attribute first so userspace
6999 	 * can specify both for older kernels.
7000 	 */
7001 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7002 	if (nla) {
7003 		struct nl80211_sta_flag_update *sta_flags;
7004 
7005 		sta_flags = nla_data(nla);
7006 		params->sta_flags_mask = sta_flags->mask;
7007 		params->sta_flags_set = sta_flags->set;
7008 		params->sta_flags_set &= params->sta_flags_mask;
7009 		if ((params->sta_flags_mask |
7010 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7011 			return -EINVAL;
7012 		return 0;
7013 	}
7014 
7015 	/* if present, parse the old attribute */
7016 
7017 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7018 	if (!nla)
7019 		return 0;
7020 
7021 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7022 		return -EINVAL;
7023 
7024 	/*
7025 	 * Only allow certain flags for interface types so that
7026 	 * other attributes are silently ignored. Remember that
7027 	 * this is backward compatibility code with old userspace
7028 	 * and shouldn't be hit in other cases anyway.
7029 	 */
7030 	switch (iftype) {
7031 	case NL80211_IFTYPE_AP:
7032 	case NL80211_IFTYPE_AP_VLAN:
7033 	case NL80211_IFTYPE_P2P_GO:
7034 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7035 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7036 					 BIT(NL80211_STA_FLAG_WME) |
7037 					 BIT(NL80211_STA_FLAG_MFP);
7038 		break;
7039 	case NL80211_IFTYPE_P2P_CLIENT:
7040 	case NL80211_IFTYPE_STATION:
7041 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7042 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7043 		break;
7044 	case NL80211_IFTYPE_MESH_POINT:
7045 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7046 					 BIT(NL80211_STA_FLAG_MFP) |
7047 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7048 		break;
7049 	default:
7050 		return -EINVAL;
7051 	}
7052 
7053 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7054 		if (flags[flag]) {
7055 			params->sta_flags_set |= (1<<flag);
7056 
7057 			/* no longer support new API additions in old API */
7058 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7059 				return -EINVAL;
7060 		}
7061 	}
7062 
7063 	return 0;
7064 }
7065 
7066 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7067 {
7068 	struct nlattr *rate;
7069 	u32 bitrate;
7070 	u16 bitrate_compat;
7071 	enum nl80211_rate_info rate_flg;
7072 
7073 	rate = nla_nest_start_noflag(msg, attr);
7074 	if (!rate)
7075 		return false;
7076 
7077 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7078 	bitrate = cfg80211_calculate_bitrate(info);
7079 	/* report 16-bit bitrate only if we can */
7080 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7081 	if (bitrate > 0 &&
7082 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7083 		return false;
7084 	if (bitrate_compat > 0 &&
7085 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7086 		return false;
7087 
7088 	switch (info->bw) {
7089 	case RATE_INFO_BW_1:
7090 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7091 		break;
7092 	case RATE_INFO_BW_2:
7093 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7094 		break;
7095 	case RATE_INFO_BW_4:
7096 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7097 		break;
7098 	case RATE_INFO_BW_5:
7099 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7100 		break;
7101 	case RATE_INFO_BW_8:
7102 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7103 		break;
7104 	case RATE_INFO_BW_10:
7105 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7106 		break;
7107 	case RATE_INFO_BW_16:
7108 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7109 		break;
7110 	default:
7111 		WARN_ON(1);
7112 		fallthrough;
7113 	case RATE_INFO_BW_20:
7114 		rate_flg = 0;
7115 		break;
7116 	case RATE_INFO_BW_40:
7117 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7118 		break;
7119 	case RATE_INFO_BW_80:
7120 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7121 		break;
7122 	case RATE_INFO_BW_160:
7123 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7124 		break;
7125 	case RATE_INFO_BW_HE_RU:
7126 		rate_flg = 0;
7127 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7128 		break;
7129 	case RATE_INFO_BW_320:
7130 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7131 		break;
7132 	case RATE_INFO_BW_EHT_RU:
7133 		rate_flg = 0;
7134 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
7135 		break;
7136 	}
7137 
7138 	if (rate_flg && nla_put_flag(msg, rate_flg))
7139 		return false;
7140 
7141 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7142 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7143 			return false;
7144 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7145 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7146 			return false;
7147 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7148 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7149 			return false;
7150 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7151 			return false;
7152 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7153 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7154 			return false;
7155 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7156 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7157 			return false;
7158 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7159 			return false;
7160 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7161 			return false;
7162 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7163 			return false;
7164 		if (info->bw == RATE_INFO_BW_HE_RU &&
7165 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7166 			       info->he_ru_alloc))
7167 			return false;
7168 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7169 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7170 			return false;
7171 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7172 			return false;
7173 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7174 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7175 			return false;
7176 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7177 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7178 			return false;
7179 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7180 			return false;
7181 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7182 			return false;
7183 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7184 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7185 			       info->eht_ru_alloc))
7186 			return false;
7187 	}
7188 
7189 	nla_nest_end(msg, rate);
7190 	return true;
7191 }
7192 
7193 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7194 			       int id)
7195 {
7196 	void *attr;
7197 	int i = 0;
7198 
7199 	if (!mask)
7200 		return true;
7201 
7202 	attr = nla_nest_start_noflag(msg, id);
7203 	if (!attr)
7204 		return false;
7205 
7206 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7207 		if (!(mask & BIT(i)))
7208 			continue;
7209 
7210 		if (nla_put_u8(msg, i, signal[i]))
7211 			return false;
7212 	}
7213 
7214 	nla_nest_end(msg, attr);
7215 
7216 	return true;
7217 }
7218 
7219 static int nl80211_fill_link_station(struct sk_buff *msg,
7220 				     struct cfg80211_registered_device *rdev,
7221 				     struct link_station_info *link_sinfo)
7222 {
7223 	struct nlattr *bss_param, *link_sinfoattr;
7224 
7225 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7226 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7227 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7228 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7229 			     link_sinfo->memb))				\
7230 		goto nla_put_failure;					\
7231 	} while (0)
7232 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7233 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7234 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7235 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7236 		goto nla_put_failure;					\
7237 	} while (0)
7238 
7239 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7240 	if (!link_sinfoattr)
7241 		goto nla_put_failure;
7242 
7243 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7244 
7245 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7246 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7247 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7248 			(u32)link_sinfo->rx_bytes))
7249 		goto nla_put_failure;
7250 
7251 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7252 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7253 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7254 			(u32)link_sinfo->tx_bytes))
7255 		goto nla_put_failure;
7256 
7257 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7258 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7259 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7260 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7261 
7262 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7263 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7264 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7265 
7266 	switch (rdev->wiphy.signal_type) {
7267 	case CFG80211_SIGNAL_TYPE_MBM:
7268 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7269 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7270 		break;
7271 	default:
7272 		break;
7273 	}
7274 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7275 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7276 					link_sinfo->chain_signal,
7277 					NL80211_STA_INFO_CHAIN_SIGNAL))
7278 			goto nla_put_failure;
7279 	}
7280 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7281 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7282 					link_sinfo->chain_signal_avg,
7283 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7284 			goto nla_put_failure;
7285 	}
7286 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7287 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7288 					  NL80211_STA_INFO_TX_BITRATE))
7289 			goto nla_put_failure;
7290 	}
7291 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7292 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7293 					  NL80211_STA_INFO_RX_BITRATE))
7294 			goto nla_put_failure;
7295 	}
7296 
7297 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7298 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7299 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7300 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7301 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7302 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7303 
7304 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7305 		bss_param = nla_nest_start_noflag(msg,
7306 						  NL80211_STA_INFO_BSS_PARAM);
7307 		if (!bss_param)
7308 			goto nla_put_failure;
7309 
7310 		if (((link_sinfo->bss_param.flags &
7311 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7312 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7313 		    ((link_sinfo->bss_param.flags &
7314 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7315 		     nla_put_flag(msg,
7316 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7317 		    ((link_sinfo->bss_param.flags &
7318 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7319 		     nla_put_flag(msg,
7320 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7321 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7322 			       link_sinfo->bss_param.dtim_period) ||
7323 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7324 				link_sinfo->bss_param.beacon_interval))
7325 			goto nla_put_failure;
7326 
7327 		nla_nest_end(msg, bss_param);
7328 	}
7329 
7330 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7331 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7332 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7333 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7334 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7335 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7336 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7337 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7338 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7339 	}
7340 
7341 #undef PUT_LINK_SINFO
7342 #undef PUT_LINK_SINFO_U64
7343 
7344 	if (link_sinfo->pertid) {
7345 		struct nlattr *tidsattr;
7346 		int tid;
7347 
7348 		tidsattr = nla_nest_start_noflag(msg,
7349 						 NL80211_STA_INFO_TID_STATS);
7350 		if (!tidsattr)
7351 			goto nla_put_failure;
7352 
7353 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7354 			struct cfg80211_tid_stats *tidstats;
7355 			struct nlattr *tidattr;
7356 
7357 			tidstats = &link_sinfo->pertid[tid];
7358 
7359 			if (!tidstats->filled)
7360 				continue;
7361 
7362 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7363 			if (!tidattr)
7364 				goto nla_put_failure;
7365 
7366 #define PUT_TIDVAL_U64(attr, memb) do {					\
7367 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7368 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7369 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7370 		goto nla_put_failure;					\
7371 	} while (0)
7372 
7373 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7374 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7375 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7376 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7377 
7378 #undef PUT_TIDVAL_U64
7379 			if ((tidstats->filled &
7380 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7381 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7382 						   NL80211_TID_STATS_TXQ_STATS))
7383 				goto nla_put_failure;
7384 
7385 			nla_nest_end(msg, tidattr);
7386 		}
7387 
7388 		nla_nest_end(msg, tidsattr);
7389 	}
7390 
7391 	nla_nest_end(msg, link_sinfoattr);
7392 	return 0;
7393 
7394 nla_put_failure:
7395 	return -EMSGSIZE;
7396 }
7397 
7398 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7399 				u32 seq, int flags,
7400 				struct cfg80211_registered_device *rdev,
7401 				struct net_device *dev,
7402 				const u8 *mac_addr, struct station_info *sinfo,
7403 				bool link_stats)
7404 {
7405 	void *hdr;
7406 	struct nlattr *sinfoattr, *bss_param;
7407 	struct link_station_info *link_sinfo;
7408 	struct nlattr *links, *link;
7409 	int link_id;
7410 
7411 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7412 	if (!hdr) {
7413 		cfg80211_sinfo_release_content(sinfo);
7414 		return -1;
7415 	}
7416 
7417 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7418 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7419 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7420 		goto nla_put_failure;
7421 
7422 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7423 	if (!sinfoattr)
7424 		goto nla_put_failure;
7425 
7426 #define PUT_SINFO(attr, memb, type) do {				\
7427 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7428 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7429 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7430 			     sinfo->memb))				\
7431 		goto nla_put_failure;					\
7432 	} while (0)
7433 #define PUT_SINFO_U64(attr, memb) do {					\
7434 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7435 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7436 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7437 		goto nla_put_failure;					\
7438 	} while (0)
7439 
7440 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7441 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7442 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7443 
7444 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7445 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7446 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7447 			(u32)sinfo->rx_bytes))
7448 		goto nla_put_failure;
7449 
7450 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7451 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7452 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7453 			(u32)sinfo->tx_bytes))
7454 		goto nla_put_failure;
7455 
7456 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7457 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7458 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7459 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7460 
7461 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7462 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7463 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7464 
7465 	switch (rdev->wiphy.signal_type) {
7466 	case CFG80211_SIGNAL_TYPE_MBM:
7467 		PUT_SINFO(SIGNAL, signal, u8);
7468 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7469 		break;
7470 	default:
7471 		break;
7472 	}
7473 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7474 		if (!nl80211_put_signal(msg, sinfo->chains,
7475 					sinfo->chain_signal,
7476 					NL80211_STA_INFO_CHAIN_SIGNAL))
7477 			goto nla_put_failure;
7478 	}
7479 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7480 		if (!nl80211_put_signal(msg, sinfo->chains,
7481 					sinfo->chain_signal_avg,
7482 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7483 			goto nla_put_failure;
7484 	}
7485 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7486 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7487 					  NL80211_STA_INFO_TX_BITRATE))
7488 			goto nla_put_failure;
7489 	}
7490 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7491 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7492 					  NL80211_STA_INFO_RX_BITRATE))
7493 			goto nla_put_failure;
7494 	}
7495 
7496 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7497 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7498 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7499 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7500 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7501 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7502 
7503 	PUT_SINFO(LLID, llid, u16);
7504 	PUT_SINFO(PLID, plid, u16);
7505 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7506 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7507 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7508 	PUT_SINFO(PEER_PM, peer_pm, u32);
7509 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7510 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7511 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7512 	PUT_SINFO_U64(T_OFFSET, t_offset);
7513 
7514 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7515 		bss_param = nla_nest_start_noflag(msg,
7516 						  NL80211_STA_INFO_BSS_PARAM);
7517 		if (!bss_param)
7518 			goto nla_put_failure;
7519 
7520 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7521 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7522 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7523 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7524 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7525 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7526 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7527 			       sinfo->bss_param.dtim_period) ||
7528 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7529 				sinfo->bss_param.beacon_interval))
7530 			goto nla_put_failure;
7531 
7532 		nla_nest_end(msg, bss_param);
7533 	}
7534 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7535 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7536 		    sizeof(struct nl80211_sta_flag_update),
7537 		    &sinfo->sta_flags))
7538 		goto nla_put_failure;
7539 
7540 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7541 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7542 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7543 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7544 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7545 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7546 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7547 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7548 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7549 	}
7550 
7551 #undef PUT_SINFO
7552 #undef PUT_SINFO_U64
7553 
7554 	if (sinfo->pertid) {
7555 		struct nlattr *tidsattr;
7556 		int tid;
7557 
7558 		tidsattr = nla_nest_start_noflag(msg,
7559 						 NL80211_STA_INFO_TID_STATS);
7560 		if (!tidsattr)
7561 			goto nla_put_failure;
7562 
7563 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7564 			struct cfg80211_tid_stats *tidstats;
7565 			struct nlattr *tidattr;
7566 
7567 			tidstats = &sinfo->pertid[tid];
7568 
7569 			if (!tidstats->filled)
7570 				continue;
7571 
7572 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7573 			if (!tidattr)
7574 				goto nla_put_failure;
7575 
7576 #define PUT_TIDVAL_U64(attr, memb) do {					\
7577 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7578 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7579 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7580 		goto nla_put_failure;					\
7581 	} while (0)
7582 
7583 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7584 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7585 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7586 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7587 
7588 #undef PUT_TIDVAL_U64
7589 			if ((tidstats->filled &
7590 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7591 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7592 						   NL80211_TID_STATS_TXQ_STATS))
7593 				goto nla_put_failure;
7594 
7595 			nla_nest_end(msg, tidattr);
7596 		}
7597 
7598 		nla_nest_end(msg, tidsattr);
7599 	}
7600 
7601 	nla_nest_end(msg, sinfoattr);
7602 
7603 	if (sinfo->assoc_req_ies_len &&
7604 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7605 		    sinfo->assoc_req_ies))
7606 		goto nla_put_failure;
7607 
7608 	if (sinfo->assoc_resp_ies_len &&
7609 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7610 		    sinfo->assoc_resp_ies))
7611 		goto nla_put_failure;
7612 
7613 	if (sinfo->mlo_params_valid) {
7614 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7615 			       sinfo->assoc_link_id))
7616 			goto nla_put_failure;
7617 
7618 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7619 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7620 			    sinfo->mld_addr))
7621 			goto nla_put_failure;
7622 	}
7623 
7624 	if (link_stats && sinfo->valid_links) {
7625 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7626 		if (!links)
7627 			goto nla_put_failure;
7628 
7629 		for_each_valid_link(sinfo, link_id) {
7630 			link_sinfo = sinfo->links[link_id];
7631 
7632 			if (WARN_ON_ONCE(!link_sinfo))
7633 				continue;
7634 
7635 			if (!is_valid_ether_addr(link_sinfo->addr))
7636 				continue;
7637 
7638 			link = nla_nest_start(msg, link_id + 1);
7639 			if (!link)
7640 				goto nla_put_failure;
7641 
7642 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7643 				       link_id))
7644 				goto nla_put_failure;
7645 
7646 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7647 				    link_sinfo->addr))
7648 				goto nla_put_failure;
7649 
7650 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7651 				goto nla_put_failure;
7652 
7653 			nla_nest_end(msg, link);
7654 		}
7655 		nla_nest_end(msg, links);
7656 	}
7657 
7658 	cfg80211_sinfo_release_content(sinfo);
7659 	genlmsg_end(msg, hdr);
7660 	return 0;
7661 
7662  nla_put_failure:
7663 	cfg80211_sinfo_release_content(sinfo);
7664 	genlmsg_cancel(msg, hdr);
7665 	return -EMSGSIZE;
7666 }
7667 
7668 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
7669 {
7670 	struct link_station_info *link_sinfo;
7671 	int link_id, init = 0;
7672 	u32 link_inactive_time;
7673 
7674 	sinfo->signal = -99;
7675 
7676 	for_each_valid_link(sinfo, link_id) {
7677 		link_sinfo = sinfo->links[link_id];
7678 		if (!link_sinfo)
7679 			continue;
7680 
7681 		if ((link_sinfo->filled &
7682 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
7683 			sinfo->tx_packets += link_sinfo->tx_packets;
7684 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
7685 		}
7686 
7687 		if ((link_sinfo->filled &
7688 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
7689 			sinfo->rx_packets += link_sinfo->rx_packets;
7690 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
7691 		}
7692 
7693 		if (link_sinfo->filled &
7694 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7695 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7696 			sinfo->tx_bytes += link_sinfo->tx_bytes;
7697 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
7698 		}
7699 
7700 		if (link_sinfo->filled &
7701 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7702 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7703 			sinfo->rx_bytes += link_sinfo->rx_bytes;
7704 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
7705 		}
7706 
7707 		if (link_sinfo->filled &
7708 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
7709 			sinfo->tx_retries += link_sinfo->tx_retries;
7710 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
7711 		}
7712 
7713 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
7714 			sinfo->tx_failed += link_sinfo->tx_failed;
7715 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
7716 		}
7717 
7718 		if (link_sinfo->filled &
7719 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
7720 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
7721 			sinfo->filled |=
7722 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
7723 		}
7724 
7725 		if (link_sinfo->filled &
7726 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
7727 			sinfo->beacon_loss_count +=
7728 				link_sinfo->beacon_loss_count;
7729 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
7730 		}
7731 
7732 		if (link_sinfo->filled &
7733 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
7734 			sinfo->expected_throughput +=
7735 				link_sinfo->expected_throughput;
7736 			sinfo->filled |=
7737 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
7738 		}
7739 
7740 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
7741 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
7742 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
7743 		}
7744 
7745 		if (link_sinfo->filled &
7746 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
7747 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
7748 			sinfo->filled |=
7749 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
7750 		}
7751 
7752 		if (link_sinfo->filled &
7753 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
7754 			sinfo->rx_beacon += link_sinfo->rx_beacon;
7755 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
7756 		}
7757 
7758 		/* Update MLO signal, signal_avg as best among links */
7759 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
7760 		    link_sinfo->signal > sinfo->signal) {
7761 			sinfo->signal = link_sinfo->signal;
7762 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
7763 		}
7764 
7765 		if ((link_sinfo->filled &
7766 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
7767 		    link_sinfo->signal_avg > sinfo->signal_avg) {
7768 			sinfo->signal_avg = link_sinfo->signal_avg;
7769 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
7770 		}
7771 
7772 		/* Update MLO inactive_time, bss_param based on least
7773 		 * value for corresponding field of link.
7774 		 */
7775 		if ((link_sinfo->filled &
7776 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
7777 		    (!init ||
7778 		     link_inactive_time > link_sinfo->inactive_time)) {
7779 			link_inactive_time = link_sinfo->inactive_time;
7780 			sinfo->inactive_time = link_sinfo->inactive_time;
7781 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
7782 		}
7783 
7784 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
7785 		    (!init ||
7786 		     sinfo->bss_param.dtim_period >
7787 		      link_sinfo->bss_param.dtim_period)) {
7788 			sinfo->bss_param.dtim_period =
7789 				link_sinfo->bss_param.dtim_period;
7790 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
7791 			sinfo->bss_param.beacon_interval =
7792 				link_sinfo->bss_param.beacon_interval;
7793 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
7794 		}
7795 
7796 		/* Update MLO rates as per last updated link rate */
7797 		if ((link_sinfo->filled &
7798 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
7799 		    (!init ||
7800 		     link_inactive_time > link_sinfo->inactive_time)) {
7801 			sinfo->txrate = link_sinfo->txrate;
7802 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
7803 		}
7804 		if ((link_sinfo->filled &
7805 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
7806 		    (!init ||
7807 		     link_inactive_time > link_sinfo->inactive_time)) {
7808 			sinfo->rxrate = link_sinfo->rxrate;
7809 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
7810 		}
7811 
7812 		if (link_sinfo->filled &
7813 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
7814 		    (!init ||
7815 		     link_inactive_time > link_sinfo->inactive_time)) {
7816 			sinfo->tx_duration += link_sinfo->tx_duration;
7817 			sinfo->filled |=
7818 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
7819 		}
7820 		if (link_sinfo->filled &
7821 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
7822 		    (!init ||
7823 		     link_inactive_time > link_sinfo->inactive_time)) {
7824 			sinfo->rx_duration += link_sinfo->rx_duration;
7825 			sinfo->filled |=
7826 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
7827 		}
7828 		init++;
7829 
7830 		/* pertid stats accumulate for rx/tx fields */
7831 		if (sinfo->pertid) {
7832 			sinfo->pertid->rx_msdu +=
7833 				link_sinfo->pertid->rx_msdu;
7834 			sinfo->pertid->tx_msdu +=
7835 				link_sinfo->pertid->tx_msdu;
7836 			sinfo->pertid->tx_msdu_retries +=
7837 				link_sinfo->pertid->tx_msdu_retries;
7838 			sinfo->pertid->tx_msdu_failed +=
7839 				link_sinfo->pertid->tx_msdu_failed;
7840 
7841 			sinfo->pertid->filled |=
7842 				BIT(NL80211_TID_STATS_RX_MSDU) |
7843 				BIT(NL80211_TID_STATS_TX_MSDU) |
7844 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
7845 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
7846 		}
7847 	}
7848 
7849 	/* Reset sinfo->filled bits to exclude fields which don't make
7850 	 * much sense at the MLO level.
7851 	 */
7852 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
7853 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
7854 }
7855 
7856 static int nl80211_dump_station(struct sk_buff *skb,
7857 				struct netlink_callback *cb)
7858 {
7859 	struct station_info sinfo;
7860 	struct cfg80211_registered_device *rdev;
7861 	struct wireless_dev *wdev;
7862 	u8 mac_addr[ETH_ALEN];
7863 	int sta_idx = cb->args[2];
7864 	bool sinfo_alloc = false;
7865 	int err, i;
7866 
7867 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7868 	if (err)
7869 		return err;
7870 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7871 	__acquire(&rdev->wiphy.mtx);
7872 
7873 	if (!wdev->netdev) {
7874 		err = -EINVAL;
7875 		goto out_err;
7876 	}
7877 
7878 	if (!rdev->ops->dump_station) {
7879 		err = -EOPNOTSUPP;
7880 		goto out_err;
7881 	}
7882 
7883 	while (1) {
7884 		memset(&sinfo, 0, sizeof(sinfo));
7885 
7886 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7887 			sinfo.links[i] =
7888 				kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
7889 			if (!sinfo.links[i]) {
7890 				err = -ENOMEM;
7891 				goto out_err;
7892 			}
7893 			sinfo_alloc = true;
7894 		}
7895 
7896 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
7897 					mac_addr, &sinfo);
7898 		if (err == -ENOENT)
7899 			break;
7900 		if (err)
7901 			goto out_err;
7902 
7903 		if (sinfo.valid_links)
7904 			cfg80211_sta_set_mld_sinfo(&sinfo);
7905 
7906 		/* reset the sinfo_alloc flag as nl80211_send_station()
7907 		 * always releases sinfo
7908 		 */
7909 		sinfo_alloc = false;
7910 
7911 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
7912 				NETLINK_CB(cb->skb).portid,
7913 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7914 				rdev, wdev->netdev, mac_addr,
7915 				&sinfo, false) < 0)
7916 			goto out;
7917 
7918 		sta_idx++;
7919 	}
7920 
7921  out:
7922 	cb->args[2] = sta_idx;
7923 	err = skb->len;
7924  out_err:
7925 	if (sinfo_alloc)
7926 		cfg80211_sinfo_release_content(&sinfo);
7927 	wiphy_unlock(&rdev->wiphy);
7928 
7929 	return err;
7930 }
7931 
7932 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
7933 {
7934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7935 	struct net_device *dev = info->user_ptr[1];
7936 	struct station_info sinfo;
7937 	struct sk_buff *msg;
7938 	u8 *mac_addr = NULL;
7939 	int err, i;
7940 
7941 	memset(&sinfo, 0, sizeof(sinfo));
7942 
7943 	if (!info->attrs[NL80211_ATTR_MAC])
7944 		return -EINVAL;
7945 
7946 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7947 
7948 	if (!rdev->ops->get_station)
7949 		return -EOPNOTSUPP;
7950 
7951 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7952 		sinfo.links[i] = kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
7953 		if (!sinfo.links[i]) {
7954 			cfg80211_sinfo_release_content(&sinfo);
7955 			return -ENOMEM;
7956 		}
7957 	}
7958 
7959 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
7960 	if (err) {
7961 		cfg80211_sinfo_release_content(&sinfo);
7962 		return err;
7963 	}
7964 
7965 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7966 	if (!msg) {
7967 		cfg80211_sinfo_release_content(&sinfo);
7968 		return -ENOMEM;
7969 	}
7970 
7971 	if (sinfo.valid_links)
7972 		cfg80211_sta_set_mld_sinfo(&sinfo);
7973 
7974 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
7975 				 info->snd_portid, info->snd_seq, 0,
7976 				 rdev, dev, mac_addr, &sinfo, false) < 0) {
7977 		nlmsg_free(msg);
7978 		return -ENOBUFS;
7979 	}
7980 
7981 	return genlmsg_reply(msg, info);
7982 }
7983 
7984 int cfg80211_check_station_change(struct wiphy *wiphy,
7985 				  struct station_parameters *params,
7986 				  enum cfg80211_station_type statype)
7987 {
7988 	if (params->listen_interval != -1 &&
7989 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7990 		return -EINVAL;
7991 
7992 	if (params->support_p2p_ps != -1 &&
7993 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7994 		return -EINVAL;
7995 
7996 	if (params->aid &&
7997 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7998 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7999 		return -EINVAL;
8000 
8001 	/* When you run into this, adjust the code below for the new flag */
8002 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8003 
8004 	switch (statype) {
8005 	case CFG80211_STA_MESH_PEER_KERNEL:
8006 	case CFG80211_STA_MESH_PEER_USER:
8007 		/*
8008 		 * No ignoring the TDLS flag here -- the userspace mesh
8009 		 * code doesn't have the bug of including TDLS in the
8010 		 * mask everywhere.
8011 		 */
8012 		if (params->sta_flags_mask &
8013 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8014 				  BIT(NL80211_STA_FLAG_MFP) |
8015 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8016 			return -EINVAL;
8017 		break;
8018 	case CFG80211_STA_TDLS_PEER_SETUP:
8019 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8020 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8021 			return -EINVAL;
8022 		/* ignore since it can't change */
8023 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8024 		break;
8025 	default:
8026 		/* disallow mesh-specific things */
8027 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8028 			return -EINVAL;
8029 		if (params->local_pm)
8030 			return -EINVAL;
8031 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8032 			return -EINVAL;
8033 	}
8034 
8035 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8036 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8037 		/* TDLS can't be set, ... */
8038 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8039 			return -EINVAL;
8040 		/*
8041 		 * ... but don't bother the driver with it. This works around
8042 		 * a hostapd/wpa_supplicant issue -- it always includes the
8043 		 * TLDS_PEER flag in the mask even for AP mode.
8044 		 */
8045 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8046 	}
8047 
8048 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8049 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8050 		/* reject other things that can't change */
8051 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8052 			return -EINVAL;
8053 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8054 			return -EINVAL;
8055 		if (params->link_sta_params.supported_rates)
8056 			return -EINVAL;
8057 		if (params->ext_capab || params->link_sta_params.ht_capa ||
8058 		    params->link_sta_params.vht_capa ||
8059 		    params->link_sta_params.he_capa ||
8060 		    params->link_sta_params.eht_capa)
8061 			return -EINVAL;
8062 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8063 			return -EINVAL;
8064 	}
8065 
8066 	if (statype != CFG80211_STA_AP_CLIENT &&
8067 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8068 		if (params->vlan)
8069 			return -EINVAL;
8070 	}
8071 
8072 	/* Accept EMLSR capabilities only for AP client before association */
8073 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8074 	    params->eml_cap_present)
8075 		return -EINVAL;
8076 
8077 	switch (statype) {
8078 	case CFG80211_STA_AP_MLME_CLIENT:
8079 		/* Use this only for authorizing/unauthorizing a station */
8080 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8081 			return -EOPNOTSUPP;
8082 		break;
8083 	case CFG80211_STA_AP_CLIENT:
8084 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8085 		/* accept only the listed bits */
8086 		if (params->sta_flags_mask &
8087 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8088 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8089 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8090 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8091 				  BIT(NL80211_STA_FLAG_WME) |
8092 				  BIT(NL80211_STA_FLAG_MFP) |
8093 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8094 			return -EINVAL;
8095 
8096 		/* but authenticated/associated only if driver handles it */
8097 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8098 		    params->sta_flags_mask &
8099 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8100 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8101 			return -EINVAL;
8102 		break;
8103 	case CFG80211_STA_IBSS:
8104 	case CFG80211_STA_AP_STA:
8105 		/* reject any changes other than AUTHORIZED */
8106 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8107 			return -EINVAL;
8108 		break;
8109 	case CFG80211_STA_TDLS_PEER_SETUP:
8110 		/* reject any changes other than AUTHORIZED or WME */
8111 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8112 					       BIT(NL80211_STA_FLAG_WME)))
8113 			return -EINVAL;
8114 		/* force (at least) rates when authorizing */
8115 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8116 		    !params->link_sta_params.supported_rates)
8117 			return -EINVAL;
8118 		break;
8119 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8120 		/* reject any changes */
8121 		return -EINVAL;
8122 	case CFG80211_STA_MESH_PEER_KERNEL:
8123 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8124 			return -EINVAL;
8125 		break;
8126 	case CFG80211_STA_MESH_PEER_USER:
8127 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8128 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8129 			return -EINVAL;
8130 		break;
8131 	}
8132 
8133 	/*
8134 	 * Older kernel versions ignored this attribute entirely, so don't
8135 	 * reject attempts to update it but mark it as unused instead so the
8136 	 * driver won't look at the data.
8137 	 */
8138 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8139 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8140 		params->link_sta_params.opmode_notif_used = false;
8141 
8142 	return 0;
8143 }
8144 EXPORT_SYMBOL(cfg80211_check_station_change);
8145 
8146 /*
8147  * Get vlan interface making sure it is running and on the right wiphy.
8148  */
8149 static struct net_device *get_vlan(struct genl_info *info,
8150 				   struct cfg80211_registered_device *rdev)
8151 {
8152 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8153 	struct net_device *v;
8154 	int ret;
8155 
8156 	if (!vlanattr)
8157 		return NULL;
8158 
8159 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8160 	if (!v)
8161 		return ERR_PTR(-ENODEV);
8162 
8163 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8164 		ret = -EINVAL;
8165 		goto error;
8166 	}
8167 
8168 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8169 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8170 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8171 		ret = -EINVAL;
8172 		goto error;
8173 	}
8174 
8175 	if (!netif_running(v)) {
8176 		ret = -ENETDOWN;
8177 		goto error;
8178 	}
8179 
8180 	return v;
8181  error:
8182 	dev_put(v);
8183 	return ERR_PTR(ret);
8184 }
8185 
8186 static int nl80211_parse_sta_wme(struct genl_info *info,
8187 				 struct station_parameters *params)
8188 {
8189 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8190 	struct nlattr *nla;
8191 	int err;
8192 
8193 	/* parse WME attributes if present */
8194 	if (!info->attrs[NL80211_ATTR_STA_WME])
8195 		return 0;
8196 
8197 	nla = info->attrs[NL80211_ATTR_STA_WME];
8198 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8199 					  nl80211_sta_wme_policy,
8200 					  info->extack);
8201 	if (err)
8202 		return err;
8203 
8204 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8205 		params->uapsd_queues = nla_get_u8(
8206 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8207 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8208 		return -EINVAL;
8209 
8210 	if (tb[NL80211_STA_WME_MAX_SP])
8211 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8212 
8213 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8214 		return -EINVAL;
8215 
8216 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8217 
8218 	return 0;
8219 }
8220 
8221 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8222 				      struct station_parameters *params)
8223 {
8224 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8225 		params->supported_channels =
8226 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8227 		params->supported_channels_len =
8228 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8229 		/*
8230 		 * Need to include at least one (first channel, number of
8231 		 * channels) tuple for each subband (checked in policy),
8232 		 * and must have proper tuples for the rest of the data as well.
8233 		 */
8234 		if (params->supported_channels_len % 2)
8235 			return -EINVAL;
8236 	}
8237 
8238 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8239 		params->supported_oper_classes =
8240 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8241 		params->supported_oper_classes_len =
8242 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8243 	}
8244 	return 0;
8245 }
8246 
8247 static int nl80211_set_station_tdls(struct genl_info *info,
8248 				    struct station_parameters *params)
8249 {
8250 	int err;
8251 	/* Dummy STA entry gets updated once the peer capabilities are known */
8252 	if (info->attrs[NL80211_ATTR_PEER_AID])
8253 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8254 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8255 		params->link_sta_params.ht_capa =
8256 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8257 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8258 		params->link_sta_params.vht_capa =
8259 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8260 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8261 		params->link_sta_params.he_capa =
8262 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8263 		params->link_sta_params.he_capa_len =
8264 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8265 
8266 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8267 			params->link_sta_params.eht_capa =
8268 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8269 			params->link_sta_params.eht_capa_len =
8270 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8271 
8272 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8273 							(const u8 *)params->link_sta_params.eht_capa,
8274 							params->link_sta_params.eht_capa_len,
8275 							false))
8276 				return -EINVAL;
8277 		}
8278 	}
8279 
8280 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8281 		params->link_sta_params.s1g_capa =
8282 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8283 
8284 	err = nl80211_parse_sta_channel_info(info, params);
8285 	if (err)
8286 		return err;
8287 
8288 	return nl80211_parse_sta_wme(info, params);
8289 }
8290 
8291 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8292 					     struct sta_txpwr *txpwr,
8293 					     bool *txpwr_set)
8294 {
8295 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8296 	int idx;
8297 
8298 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8299 		if (!rdev->ops->set_tx_power ||
8300 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8301 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8302 			return -EOPNOTSUPP;
8303 
8304 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8305 		txpwr->type = nla_get_u8(info->attrs[idx]);
8306 
8307 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8308 			idx = NL80211_ATTR_STA_TX_POWER;
8309 
8310 			if (info->attrs[idx])
8311 				txpwr->power = nla_get_s16(info->attrs[idx]);
8312 			else
8313 				return -EINVAL;
8314 		}
8315 
8316 		*txpwr_set = true;
8317 	} else {
8318 		*txpwr_set = false;
8319 	}
8320 
8321 	return 0;
8322 }
8323 
8324 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8325 {
8326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8327 	struct net_device *dev = info->user_ptr[1];
8328 	struct station_parameters params;
8329 	u8 *mac_addr;
8330 	int err;
8331 
8332 	memset(&params, 0, sizeof(params));
8333 
8334 	if (!rdev->ops->change_station)
8335 		return -EOPNOTSUPP;
8336 
8337 	/*
8338 	 * AID and listen_interval properties can be set only for unassociated
8339 	 * station. Include these parameters here and will check them in
8340 	 * cfg80211_check_station_change().
8341 	 */
8342 	if (info->attrs[NL80211_ATTR_STA_AID])
8343 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8344 
8345 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8346 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8347 
8348 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8349 		params.listen_interval =
8350 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8351 	else
8352 		params.listen_interval = -1;
8353 
8354 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8355 		params.support_p2p_ps =
8356 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8357 	else
8358 		params.support_p2p_ps = -1;
8359 
8360 	if (!info->attrs[NL80211_ATTR_MAC])
8361 		return -EINVAL;
8362 
8363 	params.link_sta_params.link_id =
8364 		nl80211_link_id_or_invalid(info->attrs);
8365 
8366 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8367 		/* If MLD_ADDR attribute is set then this is an MLD station
8368 		 * and the MLD_ADDR attribute holds the MLD address and the
8369 		 * MAC attribute holds for the LINK address.
8370 		 * In that case, the link_id is also expected to be valid.
8371 		 */
8372 		if (params.link_sta_params.link_id < 0)
8373 			return -EINVAL;
8374 
8375 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8376 		params.link_sta_params.mld_mac = mac_addr;
8377 		params.link_sta_params.link_mac =
8378 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8379 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8380 			return -EINVAL;
8381 	} else {
8382 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8383 	}
8384 
8385 
8386 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8387 		params.link_sta_params.supported_rates =
8388 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8389 		params.link_sta_params.supported_rates_len =
8390 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8391 	}
8392 
8393 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8394 		params.capability =
8395 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8396 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8397 	}
8398 
8399 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8400 		params.ext_capab =
8401 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8402 		params.ext_capab_len =
8403 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8404 	}
8405 
8406 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8407 		return -EINVAL;
8408 
8409 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8410 		params.plink_action =
8411 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8412 
8413 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8414 		params.plink_state =
8415 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8416 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8417 			params.peer_aid = nla_get_u16(
8418 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8419 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8420 	}
8421 
8422 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8423 		params.local_pm = nla_get_u32(
8424 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8425 
8426 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8427 		params.link_sta_params.opmode_notif_used = true;
8428 		params.link_sta_params.opmode_notif =
8429 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8430 	}
8431 
8432 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8433 		params.link_sta_params.he_6ghz_capa =
8434 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8435 
8436 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8437 		params.eml_cap_present = true;
8438 		params.eml_cap =
8439 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8440 	}
8441 
8442 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8443 		params.airtime_weight =
8444 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8445 
8446 	if (params.airtime_weight &&
8447 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8448 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8449 		return -EOPNOTSUPP;
8450 
8451 	err = nl80211_parse_sta_txpower_setting(info,
8452 						&params.link_sta_params.txpwr,
8453 						&params.link_sta_params.txpwr_set);
8454 	if (err)
8455 		return err;
8456 
8457 	/* Include parameters for TDLS peer (will check later) */
8458 	err = nl80211_set_station_tdls(info, &params);
8459 	if (err)
8460 		return err;
8461 
8462 	params.vlan = get_vlan(info, rdev);
8463 	if (IS_ERR(params.vlan))
8464 		return PTR_ERR(params.vlan);
8465 
8466 	switch (dev->ieee80211_ptr->iftype) {
8467 	case NL80211_IFTYPE_AP:
8468 	case NL80211_IFTYPE_AP_VLAN:
8469 	case NL80211_IFTYPE_P2P_GO:
8470 	case NL80211_IFTYPE_P2P_CLIENT:
8471 	case NL80211_IFTYPE_STATION:
8472 	case NL80211_IFTYPE_ADHOC:
8473 	case NL80211_IFTYPE_MESH_POINT:
8474 		break;
8475 	default:
8476 		err = -EOPNOTSUPP;
8477 		goto out_put_vlan;
8478 	}
8479 
8480 	/* driver will call cfg80211_check_station_change() */
8481 	err = rdev_change_station(rdev, dev, mac_addr, &params);
8482 
8483  out_put_vlan:
8484 	dev_put(params.vlan);
8485 
8486 	return err;
8487 }
8488 
8489 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8490 {
8491 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8492 	int err;
8493 	struct net_device *dev = info->user_ptr[1];
8494 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8495 	struct station_parameters params;
8496 	u8 *mac_addr = NULL;
8497 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8498 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8499 
8500 	memset(&params, 0, sizeof(params));
8501 
8502 	if (!rdev->ops->add_station)
8503 		return -EOPNOTSUPP;
8504 
8505 	if (!info->attrs[NL80211_ATTR_MAC])
8506 		return -EINVAL;
8507 
8508 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8509 		return -EINVAL;
8510 
8511 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8512 		return -EINVAL;
8513 
8514 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
8515 	    !info->attrs[NL80211_ATTR_PEER_AID])
8516 		return -EINVAL;
8517 
8518 	params.link_sta_params.link_id =
8519 		nl80211_link_id_or_invalid(info->attrs);
8520 
8521 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8522 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8523 		params.link_sta_params.mld_mac = mac_addr;
8524 		params.link_sta_params.link_mac =
8525 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8526 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8527 			return -EINVAL;
8528 	} else {
8529 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8530 	}
8531 
8532 	params.link_sta_params.supported_rates =
8533 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8534 	params.link_sta_params.supported_rates_len =
8535 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8536 	params.listen_interval =
8537 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8538 
8539 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8540 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8541 
8542 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8543 		params.support_p2p_ps =
8544 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8545 	} else {
8546 		/*
8547 		 * if not specified, assume it's supported for P2P GO interface,
8548 		 * and is NOT supported for AP interface
8549 		 */
8550 		params.support_p2p_ps =
8551 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
8552 	}
8553 
8554 	if (info->attrs[NL80211_ATTR_PEER_AID])
8555 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8556 	else
8557 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8558 
8559 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8560 		params.capability =
8561 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8562 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8563 	}
8564 
8565 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8566 		params.ext_capab =
8567 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8568 		params.ext_capab_len =
8569 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8570 	}
8571 
8572 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8573 		params.link_sta_params.ht_capa =
8574 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8575 
8576 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8577 		params.link_sta_params.vht_capa =
8578 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8579 
8580 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8581 		params.link_sta_params.he_capa =
8582 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8583 		params.link_sta_params.he_capa_len =
8584 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8585 
8586 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8587 			params.link_sta_params.eht_capa =
8588 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8589 			params.link_sta_params.eht_capa_len =
8590 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8591 
8592 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8593 							(const u8 *)params.link_sta_params.eht_capa,
8594 							params.link_sta_params.eht_capa_len,
8595 							false))
8596 				return -EINVAL;
8597 		}
8598 	}
8599 
8600 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8601 		params.eml_cap_present = true;
8602 		params.eml_cap =
8603 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8604 	}
8605 
8606 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8607 		params.link_sta_params.he_6ghz_capa =
8608 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8609 
8610 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8611 		params.link_sta_params.s1g_capa =
8612 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8613 
8614 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8615 		params.link_sta_params.opmode_notif_used = true;
8616 		params.link_sta_params.opmode_notif =
8617 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8618 	}
8619 
8620 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8621 		params.plink_action =
8622 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8623 
8624 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8625 		params.airtime_weight =
8626 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8627 
8628 	if (params.airtime_weight &&
8629 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8630 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8631 		return -EOPNOTSUPP;
8632 
8633 	err = nl80211_parse_sta_txpower_setting(info,
8634 						&params.link_sta_params.txpwr,
8635 						&params.link_sta_params.txpwr_set);
8636 	if (err)
8637 		return err;
8638 
8639 	err = nl80211_parse_sta_channel_info(info, &params);
8640 	if (err)
8641 		return err;
8642 
8643 	err = nl80211_parse_sta_wme(info, &params);
8644 	if (err)
8645 		return err;
8646 
8647 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8648 		return -EINVAL;
8649 
8650 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
8651 	 * as userspace might just pass through the capabilities from the IEs
8652 	 * directly, rather than enforcing this restriction and returning an
8653 	 * error in this case.
8654 	 */
8655 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
8656 		params.link_sta_params.ht_capa = NULL;
8657 		params.link_sta_params.vht_capa = NULL;
8658 
8659 		/* HE and EHT require WME */
8660 		if (params.link_sta_params.he_capa_len ||
8661 		    params.link_sta_params.he_6ghz_capa ||
8662 		    params.link_sta_params.eht_capa_len)
8663 			return -EINVAL;
8664 	}
8665 
8666 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
8667 	if (params.link_sta_params.he_6ghz_capa &&
8668 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
8669 		return -EINVAL;
8670 
8671 	/* When you run into this, adjust the code below for the new flag */
8672 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8673 
8674 	switch (dev->ieee80211_ptr->iftype) {
8675 	case NL80211_IFTYPE_AP:
8676 	case NL80211_IFTYPE_AP_VLAN:
8677 	case NL80211_IFTYPE_P2P_GO:
8678 		/* ignore WME attributes if iface/sta is not capable */
8679 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
8680 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
8681 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8682 
8683 		/* TDLS peers cannot be added */
8684 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8685 		    info->attrs[NL80211_ATTR_PEER_AID])
8686 			return -EINVAL;
8687 		/* but don't bother the driver with it */
8688 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8689 
8690 		/* allow authenticated/associated only if driver handles it */
8691 		if (!(rdev->wiphy.features &
8692 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8693 		    params.sta_flags_mask & auth_assoc)
8694 			return -EINVAL;
8695 
8696 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8697 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
8698 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8699 			return -EINVAL;
8700 
8701 		/* Older userspace, or userspace wanting to be compatible with
8702 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
8703 		 * and assoc flags in the mask, but assumes the station will be
8704 		 * added as associated anyway since this was the required driver
8705 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
8706 		 * introduced.
8707 		 * In order to not bother drivers with this quirk in the API
8708 		 * set the flags in both the mask and set for new stations in
8709 		 * this case.
8710 		 */
8711 		if (!(params.sta_flags_mask & auth_assoc)) {
8712 			params.sta_flags_mask |= auth_assoc;
8713 			params.sta_flags_set |= auth_assoc;
8714 		}
8715 
8716 		/* must be last in here for error handling */
8717 		params.vlan = get_vlan(info, rdev);
8718 		if (IS_ERR(params.vlan))
8719 			return PTR_ERR(params.vlan);
8720 		break;
8721 	case NL80211_IFTYPE_MESH_POINT:
8722 		/* ignore uAPSD data */
8723 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8724 
8725 		/* associated is disallowed */
8726 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
8727 			return -EINVAL;
8728 		/* TDLS peers cannot be added */
8729 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8730 		    info->attrs[NL80211_ATTR_PEER_AID])
8731 			return -EINVAL;
8732 		break;
8733 	case NL80211_IFTYPE_STATION:
8734 	case NL80211_IFTYPE_P2P_CLIENT:
8735 		/* ignore uAPSD data */
8736 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8737 
8738 		/* these are disallowed */
8739 		if (params.sta_flags_mask &
8740 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
8741 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
8742 			return -EINVAL;
8743 		/* Only TDLS peers can be added */
8744 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8745 			return -EINVAL;
8746 		/* Can only add if TDLS ... */
8747 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
8748 			return -EOPNOTSUPP;
8749 		/* ... with external setup is supported */
8750 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
8751 			return -EOPNOTSUPP;
8752 		/*
8753 		 * Older wpa_supplicant versions always mark the TDLS peer
8754 		 * as authorized, but it shouldn't yet be.
8755 		 */
8756 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
8757 		break;
8758 	default:
8759 		return -EOPNOTSUPP;
8760 	}
8761 
8762 	/* be aware of params.vlan when changing code here */
8763 
8764 	if (wdev->valid_links) {
8765 		if (params.link_sta_params.link_id < 0) {
8766 			err = -EINVAL;
8767 			goto out;
8768 		}
8769 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
8770 			err = -ENOLINK;
8771 			goto out;
8772 		}
8773 	} else {
8774 		if (params.link_sta_params.link_id >= 0) {
8775 			err = -EINVAL;
8776 			goto out;
8777 		}
8778 	}
8779 	err = rdev_add_station(rdev, dev, mac_addr, &params);
8780 out:
8781 	dev_put(params.vlan);
8782 	return err;
8783 }
8784 
8785 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
8786 {
8787 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8788 	struct net_device *dev = info->user_ptr[1];
8789 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8790 	struct station_del_parameters params;
8791 	int link_id = nl80211_link_id_or_invalid(info->attrs);
8792 
8793 	memset(&params, 0, sizeof(params));
8794 
8795 	if (info->attrs[NL80211_ATTR_MAC])
8796 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
8797 
8798 	switch (wdev->iftype) {
8799 	case NL80211_IFTYPE_AP:
8800 	case NL80211_IFTYPE_AP_VLAN:
8801 	case NL80211_IFTYPE_MESH_POINT:
8802 	case NL80211_IFTYPE_P2P_GO:
8803 		/* always accept these */
8804 		break;
8805 	case NL80211_IFTYPE_ADHOC:
8806 		/* conditionally accept */
8807 		if (wiphy_ext_feature_isset(&rdev->wiphy,
8808 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
8809 			break;
8810 		return -EINVAL;
8811 	default:
8812 		return -EINVAL;
8813 	}
8814 
8815 	if (!rdev->ops->del_station)
8816 		return -EOPNOTSUPP;
8817 
8818 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
8819 		params.subtype =
8820 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
8821 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
8822 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
8823 			return -EINVAL;
8824 	} else {
8825 		/* Default to Deauthentication frame */
8826 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
8827 	}
8828 
8829 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
8830 		params.reason_code =
8831 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8832 		if (params.reason_code == 0)
8833 			return -EINVAL; /* 0 is reserved */
8834 	} else {
8835 		/* Default to reason code 2 */
8836 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
8837 	}
8838 
8839 	/* Link ID not expected in case of non-ML operation */
8840 	if (!wdev->valid_links && link_id != -1)
8841 		return -EINVAL;
8842 
8843 	/* If given, a valid link ID should be passed during MLO */
8844 	if (wdev->valid_links && link_id >= 0 &&
8845 	    !(wdev->valid_links & BIT(link_id)))
8846 		return -EINVAL;
8847 
8848 	params.link_id = link_id;
8849 
8850 	return rdev_del_station(rdev, dev, &params);
8851 }
8852 
8853 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
8854 				int flags, struct net_device *dev,
8855 				u8 *dst, u8 *next_hop,
8856 				struct mpath_info *pinfo)
8857 {
8858 	void *hdr;
8859 	struct nlattr *pinfoattr;
8860 
8861 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
8862 	if (!hdr)
8863 		return -1;
8864 
8865 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8866 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
8867 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
8868 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
8869 		goto nla_put_failure;
8870 
8871 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
8872 	if (!pinfoattr)
8873 		goto nla_put_failure;
8874 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
8875 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
8876 			pinfo->frame_qlen))
8877 		goto nla_put_failure;
8878 	if (((pinfo->filled & MPATH_INFO_SN) &&
8879 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
8880 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
8881 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
8882 			 pinfo->metric)) ||
8883 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
8884 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
8885 			 pinfo->exptime)) ||
8886 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
8887 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
8888 			pinfo->flags)) ||
8889 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
8890 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
8891 			 pinfo->discovery_timeout)) ||
8892 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
8893 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
8894 			pinfo->discovery_retries)) ||
8895 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
8896 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
8897 			pinfo->hop_count)) ||
8898 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
8899 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
8900 			 pinfo->path_change_count)))
8901 		goto nla_put_failure;
8902 
8903 	nla_nest_end(msg, pinfoattr);
8904 
8905 	genlmsg_end(msg, hdr);
8906 	return 0;
8907 
8908  nla_put_failure:
8909 	genlmsg_cancel(msg, hdr);
8910 	return -EMSGSIZE;
8911 }
8912 
8913 static int nl80211_dump_mpath(struct sk_buff *skb,
8914 			      struct netlink_callback *cb)
8915 {
8916 	struct mpath_info pinfo;
8917 	struct cfg80211_registered_device *rdev;
8918 	struct wireless_dev *wdev;
8919 	u8 dst[ETH_ALEN];
8920 	u8 next_hop[ETH_ALEN];
8921 	int path_idx = cb->args[2];
8922 	int err;
8923 
8924 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8925 	if (err)
8926 		return err;
8927 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8928 	__acquire(&rdev->wiphy.mtx);
8929 
8930 	if (!rdev->ops->dump_mpath) {
8931 		err = -EOPNOTSUPP;
8932 		goto out_err;
8933 	}
8934 
8935 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8936 		err = -EOPNOTSUPP;
8937 		goto out_err;
8938 	}
8939 
8940 	while (1) {
8941 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
8942 				      next_hop, &pinfo);
8943 		if (err == -ENOENT)
8944 			break;
8945 		if (err)
8946 			goto out_err;
8947 
8948 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8949 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8950 				       wdev->netdev, dst, next_hop,
8951 				       &pinfo) < 0)
8952 			goto out;
8953 
8954 		path_idx++;
8955 	}
8956 
8957  out:
8958 	cb->args[2] = path_idx;
8959 	err = skb->len;
8960  out_err:
8961 	wiphy_unlock(&rdev->wiphy);
8962 	return err;
8963 }
8964 
8965 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
8966 {
8967 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8968 	int err;
8969 	struct net_device *dev = info->user_ptr[1];
8970 	struct mpath_info pinfo;
8971 	struct sk_buff *msg;
8972 	u8 *dst = NULL;
8973 	u8 next_hop[ETH_ALEN];
8974 
8975 	memset(&pinfo, 0, sizeof(pinfo));
8976 
8977 	if (!info->attrs[NL80211_ATTR_MAC])
8978 		return -EINVAL;
8979 
8980 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8981 
8982 	if (!rdev->ops->get_mpath)
8983 		return -EOPNOTSUPP;
8984 
8985 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8986 		return -EOPNOTSUPP;
8987 
8988 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
8989 	if (err)
8990 		return err;
8991 
8992 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8993 	if (!msg)
8994 		return -ENOMEM;
8995 
8996 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8997 				 dev, dst, next_hop, &pinfo) < 0) {
8998 		nlmsg_free(msg);
8999 		return -ENOBUFS;
9000 	}
9001 
9002 	return genlmsg_reply(msg, info);
9003 }
9004 
9005 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9006 {
9007 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9008 	struct net_device *dev = info->user_ptr[1];
9009 	u8 *dst = NULL;
9010 	u8 *next_hop = NULL;
9011 
9012 	if (!info->attrs[NL80211_ATTR_MAC])
9013 		return -EINVAL;
9014 
9015 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9016 		return -EINVAL;
9017 
9018 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9019 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9020 
9021 	if (!rdev->ops->change_mpath)
9022 		return -EOPNOTSUPP;
9023 
9024 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9025 		return -EOPNOTSUPP;
9026 
9027 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9028 }
9029 
9030 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9031 {
9032 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9033 	struct net_device *dev = info->user_ptr[1];
9034 	u8 *dst = NULL;
9035 	u8 *next_hop = NULL;
9036 
9037 	if (!info->attrs[NL80211_ATTR_MAC])
9038 		return -EINVAL;
9039 
9040 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9041 		return -EINVAL;
9042 
9043 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9044 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9045 
9046 	if (!rdev->ops->add_mpath)
9047 		return -EOPNOTSUPP;
9048 
9049 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9050 		return -EOPNOTSUPP;
9051 
9052 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9053 }
9054 
9055 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9056 {
9057 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9058 	struct net_device *dev = info->user_ptr[1];
9059 	u8 *dst = NULL;
9060 
9061 	if (info->attrs[NL80211_ATTR_MAC])
9062 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9063 
9064 	if (!rdev->ops->del_mpath)
9065 		return -EOPNOTSUPP;
9066 
9067 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9068 		return -EOPNOTSUPP;
9069 
9070 	return rdev_del_mpath(rdev, dev, dst);
9071 }
9072 
9073 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9074 {
9075 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9076 	int err;
9077 	struct net_device *dev = info->user_ptr[1];
9078 	struct mpath_info pinfo;
9079 	struct sk_buff *msg;
9080 	u8 *dst = NULL;
9081 	u8 mpp[ETH_ALEN];
9082 
9083 	memset(&pinfo, 0, sizeof(pinfo));
9084 
9085 	if (!info->attrs[NL80211_ATTR_MAC])
9086 		return -EINVAL;
9087 
9088 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9089 
9090 	if (!rdev->ops->get_mpp)
9091 		return -EOPNOTSUPP;
9092 
9093 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9094 		return -EOPNOTSUPP;
9095 
9096 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9097 	if (err)
9098 		return err;
9099 
9100 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9101 	if (!msg)
9102 		return -ENOMEM;
9103 
9104 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9105 			       dev, dst, mpp, &pinfo) < 0) {
9106 		nlmsg_free(msg);
9107 		return -ENOBUFS;
9108 	}
9109 
9110 	return genlmsg_reply(msg, info);
9111 }
9112 
9113 static int nl80211_dump_mpp(struct sk_buff *skb,
9114 			    struct netlink_callback *cb)
9115 {
9116 	struct mpath_info pinfo;
9117 	struct cfg80211_registered_device *rdev;
9118 	struct wireless_dev *wdev;
9119 	u8 dst[ETH_ALEN];
9120 	u8 mpp[ETH_ALEN];
9121 	int path_idx = cb->args[2];
9122 	int err;
9123 
9124 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9125 	if (err)
9126 		return err;
9127 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9128 	__acquire(&rdev->wiphy.mtx);
9129 
9130 	if (!rdev->ops->dump_mpp) {
9131 		err = -EOPNOTSUPP;
9132 		goto out_err;
9133 	}
9134 
9135 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9136 		err = -EOPNOTSUPP;
9137 		goto out_err;
9138 	}
9139 
9140 	while (1) {
9141 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9142 				    mpp, &pinfo);
9143 		if (err == -ENOENT)
9144 			break;
9145 		if (err)
9146 			goto out_err;
9147 
9148 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9149 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9150 				       wdev->netdev, dst, mpp,
9151 				       &pinfo) < 0)
9152 			goto out;
9153 
9154 		path_idx++;
9155 	}
9156 
9157  out:
9158 	cb->args[2] = path_idx;
9159 	err = skb->len;
9160  out_err:
9161 	wiphy_unlock(&rdev->wiphy);
9162 	return err;
9163 }
9164 
9165 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9166 {
9167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9168 	struct net_device *dev = info->user_ptr[1];
9169 	struct bss_parameters params;
9170 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9171 	u32 changed = 0;
9172 	bool strict;
9173 
9174 	memset(&params, 0, sizeof(params));
9175 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9176 	/* default to not changing parameters */
9177 	params.use_cts_prot = -1;
9178 	params.use_short_preamble = -1;
9179 	params.use_short_slot_time = -1;
9180 	params.ap_isolate = -1;
9181 	params.ht_opmode = -1;
9182 	params.p2p_ctwindow = -1;
9183 	params.p2p_opp_ps = -1;
9184 
9185 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9186 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9187 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9188 			return -EINVAL;
9189 		params.use_cts_prot =
9190 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9191 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9192 	}
9193 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9194 		if (strict &&
9195 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9196 			return -EINVAL;
9197 		params.use_short_preamble =
9198 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9199 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9200 	}
9201 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9202 		if (strict &&
9203 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9204 			return -EINVAL;
9205 		params.use_short_slot_time =
9206 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9207 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9208 	}
9209 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9210 		if (strict &&
9211 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9212 			return -EINVAL;
9213 		params.basic_rates =
9214 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9215 		params.basic_rates_len =
9216 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9217 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9218 	}
9219 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9220 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9221 			return -EINVAL;
9222 		params.ap_isolate =
9223 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9224 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9225 	}
9226 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9227 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9228 			return -EINVAL;
9229 		params.ht_opmode =
9230 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9231 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9232 	}
9233 
9234 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9235 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9236 			return -EINVAL;
9237 		params.p2p_ctwindow =
9238 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9239 		if (params.p2p_ctwindow != 0 &&
9240 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9241 			return -EINVAL;
9242 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9243 	}
9244 
9245 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9246 		u8 tmp;
9247 
9248 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9249 			return -EINVAL;
9250 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9251 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9252 			return -EINVAL;
9253 		params.p2p_opp_ps = tmp;
9254 		if (params.p2p_opp_ps &&
9255 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9256 			return -EINVAL;
9257 	}
9258 
9259 	if (!rdev->ops->change_bss)
9260 		return -EOPNOTSUPP;
9261 
9262 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9263 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9264 		return -EOPNOTSUPP;
9265 
9266 	changed &= rdev->wiphy.bss_param_support;
9267 	if (!changed)
9268 		return 0;
9269 
9270 	return rdev_change_bss(rdev, dev, &params);
9271 }
9272 
9273 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9274 {
9275 	char *data = NULL;
9276 	bool is_indoor;
9277 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9278 	u32 owner_nlportid;
9279 
9280 	/*
9281 	 * You should only get this when cfg80211 hasn't yet initialized
9282 	 * completely when built-in to the kernel right between the time
9283 	 * window between nl80211_init() and regulatory_init(), if that is
9284 	 * even possible.
9285 	 */
9286 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9287 		return -EINPROGRESS;
9288 
9289 	user_reg_hint_type =
9290 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9291 				    NL80211_USER_REG_HINT_USER);
9292 
9293 	switch (user_reg_hint_type) {
9294 	case NL80211_USER_REG_HINT_USER:
9295 	case NL80211_USER_REG_HINT_CELL_BASE:
9296 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9297 			return -EINVAL;
9298 
9299 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9300 		return regulatory_hint_user(data, user_reg_hint_type);
9301 	case NL80211_USER_REG_HINT_INDOOR:
9302 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9303 			owner_nlportid = info->snd_portid;
9304 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9305 		} else {
9306 			owner_nlportid = 0;
9307 			is_indoor = true;
9308 		}
9309 
9310 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9311 		return 0;
9312 	default:
9313 		return -EINVAL;
9314 	}
9315 }
9316 
9317 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9318 {
9319 	return reg_reload_regdb();
9320 }
9321 
9322 static int nl80211_get_mesh_config(struct sk_buff *skb,
9323 				   struct genl_info *info)
9324 {
9325 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9326 	struct net_device *dev = info->user_ptr[1];
9327 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9328 	struct mesh_config cur_params;
9329 	int err = 0;
9330 	void *hdr;
9331 	struct nlattr *pinfoattr;
9332 	struct sk_buff *msg;
9333 
9334 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9335 		return -EOPNOTSUPP;
9336 
9337 	if (!rdev->ops->get_mesh_config)
9338 		return -EOPNOTSUPP;
9339 
9340 	/* If not connected, get default parameters */
9341 	if (!wdev->u.mesh.id_len)
9342 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9343 	else
9344 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9345 
9346 	if (err)
9347 		return err;
9348 
9349 	/* Draw up a netlink message to send back */
9350 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9351 	if (!msg)
9352 		return -ENOMEM;
9353 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9354 			     NL80211_CMD_GET_MESH_CONFIG);
9355 	if (!hdr)
9356 		goto out;
9357 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9358 	if (!pinfoattr)
9359 		goto nla_put_failure;
9360 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9361 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9362 			cur_params.dot11MeshRetryTimeout) ||
9363 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9364 			cur_params.dot11MeshConfirmTimeout) ||
9365 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9366 			cur_params.dot11MeshHoldingTimeout) ||
9367 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9368 			cur_params.dot11MeshMaxPeerLinks) ||
9369 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9370 		       cur_params.dot11MeshMaxRetries) ||
9371 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9372 		       cur_params.dot11MeshTTL) ||
9373 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9374 		       cur_params.element_ttl) ||
9375 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9376 		       cur_params.auto_open_plinks) ||
9377 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9378 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9379 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9380 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9381 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9382 			cur_params.path_refresh_time) ||
9383 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9384 			cur_params.min_discovery_timeout) ||
9385 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9386 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9387 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9388 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9389 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9390 			cur_params.dot11MeshHWMPperrMinInterval) ||
9391 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9392 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9393 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9394 		       cur_params.dot11MeshHWMPRootMode) ||
9395 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9396 			cur_params.dot11MeshHWMPRannInterval) ||
9397 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9398 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9399 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9400 		       cur_params.dot11MeshForwarding) ||
9401 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9402 			cur_params.rssi_threshold) ||
9403 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9404 			cur_params.ht_opmode) ||
9405 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9406 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9407 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9408 			cur_params.dot11MeshHWMProotInterval) ||
9409 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9410 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9411 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9412 			cur_params.power_mode) ||
9413 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9414 			cur_params.dot11MeshAwakeWindowDuration) ||
9415 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9416 			cur_params.plink_timeout) ||
9417 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9418 		       cur_params.dot11MeshConnectedToMeshGate) ||
9419 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9420 		       cur_params.dot11MeshNolearn) ||
9421 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9422 		       cur_params.dot11MeshConnectedToAuthServer))
9423 		goto nla_put_failure;
9424 	nla_nest_end(msg, pinfoattr);
9425 	genlmsg_end(msg, hdr);
9426 	return genlmsg_reply(msg, info);
9427 
9428  nla_put_failure:
9429  out:
9430 	nlmsg_free(msg);
9431 	return -ENOBUFS;
9432 }
9433 
9434 static const struct nla_policy
9435 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9436 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9437 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9438 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9439 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9440 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9441 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9442 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9443 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9444 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9445 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9446 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9447 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9448 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9449 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9450 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9451 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9452 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9453 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9454 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9455 		NLA_POLICY_MIN(NLA_U16, 1),
9456 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9457 		NLA_POLICY_MIN(NLA_U16, 1),
9458 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9459 		NLA_POLICY_MIN(NLA_U16, 1),
9460 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9461 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9462 		NLA_POLICY_MIN(NLA_U16, 1),
9463 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9464 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9465 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9466 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9467 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9468 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9469 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9470 		NLA_POLICY_MIN(NLA_U16, 1),
9471 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9472 		NLA_POLICY_MIN(NLA_U16, 1),
9473 	[NL80211_MESHCONF_POWER_MODE] =
9474 		NLA_POLICY_RANGE(NLA_U32,
9475 				 NL80211_MESH_POWER_ACTIVE,
9476 				 NL80211_MESH_POWER_MAX),
9477 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9478 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9479 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9480 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9481 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9482 };
9483 
9484 static const struct nla_policy
9485 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9486 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9487 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9488 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9489 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9490 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9491 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9492 	[NL80211_MESH_SETUP_IE] =
9493 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9494 				       IEEE80211_MAX_DATA_LEN),
9495 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9496 };
9497 
9498 static int nl80211_parse_mesh_config(struct genl_info *info,
9499 				     struct mesh_config *cfg,
9500 				     u32 *mask_out)
9501 {
9502 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9503 	u32 mask = 0;
9504 	u16 ht_opmode;
9505 
9506 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9507 do {									\
9508 	if (tb[attr]) {							\
9509 		cfg->param = fn(tb[attr]);				\
9510 		mask |= BIT((attr) - 1);				\
9511 	}								\
9512 } while (0)
9513 
9514 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9515 		return -EINVAL;
9516 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9517 		return -EINVAL;
9518 
9519 	/* This makes sure that there aren't more than 32 mesh config
9520 	 * parameters (otherwise our bitfield scheme would not work.) */
9521 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9522 
9523 	/* Fill in the params struct */
9524 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9525 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9526 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9527 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9528 				  nla_get_u16);
9529 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9530 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9531 				  nla_get_u16);
9532 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9533 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9534 				  nla_get_u16);
9535 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9536 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9537 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9538 				  NL80211_MESHCONF_TTL, nla_get_u8);
9539 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9540 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9541 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9542 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9543 				  nla_get_u8);
9544 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9545 				  mask,
9546 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9547 				  nla_get_u32);
9548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9549 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9550 				  nla_get_u8);
9551 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9552 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9553 				  nla_get_u32);
9554 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9555 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9556 		return -EINVAL;
9557 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9558 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9559 				  nla_get_u16);
9560 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9561 				  mask,
9562 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9563 				  nla_get_u32);
9564 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9565 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9566 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9567 		return -EINVAL;
9568 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
9569 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9570 				  nla_get_u16);
9571 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
9572 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9573 				  nla_get_u16);
9574 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9575 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
9576 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9577 				  nla_get_u16);
9578 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
9579 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
9580 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
9581 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9582 				  nla_get_u16);
9583 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
9584 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9585 				  nla_get_u8);
9586 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
9587 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
9588 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
9589 				  NL80211_MESHCONF_RSSI_THRESHOLD,
9590 				  nla_get_s32);
9591 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
9592 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
9593 				  nla_get_u8);
9594 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
9595 				  NL80211_MESHCONF_CONNECTED_TO_AS,
9596 				  nla_get_u8);
9597 	/*
9598 	 * Check HT operation mode based on
9599 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
9600 	 */
9601 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
9602 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
9603 
9604 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
9605 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
9606 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
9607 			return -EINVAL;
9608 
9609 		/* NON_HT_STA bit is reserved, but some programs set it */
9610 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
9611 
9612 		cfg->ht_opmode = ht_opmode;
9613 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
9614 	}
9615 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9616 				  dot11MeshHWMPactivePathToRootTimeout, mask,
9617 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9618 				  nla_get_u32);
9619 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
9620 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
9621 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
9622 		return -EINVAL;
9623 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
9624 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9625 				  nla_get_u16);
9626 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
9627 				  mask,
9628 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9629 				  nla_get_u16);
9630 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
9631 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
9632 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
9633 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
9634 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
9635 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
9636 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
9637 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
9638 	if (mask_out)
9639 		*mask_out = mask;
9640 
9641 	return 0;
9642 
9643 #undef FILL_IN_MESH_PARAM_IF_SET
9644 }
9645 
9646 static int nl80211_parse_mesh_setup(struct genl_info *info,
9647 				     struct mesh_setup *setup)
9648 {
9649 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9650 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
9651 
9652 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
9653 		return -EINVAL;
9654 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
9655 		return -EINVAL;
9656 
9657 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
9658 		setup->sync_method =
9659 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
9660 		 IEEE80211_SYNC_METHOD_VENDOR :
9661 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
9662 
9663 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
9664 		setup->path_sel_proto =
9665 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
9666 		 IEEE80211_PATH_PROTOCOL_VENDOR :
9667 		 IEEE80211_PATH_PROTOCOL_HWMP;
9668 
9669 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
9670 		setup->path_metric =
9671 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
9672 		 IEEE80211_PATH_METRIC_VENDOR :
9673 		 IEEE80211_PATH_METRIC_AIRTIME;
9674 
9675 	if (tb[NL80211_MESH_SETUP_IE]) {
9676 		struct nlattr *ieattr =
9677 			tb[NL80211_MESH_SETUP_IE];
9678 		setup->ie = nla_data(ieattr);
9679 		setup->ie_len = nla_len(ieattr);
9680 	}
9681 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
9682 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
9683 		return -EINVAL;
9684 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
9685 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
9686 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
9687 	if (setup->is_secure)
9688 		setup->user_mpm = true;
9689 
9690 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
9691 		if (!setup->user_mpm)
9692 			return -EINVAL;
9693 		setup->auth_id =
9694 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
9695 	}
9696 
9697 	return 0;
9698 }
9699 
9700 static int nl80211_update_mesh_config(struct sk_buff *skb,
9701 				      struct genl_info *info)
9702 {
9703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9704 	struct net_device *dev = info->user_ptr[1];
9705 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9706 	struct mesh_config cfg = {};
9707 	u32 mask;
9708 	int err;
9709 
9710 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9711 		return -EOPNOTSUPP;
9712 
9713 	if (!rdev->ops->update_mesh_config)
9714 		return -EOPNOTSUPP;
9715 
9716 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
9717 	if (err)
9718 		return err;
9719 
9720 	if (!wdev->u.mesh.id_len)
9721 		err = -ENOLINK;
9722 
9723 	if (!err)
9724 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
9725 
9726 	return err;
9727 }
9728 
9729 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
9730 			      struct sk_buff *msg)
9731 {
9732 	struct nlattr *nl_reg_rules;
9733 	unsigned int i;
9734 
9735 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
9736 	    (regdom->dfs_region &&
9737 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
9738 		goto nla_put_failure;
9739 
9740 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
9741 	if (!nl_reg_rules)
9742 		goto nla_put_failure;
9743 
9744 	for (i = 0; i < regdom->n_reg_rules; i++) {
9745 		struct nlattr *nl_reg_rule;
9746 		const struct ieee80211_reg_rule *reg_rule;
9747 		const struct ieee80211_freq_range *freq_range;
9748 		const struct ieee80211_power_rule *power_rule;
9749 		unsigned int max_bandwidth_khz;
9750 
9751 		reg_rule = &regdom->reg_rules[i];
9752 		freq_range = &reg_rule->freq_range;
9753 		power_rule = &reg_rule->power_rule;
9754 
9755 		nl_reg_rule = nla_nest_start_noflag(msg, i);
9756 		if (!nl_reg_rule)
9757 			goto nla_put_failure;
9758 
9759 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
9760 		if (!max_bandwidth_khz)
9761 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
9762 								  reg_rule);
9763 
9764 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
9765 				reg_rule->flags) ||
9766 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
9767 				freq_range->start_freq_khz) ||
9768 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
9769 				freq_range->end_freq_khz) ||
9770 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
9771 				max_bandwidth_khz) ||
9772 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
9773 				power_rule->max_antenna_gain) ||
9774 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
9775 				power_rule->max_eirp) ||
9776 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
9777 				reg_rule->dfs_cac_ms))
9778 			goto nla_put_failure;
9779 
9780 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
9781 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
9782 			       reg_rule->psd))
9783 			goto nla_put_failure;
9784 
9785 		nla_nest_end(msg, nl_reg_rule);
9786 	}
9787 
9788 	nla_nest_end(msg, nl_reg_rules);
9789 	return 0;
9790 
9791 nla_put_failure:
9792 	return -EMSGSIZE;
9793 }
9794 
9795 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
9796 {
9797 	const struct ieee80211_regdomain *regdom = NULL;
9798 	struct cfg80211_registered_device *rdev;
9799 	struct wiphy *wiphy = NULL;
9800 	struct sk_buff *msg;
9801 	int err = -EMSGSIZE;
9802 	void *hdr;
9803 
9804 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9805 	if (!msg)
9806 		return -ENOBUFS;
9807 
9808 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9809 			     NL80211_CMD_GET_REG);
9810 	if (!hdr)
9811 		goto put_failure;
9812 
9813 	rtnl_lock();
9814 
9815 	if (info->attrs[NL80211_ATTR_WIPHY]) {
9816 		bool self_managed;
9817 
9818 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9819 		if (IS_ERR(rdev)) {
9820 			err = PTR_ERR(rdev);
9821 			goto nla_put_failure;
9822 		}
9823 
9824 		wiphy = &rdev->wiphy;
9825 		self_managed = wiphy->regulatory_flags &
9826 			       REGULATORY_WIPHY_SELF_MANAGED;
9827 
9828 		rcu_read_lock();
9829 
9830 		regdom = get_wiphy_regdom(wiphy);
9831 
9832 		/* a self-managed-reg device must have a private regdom */
9833 		if (WARN_ON(!regdom && self_managed)) {
9834 			err = -EINVAL;
9835 			goto nla_put_failure_rcu;
9836 		}
9837 
9838 		if (regdom &&
9839 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9840 			goto nla_put_failure_rcu;
9841 	} else {
9842 		rcu_read_lock();
9843 	}
9844 
9845 	if (!wiphy && reg_last_request_cell_base() &&
9846 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9847 			NL80211_USER_REG_HINT_CELL_BASE))
9848 		goto nla_put_failure_rcu;
9849 
9850 	if (!regdom)
9851 		regdom = rcu_dereference(cfg80211_regdomain);
9852 
9853 	if (nl80211_put_regdom(regdom, msg))
9854 		goto nla_put_failure_rcu;
9855 
9856 	rcu_read_unlock();
9857 
9858 	genlmsg_end(msg, hdr);
9859 	rtnl_unlock();
9860 	return genlmsg_reply(msg, info);
9861 
9862 nla_put_failure_rcu:
9863 	rcu_read_unlock();
9864 nla_put_failure:
9865 	rtnl_unlock();
9866 put_failure:
9867 	nlmsg_free(msg);
9868 	return err;
9869 }
9870 
9871 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
9872 			       u32 seq, int flags, struct wiphy *wiphy,
9873 			       const struct ieee80211_regdomain *regdom)
9874 {
9875 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9876 				   NL80211_CMD_GET_REG);
9877 
9878 	if (!hdr)
9879 		return -1;
9880 
9881 	genl_dump_check_consistent(cb, hdr);
9882 
9883 	if (nl80211_put_regdom(regdom, msg))
9884 		goto nla_put_failure;
9885 
9886 	if (!wiphy && reg_last_request_cell_base() &&
9887 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9888 			NL80211_USER_REG_HINT_CELL_BASE))
9889 		goto nla_put_failure;
9890 
9891 	if (wiphy &&
9892 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9893 		goto nla_put_failure;
9894 
9895 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
9896 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
9897 		goto nla_put_failure;
9898 
9899 	genlmsg_end(msg, hdr);
9900 	return 0;
9901 
9902 nla_put_failure:
9903 	genlmsg_cancel(msg, hdr);
9904 	return -EMSGSIZE;
9905 }
9906 
9907 static int nl80211_get_reg_dump(struct sk_buff *skb,
9908 				struct netlink_callback *cb)
9909 {
9910 	const struct ieee80211_regdomain *regdom = NULL;
9911 	struct cfg80211_registered_device *rdev;
9912 	int err, reg_idx, start = cb->args[2];
9913 
9914 	rcu_read_lock();
9915 
9916 	if (cfg80211_regdomain && start == 0) {
9917 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
9918 					  NLM_F_MULTI, NULL,
9919 					  rcu_dereference(cfg80211_regdomain));
9920 		if (err < 0)
9921 			goto out_err;
9922 	}
9923 
9924 	/* the global regdom is idx 0 */
9925 	reg_idx = 1;
9926 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
9927 		regdom = get_wiphy_regdom(&rdev->wiphy);
9928 		if (!regdom)
9929 			continue;
9930 
9931 		if (++reg_idx <= start)
9932 			continue;
9933 
9934 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
9935 					  NLM_F_MULTI, &rdev->wiphy, regdom);
9936 		if (err < 0) {
9937 			reg_idx--;
9938 			break;
9939 		}
9940 	}
9941 
9942 	cb->args[2] = reg_idx;
9943 	err = skb->len;
9944 out_err:
9945 	rcu_read_unlock();
9946 	return err;
9947 }
9948 
9949 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
9950 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
9951 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
9952 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
9953 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
9954 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
9955 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
9956 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
9957 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
9958 };
9959 
9960 static int parse_reg_rule(struct nlattr *tb[],
9961 	struct ieee80211_reg_rule *reg_rule)
9962 {
9963 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
9964 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
9965 
9966 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
9967 		return -EINVAL;
9968 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
9969 		return -EINVAL;
9970 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
9971 		return -EINVAL;
9972 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
9973 		return -EINVAL;
9974 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
9975 		return -EINVAL;
9976 
9977 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
9978 
9979 	freq_range->start_freq_khz =
9980 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
9981 	freq_range->end_freq_khz =
9982 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
9983 	freq_range->max_bandwidth_khz =
9984 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
9985 
9986 	power_rule->max_eirp =
9987 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
9988 
9989 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
9990 		power_rule->max_antenna_gain =
9991 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
9992 
9993 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
9994 		reg_rule->dfs_cac_ms =
9995 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
9996 
9997 	return 0;
9998 }
9999 
10000 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10001 {
10002 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10003 	struct nlattr *nl_reg_rule;
10004 	char *alpha2;
10005 	int rem_reg_rules, r;
10006 	u32 num_rules = 0, rule_idx = 0;
10007 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10008 	struct ieee80211_regdomain *rd;
10009 
10010 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10011 		return -EINVAL;
10012 
10013 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10014 		return -EINVAL;
10015 
10016 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10017 
10018 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10019 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10020 
10021 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10022 			    rem_reg_rules) {
10023 		num_rules++;
10024 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10025 			return -EINVAL;
10026 	}
10027 
10028 	rtnl_lock();
10029 	if (!reg_is_valid_request(alpha2)) {
10030 		r = -EINVAL;
10031 		goto out;
10032 	}
10033 
10034 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
10035 	if (!rd) {
10036 		r = -ENOMEM;
10037 		goto out;
10038 	}
10039 
10040 	rd->n_reg_rules = num_rules;
10041 	rd->alpha2[0] = alpha2[0];
10042 	rd->alpha2[1] = alpha2[1];
10043 
10044 	/*
10045 	 * Disable DFS master mode if the DFS region was
10046 	 * not supported or known on this kernel.
10047 	 */
10048 	if (reg_supported_dfs_region(dfs_region))
10049 		rd->dfs_region = dfs_region;
10050 
10051 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10052 			    rem_reg_rules) {
10053 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10054 						nl_reg_rule, reg_rule_policy,
10055 						info->extack);
10056 		if (r)
10057 			goto bad_reg;
10058 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10059 		if (r)
10060 			goto bad_reg;
10061 
10062 		rule_idx++;
10063 
10064 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10065 			r = -EINVAL;
10066 			goto bad_reg;
10067 		}
10068 	}
10069 
10070 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10071 	/* set_regdom takes ownership of rd */
10072 	rd = NULL;
10073  bad_reg:
10074 	kfree(rd);
10075  out:
10076 	rtnl_unlock();
10077 	return r;
10078 }
10079 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10080 
10081 static int validate_scan_freqs(struct nlattr *freqs)
10082 {
10083 	struct nlattr *attr1, *attr2;
10084 	int n_channels = 0, tmp1, tmp2;
10085 
10086 	nla_for_each_nested(attr1, freqs, tmp1)
10087 		if (nla_len(attr1) != sizeof(u32))
10088 			return 0;
10089 
10090 	nla_for_each_nested(attr1, freqs, tmp1) {
10091 		n_channels++;
10092 		/*
10093 		 * Some hardware has a limited channel list for
10094 		 * scanning, and it is pretty much nonsensical
10095 		 * to scan for a channel twice, so disallow that
10096 		 * and don't require drivers to check that the
10097 		 * channel list they get isn't longer than what
10098 		 * they can scan, as long as they can scan all
10099 		 * the channels they registered at once.
10100 		 */
10101 		nla_for_each_nested(attr2, freqs, tmp2)
10102 			if (attr1 != attr2 &&
10103 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10104 				return 0;
10105 	}
10106 
10107 	return n_channels;
10108 }
10109 
10110 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10111 {
10112 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10113 }
10114 
10115 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10116 			    struct cfg80211_bss_selection *bss_select)
10117 {
10118 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10119 	struct nlattr *nest;
10120 	int err;
10121 	bool found = false;
10122 	int i;
10123 
10124 	/* only process one nested attribute */
10125 	nest = nla_data(nla);
10126 	if (!nla_ok(nest, nla_len(nest)))
10127 		return -EINVAL;
10128 
10129 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10130 					  nest, nl80211_bss_select_policy,
10131 					  NULL);
10132 	if (err)
10133 		return err;
10134 
10135 	/* only one attribute may be given */
10136 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10137 		if (attr[i]) {
10138 			if (found)
10139 				return -EINVAL;
10140 			found = true;
10141 		}
10142 	}
10143 
10144 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10145 
10146 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10147 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10148 
10149 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10150 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10151 		bss_select->param.band_pref =
10152 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10153 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10154 			return -EINVAL;
10155 	}
10156 
10157 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10158 		struct nl80211_bss_select_rssi_adjust *adj_param;
10159 
10160 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10161 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10162 		bss_select->param.adjust.band = adj_param->band;
10163 		bss_select->param.adjust.delta = adj_param->delta;
10164 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10165 			return -EINVAL;
10166 	}
10167 
10168 	/* user-space did not provide behaviour attribute */
10169 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10170 		return -EINVAL;
10171 
10172 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10173 		return -EINVAL;
10174 
10175 	return 0;
10176 }
10177 
10178 int nl80211_parse_random_mac(struct nlattr **attrs,
10179 			     u8 *mac_addr, u8 *mac_addr_mask)
10180 {
10181 	int i;
10182 
10183 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10184 		eth_zero_addr(mac_addr);
10185 		eth_zero_addr(mac_addr_mask);
10186 		mac_addr[0] = 0x2;
10187 		mac_addr_mask[0] = 0x3;
10188 
10189 		return 0;
10190 	}
10191 
10192 	/* need both or none */
10193 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10194 		return -EINVAL;
10195 
10196 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10197 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10198 
10199 	/* don't allow or configure an mcast address */
10200 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10201 	    is_multicast_ether_addr(mac_addr))
10202 		return -EINVAL;
10203 
10204 	/*
10205 	 * allow users to pass a MAC address that has bits set outside
10206 	 * of the mask, but don't bother drivers with having to deal
10207 	 * with such bits
10208 	 */
10209 	for (i = 0; i < ETH_ALEN; i++)
10210 		mac_addr[i] &= mac_addr_mask[i];
10211 
10212 	return 0;
10213 }
10214 
10215 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10216 					      struct ieee80211_channel *chan)
10217 {
10218 	unsigned int link_id;
10219 	bool all_ok = true;
10220 	int radio_idx;
10221 
10222 	lockdep_assert_wiphy(wdev->wiphy);
10223 
10224 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10225 		return false;
10226 
10227 	if (!cfg80211_beaconing_iface_active(wdev))
10228 		return true;
10229 
10230 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10231 
10232 	/*
10233 	 * FIXME: check if we have a free radio/link for chan
10234 	 *
10235 	 * This, as well as the FIXME below, requires knowing the link
10236 	 * capabilities of the hardware.
10237 	 */
10238 
10239 	/* we cannot leave radar channels */
10240 	for_each_valid_link(wdev, link_id) {
10241 		struct cfg80211_chan_def *chandef;
10242 		int link_radio_idx;
10243 
10244 		chandef = wdev_chandef(wdev, link_id);
10245 		if (!chandef || !chandef->chan)
10246 			continue;
10247 
10248 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10249 			continue;
10250 
10251 		/*
10252 		 * chandef->chan is a radar channel. If the radio/link onto
10253 		 * which this radar channel falls is the same radio/link onto
10254 		 * which the input 'chan' falls, off-channel operation should
10255 		 * not be allowed. Hence, set 'all_ok' to false.
10256 		 */
10257 
10258 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10259 								chandef->chan);
10260 		if (link_radio_idx == radio_idx) {
10261 			all_ok = false;
10262 			break;
10263 		}
10264 	}
10265 
10266 	if (all_ok)
10267 		return true;
10268 
10269 	return regulatory_pre_cac_allowed(wdev->wiphy);
10270 }
10271 
10272 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10273 				    enum nl80211_ext_feature_index feat)
10274 {
10275 	if (!(flags & flag))
10276 		return true;
10277 	if (wiphy_ext_feature_isset(wiphy, feat))
10278 		return true;
10279 	return false;
10280 }
10281 
10282 static int
10283 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10284 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10285 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10286 {
10287 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10288 		return 0;
10289 
10290 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10291 
10292 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10293 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10294 	    !nl80211_check_scan_feat(wiphy, *flags,
10295 				     NL80211_SCAN_FLAG_LOW_SPAN,
10296 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10297 	    !nl80211_check_scan_feat(wiphy, *flags,
10298 				     NL80211_SCAN_FLAG_LOW_POWER,
10299 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10300 	    !nl80211_check_scan_feat(wiphy, *flags,
10301 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10302 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10303 	    !nl80211_check_scan_feat(wiphy, *flags,
10304 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10305 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10306 	    !nl80211_check_scan_feat(wiphy, *flags,
10307 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10308 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10309 	    !nl80211_check_scan_feat(wiphy, *flags,
10310 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10311 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10312 	    !nl80211_check_scan_feat(wiphy, *flags,
10313 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10314 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10315 	    !nl80211_check_scan_feat(wiphy, *flags,
10316 				     NL80211_SCAN_FLAG_RANDOM_SN,
10317 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10318 	    !nl80211_check_scan_feat(wiphy, *flags,
10319 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10320 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10321 		return -EOPNOTSUPP;
10322 
10323 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10324 		int err;
10325 
10326 		if (!(wiphy->features & randomness_flag) ||
10327 		    (wdev && wdev->connected))
10328 			return -EOPNOTSUPP;
10329 
10330 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10331 		if (err)
10332 			return err;
10333 	}
10334 
10335 	return 0;
10336 }
10337 
10338 static int
10339 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10340 			       struct nlattr **attrs,
10341 			       struct cfg80211_sched_scan_request *req)
10342 {
10343 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10344 					req->mac_addr, req->mac_addr_mask,
10345 					&req->flags,
10346 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10347 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10348 }
10349 
10350 static int
10351 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10352 			     struct nlattr **attrs,
10353 			     struct cfg80211_scan_request_int *req)
10354 {
10355 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10356 					req->req.mac_addr,
10357 					req->req.mac_addr_mask,
10358 					&req->req.flags,
10359 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10360 }
10361 
10362 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10363 {
10364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10365 	struct wireless_dev *wdev = info->user_ptr[1];
10366 	struct cfg80211_scan_request_int *request;
10367 	struct nlattr *scan_freqs = NULL;
10368 	bool scan_freqs_khz = false;
10369 	struct nlattr *attr;
10370 	struct wiphy *wiphy;
10371 	int err, tmp, n_ssids = 0, n_channels, i;
10372 	size_t ie_len, size;
10373 	size_t ssids_offset, ie_offset;
10374 
10375 	wiphy = &rdev->wiphy;
10376 
10377 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10378 		return -EOPNOTSUPP;
10379 
10380 	if (!rdev->ops->scan)
10381 		return -EOPNOTSUPP;
10382 
10383 	if (rdev->scan_req || rdev->scan_msg)
10384 		return -EBUSY;
10385 
10386 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10387 		if (!wiphy_ext_feature_isset(wiphy,
10388 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10389 			return -EOPNOTSUPP;
10390 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10391 		scan_freqs_khz = true;
10392 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10393 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10394 
10395 	if (scan_freqs) {
10396 		n_channels = validate_scan_freqs(scan_freqs);
10397 		if (!n_channels)
10398 			return -EINVAL;
10399 	} else {
10400 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10401 	}
10402 
10403 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10404 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10405 			n_ssids++;
10406 
10407 	if (n_ssids > wiphy->max_scan_ssids)
10408 		return -EINVAL;
10409 
10410 	if (info->attrs[NL80211_ATTR_IE])
10411 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10412 	else
10413 		ie_len = 0;
10414 
10415 	if (ie_len > wiphy->max_scan_ie_len)
10416 		return -EINVAL;
10417 
10418 	size = struct_size(request, req.channels, n_channels);
10419 	ssids_offset = size;
10420 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10421 	ie_offset = size;
10422 	size = size_add(size, ie_len);
10423 	request = kzalloc(size, GFP_KERNEL);
10424 	if (!request)
10425 		return -ENOMEM;
10426 
10427 	if (n_ssids)
10428 		request->req.ssids = (void *)request + ssids_offset;
10429 	request->req.n_ssids = n_ssids;
10430 	if (ie_len)
10431 		request->req.ie = (void *)request + ie_offset;
10432 
10433 	i = 0;
10434 	if (scan_freqs) {
10435 		/* user specified, bail out if channel not found */
10436 		nla_for_each_nested(attr, scan_freqs, tmp) {
10437 			struct ieee80211_channel *chan;
10438 			int freq = nla_get_u32(attr);
10439 
10440 			if (!scan_freqs_khz)
10441 				freq = MHZ_TO_KHZ(freq);
10442 
10443 			chan = ieee80211_get_channel_khz(wiphy, freq);
10444 			if (!chan) {
10445 				err = -EINVAL;
10446 				goto out_free;
10447 			}
10448 
10449 			/* Ignore disabled / no primary channels */
10450 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10451 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
10452 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10453 				continue;
10454 
10455 			request->req.channels[i] = chan;
10456 			i++;
10457 		}
10458 	} else {
10459 		enum nl80211_band band;
10460 
10461 		/* all channels */
10462 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10463 			int j;
10464 
10465 			if (!wiphy->bands[band])
10466 				continue;
10467 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10468 				struct ieee80211_channel *chan;
10469 
10470 				chan = &wiphy->bands[band]->channels[j];
10471 
10472 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10473 				    chan->flags &
10474 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
10475 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10476 					continue;
10477 
10478 				request->req.channels[i] = chan;
10479 				i++;
10480 			}
10481 		}
10482 	}
10483 
10484 	if (!i) {
10485 		err = -EINVAL;
10486 		goto out_free;
10487 	}
10488 
10489 	request->req.n_channels = i;
10490 
10491 	for (i = 0; i < request->req.n_channels; i++) {
10492 		struct ieee80211_channel *chan = request->req.channels[i];
10493 
10494 		/* if we can go off-channel to the target channel we're good */
10495 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10496 			continue;
10497 
10498 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10499 			err = -EBUSY;
10500 			goto out_free;
10501 		}
10502 	}
10503 
10504 	i = 0;
10505 	if (n_ssids) {
10506 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10507 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10508 				err = -EINVAL;
10509 				goto out_free;
10510 			}
10511 			request->req.ssids[i].ssid_len = nla_len(attr);
10512 			memcpy(request->req.ssids[i].ssid,
10513 			       nla_data(attr), nla_len(attr));
10514 			i++;
10515 		}
10516 	}
10517 
10518 	if (info->attrs[NL80211_ATTR_IE]) {
10519 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10520 		memcpy((void *)request->req.ie,
10521 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10522 		       request->req.ie_len);
10523 	}
10524 
10525 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10526 		if (wiphy->bands[i])
10527 			request->req.rates[i] =
10528 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10529 
10530 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10531 		nla_for_each_nested(attr,
10532 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10533 				    tmp) {
10534 			enum nl80211_band band = nla_type(attr);
10535 
10536 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10537 				err = -EINVAL;
10538 				goto out_free;
10539 			}
10540 
10541 			if (!wiphy->bands[band])
10542 				continue;
10543 
10544 			err = ieee80211_get_ratemask(wiphy->bands[band],
10545 						     nla_data(attr),
10546 						     nla_len(attr),
10547 						     &request->req.rates[band]);
10548 			if (err)
10549 				goto out_free;
10550 		}
10551 	}
10552 
10553 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10554 		request->req.duration =
10555 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10556 		request->req.duration_mandatory =
10557 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10558 	}
10559 
10560 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10561 	if (err)
10562 		goto out_free;
10563 
10564 	request->req.no_cck =
10565 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10566 
10567 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10568 	 * BSSID to scan for. This was problematic because that same attribute
10569 	 * was already used for another purpose (local random MAC address). The
10570 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
10571 	 * compatibility with older userspace components, also use the
10572 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
10573 	 * the specific BSSID use case instead of the random MAC address
10574 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
10575 	 */
10576 	if (info->attrs[NL80211_ATTR_BSSID])
10577 		memcpy(request->req.bssid,
10578 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
10579 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
10580 		 info->attrs[NL80211_ATTR_MAC])
10581 		memcpy(request->req.bssid,
10582 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
10583 		       ETH_ALEN);
10584 	else
10585 		eth_broadcast_addr(request->req.bssid);
10586 
10587 	request->req.tsf_report_link_id =
10588 		nl80211_link_id_or_invalid(info->attrs);
10589 	request->req.wdev = wdev;
10590 	request->req.wiphy = &rdev->wiphy;
10591 	request->req.scan_start = jiffies;
10592 
10593 	rdev->scan_req = request;
10594 	err = cfg80211_scan(rdev);
10595 
10596 	if (err)
10597 		goto out_free;
10598 
10599 	nl80211_send_scan_start(rdev, wdev);
10600 	dev_hold(wdev->netdev);
10601 
10602 	return 0;
10603 
10604  out_free:
10605 	rdev->scan_req = NULL;
10606 	kfree(request);
10607 
10608 	return err;
10609 }
10610 
10611 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
10612 {
10613 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10614 	struct wireless_dev *wdev = info->user_ptr[1];
10615 
10616 	if (!rdev->ops->abort_scan)
10617 		return -EOPNOTSUPP;
10618 
10619 	if (rdev->scan_msg)
10620 		return 0;
10621 
10622 	if (!rdev->scan_req)
10623 		return -ENOENT;
10624 
10625 	rdev_abort_scan(rdev, wdev);
10626 	return 0;
10627 }
10628 
10629 static int
10630 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
10631 			       struct cfg80211_sched_scan_request *request,
10632 			       struct nlattr **attrs)
10633 {
10634 	int tmp, err, i = 0;
10635 	struct nlattr *attr;
10636 
10637 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10638 		u32 interval;
10639 
10640 		/*
10641 		 * If scan plans are not specified,
10642 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
10643 		 * case one scan plan will be set with the specified scan
10644 		 * interval and infinite number of iterations.
10645 		 */
10646 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
10647 		if (!interval)
10648 			return -EINVAL;
10649 
10650 		request->scan_plans[0].interval =
10651 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
10652 		if (!request->scan_plans[0].interval)
10653 			return -EINVAL;
10654 
10655 		if (request->scan_plans[0].interval >
10656 		    wiphy->max_sched_scan_plan_interval)
10657 			request->scan_plans[0].interval =
10658 				wiphy->max_sched_scan_plan_interval;
10659 
10660 		return 0;
10661 	}
10662 
10663 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
10664 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
10665 
10666 		if (WARN_ON(i >= n_plans))
10667 			return -EINVAL;
10668 
10669 		err = nla_parse_nested_deprecated(plan,
10670 						  NL80211_SCHED_SCAN_PLAN_MAX,
10671 						  attr, nl80211_plan_policy,
10672 						  NULL);
10673 		if (err)
10674 			return err;
10675 
10676 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
10677 			return -EINVAL;
10678 
10679 		request->scan_plans[i].interval =
10680 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
10681 		if (!request->scan_plans[i].interval ||
10682 		    request->scan_plans[i].interval >
10683 		    wiphy->max_sched_scan_plan_interval)
10684 			return -EINVAL;
10685 
10686 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
10687 			request->scan_plans[i].iterations =
10688 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
10689 			if (!request->scan_plans[i].iterations ||
10690 			    (request->scan_plans[i].iterations >
10691 			     wiphy->max_sched_scan_plan_iterations))
10692 				return -EINVAL;
10693 		} else if (i < n_plans - 1) {
10694 			/*
10695 			 * All scan plans but the last one must specify
10696 			 * a finite number of iterations
10697 			 */
10698 			return -EINVAL;
10699 		}
10700 
10701 		i++;
10702 	}
10703 
10704 	/*
10705 	 * The last scan plan must not specify the number of
10706 	 * iterations, it is supposed to run infinitely
10707 	 */
10708 	if (request->scan_plans[n_plans - 1].iterations)
10709 		return  -EINVAL;
10710 
10711 	return 0;
10712 }
10713 
10714 static struct cfg80211_sched_scan_request *
10715 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
10716 			 struct nlattr **attrs, int max_match_sets)
10717 {
10718 	struct cfg80211_sched_scan_request *request;
10719 	struct nlattr *attr;
10720 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
10721 	enum nl80211_band band;
10722 	size_t ie_len, size;
10723 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
10724 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
10725 
10726 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10727 		n_channels = validate_scan_freqs(
10728 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
10729 		if (!n_channels)
10730 			return ERR_PTR(-EINVAL);
10731 	} else {
10732 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10733 	}
10734 
10735 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
10736 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10737 				    tmp)
10738 			n_ssids++;
10739 
10740 	if (n_ssids > wiphy->max_sched_scan_ssids)
10741 		return ERR_PTR(-EINVAL);
10742 
10743 	/*
10744 	 * First, count the number of 'real' matchsets. Due to an issue with
10745 	 * the old implementation, matchsets containing only the RSSI attribute
10746 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
10747 	 * RSSI for all matchsets, rather than their own matchset for reporting
10748 	 * all APs with a strong RSSI. This is needed to be compatible with
10749 	 * older userspace that treated a matchset with only the RSSI as the
10750 	 * global RSSI for all other matchsets - if there are other matchsets.
10751 	 */
10752 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10753 		nla_for_each_nested(attr,
10754 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10755 				    tmp) {
10756 			struct nlattr *rssi;
10757 
10758 			err = nla_parse_nested_deprecated(tb,
10759 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10760 							  attr,
10761 							  nl80211_match_policy,
10762 							  NULL);
10763 			if (err)
10764 				return ERR_PTR(err);
10765 
10766 			/* SSID and BSSID are mutually exclusive */
10767 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
10768 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
10769 				return ERR_PTR(-EINVAL);
10770 
10771 			/* add other standalone attributes here */
10772 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
10773 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
10774 				n_match_sets++;
10775 				continue;
10776 			}
10777 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10778 			if (rssi)
10779 				default_match_rssi = nla_get_s32(rssi);
10780 		}
10781 	}
10782 
10783 	/* However, if there's no other matchset, add the RSSI one */
10784 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
10785 		n_match_sets = 1;
10786 
10787 	if (n_match_sets > max_match_sets)
10788 		return ERR_PTR(-EINVAL);
10789 
10790 	if (attrs[NL80211_ATTR_IE])
10791 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
10792 	else
10793 		ie_len = 0;
10794 
10795 	if (ie_len > wiphy->max_sched_scan_ie_len)
10796 		return ERR_PTR(-EINVAL);
10797 
10798 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10799 		/*
10800 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
10801 		 * each scan plan already specifies its own interval
10802 		 */
10803 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10804 			return ERR_PTR(-EINVAL);
10805 
10806 		nla_for_each_nested(attr,
10807 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
10808 			n_plans++;
10809 	} else {
10810 		/*
10811 		 * The scan interval attribute is kept for backward
10812 		 * compatibility. If no scan plans are specified and sched scan
10813 		 * interval is specified, one scan plan will be set with this
10814 		 * scan interval and infinite number of iterations.
10815 		 */
10816 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10817 			return ERR_PTR(-EINVAL);
10818 
10819 		n_plans = 1;
10820 	}
10821 
10822 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
10823 		return ERR_PTR(-EINVAL);
10824 
10825 	if (!wiphy_ext_feature_isset(
10826 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
10827 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
10828 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
10829 		return ERR_PTR(-EINVAL);
10830 
10831 	size = struct_size(request, channels, n_channels);
10832 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
10833 	size = size_add(size, array_size(sizeof(*request->match_sets),
10834 					 n_match_sets));
10835 	size = size_add(size, array_size(sizeof(*request->scan_plans),
10836 					 n_plans));
10837 	size = size_add(size, ie_len);
10838 	request = kzalloc(size, GFP_KERNEL);
10839 	if (!request)
10840 		return ERR_PTR(-ENOMEM);
10841 	request->n_channels = n_channels;
10842 
10843 	if (n_ssids)
10844 		request->ssids = (void *)request +
10845 			struct_size(request, channels, n_channels);
10846 	request->n_ssids = n_ssids;
10847 	if (ie_len) {
10848 		if (n_ssids)
10849 			request->ie = (void *)(request->ssids + n_ssids);
10850 		else
10851 			request->ie = (void *)(request->channels + n_channels);
10852 	}
10853 
10854 	if (n_match_sets) {
10855 		if (request->ie)
10856 			request->match_sets = (void *)(request->ie + ie_len);
10857 		else if (n_ssids)
10858 			request->match_sets =
10859 				(void *)(request->ssids + n_ssids);
10860 		else
10861 			request->match_sets =
10862 				(void *)(request->channels + n_channels);
10863 	}
10864 	request->n_match_sets = n_match_sets;
10865 
10866 	if (n_match_sets)
10867 		request->scan_plans = (void *)(request->match_sets +
10868 					       n_match_sets);
10869 	else if (request->ie)
10870 		request->scan_plans = (void *)(request->ie + ie_len);
10871 	else if (n_ssids)
10872 		request->scan_plans = (void *)(request->ssids + n_ssids);
10873 	else
10874 		request->scan_plans = (void *)(request->channels + n_channels);
10875 
10876 	request->n_scan_plans = n_plans;
10877 
10878 	i = 0;
10879 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10880 		/* user specified, bail out if channel not found */
10881 		nla_for_each_nested(attr,
10882 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
10883 				    tmp) {
10884 			struct ieee80211_channel *chan;
10885 
10886 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
10887 
10888 			if (!chan) {
10889 				err = -EINVAL;
10890 				goto out_free;
10891 			}
10892 
10893 			/* ignore disabled channels */
10894 			if (chan->flags & IEEE80211_CHAN_DISABLED)
10895 				continue;
10896 
10897 			request->channels[i] = chan;
10898 			i++;
10899 		}
10900 	} else {
10901 		/* all channels */
10902 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10903 			int j;
10904 
10905 			if (!wiphy->bands[band])
10906 				continue;
10907 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10908 				struct ieee80211_channel *chan;
10909 
10910 				chan = &wiphy->bands[band]->channels[j];
10911 
10912 				if (chan->flags & IEEE80211_CHAN_DISABLED)
10913 					continue;
10914 
10915 				request->channels[i] = chan;
10916 				i++;
10917 			}
10918 		}
10919 	}
10920 
10921 	if (!i) {
10922 		err = -EINVAL;
10923 		goto out_free;
10924 	}
10925 
10926 	request->n_channels = i;
10927 
10928 	i = 0;
10929 	if (n_ssids) {
10930 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10931 				    tmp) {
10932 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10933 				err = -EINVAL;
10934 				goto out_free;
10935 			}
10936 			request->ssids[i].ssid_len = nla_len(attr);
10937 			memcpy(request->ssids[i].ssid, nla_data(attr),
10938 			       nla_len(attr));
10939 			i++;
10940 		}
10941 	}
10942 
10943 	i = 0;
10944 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10945 		nla_for_each_nested(attr,
10946 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10947 				    tmp) {
10948 			struct nlattr *ssid, *bssid, *rssi;
10949 
10950 			err = nla_parse_nested_deprecated(tb,
10951 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10952 							  attr,
10953 							  nl80211_match_policy,
10954 							  NULL);
10955 			if (err)
10956 				goto out_free;
10957 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
10958 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
10959 
10960 			if (!ssid && !bssid) {
10961 				i++;
10962 				continue;
10963 			}
10964 
10965 			if (WARN_ON(i >= n_match_sets)) {
10966 				/* this indicates a programming error,
10967 				 * the loop above should have verified
10968 				 * things properly
10969 				 */
10970 				err = -EINVAL;
10971 				goto out_free;
10972 			}
10973 
10974 			if (ssid) {
10975 				memcpy(request->match_sets[i].ssid.ssid,
10976 				       nla_data(ssid), nla_len(ssid));
10977 				request->match_sets[i].ssid.ssid_len =
10978 					nla_len(ssid);
10979 			}
10980 			if (bssid)
10981 				memcpy(request->match_sets[i].bssid,
10982 				       nla_data(bssid), ETH_ALEN);
10983 
10984 			/* special attribute - old implementation w/a */
10985 			request->match_sets[i].rssi_thold = default_match_rssi;
10986 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10987 			if (rssi)
10988 				request->match_sets[i].rssi_thold =
10989 					nla_get_s32(rssi);
10990 			i++;
10991 		}
10992 
10993 		/* there was no other matchset, so the RSSI one is alone */
10994 		if (i == 0 && n_match_sets)
10995 			request->match_sets[0].rssi_thold = default_match_rssi;
10996 
10997 		request->min_rssi_thold = INT_MAX;
10998 		for (i = 0; i < n_match_sets; i++)
10999 			request->min_rssi_thold =
11000 				min(request->match_sets[i].rssi_thold,
11001 				    request->min_rssi_thold);
11002 	} else {
11003 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11004 	}
11005 
11006 	if (ie_len) {
11007 		request->ie_len = ie_len;
11008 		memcpy((void *)request->ie,
11009 		       nla_data(attrs[NL80211_ATTR_IE]),
11010 		       request->ie_len);
11011 	}
11012 
11013 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11014 	if (err)
11015 		goto out_free;
11016 
11017 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11018 		request->delay =
11019 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11020 
11021 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11022 		request->relative_rssi = nla_get_s8(
11023 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11024 		request->relative_rssi_set = true;
11025 	}
11026 
11027 	if (request->relative_rssi_set &&
11028 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11029 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11030 
11031 		rssi_adjust = nla_data(
11032 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11033 		request->rssi_adjust.band = rssi_adjust->band;
11034 		request->rssi_adjust.delta = rssi_adjust->delta;
11035 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11036 			err = -EINVAL;
11037 			goto out_free;
11038 		}
11039 	}
11040 
11041 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11042 	if (err)
11043 		goto out_free;
11044 
11045 	request->scan_start = jiffies;
11046 
11047 	return request;
11048 
11049 out_free:
11050 	kfree(request);
11051 	return ERR_PTR(err);
11052 }
11053 
11054 static int nl80211_start_sched_scan(struct sk_buff *skb,
11055 				    struct genl_info *info)
11056 {
11057 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11058 	struct net_device *dev = info->user_ptr[1];
11059 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11060 	struct cfg80211_sched_scan_request *sched_scan_req;
11061 	bool want_multi;
11062 	int err;
11063 
11064 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11065 		return -EOPNOTSUPP;
11066 
11067 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11068 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11069 	if (err)
11070 		return err;
11071 
11072 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11073 						  info->attrs,
11074 						  rdev->wiphy.max_match_sets);
11075 
11076 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11077 	if (err)
11078 		goto out_err;
11079 
11080 	/* leave request id zero for legacy request
11081 	 * or if driver does not support multi-scheduled scan
11082 	 */
11083 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11084 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11085 
11086 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11087 	if (err)
11088 		goto out_free;
11089 
11090 	sched_scan_req->dev = dev;
11091 	sched_scan_req->wiphy = &rdev->wiphy;
11092 
11093 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11094 		sched_scan_req->owner_nlportid = info->snd_portid;
11095 
11096 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11097 
11098 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11099 	return 0;
11100 
11101 out_free:
11102 	kfree(sched_scan_req);
11103 out_err:
11104 	return err;
11105 }
11106 
11107 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11108 				   struct genl_info *info)
11109 {
11110 	struct cfg80211_sched_scan_request *req;
11111 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11112 	u64 cookie;
11113 
11114 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11115 		return -EOPNOTSUPP;
11116 
11117 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11118 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11119 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11120 	}
11121 
11122 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11123 				     struct cfg80211_sched_scan_request,
11124 				     list);
11125 	if (!req || req->reqid ||
11126 	    (req->owner_nlportid &&
11127 	     req->owner_nlportid != info->snd_portid))
11128 		return -ENOENT;
11129 
11130 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11131 }
11132 
11133 static int nl80211_start_radar_detection(struct sk_buff *skb,
11134 					 struct genl_info *info)
11135 {
11136 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11137 	struct net_device *dev = info->user_ptr[1];
11138 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11139 	int link_id = nl80211_link_id(info->attrs);
11140 	struct wiphy *wiphy = wdev->wiphy;
11141 	struct cfg80211_chan_def chandef;
11142 	enum nl80211_dfs_regions dfs_region;
11143 	unsigned int cac_time_ms;
11144 	int err;
11145 
11146 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11147 
11148 	switch (wdev->iftype) {
11149 	case NL80211_IFTYPE_AP:
11150 	case NL80211_IFTYPE_P2P_GO:
11151 	case NL80211_IFTYPE_MESH_POINT:
11152 	case NL80211_IFTYPE_ADHOC:
11153 		break;
11154 	default:
11155 		/* caution - see cfg80211_beaconing_iface_active() below */
11156 		return -EINVAL;
11157 	}
11158 
11159 	guard(wiphy)(wiphy);
11160 
11161 	dfs_region = reg_get_dfs_region(wiphy);
11162 	if (dfs_region == NL80211_DFS_UNSET)
11163 		return -EINVAL;
11164 
11165 	err = nl80211_parse_chandef(rdev, info, &chandef);
11166 	if (err)
11167 		return err;
11168 
11169 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11170 	if (err < 0)
11171 		return err;
11172 
11173 	if (err == 0)
11174 		return -EINVAL;
11175 
11176 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11177 		return -EINVAL;
11178 
11179 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11180 		return cfg80211_start_background_radar_detection(rdev, wdev,
11181 								 &chandef);
11182 
11183 	if (cfg80211_beaconing_iface_active(wdev)) {
11184 		/* During MLO other link(s) can beacon, only the current link
11185 		 * can not already beacon
11186 		 */
11187 		if (wdev->valid_links &&
11188 		    !wdev->links[link_id].ap.beacon_interval) {
11189 			/* nothing */
11190 		} else {
11191 			return -EBUSY;
11192 		}
11193 	}
11194 
11195 	if (wdev->links[link_id].cac_started)
11196 		return -EBUSY;
11197 
11198 	/* CAC start is offloaded to HW and can't be started manually */
11199 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11200 		return -EOPNOTSUPP;
11201 
11202 	if (!rdev->ops->start_radar_detection)
11203 		return -EOPNOTSUPP;
11204 
11205 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11206 	if (WARN_ON(!cac_time_ms))
11207 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11208 
11209 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11210 					 link_id);
11211 	if (err)
11212 		return err;
11213 
11214 	switch (wdev->iftype) {
11215 	case NL80211_IFTYPE_AP:
11216 	case NL80211_IFTYPE_P2P_GO:
11217 		wdev->links[link_id].ap.chandef = chandef;
11218 		break;
11219 	case NL80211_IFTYPE_ADHOC:
11220 		wdev->u.ibss.chandef = chandef;
11221 		break;
11222 	case NL80211_IFTYPE_MESH_POINT:
11223 		wdev->u.mesh.chandef = chandef;
11224 		break;
11225 	default:
11226 		break;
11227 	}
11228 	wdev->links[link_id].cac_started = true;
11229 	wdev->links[link_id].cac_start_time = jiffies;
11230 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11231 
11232 	return 0;
11233 }
11234 
11235 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11236 					  struct genl_info *info)
11237 {
11238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11239 	struct net_device *dev = info->user_ptr[1];
11240 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11241 	struct wiphy *wiphy = wdev->wiphy;
11242 	struct cfg80211_chan_def chandef;
11243 	enum nl80211_dfs_regions dfs_region;
11244 	int err;
11245 
11246 	dfs_region = reg_get_dfs_region(wiphy);
11247 	if (dfs_region == NL80211_DFS_UNSET) {
11248 		GENL_SET_ERR_MSG(info,
11249 				 "DFS Region is not set. Unexpected Radar indication");
11250 		return -EINVAL;
11251 	}
11252 
11253 	err = nl80211_parse_chandef(rdev, info, &chandef);
11254 	if (err) {
11255 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11256 		return err;
11257 	}
11258 
11259 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11260 	if (err < 0) {
11261 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11262 		return err;
11263 	}
11264 
11265 	if (err == 0) {
11266 		GENL_SET_ERR_MSG(info,
11267 				 "Unexpected Radar indication for chandef/iftype");
11268 		return -EINVAL;
11269 	}
11270 
11271 	/* Do not process this notification if radar is already detected
11272 	 * by kernel on this channel, and return success.
11273 	 */
11274 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11275 		return 0;
11276 
11277 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11278 
11279 	cfg80211_sched_dfs_chan_update(rdev);
11280 
11281 	rdev->radar_chandef = chandef;
11282 
11283 	/* Propagate this notification to other radios as well */
11284 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11285 
11286 	return 0;
11287 }
11288 
11289 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11290 					 const u8 *data, size_t datalen,
11291 					 int first_count, struct nlattr *attr,
11292 					 const u16 **offsets, unsigned int *n_offsets)
11293 {
11294 	int i;
11295 
11296 	*n_offsets = 0;
11297 
11298 	if (!attr)
11299 		return 0;
11300 
11301 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11302 		return -EINVAL;
11303 
11304 	*n_offsets = nla_len(attr) / sizeof(u16);
11305 	if (rdev->wiphy.max_num_csa_counters &&
11306 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11307 		return -EINVAL;
11308 
11309 	*offsets = nla_data(attr);
11310 
11311 	/* sanity checks - counters should fit and be the same */
11312 	for (i = 0; i < *n_offsets; i++) {
11313 		u16 offset = (*offsets)[i];
11314 
11315 		if (offset >= datalen)
11316 			return -EINVAL;
11317 
11318 		if (first_count != -1 && data[offset] != first_count)
11319 			return -EINVAL;
11320 	}
11321 
11322 	return 0;
11323 }
11324 
11325 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11326 {
11327 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11328 	unsigned int link_id = nl80211_link_id(info->attrs);
11329 	struct net_device *dev = info->user_ptr[1];
11330 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11331 	struct cfg80211_csa_settings params;
11332 	struct nlattr **csa_attrs = NULL;
11333 	int err;
11334 	bool need_new_beacon = false;
11335 	bool need_handle_dfs_flag = true;
11336 	u32 cs_count;
11337 
11338 	if (!rdev->ops->channel_switch ||
11339 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11340 		return -EOPNOTSUPP;
11341 
11342 	switch (dev->ieee80211_ptr->iftype) {
11343 	case NL80211_IFTYPE_AP:
11344 	case NL80211_IFTYPE_P2P_GO:
11345 		need_new_beacon = true;
11346 		/* For all modes except AP the handle_dfs flag needs to be
11347 		 * supplied to tell the kernel that userspace will handle radar
11348 		 * events when they happen. Otherwise a switch to a channel
11349 		 * requiring DFS will be rejected.
11350 		 */
11351 		need_handle_dfs_flag = false;
11352 
11353 		/* useless if AP is not running */
11354 		if (!wdev->links[link_id].ap.beacon_interval)
11355 			return -ENOTCONN;
11356 		break;
11357 	case NL80211_IFTYPE_ADHOC:
11358 		if (!wdev->u.ibss.ssid_len)
11359 			return -ENOTCONN;
11360 		break;
11361 	case NL80211_IFTYPE_MESH_POINT:
11362 		if (!wdev->u.mesh.id_len)
11363 			return -ENOTCONN;
11364 		break;
11365 	default:
11366 		return -EOPNOTSUPP;
11367 	}
11368 
11369 	memset(&params, 0, sizeof(params));
11370 	params.beacon_csa.ftm_responder = -1;
11371 
11372 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11373 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11374 		return -EINVAL;
11375 
11376 	/* only important for AP, IBSS and mesh create IEs internally */
11377 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11378 		return -EINVAL;
11379 
11380 	/* Even though the attribute is u32, the specification says
11381 	 * u8, so let's make sure we don't overflow.
11382 	 */
11383 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11384 	if (cs_count > 255)
11385 		return -EINVAL;
11386 
11387 	params.count = cs_count;
11388 
11389 	if (!need_new_beacon)
11390 		goto skip_beacons;
11391 
11392 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11393 				   info->extack);
11394 	if (err)
11395 		goto free;
11396 
11397 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
11398 			    GFP_KERNEL);
11399 	if (!csa_attrs) {
11400 		err = -ENOMEM;
11401 		goto free;
11402 	}
11403 
11404 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11405 					  info->attrs[NL80211_ATTR_CSA_IES],
11406 					  nl80211_policy, info->extack);
11407 	if (err)
11408 		goto free;
11409 
11410 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11411 				   info->extack);
11412 	if (err)
11413 		goto free;
11414 
11415 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11416 		err = -EINVAL;
11417 		goto free;
11418 	}
11419 
11420 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11421 					    params.beacon_csa.tail_len,
11422 					    params.count,
11423 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11424 					    &params.counter_offsets_beacon,
11425 					    &params.n_counter_offsets_beacon);
11426 	if (err)
11427 		goto free;
11428 
11429 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11430 					    params.beacon_csa.probe_resp_len,
11431 					    params.count,
11432 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11433 					    &params.counter_offsets_presp,
11434 					    &params.n_counter_offsets_presp);
11435 	if (err)
11436 		goto free;
11437 
11438 skip_beacons:
11439 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
11440 	if (err)
11441 		goto free;
11442 
11443 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11444 					   wdev->iftype)) {
11445 		err = -EINVAL;
11446 		goto free;
11447 	}
11448 
11449 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11450 					    &params.chandef,
11451 					    wdev->iftype);
11452 	if (err < 0)
11453 		goto free;
11454 
11455 	if (err > 0) {
11456 		params.radar_required = true;
11457 		if (need_handle_dfs_flag &&
11458 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11459 			err = -EINVAL;
11460 			goto free;
11461 		}
11462 	}
11463 
11464 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11465 		params.block_tx = true;
11466 
11467 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11468 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11469 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11470 		err = nl80211_parse_unsol_bcast_probe_resp(
11471 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11472 			&params.unsol_bcast_probe_resp);
11473 		if (err)
11474 			goto free;
11475 	}
11476 
11477 	params.link_id = link_id;
11478 	err = rdev_channel_switch(rdev, dev, &params);
11479 
11480 free:
11481 	kfree(params.beacon_after.mbssid_ies);
11482 	kfree(params.beacon_csa.mbssid_ies);
11483 	kfree(params.beacon_after.rnr_ies);
11484 	kfree(params.beacon_csa.rnr_ies);
11485 	kfree(csa_attrs);
11486 	return err;
11487 }
11488 
11489 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11490 			    u32 seq, int flags,
11491 			    struct cfg80211_registered_device *rdev,
11492 			    struct wireless_dev *wdev,
11493 			    struct cfg80211_internal_bss *intbss)
11494 {
11495 	struct cfg80211_bss *res = &intbss->pub;
11496 	const struct cfg80211_bss_ies *ies;
11497 	unsigned int link_id;
11498 	void *hdr;
11499 	struct nlattr *bss;
11500 
11501 	lockdep_assert_wiphy(wdev->wiphy);
11502 
11503 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11504 			     NL80211_CMD_NEW_SCAN_RESULTS);
11505 	if (!hdr)
11506 		return -1;
11507 
11508 	genl_dump_check_consistent(cb, hdr);
11509 
11510 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11511 		goto nla_put_failure;
11512 	if (wdev->netdev &&
11513 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11514 		goto nla_put_failure;
11515 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11516 			      NL80211_ATTR_PAD))
11517 		goto nla_put_failure;
11518 
11519 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11520 	if (!bss)
11521 		goto nla_put_failure;
11522 	if ((!is_zero_ether_addr(res->bssid) &&
11523 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11524 		goto nla_put_failure;
11525 
11526 	rcu_read_lock();
11527 	/* indicate whether we have probe response data or not */
11528 	if (rcu_access_pointer(res->proberesp_ies) &&
11529 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11530 		goto fail_unlock_rcu;
11531 
11532 	/* this pointer prefers to be pointed to probe response data
11533 	 * but is always valid
11534 	 */
11535 	ies = rcu_dereference(res->ies);
11536 	if (ies) {
11537 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11538 				      NL80211_BSS_PAD))
11539 			goto fail_unlock_rcu;
11540 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11541 					ies->len, ies->data))
11542 			goto fail_unlock_rcu;
11543 	}
11544 
11545 	/* and this pointer is always (unless driver didn't know) beacon data */
11546 	ies = rcu_dereference(res->beacon_ies);
11547 	if (ies && ies->from_beacon) {
11548 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11549 				      NL80211_BSS_PAD))
11550 			goto fail_unlock_rcu;
11551 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11552 					ies->len, ies->data))
11553 			goto fail_unlock_rcu;
11554 	}
11555 	rcu_read_unlock();
11556 
11557 	if (res->beacon_interval &&
11558 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11559 		goto nla_put_failure;
11560 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11561 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11562 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11563 			res->channel->freq_offset) ||
11564 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11565 			jiffies_to_msecs(jiffies - intbss->ts)))
11566 		goto nla_put_failure;
11567 
11568 	if (intbss->parent_tsf &&
11569 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
11570 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
11571 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
11572 		     intbss->parent_bssid)))
11573 		goto nla_put_failure;
11574 
11575 	if (res->ts_boottime &&
11576 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
11577 			      res->ts_boottime, NL80211_BSS_PAD))
11578 		goto nla_put_failure;
11579 
11580 	if (!nl80211_put_signal(msg, intbss->pub.chains,
11581 				intbss->pub.chain_signal,
11582 				NL80211_BSS_CHAIN_SIGNAL))
11583 		goto nla_put_failure;
11584 
11585 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
11586 		switch (rdev->wiphy.signal_type) {
11587 		case CFG80211_SIGNAL_TYPE_MBM:
11588 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
11589 					res->signal))
11590 				goto nla_put_failure;
11591 			break;
11592 		case CFG80211_SIGNAL_TYPE_UNSPEC:
11593 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
11594 				       res->signal))
11595 				goto nla_put_failure;
11596 			break;
11597 		default:
11598 			break;
11599 		}
11600 	}
11601 
11602 	switch (wdev->iftype) {
11603 	case NL80211_IFTYPE_P2P_CLIENT:
11604 	case NL80211_IFTYPE_STATION:
11605 		for_each_valid_link(wdev, link_id) {
11606 			if (intbss == wdev->links[link_id].client.current_bss &&
11607 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
11608 					 NL80211_BSS_STATUS_ASSOCIATED) ||
11609 			     (wdev->valid_links &&
11610 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
11611 					  link_id) ||
11612 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
11613 				       wdev->u.client.connected_addr)))))
11614 				goto nla_put_failure;
11615 		}
11616 		break;
11617 	case NL80211_IFTYPE_ADHOC:
11618 		if (intbss == wdev->u.ibss.current_bss &&
11619 		    nla_put_u32(msg, NL80211_BSS_STATUS,
11620 				NL80211_BSS_STATUS_IBSS_JOINED))
11621 			goto nla_put_failure;
11622 		break;
11623 	default:
11624 		break;
11625 	}
11626 
11627 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
11628 		goto nla_put_failure;
11629 
11630 	if (res->cannot_use_reasons &&
11631 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
11632 			      res->cannot_use_reasons,
11633 			      NL80211_BSS_PAD))
11634 		goto nla_put_failure;
11635 
11636 	nla_nest_end(msg, bss);
11637 
11638 	genlmsg_end(msg, hdr);
11639 	return 0;
11640 
11641  fail_unlock_rcu:
11642 	rcu_read_unlock();
11643  nla_put_failure:
11644 	genlmsg_cancel(msg, hdr);
11645 	return -EMSGSIZE;
11646 }
11647 
11648 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
11649 {
11650 	struct cfg80211_registered_device *rdev;
11651 	struct cfg80211_internal_bss *scan;
11652 	struct wireless_dev *wdev;
11653 	struct nlattr **attrbuf;
11654 	int start = cb->args[2], idx = 0;
11655 	bool dump_include_use_data;
11656 	int err;
11657 
11658 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11659 	if (!attrbuf)
11660 		return -ENOMEM;
11661 
11662 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11663 	if (err) {
11664 		kfree(attrbuf);
11665 		return err;
11666 	}
11667 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11668 	__acquire(&rdev->wiphy.mtx);
11669 
11670 	dump_include_use_data =
11671 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
11672 	kfree(attrbuf);
11673 
11674 	spin_lock_bh(&rdev->bss_lock);
11675 
11676 	/*
11677 	 * dump_scan will be called multiple times to break up the scan results
11678 	 * into multiple messages.  It is unlikely that any more bss-es will be
11679 	 * expired after the first call, so only call only call this on the
11680 	 * first dump_scan invocation.
11681 	 */
11682 	if (start == 0)
11683 		cfg80211_bss_expire(rdev);
11684 
11685 	cb->seq = rdev->bss_generation;
11686 
11687 	list_for_each_entry(scan, &rdev->bss_list, list) {
11688 		if (++idx <= start)
11689 			continue;
11690 		if (!dump_include_use_data &&
11691 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
11692 			continue;
11693 		if (nl80211_send_bss(skb, cb,
11694 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11695 				rdev, wdev, scan) < 0) {
11696 			idx--;
11697 			break;
11698 		}
11699 	}
11700 
11701 	spin_unlock_bh(&rdev->bss_lock);
11702 
11703 	cb->args[2] = idx;
11704 	wiphy_unlock(&rdev->wiphy);
11705 
11706 	return skb->len;
11707 }
11708 
11709 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
11710 			       int flags, struct net_device *dev,
11711 			       bool allow_radio_stats,
11712 			       struct survey_info *survey)
11713 {
11714 	void *hdr;
11715 	struct nlattr *infoattr;
11716 
11717 	/* skip radio stats if userspace didn't request them */
11718 	if (!survey->channel && !allow_radio_stats)
11719 		return 0;
11720 
11721 	hdr = nl80211hdr_put(msg, portid, seq, flags,
11722 			     NL80211_CMD_NEW_SURVEY_RESULTS);
11723 	if (!hdr)
11724 		return -ENOMEM;
11725 
11726 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11727 		goto nla_put_failure;
11728 
11729 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
11730 	if (!infoattr)
11731 		goto nla_put_failure;
11732 
11733 	if (survey->channel &&
11734 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
11735 			survey->channel->center_freq))
11736 		goto nla_put_failure;
11737 
11738 	if (survey->channel && survey->channel->freq_offset &&
11739 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
11740 			survey->channel->freq_offset))
11741 		goto nla_put_failure;
11742 
11743 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
11744 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
11745 		goto nla_put_failure;
11746 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
11747 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
11748 		goto nla_put_failure;
11749 	if ((survey->filled & SURVEY_INFO_TIME) &&
11750 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
11751 			survey->time, NL80211_SURVEY_INFO_PAD))
11752 		goto nla_put_failure;
11753 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
11754 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
11755 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
11756 		goto nla_put_failure;
11757 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
11758 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
11759 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
11760 		goto nla_put_failure;
11761 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
11762 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
11763 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
11764 		goto nla_put_failure;
11765 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
11766 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
11767 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
11768 		goto nla_put_failure;
11769 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
11770 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
11771 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
11772 		goto nla_put_failure;
11773 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
11774 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
11775 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
11776 		goto nla_put_failure;
11777 
11778 	nla_nest_end(msg, infoattr);
11779 
11780 	genlmsg_end(msg, hdr);
11781 	return 0;
11782 
11783  nla_put_failure:
11784 	genlmsg_cancel(msg, hdr);
11785 	return -EMSGSIZE;
11786 }
11787 
11788 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
11789 {
11790 	struct nlattr **attrbuf;
11791 	struct survey_info survey;
11792 	struct cfg80211_registered_device *rdev;
11793 	struct wireless_dev *wdev;
11794 	int survey_idx = cb->args[2];
11795 	int res;
11796 	bool radio_stats;
11797 
11798 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11799 	if (!attrbuf)
11800 		return -ENOMEM;
11801 
11802 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11803 	if (res) {
11804 		kfree(attrbuf);
11805 		return res;
11806 	}
11807 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11808 	__acquire(&rdev->wiphy.mtx);
11809 
11810 	/* prepare_wdev_dump parsed the attributes */
11811 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
11812 
11813 	if (!wdev->netdev) {
11814 		res = -EINVAL;
11815 		goto out_err;
11816 	}
11817 
11818 	if (!rdev->ops->dump_survey) {
11819 		res = -EOPNOTSUPP;
11820 		goto out_err;
11821 	}
11822 
11823 	while (1) {
11824 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
11825 		if (res == -ENOENT)
11826 			break;
11827 		if (res)
11828 			goto out_err;
11829 
11830 		/* don't send disabled channels, but do send non-channel data */
11831 		if (survey.channel &&
11832 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
11833 			survey_idx++;
11834 			continue;
11835 		}
11836 
11837 		if (nl80211_send_survey(skb,
11838 				NETLINK_CB(cb->skb).portid,
11839 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11840 				wdev->netdev, radio_stats, &survey) < 0)
11841 			goto out;
11842 		survey_idx++;
11843 	}
11844 
11845  out:
11846 	cb->args[2] = survey_idx;
11847 	res = skb->len;
11848  out_err:
11849 	kfree(attrbuf);
11850 	wiphy_unlock(&rdev->wiphy);
11851 	return res;
11852 }
11853 
11854 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
11855 {
11856 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11857 	struct net_device *dev = info->user_ptr[1];
11858 	struct ieee80211_channel *chan;
11859 	const u8 *bssid, *ssid;
11860 	int err, ssid_len;
11861 	enum nl80211_auth_type auth_type;
11862 	struct key_parse key;
11863 	bool local_state_change;
11864 	struct cfg80211_auth_request req = {};
11865 	u32 freq;
11866 
11867 	if (!info->attrs[NL80211_ATTR_MAC])
11868 		return -EINVAL;
11869 
11870 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
11871 		return -EINVAL;
11872 
11873 	if (!info->attrs[NL80211_ATTR_SSID])
11874 		return -EINVAL;
11875 
11876 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11877 		return -EINVAL;
11878 
11879 	err = nl80211_parse_key(info, &key);
11880 	if (err)
11881 		return err;
11882 
11883 	if (key.idx >= 0) {
11884 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
11885 			return -EINVAL;
11886 		if (!key.p.key || !key.p.key_len)
11887 			return -EINVAL;
11888 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
11889 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
11890 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
11891 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
11892 			return -EINVAL;
11893 		if (key.idx > 3)
11894 			return -EINVAL;
11895 	} else {
11896 		key.p.key_len = 0;
11897 		key.p.key = NULL;
11898 	}
11899 
11900 	if (key.idx >= 0) {
11901 		int i;
11902 		bool ok = false;
11903 
11904 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
11905 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
11906 				ok = true;
11907 				break;
11908 			}
11909 		}
11910 		if (!ok)
11911 			return -EINVAL;
11912 	}
11913 
11914 	if (!rdev->ops->auth)
11915 		return -EOPNOTSUPP;
11916 
11917 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11918 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11919 		return -EOPNOTSUPP;
11920 
11921 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11922 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11923 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11924 		freq +=
11925 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11926 
11927 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11928 	if (!chan)
11929 		return -EINVAL;
11930 
11931 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11932 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11933 
11934 	if (info->attrs[NL80211_ATTR_IE]) {
11935 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11936 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11937 	}
11938 
11939 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
11940 		req.supported_selectors =
11941 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11942 		req.supported_selectors_len =
11943 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11944 	}
11945 
11946 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11947 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
11948 		return -EINVAL;
11949 
11950 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
11951 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
11952 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
11953 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
11954 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
11955 		return -EINVAL;
11956 
11957 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
11958 		if (auth_type != NL80211_AUTHTYPE_SAE &&
11959 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
11960 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
11961 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
11962 			return -EINVAL;
11963 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
11964 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
11965 	}
11966 
11967 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11968 
11969 	/*
11970 	 * Since we no longer track auth state, ignore
11971 	 * requests to only change local state.
11972 	 */
11973 	if (local_state_change)
11974 		return 0;
11975 
11976 	req.auth_type = auth_type;
11977 	req.key = key.p.key;
11978 	req.key_len = key.p.key_len;
11979 	req.key_idx = key.idx;
11980 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11981 	if (req.link_id >= 0) {
11982 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11983 			return -EINVAL;
11984 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
11985 			return -EINVAL;
11986 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11987 		if (!is_valid_ether_addr(req.ap_mld_addr))
11988 			return -EINVAL;
11989 	}
11990 
11991 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
11992 				   IEEE80211_BSS_TYPE_ESS,
11993 				   IEEE80211_PRIVACY_ANY);
11994 	if (!req.bss)
11995 		return -ENOENT;
11996 
11997 	err = cfg80211_mlme_auth(rdev, dev, &req);
11998 
11999 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12000 
12001 	return err;
12002 }
12003 
12004 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12005 				     struct genl_info *info)
12006 {
12007 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12008 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12009 		return -EINVAL;
12010 	}
12011 
12012 	if (!rdev->ops->tx_control_port ||
12013 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12014 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12015 		return -EOPNOTSUPP;
12016 
12017 	return 0;
12018 }
12019 
12020 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12021 				   struct genl_info *info,
12022 				   struct cfg80211_crypto_settings *settings,
12023 				   int cipher_limit)
12024 {
12025 	memset(settings, 0, sizeof(*settings));
12026 
12027 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12028 
12029 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12030 		u16 proto;
12031 
12032 		proto = nla_get_u16(
12033 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12034 		settings->control_port_ethertype = cpu_to_be16(proto);
12035 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12036 		    proto != ETH_P_PAE)
12037 			return -EINVAL;
12038 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12039 			settings->control_port_no_encrypt = true;
12040 	} else
12041 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12042 
12043 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12044 		int r = validate_pae_over_nl80211(rdev, info);
12045 
12046 		if (r < 0)
12047 			return r;
12048 
12049 		settings->control_port_over_nl80211 = true;
12050 
12051 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12052 			settings->control_port_no_preauth = true;
12053 	}
12054 
12055 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12056 		void *data;
12057 		int len, i;
12058 
12059 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12060 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12061 		settings->n_ciphers_pairwise = len / sizeof(u32);
12062 
12063 		if (len % sizeof(u32))
12064 			return -EINVAL;
12065 
12066 		if (settings->n_ciphers_pairwise > cipher_limit)
12067 			return -EINVAL;
12068 
12069 		memcpy(settings->ciphers_pairwise, data, len);
12070 
12071 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12072 			if (!cfg80211_supported_cipher_suite(
12073 					&rdev->wiphy,
12074 					settings->ciphers_pairwise[i]))
12075 				return -EINVAL;
12076 	}
12077 
12078 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12079 		settings->cipher_group =
12080 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12081 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12082 						     settings->cipher_group))
12083 			return -EINVAL;
12084 	}
12085 
12086 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12087 		settings->wpa_versions =
12088 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12089 
12090 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12091 		void *data;
12092 		int len;
12093 
12094 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12095 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12096 		settings->n_akm_suites = len / sizeof(u32);
12097 
12098 		if (len % sizeof(u32))
12099 			return -EINVAL;
12100 
12101 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12102 			return -EINVAL;
12103 
12104 		memcpy(settings->akm_suites, data, len);
12105 	}
12106 
12107 	if (info->attrs[NL80211_ATTR_PMK]) {
12108 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12109 			return -EINVAL;
12110 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12111 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12112 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12113 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12114 			return -EINVAL;
12115 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12116 	}
12117 
12118 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12119 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12120 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12121 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12122 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12123 			return -EINVAL;
12124 		settings->sae_pwd =
12125 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12126 		settings->sae_pwd_len =
12127 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12128 	}
12129 
12130 	settings->sae_pwe =
12131 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12132 				   NL80211_SAE_PWE_UNSPECIFIED);
12133 
12134 	return 0;
12135 }
12136 
12137 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12138 					      const u8 *ssid, int ssid_len,
12139 					      struct nlattr **attrs,
12140 					      int assoc_link_id, int link_id)
12141 {
12142 	struct ieee80211_channel *chan;
12143 	struct cfg80211_bss *bss;
12144 	const u8 *bssid;
12145 	u32 freq, use_for = 0;
12146 
12147 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12148 		return ERR_PTR(-EINVAL);
12149 
12150 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12151 
12152 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12153 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12154 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12155 
12156 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12157 	if (!chan)
12158 		return ERR_PTR(-EINVAL);
12159 
12160 	if (assoc_link_id >= 0)
12161 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12162 	if (assoc_link_id == link_id)
12163 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12164 
12165 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12166 				 ssid, ssid_len,
12167 				 IEEE80211_BSS_TYPE_ESS,
12168 				 IEEE80211_PRIVACY_ANY,
12169 				 use_for);
12170 	if (!bss)
12171 		return ERR_PTR(-ENOENT);
12172 
12173 	return bss;
12174 }
12175 
12176 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12177 				 struct cfg80211_assoc_link *links,
12178 				 int assoc_link_id,
12179 				 const u8 *ssid, int ssid_len,
12180 				 struct genl_info *info)
12181 {
12182 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12183 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12184 	struct nlattr *link;
12185 	unsigned int link_id;
12186 	int rem, err;
12187 
12188 	if (!attrs)
12189 		return -ENOMEM;
12190 
12191 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12192 		memset(attrs, 0, attrsize);
12193 
12194 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12195 
12196 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12197 			NL_SET_BAD_ATTR(info->extack, link);
12198 			return -EINVAL;
12199 		}
12200 
12201 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12202 		/* cannot use the same link ID again */
12203 		if (links[link_id].bss) {
12204 			NL_SET_BAD_ATTR(info->extack, link);
12205 			return -EINVAL;
12206 		}
12207 		links[link_id].bss =
12208 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12209 					  assoc_link_id, link_id);
12210 		if (IS_ERR(links[link_id].bss)) {
12211 			err = PTR_ERR(links[link_id].bss);
12212 			links[link_id].bss = NULL;
12213 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12214 					    "Error fetching BSS for link");
12215 			return err;
12216 		}
12217 
12218 		if (attrs[NL80211_ATTR_IE]) {
12219 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12220 			links[link_id].elems_len =
12221 				nla_len(attrs[NL80211_ATTR_IE]);
12222 
12223 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12224 					       links[link_id].elems,
12225 					       links[link_id].elems_len)) {
12226 				NL_SET_ERR_MSG_ATTR(info->extack,
12227 						    attrs[NL80211_ATTR_IE],
12228 						    "cannot deal with fragmentation");
12229 				return -EINVAL;
12230 			}
12231 
12232 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12233 						   links[link_id].elems,
12234 						   links[link_id].elems_len)) {
12235 				NL_SET_ERR_MSG_ATTR(info->extack,
12236 						    attrs[NL80211_ATTR_IE],
12237 						    "cannot deal with non-inheritance");
12238 				return -EINVAL;
12239 			}
12240 		}
12241 
12242 		links[link_id].disabled =
12243 			nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
12244 	}
12245 
12246 	return 0;
12247 }
12248 
12249 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12250 {
12251 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12252 	struct net_device *dev = info->user_ptr[1];
12253 	struct cfg80211_assoc_request req = {};
12254 	const u8 *ap_addr, *ssid;
12255 	unsigned int link_id;
12256 	int err, ssid_len;
12257 
12258 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12259 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12260 		return -EPERM;
12261 
12262 	if (!info->attrs[NL80211_ATTR_SSID])
12263 		return -EINVAL;
12264 
12265 	if (!rdev->ops->assoc)
12266 		return -EOPNOTSUPP;
12267 
12268 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12269 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12270 		return -EOPNOTSUPP;
12271 
12272 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12273 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12274 
12275 	if (info->attrs[NL80211_ATTR_IE]) {
12276 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12277 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12278 
12279 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12280 					   req.ie, req.ie_len)) {
12281 			NL_SET_ERR_MSG_ATTR(info->extack,
12282 					    info->attrs[NL80211_ATTR_IE],
12283 					    "non-inheritance makes no sense");
12284 			return -EINVAL;
12285 		}
12286 	}
12287 
12288 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12289 		enum nl80211_mfp mfp =
12290 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12291 		if (mfp == NL80211_MFP_REQUIRED)
12292 			req.use_mfp = true;
12293 		else if (mfp != NL80211_MFP_NO)
12294 			return -EINVAL;
12295 	}
12296 
12297 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12298 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12299 
12300 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12301 		req.supported_selectors =
12302 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12303 		req.supported_selectors_len =
12304 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12305 	}
12306 
12307 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12308 		req.flags |= ASSOC_REQ_DISABLE_HT;
12309 
12310 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12311 		memcpy(&req.ht_capa_mask,
12312 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12313 		       sizeof(req.ht_capa_mask));
12314 
12315 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12316 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12317 			return -EINVAL;
12318 		memcpy(&req.ht_capa,
12319 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12320 		       sizeof(req.ht_capa));
12321 	}
12322 
12323 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12324 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12325 
12326 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12327 		req.flags |= ASSOC_REQ_DISABLE_HE;
12328 
12329 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12330 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12331 
12332 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12333 		memcpy(&req.vht_capa_mask,
12334 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12335 		       sizeof(req.vht_capa_mask));
12336 
12337 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12338 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12339 			return -EINVAL;
12340 		memcpy(&req.vht_capa,
12341 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12342 		       sizeof(req.vht_capa));
12343 	}
12344 
12345 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12346 		if (!((rdev->wiphy.features &
12347 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12348 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12349 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12350 					     NL80211_EXT_FEATURE_RRM))
12351 			return -EINVAL;
12352 		req.flags |= ASSOC_REQ_USE_RRM;
12353 	}
12354 
12355 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12356 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12357 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12358 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12359 			return -EINVAL;
12360 		req.fils_nonces =
12361 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12362 	}
12363 
12364 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12365 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12366 			return -EINVAL;
12367 		memcpy(&req.s1g_capa_mask,
12368 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12369 		       sizeof(req.s1g_capa_mask));
12370 	}
12371 
12372 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12373 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12374 			return -EINVAL;
12375 		memcpy(&req.s1g_capa,
12376 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12377 		       sizeof(req.s1g_capa));
12378 	}
12379 
12380 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12381 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12382 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12383 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12384 			return -EINVAL;
12385 		}
12386 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12387 	}
12388 
12389 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12390 
12391 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12392 		if (req.link_id < 0)
12393 			return -EINVAL;
12394 
12395 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12396 			return -EINVAL;
12397 
12398 		if (info->attrs[NL80211_ATTR_MAC] ||
12399 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12400 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12401 			return -EINVAL;
12402 
12403 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12404 		ap_addr = req.ap_mld_addr;
12405 
12406 		err = nl80211_process_links(rdev, req.links, req.link_id,
12407 					    ssid, ssid_len, info);
12408 		if (err)
12409 			goto free;
12410 
12411 		if (!req.links[req.link_id].bss) {
12412 			err = -EINVAL;
12413 			goto free;
12414 		}
12415 
12416 		if (req.links[req.link_id].elems_len) {
12417 			GENL_SET_ERR_MSG(info,
12418 					 "cannot have per-link elems on assoc link");
12419 			err = -EINVAL;
12420 			goto free;
12421 		}
12422 
12423 		if (req.links[req.link_id].disabled) {
12424 			GENL_SET_ERR_MSG(info,
12425 					 "cannot have assoc link disabled");
12426 			err = -EINVAL;
12427 			goto free;
12428 		}
12429 
12430 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12431 			req.ext_mld_capa_ops =
12432 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12433 	} else {
12434 		if (req.link_id >= 0)
12435 			return -EINVAL;
12436 
12437 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12438 					    -1, -1);
12439 		if (IS_ERR(req.bss))
12440 			return PTR_ERR(req.bss);
12441 		ap_addr = req.bss->bssid;
12442 
12443 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12444 			return -EINVAL;
12445 	}
12446 
12447 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12448 	if (!err) {
12449 		struct nlattr *link;
12450 		int rem = 0;
12451 
12452 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12453 					  info->extack);
12454 
12455 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12456 			dev->ieee80211_ptr->conn_owner_nlportid =
12457 				info->snd_portid;
12458 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12459 			       ap_addr, ETH_ALEN);
12460 		}
12461 
12462 		/* Report error from first problematic link */
12463 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12464 			nla_for_each_nested(link,
12465 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12466 					    rem) {
12467 				struct nlattr *link_id_attr =
12468 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12469 
12470 				if (!link_id_attr)
12471 					continue;
12472 
12473 				link_id = nla_get_u8(link_id_attr);
12474 
12475 				if (link_id == req.link_id)
12476 					continue;
12477 
12478 				if (!req.links[link_id].error ||
12479 				    WARN_ON(req.links[link_id].error > 0))
12480 					continue;
12481 
12482 				WARN_ON(err >= 0);
12483 
12484 				NL_SET_BAD_ATTR(info->extack, link);
12485 				err = req.links[link_id].error;
12486 				break;
12487 			}
12488 		}
12489 	}
12490 
12491 free:
12492 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12493 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12494 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12495 
12496 	return err;
12497 }
12498 
12499 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12500 {
12501 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12502 	struct net_device *dev = info->user_ptr[1];
12503 	const u8 *ie = NULL, *bssid;
12504 	int ie_len = 0;
12505 	u16 reason_code;
12506 	bool local_state_change;
12507 
12508 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12509 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12510 		return -EPERM;
12511 
12512 	if (!info->attrs[NL80211_ATTR_MAC])
12513 		return -EINVAL;
12514 
12515 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12516 		return -EINVAL;
12517 
12518 	if (!rdev->ops->deauth)
12519 		return -EOPNOTSUPP;
12520 
12521 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12522 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12523 		return -EOPNOTSUPP;
12524 
12525 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12526 
12527 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12528 	if (reason_code == 0) {
12529 		/* Reason Code 0 is reserved */
12530 		return -EINVAL;
12531 	}
12532 
12533 	if (info->attrs[NL80211_ATTR_IE]) {
12534 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12535 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12536 	}
12537 
12538 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12539 
12540 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12541 				    local_state_change);
12542 }
12543 
12544 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12545 {
12546 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12547 	struct net_device *dev = info->user_ptr[1];
12548 	const u8 *ie = NULL, *bssid;
12549 	int ie_len = 0;
12550 	u16 reason_code;
12551 	bool local_state_change;
12552 
12553 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12554 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12555 		return -EPERM;
12556 
12557 	if (!info->attrs[NL80211_ATTR_MAC])
12558 		return -EINVAL;
12559 
12560 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12561 		return -EINVAL;
12562 
12563 	if (!rdev->ops->disassoc)
12564 		return -EOPNOTSUPP;
12565 
12566 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12567 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12568 		return -EOPNOTSUPP;
12569 
12570 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12571 
12572 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12573 	if (reason_code == 0) {
12574 		/* Reason Code 0 is reserved */
12575 		return -EINVAL;
12576 	}
12577 
12578 	if (info->attrs[NL80211_ATTR_IE]) {
12579 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12580 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12581 	}
12582 
12583 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12584 
12585 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
12586 				      local_state_change);
12587 }
12588 
12589 static bool
12590 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
12591 			 int mcast_rate[NUM_NL80211_BANDS],
12592 			 int rateval)
12593 {
12594 	struct wiphy *wiphy = &rdev->wiphy;
12595 	bool found = false;
12596 	int band, i;
12597 
12598 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
12599 		struct ieee80211_supported_band *sband;
12600 
12601 		sband = wiphy->bands[band];
12602 		if (!sband)
12603 			continue;
12604 
12605 		for (i = 0; i < sband->n_bitrates; i++) {
12606 			if (sband->bitrates[i].bitrate == rateval) {
12607 				mcast_rate[band] = i + 1;
12608 				found = true;
12609 				break;
12610 			}
12611 		}
12612 	}
12613 
12614 	return found;
12615 }
12616 
12617 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
12618 {
12619 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12620 	struct net_device *dev = info->user_ptr[1];
12621 	struct cfg80211_ibss_params ibss;
12622 	struct wiphy *wiphy;
12623 	struct cfg80211_cached_keys *connkeys = NULL;
12624 	int err;
12625 
12626 	memset(&ibss, 0, sizeof(ibss));
12627 
12628 	if (!info->attrs[NL80211_ATTR_SSID] ||
12629 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12630 		return -EINVAL;
12631 
12632 	ibss.beacon_interval = 100;
12633 
12634 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
12635 		ibss.beacon_interval =
12636 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12637 
12638 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
12639 					   ibss.beacon_interval);
12640 	if (err)
12641 		return err;
12642 
12643 	if (!rdev->ops->join_ibss)
12644 		return -EOPNOTSUPP;
12645 
12646 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12647 		return -EOPNOTSUPP;
12648 
12649 	wiphy = &rdev->wiphy;
12650 
12651 	if (info->attrs[NL80211_ATTR_MAC]) {
12652 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12653 
12654 		if (!is_valid_ether_addr(ibss.bssid))
12655 			return -EINVAL;
12656 	}
12657 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12658 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12659 
12660 	if (info->attrs[NL80211_ATTR_IE]) {
12661 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12662 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12663 	}
12664 
12665 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
12666 	if (err)
12667 		return err;
12668 
12669 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
12670 				     NL80211_IFTYPE_ADHOC))
12671 		return -EINVAL;
12672 
12673 	switch (ibss.chandef.width) {
12674 	case NL80211_CHAN_WIDTH_5:
12675 	case NL80211_CHAN_WIDTH_10:
12676 	case NL80211_CHAN_WIDTH_20_NOHT:
12677 		break;
12678 	case NL80211_CHAN_WIDTH_20:
12679 	case NL80211_CHAN_WIDTH_40:
12680 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12681 			return -EINVAL;
12682 		break;
12683 	case NL80211_CHAN_WIDTH_80:
12684 	case NL80211_CHAN_WIDTH_80P80:
12685 	case NL80211_CHAN_WIDTH_160:
12686 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12687 			return -EINVAL;
12688 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12689 					     NL80211_EXT_FEATURE_VHT_IBSS))
12690 			return -EINVAL;
12691 		break;
12692 	case NL80211_CHAN_WIDTH_320:
12693 		return -EINVAL;
12694 	default:
12695 		return -EINVAL;
12696 	}
12697 
12698 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
12699 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
12700 
12701 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12702 		u8 *rates =
12703 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12704 		int n_rates =
12705 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12706 		struct ieee80211_supported_band *sband =
12707 			wiphy->bands[ibss.chandef.chan->band];
12708 
12709 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12710 					     &ibss.basic_rates);
12711 		if (err)
12712 			return err;
12713 	}
12714 
12715 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12716 		memcpy(&ibss.ht_capa_mask,
12717 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12718 		       sizeof(ibss.ht_capa_mask));
12719 
12720 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12721 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12722 			return -EINVAL;
12723 		memcpy(&ibss.ht_capa,
12724 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12725 		       sizeof(ibss.ht_capa));
12726 	}
12727 
12728 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12729 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
12730 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12731 		return -EINVAL;
12732 
12733 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12734 		bool no_ht = false;
12735 
12736 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
12737 		if (IS_ERR(connkeys))
12738 			return PTR_ERR(connkeys);
12739 
12740 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
12741 		    no_ht) {
12742 			kfree_sensitive(connkeys);
12743 			return -EINVAL;
12744 		}
12745 	}
12746 
12747 	ibss.control_port =
12748 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
12749 
12750 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12751 		int r = validate_pae_over_nl80211(rdev, info);
12752 
12753 		if (r < 0) {
12754 			kfree_sensitive(connkeys);
12755 			return r;
12756 		}
12757 
12758 		ibss.control_port_over_nl80211 = true;
12759 	}
12760 
12761 	ibss.userspace_handles_dfs =
12762 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12763 
12764 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
12765 	if (err)
12766 		kfree_sensitive(connkeys);
12767 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
12768 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12769 
12770 	return err;
12771 }
12772 
12773 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
12774 {
12775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12776 	struct net_device *dev = info->user_ptr[1];
12777 
12778 	if (!rdev->ops->leave_ibss)
12779 		return -EOPNOTSUPP;
12780 
12781 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12782 		return -EOPNOTSUPP;
12783 
12784 	return cfg80211_leave_ibss(rdev, dev, false);
12785 }
12786 
12787 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
12788 {
12789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12790 	struct net_device *dev = info->user_ptr[1];
12791 	int mcast_rate[NUM_NL80211_BANDS];
12792 	u32 nla_rate;
12793 
12794 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
12795 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
12796 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
12797 		return -EOPNOTSUPP;
12798 
12799 	if (!rdev->ops->set_mcast_rate)
12800 		return -EOPNOTSUPP;
12801 
12802 	memset(mcast_rate, 0, sizeof(mcast_rate));
12803 
12804 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
12805 		return -EINVAL;
12806 
12807 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
12808 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
12809 		return -EINVAL;
12810 
12811 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
12812 }
12813 
12814 static struct sk_buff *
12815 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
12816 			    struct wireless_dev *wdev, int approxlen,
12817 			    u32 portid, u32 seq, enum nl80211_commands cmd,
12818 			    enum nl80211_attrs attr,
12819 			    const struct nl80211_vendor_cmd_info *info,
12820 			    gfp_t gfp)
12821 {
12822 	struct sk_buff *skb;
12823 	void *hdr;
12824 	struct nlattr *data;
12825 
12826 	skb = nlmsg_new(approxlen + 100, gfp);
12827 	if (!skb)
12828 		return NULL;
12829 
12830 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
12831 	if (!hdr) {
12832 		kfree_skb(skb);
12833 		return NULL;
12834 	}
12835 
12836 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12837 		goto nla_put_failure;
12838 
12839 	if (info) {
12840 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
12841 				info->vendor_id))
12842 			goto nla_put_failure;
12843 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
12844 				info->subcmd))
12845 			goto nla_put_failure;
12846 	}
12847 
12848 	if (wdev) {
12849 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12850 				      wdev_id(wdev), NL80211_ATTR_PAD))
12851 			goto nla_put_failure;
12852 		if (wdev->netdev &&
12853 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
12854 				wdev->netdev->ifindex))
12855 			goto nla_put_failure;
12856 	}
12857 
12858 	data = nla_nest_start_noflag(skb, attr);
12859 	if (!data)
12860 		goto nla_put_failure;
12861 
12862 	((void **)skb->cb)[0] = rdev;
12863 	((void **)skb->cb)[1] = hdr;
12864 	((void **)skb->cb)[2] = data;
12865 
12866 	return skb;
12867 
12868  nla_put_failure:
12869 	kfree_skb(skb);
12870 	return NULL;
12871 }
12872 
12873 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
12874 					   struct wireless_dev *wdev,
12875 					   enum nl80211_commands cmd,
12876 					   enum nl80211_attrs attr,
12877 					   unsigned int portid,
12878 					   int vendor_event_idx,
12879 					   int approxlen, gfp_t gfp)
12880 {
12881 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12882 	const struct nl80211_vendor_cmd_info *info;
12883 
12884 	switch (cmd) {
12885 	case NL80211_CMD_TESTMODE:
12886 		if (WARN_ON(vendor_event_idx != -1))
12887 			return NULL;
12888 		info = NULL;
12889 		break;
12890 	case NL80211_CMD_VENDOR:
12891 		if (WARN_ON(vendor_event_idx < 0 ||
12892 			    vendor_event_idx >= wiphy->n_vendor_events))
12893 			return NULL;
12894 		info = &wiphy->vendor_events[vendor_event_idx];
12895 		break;
12896 	default:
12897 		WARN_ON(1);
12898 		return NULL;
12899 	}
12900 
12901 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
12902 					   cmd, attr, info, gfp);
12903 }
12904 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
12905 
12906 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
12907 {
12908 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
12909 	void *hdr = ((void **)skb->cb)[1];
12910 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
12911 	struct nlattr *data = ((void **)skb->cb)[2];
12912 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
12913 
12914 	/* clear CB data for netlink core to own from now on */
12915 	memset(skb->cb, 0, sizeof(skb->cb));
12916 
12917 	nla_nest_end(skb, data);
12918 	genlmsg_end(skb, hdr);
12919 
12920 	if (nlhdr->nlmsg_pid) {
12921 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
12922 				nlhdr->nlmsg_pid);
12923 	} else {
12924 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
12925 			mcgrp = NL80211_MCGRP_VENDOR;
12926 
12927 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12928 					skb, 0, mcgrp, gfp);
12929 	}
12930 }
12931 EXPORT_SYMBOL(__cfg80211_send_event_skb);
12932 
12933 #ifdef CONFIG_NL80211_TESTMODE
12934 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
12935 {
12936 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12937 	struct wireless_dev *wdev;
12938 	int err;
12939 
12940 	lockdep_assert_held(&rdev->wiphy.mtx);
12941 
12942 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
12943 					  info->attrs);
12944 
12945 	if (!rdev->ops->testmode_cmd)
12946 		return -EOPNOTSUPP;
12947 
12948 	if (IS_ERR(wdev)) {
12949 		err = PTR_ERR(wdev);
12950 		if (err != -EINVAL)
12951 			return err;
12952 		wdev = NULL;
12953 	} else if (wdev->wiphy != &rdev->wiphy) {
12954 		return -EINVAL;
12955 	}
12956 
12957 	if (!info->attrs[NL80211_ATTR_TESTDATA])
12958 		return -EINVAL;
12959 
12960 	rdev->cur_cmd_info = info;
12961 	err = rdev_testmode_cmd(rdev, wdev,
12962 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
12963 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
12964 	rdev->cur_cmd_info = NULL;
12965 
12966 	return err;
12967 }
12968 
12969 static int nl80211_testmode_dump(struct sk_buff *skb,
12970 				 struct netlink_callback *cb)
12971 {
12972 	struct cfg80211_registered_device *rdev;
12973 	struct nlattr **attrbuf = NULL;
12974 	int err;
12975 	long phy_idx;
12976 	void *data = NULL;
12977 	int data_len = 0;
12978 
12979 	rtnl_lock();
12980 
12981 	if (cb->args[0]) {
12982 		/*
12983 		 * 0 is a valid index, but not valid for args[0],
12984 		 * so we need to offset by 1.
12985 		 */
12986 		phy_idx = cb->args[0] - 1;
12987 
12988 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
12989 		if (!rdev) {
12990 			err = -ENOENT;
12991 			goto out_err;
12992 		}
12993 	} else {
12994 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
12995 				  GFP_KERNEL);
12996 		if (!attrbuf) {
12997 			err = -ENOMEM;
12998 			goto out_err;
12999 		}
13000 
13001 		err = nlmsg_parse_deprecated(cb->nlh,
13002 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13003 					     attrbuf, nl80211_fam.maxattr,
13004 					     nl80211_policy, NULL);
13005 		if (err)
13006 			goto out_err;
13007 
13008 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13009 		if (IS_ERR(rdev)) {
13010 			err = PTR_ERR(rdev);
13011 			goto out_err;
13012 		}
13013 		phy_idx = rdev->wiphy_idx;
13014 
13015 		if (attrbuf[NL80211_ATTR_TESTDATA])
13016 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13017 	}
13018 
13019 	if (cb->args[1]) {
13020 		data = nla_data((void *)cb->args[1]);
13021 		data_len = nla_len((void *)cb->args[1]);
13022 	}
13023 
13024 	if (!rdev->ops->testmode_dump) {
13025 		err = -EOPNOTSUPP;
13026 		goto out_err;
13027 	}
13028 
13029 	while (1) {
13030 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13031 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13032 					   NL80211_CMD_TESTMODE);
13033 		struct nlattr *tmdata;
13034 
13035 		if (!hdr)
13036 			break;
13037 
13038 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13039 			genlmsg_cancel(skb, hdr);
13040 			break;
13041 		}
13042 
13043 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13044 		if (!tmdata) {
13045 			genlmsg_cancel(skb, hdr);
13046 			break;
13047 		}
13048 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13049 		nla_nest_end(skb, tmdata);
13050 
13051 		if (err == -ENOBUFS || err == -ENOENT) {
13052 			genlmsg_cancel(skb, hdr);
13053 			break;
13054 		} else if (err) {
13055 			genlmsg_cancel(skb, hdr);
13056 			goto out_err;
13057 		}
13058 
13059 		genlmsg_end(skb, hdr);
13060 	}
13061 
13062 	err = skb->len;
13063 	/* see above */
13064 	cb->args[0] = phy_idx + 1;
13065  out_err:
13066 	kfree(attrbuf);
13067 	rtnl_unlock();
13068 	return err;
13069 }
13070 #endif
13071 
13072 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13073 {
13074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13075 	struct net_device *dev = info->user_ptr[1];
13076 	struct cfg80211_connect_params connect;
13077 	struct wiphy *wiphy;
13078 	struct cfg80211_cached_keys *connkeys = NULL;
13079 	u32 freq = 0;
13080 	int err;
13081 
13082 	memset(&connect, 0, sizeof(connect));
13083 
13084 	if (!info->attrs[NL80211_ATTR_SSID] ||
13085 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13086 		return -EINVAL;
13087 
13088 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13089 		connect.auth_type =
13090 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13091 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13092 					     NL80211_CMD_CONNECT))
13093 			return -EINVAL;
13094 	} else
13095 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13096 
13097 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13098 
13099 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13100 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13101 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13102 		return -EINVAL;
13103 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13104 
13105 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13106 				      NL80211_MAX_NR_CIPHER_SUITES);
13107 	if (err)
13108 		return err;
13109 
13110 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13111 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13112 		return -EOPNOTSUPP;
13113 
13114 	wiphy = &rdev->wiphy;
13115 
13116 	connect.bg_scan_period = -1;
13117 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13118 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13119 		connect.bg_scan_period =
13120 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13121 	}
13122 
13123 	if (info->attrs[NL80211_ATTR_MAC])
13124 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13125 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13126 		connect.bssid_hint =
13127 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13128 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13129 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13130 
13131 	if (info->attrs[NL80211_ATTR_IE]) {
13132 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13133 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13134 	}
13135 
13136 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13137 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13138 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13139 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13140 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13141 			return -EOPNOTSUPP;
13142 	} else {
13143 		connect.mfp = NL80211_MFP_NO;
13144 	}
13145 
13146 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13147 		connect.prev_bssid =
13148 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13149 
13150 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13151 		freq = MHZ_TO_KHZ(nla_get_u32(
13152 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13153 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13154 		freq +=
13155 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13156 
13157 	if (freq) {
13158 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13159 		if (!connect.channel)
13160 			return -EINVAL;
13161 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13162 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13163 		freq = MHZ_TO_KHZ(freq);
13164 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13165 		if (!connect.channel_hint)
13166 			return -EINVAL;
13167 	}
13168 
13169 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13170 		connect.edmg.channels =
13171 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13172 
13173 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13174 			connect.edmg.bw_config =
13175 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13176 	}
13177 
13178 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13179 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13180 		if (IS_ERR(connkeys))
13181 			return PTR_ERR(connkeys);
13182 	}
13183 
13184 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13185 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13186 
13187 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13188 		memcpy(&connect.ht_capa_mask,
13189 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13190 		       sizeof(connect.ht_capa_mask));
13191 
13192 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13193 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13194 			kfree_sensitive(connkeys);
13195 			return -EINVAL;
13196 		}
13197 		memcpy(&connect.ht_capa,
13198 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13199 		       sizeof(connect.ht_capa));
13200 	}
13201 
13202 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13203 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13204 
13205 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13206 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13207 
13208 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13209 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13210 
13211 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13212 		memcpy(&connect.vht_capa_mask,
13213 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13214 		       sizeof(connect.vht_capa_mask));
13215 
13216 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13217 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13218 			kfree_sensitive(connkeys);
13219 			return -EINVAL;
13220 		}
13221 		memcpy(&connect.vht_capa,
13222 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13223 		       sizeof(connect.vht_capa));
13224 	}
13225 
13226 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13227 		if (!((rdev->wiphy.features &
13228 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13229 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13230 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13231 					     NL80211_EXT_FEATURE_RRM)) {
13232 			kfree_sensitive(connkeys);
13233 			return -EINVAL;
13234 		}
13235 		connect.flags |= ASSOC_REQ_USE_RRM;
13236 	}
13237 
13238 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13239 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13240 		kfree_sensitive(connkeys);
13241 		return -EOPNOTSUPP;
13242 	}
13243 
13244 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13245 		/* bss selection makes no sense if bssid is set */
13246 		if (connect.bssid) {
13247 			kfree_sensitive(connkeys);
13248 			return -EINVAL;
13249 		}
13250 
13251 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13252 				       wiphy, &connect.bss_select);
13253 		if (err) {
13254 			kfree_sensitive(connkeys);
13255 			return err;
13256 		}
13257 	}
13258 
13259 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13260 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13261 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13262 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13263 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13264 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13265 		connect.fils_erp_username =
13266 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13267 		connect.fils_erp_username_len =
13268 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13269 		connect.fils_erp_realm =
13270 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13271 		connect.fils_erp_realm_len =
13272 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13273 		connect.fils_erp_next_seq_num =
13274 			nla_get_u16(
13275 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13276 		connect.fils_erp_rrk =
13277 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13278 		connect.fils_erp_rrk_len =
13279 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13280 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13281 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13282 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13283 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13284 		kfree_sensitive(connkeys);
13285 		return -EINVAL;
13286 	}
13287 
13288 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13289 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13290 			kfree_sensitive(connkeys);
13291 			GENL_SET_ERR_MSG(info,
13292 					 "external auth requires connection ownership");
13293 			return -EINVAL;
13294 		}
13295 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13296 	}
13297 
13298 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13299 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13300 
13301 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13302 			       connect.prev_bssid);
13303 	if (err)
13304 		kfree_sensitive(connkeys);
13305 
13306 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13307 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13308 		if (connect.bssid)
13309 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13310 			       connect.bssid, ETH_ALEN);
13311 		else
13312 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13313 	}
13314 
13315 	return err;
13316 }
13317 
13318 static int nl80211_update_connect_params(struct sk_buff *skb,
13319 					 struct genl_info *info)
13320 {
13321 	struct cfg80211_connect_params connect = {};
13322 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13323 	struct net_device *dev = info->user_ptr[1];
13324 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13325 	bool fils_sk_offload;
13326 	u32 auth_type;
13327 	u32 changed = 0;
13328 
13329 	if (!rdev->ops->update_connect_params)
13330 		return -EOPNOTSUPP;
13331 
13332 	if (info->attrs[NL80211_ATTR_IE]) {
13333 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13334 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13335 		changed |= UPDATE_ASSOC_IES;
13336 	}
13337 
13338 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13339 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13340 
13341 	/*
13342 	 * when driver supports fils-sk offload all attributes must be
13343 	 * provided. So the else covers "fils-sk-not-all" and
13344 	 * "no-fils-sk-any".
13345 	 */
13346 	if (fils_sk_offload &&
13347 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13348 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13349 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13350 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13351 		connect.fils_erp_username =
13352 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13353 		connect.fils_erp_username_len =
13354 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13355 		connect.fils_erp_realm =
13356 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13357 		connect.fils_erp_realm_len =
13358 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13359 		connect.fils_erp_next_seq_num =
13360 			nla_get_u16(
13361 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13362 		connect.fils_erp_rrk =
13363 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13364 		connect.fils_erp_rrk_len =
13365 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13366 		changed |= UPDATE_FILS_ERP_INFO;
13367 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13368 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13369 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13370 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13371 		return -EINVAL;
13372 	}
13373 
13374 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13375 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13376 		if (!nl80211_valid_auth_type(rdev, auth_type,
13377 					     NL80211_CMD_CONNECT))
13378 			return -EINVAL;
13379 
13380 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13381 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13382 			return -EINVAL;
13383 
13384 		connect.auth_type = auth_type;
13385 		changed |= UPDATE_AUTH_TYPE;
13386 	}
13387 
13388 	if (!wdev->connected)
13389 		return -ENOLINK;
13390 
13391 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13392 }
13393 
13394 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13395 {
13396 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13397 	struct net_device *dev = info->user_ptr[1];
13398 	u16 reason;
13399 
13400 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13401 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13402 		return -EPERM;
13403 
13404 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13405 				     WLAN_REASON_DEAUTH_LEAVING);
13406 
13407 	if (reason == 0)
13408 		return -EINVAL;
13409 
13410 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13411 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13412 		return -EOPNOTSUPP;
13413 
13414 	return cfg80211_disconnect(rdev, dev, reason, true);
13415 }
13416 
13417 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13418 {
13419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13420 	struct net *net;
13421 	int err;
13422 
13423 	if (info->attrs[NL80211_ATTR_PID]) {
13424 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13425 
13426 		net = get_net_ns_by_pid(pid);
13427 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13428 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13429 
13430 		net = get_net_ns_by_fd(fd);
13431 	} else {
13432 		return -EINVAL;
13433 	}
13434 
13435 	if (IS_ERR(net))
13436 		return PTR_ERR(net);
13437 
13438 	err = 0;
13439 
13440 	/* check if anything to do */
13441 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13442 		err = cfg80211_switch_netns(rdev, net);
13443 
13444 	put_net(net);
13445 	return err;
13446 }
13447 
13448 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13449 {
13450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13451 	struct net_device *dev = info->user_ptr[1];
13452 	struct cfg80211_pmksa pmksa;
13453 	bool ap_pmksa_caching_support = false;
13454 
13455 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13456 
13457 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13458 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13459 
13460 	if (!info->attrs[NL80211_ATTR_PMKID])
13461 		return -EINVAL;
13462 
13463 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13464 
13465 	if (info->attrs[NL80211_ATTR_MAC]) {
13466 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13467 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13468 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13469 	           info->attrs[NL80211_ATTR_PMK]) {
13470 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13471 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13472 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13473 	} else {
13474 		return -EINVAL;
13475 	}
13476 
13477 	if (info->attrs[NL80211_ATTR_PMK]) {
13478 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13479 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13480 	}
13481 
13482 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13483 		pmksa.pmk_lifetime =
13484 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13485 
13486 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13487 		pmksa.pmk_reauth_threshold =
13488 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13489 
13490 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13491 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13492 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13493 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13494 	       ap_pmksa_caching_support))
13495 		return -EOPNOTSUPP;
13496 
13497 	if (!rdev->ops->set_pmksa)
13498 		return -EOPNOTSUPP;
13499 
13500 	return rdev_set_pmksa(rdev, dev, &pmksa);
13501 }
13502 
13503 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13504 {
13505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13506 	struct net_device *dev = info->user_ptr[1];
13507 	struct cfg80211_pmksa pmksa;
13508 	bool sae_offload_support = false;
13509 	bool owe_offload_support = false;
13510 	bool ap_pmksa_caching_support = false;
13511 
13512 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13513 
13514 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13515 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13516 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13517 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13518 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13519 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13520 
13521 	if (info->attrs[NL80211_ATTR_PMKID])
13522 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13523 
13524 	if (info->attrs[NL80211_ATTR_MAC]) {
13525 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13526 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13527 		/* SSID based pmksa flush supported only for FILS,
13528 		 * OWE/SAE OFFLOAD cases
13529 		 */
13530 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13531 		    info->attrs[NL80211_ATTR_PMK]) {
13532 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13533 		} else if (!sae_offload_support && !owe_offload_support) {
13534 			return -EINVAL;
13535 		}
13536 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13537 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13538 	} else {
13539 		return -EINVAL;
13540 	}
13541 
13542 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13543 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13544 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13545 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13546 	       ap_pmksa_caching_support))
13547 		return -EOPNOTSUPP;
13548 
13549 	if (!rdev->ops->del_pmksa)
13550 		return -EOPNOTSUPP;
13551 
13552 	return rdev_del_pmksa(rdev, dev, &pmksa);
13553 }
13554 
13555 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13556 {
13557 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13558 	struct net_device *dev = info->user_ptr[1];
13559 
13560 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13561 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13562 		return -EOPNOTSUPP;
13563 
13564 	if (!rdev->ops->flush_pmksa)
13565 		return -EOPNOTSUPP;
13566 
13567 	return rdev_flush_pmksa(rdev, dev);
13568 }
13569 
13570 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
13571 {
13572 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13573 	struct net_device *dev = info->user_ptr[1];
13574 	u8 action_code, dialog_token;
13575 	u32 peer_capability = 0;
13576 	u16 status_code;
13577 	u8 *peer;
13578 	int link_id;
13579 	bool initiator;
13580 
13581 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13582 	    !rdev->ops->tdls_mgmt)
13583 		return -EOPNOTSUPP;
13584 
13585 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
13586 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
13587 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
13588 	    !info->attrs[NL80211_ATTR_IE] ||
13589 	    !info->attrs[NL80211_ATTR_MAC])
13590 		return -EINVAL;
13591 
13592 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13593 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
13594 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13595 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
13596 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
13597 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
13598 		peer_capability =
13599 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
13600 	link_id = nl80211_link_id_or_invalid(info->attrs);
13601 
13602 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
13603 			      dialog_token, status_code, peer_capability,
13604 			      initiator,
13605 			      nla_data(info->attrs[NL80211_ATTR_IE]),
13606 			      nla_len(info->attrs[NL80211_ATTR_IE]));
13607 }
13608 
13609 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
13610 {
13611 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13612 	struct net_device *dev = info->user_ptr[1];
13613 	enum nl80211_tdls_operation operation;
13614 	u8 *peer;
13615 
13616 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13617 	    !rdev->ops->tdls_oper)
13618 		return -EOPNOTSUPP;
13619 
13620 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
13621 	    !info->attrs[NL80211_ATTR_MAC])
13622 		return -EINVAL;
13623 
13624 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
13625 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13626 
13627 	return rdev_tdls_oper(rdev, dev, peer, operation);
13628 }
13629 
13630 static int nl80211_remain_on_channel(struct sk_buff *skb,
13631 				     struct genl_info *info)
13632 {
13633 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13634 	unsigned int link_id = nl80211_link_id(info->attrs);
13635 	struct wireless_dev *wdev = info->user_ptr[1];
13636 	struct cfg80211_chan_def chandef;
13637 	struct sk_buff *msg;
13638 	void *hdr;
13639 	u64 cookie;
13640 	u32 duration;
13641 	int err;
13642 
13643 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13644 	    !info->attrs[NL80211_ATTR_DURATION])
13645 		return -EINVAL;
13646 
13647 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13648 
13649 	if (!rdev->ops->remain_on_channel ||
13650 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
13651 		return -EOPNOTSUPP;
13652 
13653 	/*
13654 	 * We should be on that channel for at least a minimum amount of
13655 	 * time (10ms) but no longer than the driver supports.
13656 	 */
13657 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13658 	    duration > rdev->wiphy.max_remain_on_channel_duration)
13659 		return -EINVAL;
13660 
13661 	err = nl80211_parse_chandef(rdev, info, &chandef);
13662 	if (err)
13663 		return err;
13664 
13665 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
13666 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
13667 
13668 		oper_chandef = wdev_chandef(wdev, link_id);
13669 
13670 		if (WARN_ON(!oper_chandef)) {
13671 			/* cannot happen since we must beacon to get here */
13672 			WARN_ON(1);
13673 			return -EBUSY;
13674 		}
13675 
13676 		/* note: returns first one if identical chandefs */
13677 		compat_chandef = cfg80211_chandef_compatible(&chandef,
13678 							     oper_chandef);
13679 
13680 		if (compat_chandef != &chandef)
13681 			return -EBUSY;
13682 	}
13683 
13684 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13685 	if (!msg)
13686 		return -ENOMEM;
13687 
13688 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13689 			     NL80211_CMD_REMAIN_ON_CHANNEL);
13690 	if (!hdr) {
13691 		err = -ENOBUFS;
13692 		goto free_msg;
13693 	}
13694 
13695 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
13696 				     duration, &cookie);
13697 
13698 	if (err)
13699 		goto free_msg;
13700 
13701 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13702 			      NL80211_ATTR_PAD))
13703 		goto nla_put_failure;
13704 
13705 	genlmsg_end(msg, hdr);
13706 
13707 	return genlmsg_reply(msg, info);
13708 
13709  nla_put_failure:
13710 	err = -ENOBUFS;
13711  free_msg:
13712 	nlmsg_free(msg);
13713 	return err;
13714 }
13715 
13716 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
13717 					    struct genl_info *info)
13718 {
13719 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13720 	struct wireless_dev *wdev = info->user_ptr[1];
13721 	u64 cookie;
13722 
13723 	if (!info->attrs[NL80211_ATTR_COOKIE])
13724 		return -EINVAL;
13725 
13726 	if (!rdev->ops->cancel_remain_on_channel)
13727 		return -EOPNOTSUPP;
13728 
13729 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13730 
13731 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
13732 }
13733 
13734 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
13735 				       struct genl_info *info)
13736 {
13737 	struct cfg80211_bitrate_mask mask;
13738 	unsigned int link_id = nl80211_link_id(info->attrs);
13739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13740 	struct net_device *dev = info->user_ptr[1];
13741 	int err;
13742 
13743 	if (!rdev->ops->set_bitrate_mask)
13744 		return -EOPNOTSUPP;
13745 
13746 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13747 					    NL80211_ATTR_TX_RATES, &mask,
13748 					    dev, true, link_id);
13749 	if (err)
13750 		return err;
13751 
13752 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
13753 }
13754 
13755 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
13756 {
13757 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13758 	struct wireless_dev *wdev = info->user_ptr[1];
13759 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
13760 
13761 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
13762 		return -EINVAL;
13763 
13764 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
13765 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
13766 
13767 	switch (wdev->iftype) {
13768 	case NL80211_IFTYPE_STATION:
13769 	case NL80211_IFTYPE_ADHOC:
13770 	case NL80211_IFTYPE_P2P_CLIENT:
13771 	case NL80211_IFTYPE_AP:
13772 	case NL80211_IFTYPE_AP_VLAN:
13773 	case NL80211_IFTYPE_MESH_POINT:
13774 	case NL80211_IFTYPE_P2P_GO:
13775 	case NL80211_IFTYPE_P2P_DEVICE:
13776 		break;
13777 	case NL80211_IFTYPE_NAN:
13778 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13779 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13780 		    !(wdev->wiphy->nan_capa.flags &
13781 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13782 			return -EOPNOTSUPP;
13783 		break;
13784 	default:
13785 		return -EOPNOTSUPP;
13786 	}
13787 
13788 	/* not much point in registering if we can't reply */
13789 	if (!rdev->ops->mgmt_tx)
13790 		return -EOPNOTSUPP;
13791 
13792 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
13793 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13794 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
13795 		GENL_SET_ERR_MSG(info,
13796 				 "multicast RX registrations are not supported");
13797 		return -EOPNOTSUPP;
13798 	}
13799 
13800 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
13801 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13802 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13803 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
13804 					   info->extack);
13805 }
13806 
13807 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
13808 {
13809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13810 	struct wireless_dev *wdev = info->user_ptr[1];
13811 	struct cfg80211_chan_def chandef;
13812 	int err;
13813 	void *hdr = NULL;
13814 	u64 cookie;
13815 	struct sk_buff *msg = NULL;
13816 	struct cfg80211_mgmt_tx_params params = {
13817 		.dont_wait_for_ack =
13818 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
13819 	};
13820 
13821 	if (!info->attrs[NL80211_ATTR_FRAME])
13822 		return -EINVAL;
13823 
13824 	if (!rdev->ops->mgmt_tx)
13825 		return -EOPNOTSUPP;
13826 
13827 	switch (wdev->iftype) {
13828 	case NL80211_IFTYPE_P2P_DEVICE:
13829 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
13830 			return -EINVAL;
13831 		break;
13832 	case NL80211_IFTYPE_STATION:
13833 	case NL80211_IFTYPE_ADHOC:
13834 	case NL80211_IFTYPE_P2P_CLIENT:
13835 	case NL80211_IFTYPE_AP:
13836 	case NL80211_IFTYPE_AP_VLAN:
13837 	case NL80211_IFTYPE_MESH_POINT:
13838 	case NL80211_IFTYPE_P2P_GO:
13839 		break;
13840 	case NL80211_IFTYPE_NAN:
13841 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13842 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13843 		    !(wdev->wiphy->nan_capa.flags &
13844 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13845 			return -EOPNOTSUPP;
13846 		break;
13847 	default:
13848 		return -EOPNOTSUPP;
13849 	}
13850 
13851 	if (info->attrs[NL80211_ATTR_DURATION]) {
13852 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13853 			return -EINVAL;
13854 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13855 
13856 		/*
13857 		 * We should wait on the channel for at least a minimum amount
13858 		 * of time (10ms) but no longer than the driver supports.
13859 		 */
13860 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13861 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
13862 			return -EINVAL;
13863 	}
13864 
13865 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
13866 
13867 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13868 		return -EINVAL;
13869 
13870 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
13871 
13872 	/* get the channel if any has been specified, otherwise pass NULL to
13873 	 * the driver. The latter will use the current one
13874 	 */
13875 	chandef.chan = NULL;
13876 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13877 		err = nl80211_parse_chandef(rdev, info, &chandef);
13878 		if (err)
13879 			return err;
13880 	}
13881 
13882 	if (!chandef.chan && params.offchan)
13883 		return -EINVAL;
13884 
13885 	if (params.offchan &&
13886 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
13887 		return -EBUSY;
13888 
13889 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
13890 	/*
13891 	 * This now races due to the unlock, but we cannot check
13892 	 * the valid links for the _station_ anyway, so that's up
13893 	 * to the driver.
13894 	 */
13895 	if (params.link_id >= 0 &&
13896 	    !(wdev->valid_links & BIT(params.link_id)))
13897 		return -EINVAL;
13898 
13899 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13900 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13901 
13902 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
13903 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
13904 					    &params.csa_offsets,
13905 					    &params.n_csa_offsets);
13906 	if (err)
13907 		return err;
13908 
13909 	if (!params.dont_wait_for_ack) {
13910 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13911 		if (!msg)
13912 			return -ENOMEM;
13913 
13914 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13915 				     NL80211_CMD_FRAME);
13916 		if (!hdr) {
13917 			err = -ENOBUFS;
13918 			goto free_msg;
13919 		}
13920 	}
13921 
13922 	params.chan = chandef.chan;
13923 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
13924 	if (err)
13925 		goto free_msg;
13926 
13927 	if (msg) {
13928 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13929 				      NL80211_ATTR_PAD))
13930 			goto nla_put_failure;
13931 
13932 		genlmsg_end(msg, hdr);
13933 		return genlmsg_reply(msg, info);
13934 	}
13935 
13936 	return 0;
13937 
13938  nla_put_failure:
13939 	err = -ENOBUFS;
13940  free_msg:
13941 	nlmsg_free(msg);
13942 	return err;
13943 }
13944 
13945 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
13946 {
13947 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13948 	struct wireless_dev *wdev = info->user_ptr[1];
13949 	u64 cookie;
13950 
13951 	if (!info->attrs[NL80211_ATTR_COOKIE])
13952 		return -EINVAL;
13953 
13954 	if (!rdev->ops->mgmt_tx_cancel_wait)
13955 		return -EOPNOTSUPP;
13956 
13957 	switch (wdev->iftype) {
13958 	case NL80211_IFTYPE_STATION:
13959 	case NL80211_IFTYPE_ADHOC:
13960 	case NL80211_IFTYPE_P2P_CLIENT:
13961 	case NL80211_IFTYPE_AP:
13962 	case NL80211_IFTYPE_AP_VLAN:
13963 	case NL80211_IFTYPE_P2P_GO:
13964 	case NL80211_IFTYPE_P2P_DEVICE:
13965 		break;
13966 	case NL80211_IFTYPE_NAN:
13967 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13968 					     NL80211_EXT_FEATURE_SECURE_NAN))
13969 			return -EOPNOTSUPP;
13970 		break;
13971 	default:
13972 		return -EOPNOTSUPP;
13973 	}
13974 
13975 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13976 
13977 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
13978 }
13979 
13980 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
13981 {
13982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13983 	struct wireless_dev *wdev;
13984 	struct net_device *dev = info->user_ptr[1];
13985 	u8 ps_state;
13986 	bool state;
13987 	int err;
13988 
13989 	if (!info->attrs[NL80211_ATTR_PS_STATE])
13990 		return -EINVAL;
13991 
13992 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
13993 
13994 	wdev = dev->ieee80211_ptr;
13995 
13996 	if (!rdev->ops->set_power_mgmt)
13997 		return -EOPNOTSUPP;
13998 
13999 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14000 
14001 	if (state == wdev->ps)
14002 		return 0;
14003 
14004 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14005 	if (!err)
14006 		wdev->ps = state;
14007 	return err;
14008 }
14009 
14010 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14011 {
14012 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14013 	enum nl80211_ps_state ps_state;
14014 	struct wireless_dev *wdev;
14015 	struct net_device *dev = info->user_ptr[1];
14016 	struct sk_buff *msg;
14017 	void *hdr;
14018 	int err;
14019 
14020 	wdev = dev->ieee80211_ptr;
14021 
14022 	if (!rdev->ops->set_power_mgmt)
14023 		return -EOPNOTSUPP;
14024 
14025 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14026 	if (!msg)
14027 		return -ENOMEM;
14028 
14029 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14030 			     NL80211_CMD_GET_POWER_SAVE);
14031 	if (!hdr) {
14032 		err = -ENOBUFS;
14033 		goto free_msg;
14034 	}
14035 
14036 	if (wdev->ps)
14037 		ps_state = NL80211_PS_ENABLED;
14038 	else
14039 		ps_state = NL80211_PS_DISABLED;
14040 
14041 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14042 		goto nla_put_failure;
14043 
14044 	genlmsg_end(msg, hdr);
14045 	return genlmsg_reply(msg, info);
14046 
14047  nla_put_failure:
14048 	err = -ENOBUFS;
14049  free_msg:
14050 	nlmsg_free(msg);
14051 	return err;
14052 }
14053 
14054 static const struct nla_policy
14055 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14056 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14057 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14058 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14059 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14060 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14061 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14062 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14063 };
14064 
14065 static int nl80211_set_cqm_txe(struct genl_info *info,
14066 			       u32 rate, u32 pkts, u32 intvl)
14067 {
14068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14069 	struct net_device *dev = info->user_ptr[1];
14070 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14071 
14072 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14073 		return -EINVAL;
14074 
14075 	if (!rdev->ops->set_cqm_txe_config)
14076 		return -EOPNOTSUPP;
14077 
14078 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14079 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14080 		return -EOPNOTSUPP;
14081 
14082 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14083 }
14084 
14085 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14086 				    struct net_device *dev,
14087 				    struct cfg80211_cqm_config *cqm_config)
14088 {
14089 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14090 	s32 last, low, high;
14091 	u32 hyst;
14092 	int i, n, low_index;
14093 	int err;
14094 
14095 	/*
14096 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14097 	 * event has been received yet, we should receive an event after a
14098 	 * connection is established and enough beacons received to calculate
14099 	 * the average.
14100 	 */
14101 	if (!cqm_config->last_rssi_event_value &&
14102 	    wdev->links[0].client.current_bss &&
14103 	    rdev->ops->get_station) {
14104 		struct station_info sinfo = {};
14105 		u8 *mac_addr;
14106 
14107 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14108 
14109 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
14110 		if (err)
14111 			return err;
14112 
14113 		cfg80211_sinfo_release_content(&sinfo);
14114 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14115 			cqm_config->last_rssi_event_value =
14116 				(s8) sinfo.rx_beacon_signal_avg;
14117 	}
14118 
14119 	last = cqm_config->last_rssi_event_value;
14120 	hyst = cqm_config->rssi_hyst;
14121 	n = cqm_config->n_rssi_thresholds;
14122 
14123 	for (i = 0; i < n; i++) {
14124 		i = array_index_nospec(i, n);
14125 		if (last < cqm_config->rssi_thresholds[i])
14126 			break;
14127 	}
14128 
14129 	low_index = i - 1;
14130 	if (low_index >= 0) {
14131 		low_index = array_index_nospec(low_index, n);
14132 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14133 	} else {
14134 		low = S32_MIN;
14135 	}
14136 	if (i < n) {
14137 		i = array_index_nospec(i, n);
14138 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14139 	} else {
14140 		high = S32_MAX;
14141 	}
14142 
14143 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14144 }
14145 
14146 static int nl80211_set_cqm_rssi(struct genl_info *info,
14147 				const s32 *thresholds, int n_thresholds,
14148 				u32 hysteresis)
14149 {
14150 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14151 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14152 	struct net_device *dev = info->user_ptr[1];
14153 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14154 	s32 prev = S32_MIN;
14155 	int i, err;
14156 
14157 	/* Check all values negative and sorted */
14158 	for (i = 0; i < n_thresholds; i++) {
14159 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14160 			return -EINVAL;
14161 
14162 		prev = thresholds[i];
14163 	}
14164 
14165 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14166 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14167 		return -EOPNOTSUPP;
14168 
14169 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14170 		n_thresholds = 0;
14171 
14172 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14173 
14174 	/* if already disabled just succeed */
14175 	if (!n_thresholds && !old)
14176 		return 0;
14177 
14178 	if (n_thresholds > 1) {
14179 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14180 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14181 		    !rdev->ops->set_cqm_rssi_range_config)
14182 			return -EOPNOTSUPP;
14183 	} else {
14184 		if (!rdev->ops->set_cqm_rssi_config)
14185 			return -EOPNOTSUPP;
14186 	}
14187 
14188 	if (n_thresholds) {
14189 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
14190 						 n_thresholds),
14191 				     GFP_KERNEL);
14192 		if (!cqm_config)
14193 			return -ENOMEM;
14194 
14195 		cqm_config->rssi_hyst = hysteresis;
14196 		cqm_config->n_rssi_thresholds = n_thresholds;
14197 		memcpy(cqm_config->rssi_thresholds, thresholds,
14198 		       flex_array_size(cqm_config, rssi_thresholds,
14199 				       n_thresholds));
14200 		cqm_config->use_range_api = n_thresholds > 1 ||
14201 					    !rdev->ops->set_cqm_rssi_config;
14202 
14203 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14204 
14205 		if (cqm_config->use_range_api)
14206 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14207 		else
14208 			err = rdev_set_cqm_rssi_config(rdev, dev,
14209 						       thresholds[0],
14210 						       hysteresis);
14211 	} else {
14212 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14213 		/* if enabled as range also disable via range */
14214 		if (old->use_range_api)
14215 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14216 		else
14217 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14218 	}
14219 
14220 	if (err) {
14221 		rcu_assign_pointer(wdev->cqm_config, old);
14222 		kfree_rcu(cqm_config, rcu_head);
14223 	} else {
14224 		kfree_rcu(old, rcu_head);
14225 	}
14226 
14227 	return err;
14228 }
14229 
14230 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14231 {
14232 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14233 	struct nlattr *cqm;
14234 	int err;
14235 
14236 	cqm = info->attrs[NL80211_ATTR_CQM];
14237 	if (!cqm)
14238 		return -EINVAL;
14239 
14240 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14241 					  nl80211_attr_cqm_policy,
14242 					  info->extack);
14243 	if (err)
14244 		return err;
14245 
14246 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14247 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14248 		const s32 *thresholds =
14249 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14250 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14251 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14252 
14253 		if (len % 4)
14254 			return -EINVAL;
14255 
14256 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14257 					    hysteresis);
14258 	}
14259 
14260 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14261 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14262 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14263 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14264 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14265 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14266 
14267 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14268 	}
14269 
14270 	return -EINVAL;
14271 }
14272 
14273 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14274 {
14275 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14276 	struct net_device *dev = info->user_ptr[1];
14277 	struct ocb_setup setup = {};
14278 	int err;
14279 
14280 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14281 	if (err)
14282 		return err;
14283 
14284 	return cfg80211_join_ocb(rdev, dev, &setup);
14285 }
14286 
14287 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14288 {
14289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14290 	struct net_device *dev = info->user_ptr[1];
14291 
14292 	return cfg80211_leave_ocb(rdev, dev);
14293 }
14294 
14295 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14296 {
14297 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14298 	struct net_device *dev = info->user_ptr[1];
14299 	struct mesh_config cfg;
14300 	struct mesh_setup setup;
14301 	int err;
14302 
14303 	/* start with default */
14304 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14305 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14306 
14307 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14308 		/* and parse parameters if given */
14309 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14310 		if (err)
14311 			return err;
14312 	}
14313 
14314 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14315 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14316 		return -EINVAL;
14317 
14318 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14319 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14320 
14321 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14322 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14323 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14324 			return -EINVAL;
14325 
14326 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14327 		setup.beacon_interval =
14328 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14329 
14330 		err = cfg80211_validate_beacon_int(rdev,
14331 						   NL80211_IFTYPE_MESH_POINT,
14332 						   setup.beacon_interval);
14333 		if (err)
14334 			return err;
14335 	}
14336 
14337 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14338 		setup.dtim_period =
14339 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14340 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14341 			return -EINVAL;
14342 	}
14343 
14344 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14345 		/* parse additional setup parameters if given */
14346 		err = nl80211_parse_mesh_setup(info, &setup);
14347 		if (err)
14348 			return err;
14349 	}
14350 
14351 	if (setup.user_mpm)
14352 		cfg.auto_open_plinks = false;
14353 
14354 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14355 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14356 		if (err)
14357 			return err;
14358 	} else {
14359 		/* __cfg80211_join_mesh() will sort it out */
14360 		setup.chandef.chan = NULL;
14361 	}
14362 
14363 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14364 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14365 		int n_rates =
14366 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14367 		struct ieee80211_supported_band *sband;
14368 
14369 		if (!setup.chandef.chan)
14370 			return -EINVAL;
14371 
14372 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14373 
14374 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14375 					     &setup.basic_rates);
14376 		if (err)
14377 			return err;
14378 	}
14379 
14380 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14381 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14382 						    NL80211_ATTR_TX_RATES,
14383 						    &setup.beacon_rate,
14384 						    dev, false, 0);
14385 		if (err)
14386 			return err;
14387 
14388 		if (!setup.chandef.chan)
14389 			return -EINVAL;
14390 
14391 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14392 					      &setup.beacon_rate);
14393 		if (err)
14394 			return err;
14395 	}
14396 
14397 	setup.userspace_handles_dfs =
14398 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14399 
14400 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14401 		int r = validate_pae_over_nl80211(rdev, info);
14402 
14403 		if (r < 0)
14404 			return r;
14405 
14406 		setup.control_port_over_nl80211 = true;
14407 	}
14408 
14409 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14410 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14411 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14412 
14413 	return err;
14414 }
14415 
14416 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14417 {
14418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14419 	struct net_device *dev = info->user_ptr[1];
14420 
14421 	return cfg80211_leave_mesh(rdev, dev);
14422 }
14423 
14424 #ifdef CONFIG_PM
14425 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14426 					struct cfg80211_registered_device *rdev)
14427 {
14428 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14429 	struct nlattr *nl_pats, *nl_pat;
14430 	int i, pat_len;
14431 
14432 	if (!wowlan->n_patterns)
14433 		return 0;
14434 
14435 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14436 	if (!nl_pats)
14437 		return -ENOBUFS;
14438 
14439 	for (i = 0; i < wowlan->n_patterns; i++) {
14440 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14441 		if (!nl_pat)
14442 			return -ENOBUFS;
14443 		pat_len = wowlan->patterns[i].pattern_len;
14444 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14445 			    wowlan->patterns[i].mask) ||
14446 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14447 			    wowlan->patterns[i].pattern) ||
14448 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14449 				wowlan->patterns[i].pkt_offset))
14450 			return -ENOBUFS;
14451 		nla_nest_end(msg, nl_pat);
14452 	}
14453 	nla_nest_end(msg, nl_pats);
14454 
14455 	return 0;
14456 }
14457 
14458 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14459 				   struct cfg80211_wowlan_tcp *tcp)
14460 {
14461 	struct nlattr *nl_tcp;
14462 
14463 	if (!tcp)
14464 		return 0;
14465 
14466 	nl_tcp = nla_nest_start_noflag(msg,
14467 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14468 	if (!nl_tcp)
14469 		return -ENOBUFS;
14470 
14471 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14472 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14473 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14474 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14475 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14476 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14477 		    tcp->payload_len, tcp->payload) ||
14478 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14479 			tcp->data_interval) ||
14480 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14481 		    tcp->wake_len, tcp->wake_data) ||
14482 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14483 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14484 		return -ENOBUFS;
14485 
14486 	if (tcp->payload_seq.len &&
14487 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14488 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14489 		return -ENOBUFS;
14490 
14491 	if (tcp->payload_tok.len &&
14492 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14493 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14494 		    &tcp->payload_tok))
14495 		return -ENOBUFS;
14496 
14497 	nla_nest_end(msg, nl_tcp);
14498 
14499 	return 0;
14500 }
14501 
14502 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14503 				  struct cfg80211_sched_scan_request *req)
14504 {
14505 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14506 	int i;
14507 
14508 	if (!req)
14509 		return 0;
14510 
14511 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14512 	if (!nd)
14513 		return -ENOBUFS;
14514 
14515 	if (req->n_scan_plans == 1 &&
14516 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14517 			req->scan_plans[0].interval * 1000))
14518 		return -ENOBUFS;
14519 
14520 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14521 		return -ENOBUFS;
14522 
14523 	if (req->relative_rssi_set) {
14524 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14525 
14526 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14527 			       req->relative_rssi))
14528 			return -ENOBUFS;
14529 
14530 		rssi_adjust.band = req->rssi_adjust.band;
14531 		rssi_adjust.delta = req->rssi_adjust.delta;
14532 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14533 			    sizeof(rssi_adjust), &rssi_adjust))
14534 			return -ENOBUFS;
14535 	}
14536 
14537 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14538 	if (!freqs)
14539 		return -ENOBUFS;
14540 
14541 	for (i = 0; i < req->n_channels; i++) {
14542 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14543 			return -ENOBUFS;
14544 	}
14545 
14546 	nla_nest_end(msg, freqs);
14547 
14548 	if (req->n_match_sets) {
14549 		matches = nla_nest_start_noflag(msg,
14550 						NL80211_ATTR_SCHED_SCAN_MATCH);
14551 		if (!matches)
14552 			return -ENOBUFS;
14553 
14554 		for (i = 0; i < req->n_match_sets; i++) {
14555 			match = nla_nest_start_noflag(msg, i);
14556 			if (!match)
14557 				return -ENOBUFS;
14558 
14559 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14560 				    req->match_sets[i].ssid.ssid_len,
14561 				    req->match_sets[i].ssid.ssid))
14562 				return -ENOBUFS;
14563 			nla_nest_end(msg, match);
14564 		}
14565 		nla_nest_end(msg, matches);
14566 	}
14567 
14568 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
14569 	if (!scan_plans)
14570 		return -ENOBUFS;
14571 
14572 	for (i = 0; i < req->n_scan_plans; i++) {
14573 		scan_plan = nla_nest_start_noflag(msg, i + 1);
14574 		if (!scan_plan)
14575 			return -ENOBUFS;
14576 
14577 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
14578 				req->scan_plans[i].interval) ||
14579 		    (req->scan_plans[i].iterations &&
14580 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
14581 				 req->scan_plans[i].iterations)))
14582 			return -ENOBUFS;
14583 		nla_nest_end(msg, scan_plan);
14584 	}
14585 	nla_nest_end(msg, scan_plans);
14586 
14587 	nla_nest_end(msg, nd);
14588 
14589 	return 0;
14590 }
14591 
14592 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
14593 {
14594 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14595 	struct sk_buff *msg;
14596 	void *hdr;
14597 	u32 size = NLMSG_DEFAULT_SIZE;
14598 
14599 	if (!rdev->wiphy.wowlan)
14600 		return -EOPNOTSUPP;
14601 
14602 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
14603 		/* adjust size to have room for all the data */
14604 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
14605 			rdev->wiphy.wowlan_config->tcp->payload_len +
14606 			rdev->wiphy.wowlan_config->tcp->wake_len +
14607 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
14608 	}
14609 
14610 	msg = nlmsg_new(size, GFP_KERNEL);
14611 	if (!msg)
14612 		return -ENOMEM;
14613 
14614 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14615 			     NL80211_CMD_GET_WOWLAN);
14616 	if (!hdr)
14617 		goto nla_put_failure;
14618 
14619 	if (rdev->wiphy.wowlan_config) {
14620 		struct nlattr *nl_wowlan;
14621 
14622 		nl_wowlan = nla_nest_start_noflag(msg,
14623 						  NL80211_ATTR_WOWLAN_TRIGGERS);
14624 		if (!nl_wowlan)
14625 			goto nla_put_failure;
14626 
14627 		if ((rdev->wiphy.wowlan_config->any &&
14628 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
14629 		    (rdev->wiphy.wowlan_config->disconnect &&
14630 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
14631 		    (rdev->wiphy.wowlan_config->magic_pkt &&
14632 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
14633 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
14634 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
14635 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
14636 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
14637 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
14638 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
14639 		    (rdev->wiphy.wowlan_config->rfkill_release &&
14640 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
14641 			goto nla_put_failure;
14642 
14643 		if (nl80211_send_wowlan_patterns(msg, rdev))
14644 			goto nla_put_failure;
14645 
14646 		if (nl80211_send_wowlan_tcp(msg,
14647 					    rdev->wiphy.wowlan_config->tcp))
14648 			goto nla_put_failure;
14649 
14650 		if (nl80211_send_wowlan_nd(
14651 			    msg,
14652 			    rdev->wiphy.wowlan_config->nd_config))
14653 			goto nla_put_failure;
14654 
14655 		nla_nest_end(msg, nl_wowlan);
14656 	}
14657 
14658 	genlmsg_end(msg, hdr);
14659 	return genlmsg_reply(msg, info);
14660 
14661 nla_put_failure:
14662 	nlmsg_free(msg);
14663 	return -ENOBUFS;
14664 }
14665 
14666 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
14667 				    struct nlattr *attr,
14668 				    struct cfg80211_wowlan *trig)
14669 {
14670 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
14671 	struct cfg80211_wowlan_tcp *cfg;
14672 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
14673 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
14674 	u32 size;
14675 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
14676 	int err, port;
14677 
14678 	if (!rdev->wiphy.wowlan->tcp)
14679 		return -EINVAL;
14680 
14681 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
14682 					  nl80211_wowlan_tcp_policy, NULL);
14683 	if (err)
14684 		return err;
14685 
14686 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
14687 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
14688 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
14689 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
14690 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
14691 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
14692 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
14693 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
14694 		return -EINVAL;
14695 
14696 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
14697 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
14698 		return -EINVAL;
14699 
14700 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
14701 			rdev->wiphy.wowlan->tcp->data_interval_max ||
14702 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
14703 		return -EINVAL;
14704 
14705 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
14706 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
14707 		return -EINVAL;
14708 
14709 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
14710 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
14711 		return -EINVAL;
14712 
14713 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
14714 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14715 
14716 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14717 		tokens_size = tokln - sizeof(*tok);
14718 
14719 		if (!tok->len || tokens_size % tok->len)
14720 			return -EINVAL;
14721 		if (!rdev->wiphy.wowlan->tcp->tok)
14722 			return -EINVAL;
14723 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
14724 			return -EINVAL;
14725 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
14726 			return -EINVAL;
14727 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
14728 			return -EINVAL;
14729 		if (tok->offset + tok->len > data_size)
14730 			return -EINVAL;
14731 	}
14732 
14733 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
14734 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
14735 		if (!rdev->wiphy.wowlan->tcp->seq)
14736 			return -EINVAL;
14737 		if (seq->len == 0 || seq->len > 4)
14738 			return -EINVAL;
14739 		if (seq->len + seq->offset > data_size)
14740 			return -EINVAL;
14741 	}
14742 
14743 	size = sizeof(*cfg);
14744 	size += data_size;
14745 	size += wake_size + wake_mask_size;
14746 	size += tokens_size;
14747 
14748 	cfg = kzalloc(size, GFP_KERNEL);
14749 	if (!cfg)
14750 		return -ENOMEM;
14751 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
14752 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
14753 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
14754 	       ETH_ALEN);
14755 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
14756 #ifdef CONFIG_INET
14757 	/* allocate a socket and port for it and use it */
14758 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
14759 			    IPPROTO_TCP, &cfg->sock, 1);
14760 	if (err) {
14761 		kfree(cfg);
14762 		return err;
14763 	}
14764 	if (inet_csk_get_port(cfg->sock->sk, port)) {
14765 		sock_release(cfg->sock);
14766 		kfree(cfg);
14767 		return -EADDRINUSE;
14768 	}
14769 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
14770 #else
14771 	if (!port) {
14772 		kfree(cfg);
14773 		return -EINVAL;
14774 	}
14775 	cfg->src_port = port;
14776 #endif
14777 
14778 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
14779 	cfg->payload_len = data_size;
14780 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
14781 	memcpy((void *)cfg->payload,
14782 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
14783 	       data_size);
14784 	if (seq)
14785 		cfg->payload_seq = *seq;
14786 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
14787 	cfg->wake_len = wake_size;
14788 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
14789 	memcpy((void *)cfg->wake_data,
14790 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
14791 	       wake_size);
14792 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
14793 			 data_size + wake_size;
14794 	memcpy((void *)cfg->wake_mask,
14795 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
14796 	       wake_mask_size);
14797 	if (tok) {
14798 		cfg->tokens_size = tokens_size;
14799 		cfg->payload_tok = *tok;
14800 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
14801 		       tokens_size);
14802 	}
14803 
14804 	trig->tcp = cfg;
14805 
14806 	return 0;
14807 }
14808 
14809 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
14810 				   const struct wiphy_wowlan_support *wowlan,
14811 				   struct nlattr *attr,
14812 				   struct cfg80211_wowlan *trig)
14813 {
14814 	struct nlattr **tb;
14815 	int err;
14816 
14817 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
14818 	if (!tb)
14819 		return -ENOMEM;
14820 
14821 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
14822 		err = -EOPNOTSUPP;
14823 		goto out;
14824 	}
14825 
14826 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
14827 					  nl80211_policy, NULL);
14828 	if (err)
14829 		goto out;
14830 
14831 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
14832 						   wowlan->max_nd_match_sets);
14833 	err = PTR_ERR_OR_ZERO(trig->nd_config);
14834 	if (err)
14835 		trig->nd_config = NULL;
14836 
14837 out:
14838 	kfree(tb);
14839 	return err;
14840 }
14841 
14842 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
14843 {
14844 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14845 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
14846 	struct cfg80211_wowlan new_triggers = {};
14847 	struct cfg80211_wowlan *ntrig;
14848 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
14849 	int err, i;
14850 	bool prev_enabled = rdev->wiphy.wowlan_config;
14851 	bool regular = false;
14852 
14853 	if (!wowlan)
14854 		return -EOPNOTSUPP;
14855 
14856 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
14857 		cfg80211_rdev_free_wowlan(rdev);
14858 		rdev->wiphy.wowlan_config = NULL;
14859 		goto set_wakeup;
14860 	}
14861 
14862 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
14863 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
14864 					  nl80211_wowlan_policy, info->extack);
14865 	if (err)
14866 		return err;
14867 
14868 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
14869 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
14870 			return -EINVAL;
14871 		new_triggers.any = true;
14872 	}
14873 
14874 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
14875 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
14876 			return -EINVAL;
14877 		new_triggers.disconnect = true;
14878 		regular = true;
14879 	}
14880 
14881 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
14882 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
14883 			return -EINVAL;
14884 		new_triggers.magic_pkt = true;
14885 		regular = true;
14886 	}
14887 
14888 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
14889 		return -EINVAL;
14890 
14891 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
14892 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
14893 			return -EINVAL;
14894 		new_triggers.gtk_rekey_failure = true;
14895 		regular = true;
14896 	}
14897 
14898 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
14899 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
14900 			return -EINVAL;
14901 		new_triggers.eap_identity_req = true;
14902 		regular = true;
14903 	}
14904 
14905 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
14906 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
14907 			return -EINVAL;
14908 		new_triggers.four_way_handshake = true;
14909 		regular = true;
14910 	}
14911 
14912 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
14913 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
14914 			return -EINVAL;
14915 		new_triggers.rfkill_release = true;
14916 		regular = true;
14917 	}
14918 
14919 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
14920 		struct nlattr *pat;
14921 		int n_patterns = 0;
14922 		int rem, pat_len, mask_len, pkt_offset;
14923 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14924 
14925 		regular = true;
14926 
14927 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
14928 				    rem)
14929 			n_patterns++;
14930 		if (n_patterns > wowlan->n_patterns)
14931 			return -EINVAL;
14932 
14933 		new_triggers.patterns = kcalloc(n_patterns,
14934 						sizeof(new_triggers.patterns[0]),
14935 						GFP_KERNEL);
14936 		if (!new_triggers.patterns)
14937 			return -ENOMEM;
14938 
14939 		new_triggers.n_patterns = n_patterns;
14940 		i = 0;
14941 
14942 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
14943 				    rem) {
14944 			u8 *mask_pat;
14945 
14946 			err = nla_parse_nested_deprecated(pat_tb,
14947 							  MAX_NL80211_PKTPAT,
14948 							  pat,
14949 							  nl80211_packet_pattern_policy,
14950 							  info->extack);
14951 			if (err)
14952 				goto error;
14953 
14954 			err = -EINVAL;
14955 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
14956 			    !pat_tb[NL80211_PKTPAT_PATTERN])
14957 				goto error;
14958 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14959 			mask_len = DIV_ROUND_UP(pat_len, 8);
14960 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14961 				goto error;
14962 			if (pat_len > wowlan->pattern_max_len ||
14963 			    pat_len < wowlan->pattern_min_len)
14964 				goto error;
14965 
14966 			pkt_offset =
14967 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
14968 						    0);
14969 			if (pkt_offset > wowlan->max_pkt_offset)
14970 				goto error;
14971 			new_triggers.patterns[i].pkt_offset = pkt_offset;
14972 
14973 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14974 			if (!mask_pat) {
14975 				err = -ENOMEM;
14976 				goto error;
14977 			}
14978 			new_triggers.patterns[i].mask = mask_pat;
14979 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14980 			       mask_len);
14981 			mask_pat += mask_len;
14982 			new_triggers.patterns[i].pattern = mask_pat;
14983 			new_triggers.patterns[i].pattern_len = pat_len;
14984 			memcpy(mask_pat,
14985 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14986 			       pat_len);
14987 			i++;
14988 		}
14989 	}
14990 
14991 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
14992 		regular = true;
14993 		err = nl80211_parse_wowlan_tcp(
14994 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
14995 			&new_triggers);
14996 		if (err)
14997 			goto error;
14998 	}
14999 
15000 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15001 		regular = true;
15002 		err = nl80211_parse_wowlan_nd(
15003 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15004 			&new_triggers);
15005 		if (err)
15006 			goto error;
15007 	}
15008 
15009 	/* The 'any' trigger means the device continues operating more or less
15010 	 * as in its normal operation mode and wakes up the host on most of the
15011 	 * normal interrupts (like packet RX, ...)
15012 	 * It therefore makes little sense to combine with the more constrained
15013 	 * wakeup trigger modes.
15014 	 */
15015 	if (new_triggers.any && regular) {
15016 		err = -EINVAL;
15017 		goto error;
15018 	}
15019 
15020 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15021 	if (!ntrig) {
15022 		err = -ENOMEM;
15023 		goto error;
15024 	}
15025 	cfg80211_rdev_free_wowlan(rdev);
15026 	rdev->wiphy.wowlan_config = ntrig;
15027 
15028  set_wakeup:
15029 	if (rdev->ops->set_wakeup &&
15030 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15031 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15032 
15033 	return 0;
15034  error:
15035 	for (i = 0; i < new_triggers.n_patterns; i++)
15036 		kfree(new_triggers.patterns[i].mask);
15037 	kfree(new_triggers.patterns);
15038 	if (new_triggers.tcp && new_triggers.tcp->sock)
15039 		sock_release(new_triggers.tcp->sock);
15040 	kfree(new_triggers.tcp);
15041 	kfree(new_triggers.nd_config);
15042 	return err;
15043 }
15044 #endif
15045 
15046 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15047 				       struct cfg80211_registered_device *rdev)
15048 {
15049 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15050 	int i, j, pat_len;
15051 	struct cfg80211_coalesce_rules *rule;
15052 
15053 	if (!rdev->coalesce->n_rules)
15054 		return 0;
15055 
15056 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15057 	if (!nl_rules)
15058 		return -ENOBUFS;
15059 
15060 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15061 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15062 		if (!nl_rule)
15063 			return -ENOBUFS;
15064 
15065 		rule = &rdev->coalesce->rules[i];
15066 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15067 				rule->delay))
15068 			return -ENOBUFS;
15069 
15070 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15071 				rule->condition))
15072 			return -ENOBUFS;
15073 
15074 		nl_pats = nla_nest_start_noflag(msg,
15075 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15076 		if (!nl_pats)
15077 			return -ENOBUFS;
15078 
15079 		for (j = 0; j < rule->n_patterns; j++) {
15080 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15081 			if (!nl_pat)
15082 				return -ENOBUFS;
15083 			pat_len = rule->patterns[j].pattern_len;
15084 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15085 				    DIV_ROUND_UP(pat_len, 8),
15086 				    rule->patterns[j].mask) ||
15087 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15088 				    rule->patterns[j].pattern) ||
15089 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15090 					rule->patterns[j].pkt_offset))
15091 				return -ENOBUFS;
15092 			nla_nest_end(msg, nl_pat);
15093 		}
15094 		nla_nest_end(msg, nl_pats);
15095 		nla_nest_end(msg, nl_rule);
15096 	}
15097 	nla_nest_end(msg, nl_rules);
15098 
15099 	return 0;
15100 }
15101 
15102 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15103 {
15104 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15105 	struct sk_buff *msg;
15106 	void *hdr;
15107 
15108 	if (!rdev->wiphy.coalesce)
15109 		return -EOPNOTSUPP;
15110 
15111 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15112 	if (!msg)
15113 		return -ENOMEM;
15114 
15115 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15116 			     NL80211_CMD_GET_COALESCE);
15117 	if (!hdr)
15118 		goto nla_put_failure;
15119 
15120 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15121 		goto nla_put_failure;
15122 
15123 	genlmsg_end(msg, hdr);
15124 	return genlmsg_reply(msg, info);
15125 
15126 nla_put_failure:
15127 	nlmsg_free(msg);
15128 	return -ENOBUFS;
15129 }
15130 
15131 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15132 {
15133 	int i, j;
15134 	struct cfg80211_coalesce_rules *rule;
15135 
15136 	if (!coalesce)
15137 		return;
15138 
15139 	for (i = 0; i < coalesce->n_rules; i++) {
15140 		rule = &coalesce->rules[i];
15141 		for (j = 0; j < rule->n_patterns; j++)
15142 			kfree(rule->patterns[j].mask);
15143 		kfree(rule->patterns);
15144 	}
15145 	kfree(coalesce);
15146 }
15147 
15148 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15149 				       struct nlattr *rule,
15150 				       struct cfg80211_coalesce_rules *new_rule)
15151 {
15152 	int err, i;
15153 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15154 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15155 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15156 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15157 
15158 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15159 					  rule, nl80211_coalesce_policy, NULL);
15160 	if (err)
15161 		return err;
15162 
15163 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15164 		new_rule->delay =
15165 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15166 	if (new_rule->delay > coalesce->max_delay)
15167 		return -EINVAL;
15168 
15169 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15170 		new_rule->condition =
15171 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15172 
15173 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15174 		return -EINVAL;
15175 
15176 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15177 			    rem)
15178 		n_patterns++;
15179 	if (n_patterns > coalesce->n_patterns)
15180 		return -EINVAL;
15181 
15182 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
15183 				     GFP_KERNEL);
15184 	if (!new_rule->patterns)
15185 		return -ENOMEM;
15186 
15187 	new_rule->n_patterns = n_patterns;
15188 	i = 0;
15189 
15190 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15191 			    rem) {
15192 		u8 *mask_pat;
15193 
15194 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15195 						  pat,
15196 						  nl80211_packet_pattern_policy,
15197 						  NULL);
15198 		if (err)
15199 			return err;
15200 
15201 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15202 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15203 			return -EINVAL;
15204 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15205 		mask_len = DIV_ROUND_UP(pat_len, 8);
15206 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15207 			return -EINVAL;
15208 		if (pat_len > coalesce->pattern_max_len ||
15209 		    pat_len < coalesce->pattern_min_len)
15210 			return -EINVAL;
15211 
15212 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15213 						 0);
15214 		if (pkt_offset > coalesce->max_pkt_offset)
15215 			return -EINVAL;
15216 		new_rule->patterns[i].pkt_offset = pkt_offset;
15217 
15218 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15219 		if (!mask_pat)
15220 			return -ENOMEM;
15221 
15222 		new_rule->patterns[i].mask = mask_pat;
15223 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15224 		       mask_len);
15225 
15226 		mask_pat += mask_len;
15227 		new_rule->patterns[i].pattern = mask_pat;
15228 		new_rule->patterns[i].pattern_len = pat_len;
15229 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15230 		       pat_len);
15231 		i++;
15232 	}
15233 
15234 	return 0;
15235 }
15236 
15237 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15238 {
15239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15240 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15241 	struct cfg80211_coalesce *new_coalesce;
15242 	int err, rem_rule, n_rules = 0, i;
15243 	struct nlattr *rule;
15244 
15245 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15246 		return -EOPNOTSUPP;
15247 
15248 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15249 		cfg80211_free_coalesce(rdev->coalesce);
15250 		rdev->coalesce = NULL;
15251 		rdev_set_coalesce(rdev, NULL);
15252 		return 0;
15253 	}
15254 
15255 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15256 			    rem_rule)
15257 		n_rules++;
15258 	if (n_rules > coalesce->n_rules)
15259 		return -EINVAL;
15260 
15261 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
15262 			       GFP_KERNEL);
15263 	if (!new_coalesce)
15264 		return -ENOMEM;
15265 
15266 	new_coalesce->n_rules = n_rules;
15267 	i = 0;
15268 
15269 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15270 			    rem_rule) {
15271 		err = nl80211_parse_coalesce_rule(rdev, rule,
15272 						  &new_coalesce->rules[i]);
15273 		if (err)
15274 			goto error;
15275 
15276 		i++;
15277 	}
15278 
15279 	err = rdev_set_coalesce(rdev, new_coalesce);
15280 	if (err)
15281 		goto error;
15282 
15283 	cfg80211_free_coalesce(rdev->coalesce);
15284 	rdev->coalesce = new_coalesce;
15285 
15286 	return 0;
15287 error:
15288 	cfg80211_free_coalesce(new_coalesce);
15289 
15290 	return err;
15291 }
15292 
15293 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15294 {
15295 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15296 	struct net_device *dev = info->user_ptr[1];
15297 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15298 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15299 	struct cfg80211_gtk_rekey_data rekey_data = {};
15300 	int err;
15301 
15302 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15303 		return -EINVAL;
15304 
15305 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15306 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15307 					  nl80211_rekey_policy, info->extack);
15308 	if (err)
15309 		return err;
15310 
15311 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15312 	    !tb[NL80211_REKEY_DATA_KCK])
15313 		return -EINVAL;
15314 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15315 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15316 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15317 		return -ERANGE;
15318 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15319 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15320 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15321 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15322 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15323 		return -ERANGE;
15324 
15325 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15326 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15327 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15328 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15329 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15330 	if (tb[NL80211_REKEY_DATA_AKM])
15331 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15332 
15333 	if (!wdev->connected)
15334 		return -ENOTCONN;
15335 
15336 	if (!rdev->ops->set_rekey_data)
15337 		return -EOPNOTSUPP;
15338 
15339 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15340 }
15341 
15342 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15343 					     struct genl_info *info)
15344 {
15345 	struct net_device *dev = info->user_ptr[1];
15346 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15347 
15348 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15349 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15350 		return -EINVAL;
15351 
15352 	if (wdev->ap_unexpected_nlportid)
15353 		return -EBUSY;
15354 
15355 	wdev->ap_unexpected_nlportid = info->snd_portid;
15356 	return 0;
15357 }
15358 
15359 static int nl80211_probe_client(struct sk_buff *skb,
15360 				struct genl_info *info)
15361 {
15362 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15363 	struct net_device *dev = info->user_ptr[1];
15364 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15365 	struct sk_buff *msg;
15366 	void *hdr;
15367 	const u8 *addr;
15368 	u64 cookie;
15369 	int err;
15370 
15371 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15372 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15373 		return -EOPNOTSUPP;
15374 
15375 	if (!info->attrs[NL80211_ATTR_MAC])
15376 		return -EINVAL;
15377 
15378 	if (!rdev->ops->probe_client)
15379 		return -EOPNOTSUPP;
15380 
15381 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15382 	if (!msg)
15383 		return -ENOMEM;
15384 
15385 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15386 			     NL80211_CMD_PROBE_CLIENT);
15387 	if (!hdr) {
15388 		err = -ENOBUFS;
15389 		goto free_msg;
15390 	}
15391 
15392 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15393 
15394 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15395 	if (err)
15396 		goto free_msg;
15397 
15398 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15399 			      NL80211_ATTR_PAD))
15400 		goto nla_put_failure;
15401 
15402 	genlmsg_end(msg, hdr);
15403 
15404 	return genlmsg_reply(msg, info);
15405 
15406  nla_put_failure:
15407 	err = -ENOBUFS;
15408  free_msg:
15409 	nlmsg_free(msg);
15410 	return err;
15411 }
15412 
15413 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15414 {
15415 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15416 	struct cfg80211_beacon_registration *reg, *nreg;
15417 	int rv;
15418 
15419 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15420 		return -EOPNOTSUPP;
15421 
15422 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
15423 	if (!nreg)
15424 		return -ENOMEM;
15425 
15426 	/* First, check if already registered. */
15427 	spin_lock_bh(&rdev->beacon_registrations_lock);
15428 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15429 		if (reg->nlportid == info->snd_portid) {
15430 			rv = -EALREADY;
15431 			goto out_err;
15432 		}
15433 	}
15434 	/* Add it to the list */
15435 	nreg->nlportid = info->snd_portid;
15436 	list_add(&nreg->list, &rdev->beacon_registrations);
15437 
15438 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15439 
15440 	return 0;
15441 out_err:
15442 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15443 	kfree(nreg);
15444 	return rv;
15445 }
15446 
15447 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15448 {
15449 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15450 	struct wireless_dev *wdev = info->user_ptr[1];
15451 	int err;
15452 
15453 	if (!rdev->ops->start_p2p_device)
15454 		return -EOPNOTSUPP;
15455 
15456 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15457 		return -EOPNOTSUPP;
15458 
15459 	if (wdev_running(wdev))
15460 		return 0;
15461 
15462 	if (rfkill_blocked(rdev->wiphy.rfkill))
15463 		return -ERFKILL;
15464 
15465 	err = rdev_start_p2p_device(rdev, wdev);
15466 	if (err)
15467 		return err;
15468 
15469 	wdev->is_running = true;
15470 	rdev->opencount++;
15471 
15472 	return 0;
15473 }
15474 
15475 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15476 {
15477 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15478 	struct wireless_dev *wdev = info->user_ptr[1];
15479 
15480 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15481 		return -EOPNOTSUPP;
15482 
15483 	if (!rdev->ops->stop_p2p_device)
15484 		return -EOPNOTSUPP;
15485 
15486 	cfg80211_stop_p2p_device(rdev, wdev);
15487 
15488 	return 0;
15489 }
15490 
15491 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
15492 							 int freq)
15493 {
15494 	struct ieee80211_channel *chan;
15495 	struct cfg80211_chan_def def;
15496 
15497 	/* Check if the frequency is valid for NAN */
15498 	if (freq != 5220 && freq != 5745 && freq != 2437)
15499 		return NULL;
15500 
15501 	chan = ieee80211_get_channel(wiphy, freq);
15502 	if (!chan)
15503 		return NULL;
15504 
15505 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
15506 
15507 	/* Check if the channel is allowed */
15508 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
15509 		return chan;
15510 
15511 	return NULL;
15512 }
15513 
15514 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
15515 					 struct nlattr **tb,
15516 					 struct cfg80211_nan_band_config *cfg,
15517 					 enum nl80211_band band)
15518 {
15519 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
15520 		return -EINVAL;
15521 
15522 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
15523 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
15524 
15525 		if (band != NL80211_BAND_5GHZ)
15526 			return -EINVAL;
15527 
15528 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
15529 		if (!cfg->chan)
15530 			return -EINVAL;
15531 	}
15532 
15533 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
15534 		cfg->rssi_close =
15535 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
15536 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
15537 			return -EINVAL;
15538 	}
15539 
15540 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
15541 		cfg->rssi_middle =
15542 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
15543 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
15544 			return -EINVAL;
15545 	}
15546 
15547 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
15548 		cfg->awake_dw_interval =
15549 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
15550 
15551 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
15552 			return -EINVAL;
15553 	}
15554 
15555 	cfg->disable_scan =
15556 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
15557 	return 0;
15558 }
15559 
15560 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
15561 				  struct genl_info *info,
15562 				  struct cfg80211_nan_conf *conf,
15563 				  u32 *changed_flags)
15564 {
15565 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
15566 	int err, rem;
15567 	u32 changed = 0;
15568 	struct nlattr *band_config;
15569 
15570 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
15571 		conf->master_pref =
15572 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15573 
15574 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
15575 	}
15576 
15577 	if (info->attrs[NL80211_ATTR_BANDS]) {
15578 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15579 
15580 		if (bands & ~(u32)wiphy->nan_supported_bands)
15581 			return -EOPNOTSUPP;
15582 
15583 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15584 			return -EINVAL;
15585 
15586 		conf->bands = bands;
15587 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
15588 	}
15589 
15590 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
15591 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
15592 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
15593 
15594 	/* On 2.4 GHz band use channel 6 */
15595 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
15596 		nl80211_get_nan_channel(wiphy, 2437);
15597 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
15598 		return -EINVAL;
15599 
15600 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
15601 		goto out;
15602 
15603 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
15604 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
15605 			       info->extack);
15606 	if (err)
15607 		return err;
15608 
15609 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
15610 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID])
15611 		conf->cluster_id =
15612 			nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]);
15613 
15614 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
15615 		conf->extra_nan_attrs =
15616 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15617 		conf->extra_nan_attrs_len =
15618 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15619 	}
15620 
15621 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
15622 		conf->vendor_elems =
15623 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15624 		conf->vendor_elems_len =
15625 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15626 	}
15627 
15628 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
15629 		nla_for_each_nested(band_config,
15630 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
15631 				    rem) {
15632 			enum nl80211_band band;
15633 			struct cfg80211_nan_band_config *cfg;
15634 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
15635 
15636 			err = nla_parse_nested(tb,
15637 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
15638 					       band_config, NULL,
15639 					       info->extack);
15640 			if (err)
15641 				return err;
15642 
15643 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
15644 				return -EINVAL;
15645 
15646 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
15647 			if (conf->bands && !(conf->bands & BIT(band)))
15648 				return -EINVAL;
15649 
15650 			cfg = &conf->band_cfgs[band];
15651 
15652 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
15653 							    band);
15654 			if (err)
15655 				return err;
15656 		}
15657 	}
15658 
15659 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
15660 		conf->scan_period =
15661 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
15662 
15663 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
15664 		conf->scan_dwell_time =
15665 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
15666 
15667 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
15668 		conf->discovery_beacon_interval =
15669 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
15670 
15671 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
15672 		conf->enable_dw_notification =
15673 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
15674 
15675 out:
15676 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15677 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
15678 		/* If no 5GHz channel is specified use default, if possible */
15679 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15680 				nl80211_get_nan_channel(wiphy, 5745);
15681 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
15682 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15683 					nl80211_get_nan_channel(wiphy, 5220);
15684 
15685 		/* Return error if user space asked explicitly for 5 GHz */
15686 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15687 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
15688 			NL_SET_ERR_MSG_ATTR(info->extack,
15689 					    info->attrs[NL80211_ATTR_BANDS],
15690 					    "5 GHz band operation is not allowed");
15691 			return -EINVAL;
15692 		}
15693 	}
15694 
15695 	if (changed_flags)
15696 		*changed_flags = changed;
15697 
15698 	return 0;
15699 }
15700 
15701 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
15702 {
15703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15704 	struct wireless_dev *wdev = info->user_ptr[1];
15705 	struct cfg80211_nan_conf conf = {};
15706 	int err;
15707 
15708 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15709 		return -EOPNOTSUPP;
15710 
15711 	if (wdev_running(wdev))
15712 		return -EEXIST;
15713 
15714 	if (rfkill_blocked(rdev->wiphy.rfkill))
15715 		return -ERFKILL;
15716 
15717 	/* Master preference is mandatory for START_NAN */
15718 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
15719 		return -EINVAL;
15720 
15721 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL);
15722 	if (err)
15723 		return err;
15724 
15725 	err = rdev_start_nan(rdev, wdev, &conf);
15726 	if (err)
15727 		return err;
15728 
15729 	wdev->is_running = true;
15730 	rdev->opencount++;
15731 
15732 	return 0;
15733 }
15734 
15735 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
15736 {
15737 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15738 	struct wireless_dev *wdev = info->user_ptr[1];
15739 
15740 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15741 		return -EOPNOTSUPP;
15742 
15743 	cfg80211_stop_nan(rdev, wdev);
15744 
15745 	return 0;
15746 }
15747 
15748 static int validate_nan_filter(struct nlattr *filter_attr)
15749 {
15750 	struct nlattr *attr;
15751 	int len = 0, n_entries = 0, rem;
15752 
15753 	nla_for_each_nested(attr, filter_attr, rem) {
15754 		len += nla_len(attr);
15755 		n_entries++;
15756 	}
15757 
15758 	if (len >= U8_MAX)
15759 		return -EINVAL;
15760 
15761 	return n_entries;
15762 }
15763 
15764 static int handle_nan_filter(struct nlattr *attr_filter,
15765 			     struct cfg80211_nan_func *func,
15766 			     bool tx)
15767 {
15768 	struct nlattr *attr;
15769 	int n_entries, rem, i;
15770 	struct cfg80211_nan_func_filter *filter;
15771 
15772 	n_entries = validate_nan_filter(attr_filter);
15773 	if (n_entries < 0)
15774 		return n_entries;
15775 
15776 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
15777 
15778 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
15779 	if (!filter)
15780 		return -ENOMEM;
15781 
15782 	i = 0;
15783 	nla_for_each_nested(attr, attr_filter, rem) {
15784 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
15785 		if (!filter[i].filter)
15786 			goto err;
15787 
15788 		filter[i].len = nla_len(attr);
15789 		i++;
15790 	}
15791 	if (tx) {
15792 		func->num_tx_filters = n_entries;
15793 		func->tx_filters = filter;
15794 	} else {
15795 		func->num_rx_filters = n_entries;
15796 		func->rx_filters = filter;
15797 	}
15798 
15799 	return 0;
15800 
15801 err:
15802 	i = 0;
15803 	nla_for_each_nested(attr, attr_filter, rem) {
15804 		kfree(filter[i].filter);
15805 		i++;
15806 	}
15807 	kfree(filter);
15808 	return -ENOMEM;
15809 }
15810 
15811 static int nl80211_nan_add_func(struct sk_buff *skb,
15812 				struct genl_info *info)
15813 {
15814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15815 	struct wireless_dev *wdev = info->user_ptr[1];
15816 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
15817 	struct cfg80211_nan_func *func;
15818 	struct sk_buff *msg = NULL;
15819 	void *hdr = NULL;
15820 	int err = 0;
15821 
15822 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15823 		return -EOPNOTSUPP;
15824 
15825 	if (!wdev_running(wdev))
15826 		return -ENOTCONN;
15827 
15828 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
15829 		return -EINVAL;
15830 
15831 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
15832 					  info->attrs[NL80211_ATTR_NAN_FUNC],
15833 					  nl80211_nan_func_policy,
15834 					  info->extack);
15835 	if (err)
15836 		return err;
15837 
15838 	func = kzalloc(sizeof(*func), GFP_KERNEL);
15839 	if (!func)
15840 		return -ENOMEM;
15841 
15842 	func->cookie = cfg80211_assign_cookie(rdev);
15843 
15844 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
15845 		err = -EINVAL;
15846 		goto out;
15847 	}
15848 
15849 
15850 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
15851 
15852 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
15853 		err = -EINVAL;
15854 		goto out;
15855 	}
15856 
15857 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
15858 	       sizeof(func->service_id));
15859 
15860 	func->close_range =
15861 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
15862 
15863 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
15864 		func->serv_spec_info_len =
15865 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
15866 		func->serv_spec_info =
15867 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
15868 				func->serv_spec_info_len,
15869 				GFP_KERNEL);
15870 		if (!func->serv_spec_info) {
15871 			err = -ENOMEM;
15872 			goto out;
15873 		}
15874 	}
15875 
15876 	if (tb[NL80211_NAN_FUNC_TTL])
15877 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
15878 
15879 	switch (func->type) {
15880 	case NL80211_NAN_FUNC_PUBLISH:
15881 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
15882 			err = -EINVAL;
15883 			goto out;
15884 		}
15885 
15886 		func->publish_type =
15887 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
15888 		func->publish_bcast =
15889 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
15890 
15891 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
15892 			func->publish_bcast) {
15893 			err = -EINVAL;
15894 			goto out;
15895 		}
15896 		break;
15897 	case NL80211_NAN_FUNC_SUBSCRIBE:
15898 		func->subscribe_active =
15899 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
15900 		break;
15901 	case NL80211_NAN_FUNC_FOLLOW_UP:
15902 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
15903 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
15904 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
15905 			err = -EINVAL;
15906 			goto out;
15907 		}
15908 
15909 		func->followup_id =
15910 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
15911 		func->followup_reqid =
15912 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
15913 		memcpy(func->followup_dest.addr,
15914 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
15915 		       sizeof(func->followup_dest.addr));
15916 		if (func->ttl) {
15917 			err = -EINVAL;
15918 			goto out;
15919 		}
15920 		break;
15921 	default:
15922 		err = -EINVAL;
15923 		goto out;
15924 	}
15925 
15926 	if (tb[NL80211_NAN_FUNC_SRF]) {
15927 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
15928 
15929 		err = nla_parse_nested_deprecated(srf_tb,
15930 						  NL80211_NAN_SRF_ATTR_MAX,
15931 						  tb[NL80211_NAN_FUNC_SRF],
15932 						  nl80211_nan_srf_policy,
15933 						  info->extack);
15934 		if (err)
15935 			goto out;
15936 
15937 		func->srf_include =
15938 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
15939 
15940 		if (srf_tb[NL80211_NAN_SRF_BF]) {
15941 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
15942 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
15943 				err = -EINVAL;
15944 				goto out;
15945 			}
15946 
15947 			func->srf_bf_len =
15948 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
15949 			func->srf_bf =
15950 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
15951 					func->srf_bf_len, GFP_KERNEL);
15952 			if (!func->srf_bf) {
15953 				err = -ENOMEM;
15954 				goto out;
15955 			}
15956 
15957 			func->srf_bf_idx =
15958 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
15959 		} else {
15960 			struct nlattr *attr, *mac_attr =
15961 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
15962 			int n_entries, rem, i = 0;
15963 
15964 			if (!mac_attr) {
15965 				err = -EINVAL;
15966 				goto out;
15967 			}
15968 
15969 			n_entries = validate_acl_mac_addrs(mac_attr);
15970 			if (n_entries <= 0) {
15971 				err = -EINVAL;
15972 				goto out;
15973 			}
15974 
15975 			func->srf_num_macs = n_entries;
15976 			func->srf_macs =
15977 				kcalloc(n_entries, sizeof(*func->srf_macs),
15978 					GFP_KERNEL);
15979 			if (!func->srf_macs) {
15980 				err = -ENOMEM;
15981 				goto out;
15982 			}
15983 
15984 			nla_for_each_nested(attr, mac_attr, rem)
15985 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
15986 				       sizeof(*func->srf_macs));
15987 		}
15988 	}
15989 
15990 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
15991 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
15992 					func, true);
15993 		if (err)
15994 			goto out;
15995 	}
15996 
15997 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
15998 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
15999 					func, false);
16000 		if (err)
16001 			goto out;
16002 	}
16003 
16004 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16005 	if (!msg) {
16006 		err = -ENOMEM;
16007 		goto out;
16008 	}
16009 
16010 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16011 			     NL80211_CMD_ADD_NAN_FUNCTION);
16012 	/* This can't really happen - we just allocated 4KB */
16013 	if (WARN_ON(!hdr)) {
16014 		err = -ENOMEM;
16015 		goto out;
16016 	}
16017 
16018 	err = rdev_add_nan_func(rdev, wdev, func);
16019 out:
16020 	if (err < 0) {
16021 		cfg80211_free_nan_func(func);
16022 		nlmsg_free(msg);
16023 		return err;
16024 	}
16025 
16026 	/* propagate the instance id and cookie to userspace  */
16027 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16028 			      NL80211_ATTR_PAD))
16029 		goto nla_put_failure;
16030 
16031 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16032 	if (!func_attr)
16033 		goto nla_put_failure;
16034 
16035 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16036 		       func->instance_id))
16037 		goto nla_put_failure;
16038 
16039 	nla_nest_end(msg, func_attr);
16040 
16041 	genlmsg_end(msg, hdr);
16042 	return genlmsg_reply(msg, info);
16043 
16044 nla_put_failure:
16045 	nlmsg_free(msg);
16046 	return -ENOBUFS;
16047 }
16048 
16049 static int nl80211_nan_del_func(struct sk_buff *skb,
16050 			       struct genl_info *info)
16051 {
16052 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16053 	struct wireless_dev *wdev = info->user_ptr[1];
16054 	u64 cookie;
16055 
16056 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16057 		return -EOPNOTSUPP;
16058 
16059 	if (!wdev_running(wdev))
16060 		return -ENOTCONN;
16061 
16062 	if (!info->attrs[NL80211_ATTR_COOKIE])
16063 		return -EINVAL;
16064 
16065 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16066 
16067 	rdev_del_nan_func(rdev, wdev, cookie);
16068 
16069 	return 0;
16070 }
16071 
16072 static int nl80211_nan_change_config(struct sk_buff *skb,
16073 				     struct genl_info *info)
16074 {
16075 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16076 	struct wireless_dev *wdev = info->user_ptr[1];
16077 	struct cfg80211_nan_conf conf = {};
16078 	u32 changed = 0;
16079 	int err;
16080 
16081 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16082 		return -EOPNOTSUPP;
16083 
16084 	if (!wdev_running(wdev))
16085 		return -ENOTCONN;
16086 
16087 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed);
16088 	if (err)
16089 		return err;
16090 
16091 	if (!changed)
16092 		return -EINVAL;
16093 
16094 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16095 }
16096 
16097 void cfg80211_nan_match(struct wireless_dev *wdev,
16098 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16099 {
16100 	struct wiphy *wiphy = wdev->wiphy;
16101 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16102 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16103 	struct sk_buff *msg;
16104 	void *hdr;
16105 
16106 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16107 		return;
16108 
16109 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16110 	if (!msg)
16111 		return;
16112 
16113 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16114 	if (!hdr) {
16115 		nlmsg_free(msg);
16116 		return;
16117 	}
16118 
16119 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16120 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16121 					 wdev->netdev->ifindex)) ||
16122 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16123 			      NL80211_ATTR_PAD))
16124 		goto nla_put_failure;
16125 
16126 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16127 			      NL80211_ATTR_PAD) ||
16128 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16129 		goto nla_put_failure;
16130 
16131 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16132 	if (!match_attr)
16133 		goto nla_put_failure;
16134 
16135 	local_func_attr = nla_nest_start_noflag(msg,
16136 						NL80211_NAN_MATCH_FUNC_LOCAL);
16137 	if (!local_func_attr)
16138 		goto nla_put_failure;
16139 
16140 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16141 		goto nla_put_failure;
16142 
16143 	nla_nest_end(msg, local_func_attr);
16144 
16145 	peer_func_attr = nla_nest_start_noflag(msg,
16146 					       NL80211_NAN_MATCH_FUNC_PEER);
16147 	if (!peer_func_attr)
16148 		goto nla_put_failure;
16149 
16150 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16151 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16152 		goto nla_put_failure;
16153 
16154 	if (match->info && match->info_len &&
16155 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16156 		    match->info))
16157 		goto nla_put_failure;
16158 
16159 	nla_nest_end(msg, peer_func_attr);
16160 	nla_nest_end(msg, match_attr);
16161 	genlmsg_end(msg, hdr);
16162 
16163 	if (!wdev->owner_nlportid)
16164 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16165 					msg, 0, NL80211_MCGRP_NAN, gfp);
16166 	else
16167 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16168 				wdev->owner_nlportid);
16169 
16170 	return;
16171 
16172 nla_put_failure:
16173 	nlmsg_free(msg);
16174 }
16175 EXPORT_SYMBOL(cfg80211_nan_match);
16176 
16177 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
16178 				  u8 inst_id,
16179 				  enum nl80211_nan_func_term_reason reason,
16180 				  u64 cookie, gfp_t gfp)
16181 {
16182 	struct wiphy *wiphy = wdev->wiphy;
16183 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16184 	struct sk_buff *msg;
16185 	struct nlattr *func_attr;
16186 	void *hdr;
16187 
16188 	if (WARN_ON(!inst_id))
16189 		return;
16190 
16191 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16192 	if (!msg)
16193 		return;
16194 
16195 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
16196 	if (!hdr) {
16197 		nlmsg_free(msg);
16198 		return;
16199 	}
16200 
16201 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16202 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16203 					 wdev->netdev->ifindex)) ||
16204 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16205 			      NL80211_ATTR_PAD))
16206 		goto nla_put_failure;
16207 
16208 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16209 			      NL80211_ATTR_PAD))
16210 		goto nla_put_failure;
16211 
16212 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16213 	if (!func_attr)
16214 		goto nla_put_failure;
16215 
16216 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
16217 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
16218 		goto nla_put_failure;
16219 
16220 	nla_nest_end(msg, func_attr);
16221 	genlmsg_end(msg, hdr);
16222 
16223 	if (!wdev->owner_nlportid)
16224 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16225 					msg, 0, NL80211_MCGRP_NAN, gfp);
16226 	else
16227 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16228 				wdev->owner_nlportid);
16229 
16230 	return;
16231 
16232 nla_put_failure:
16233 	nlmsg_free(msg);
16234 }
16235 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
16236 
16237 static int nl80211_get_protocol_features(struct sk_buff *skb,
16238 					 struct genl_info *info)
16239 {
16240 	void *hdr;
16241 	struct sk_buff *msg;
16242 
16243 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16244 	if (!msg)
16245 		return -ENOMEM;
16246 
16247 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16248 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
16249 	if (!hdr)
16250 		goto nla_put_failure;
16251 
16252 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
16253 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
16254 		goto nla_put_failure;
16255 
16256 	genlmsg_end(msg, hdr);
16257 	return genlmsg_reply(msg, info);
16258 
16259  nla_put_failure:
16260 	kfree_skb(msg);
16261 	return -ENOBUFS;
16262 }
16263 
16264 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
16265 {
16266 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16267 	struct cfg80211_update_ft_ies_params ft_params;
16268 	struct net_device *dev = info->user_ptr[1];
16269 
16270 	if (!rdev->ops->update_ft_ies)
16271 		return -EOPNOTSUPP;
16272 
16273 	if (!info->attrs[NL80211_ATTR_MDID] ||
16274 	    !info->attrs[NL80211_ATTR_IE])
16275 		return -EINVAL;
16276 
16277 	memset(&ft_params, 0, sizeof(ft_params));
16278 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
16279 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16280 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16281 
16282 	return rdev_update_ft_ies(rdev, dev, &ft_params);
16283 }
16284 
16285 static int nl80211_crit_protocol_start(struct sk_buff *skb,
16286 				       struct genl_info *info)
16287 {
16288 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16289 	struct wireless_dev *wdev = info->user_ptr[1];
16290 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
16291 	u16 duration;
16292 	int ret;
16293 
16294 	if (!rdev->ops->crit_proto_start)
16295 		return -EOPNOTSUPP;
16296 
16297 	if (WARN_ON(!rdev->ops->crit_proto_stop))
16298 		return -EINVAL;
16299 
16300 	if (rdev->crit_proto_nlportid)
16301 		return -EBUSY;
16302 
16303 	/* determine protocol if provided */
16304 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
16305 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
16306 
16307 	if (proto >= NUM_NL80211_CRIT_PROTO)
16308 		return -EINVAL;
16309 
16310 	/* timeout must be provided */
16311 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
16312 		return -EINVAL;
16313 
16314 	duration =
16315 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
16316 
16317 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
16318 	if (!ret)
16319 		rdev->crit_proto_nlportid = info->snd_portid;
16320 
16321 	return ret;
16322 }
16323 
16324 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
16325 				      struct genl_info *info)
16326 {
16327 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16328 	struct wireless_dev *wdev = info->user_ptr[1];
16329 
16330 	if (!rdev->ops->crit_proto_stop)
16331 		return -EOPNOTSUPP;
16332 
16333 	if (rdev->crit_proto_nlportid) {
16334 		rdev->crit_proto_nlportid = 0;
16335 		rdev_crit_proto_stop(rdev, wdev);
16336 	}
16337 	return 0;
16338 }
16339 
16340 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
16341 				       struct nlattr *attr,
16342 				       struct netlink_ext_ack *extack)
16343 {
16344 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
16345 		if (attr->nla_type & NLA_F_NESTED) {
16346 			NL_SET_ERR_MSG_ATTR(extack, attr,
16347 					    "unexpected nested data");
16348 			return -EINVAL;
16349 		}
16350 
16351 		return 0;
16352 	}
16353 
16354 	if (!(attr->nla_type & NLA_F_NESTED)) {
16355 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
16356 		return -EINVAL;
16357 	}
16358 
16359 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
16360 }
16361 
16362 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
16363 {
16364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16365 	struct wireless_dev *wdev =
16366 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
16367 					   info->attrs);
16368 	int i, err;
16369 	u32 vid, subcmd;
16370 
16371 	if (!rdev->wiphy.vendor_commands)
16372 		return -EOPNOTSUPP;
16373 
16374 	if (IS_ERR(wdev)) {
16375 		err = PTR_ERR(wdev);
16376 		if (err != -EINVAL)
16377 			return err;
16378 		wdev = NULL;
16379 	} else if (wdev->wiphy != &rdev->wiphy) {
16380 		return -EINVAL;
16381 	}
16382 
16383 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
16384 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
16385 		return -EINVAL;
16386 
16387 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
16388 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
16389 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
16390 		const struct wiphy_vendor_command *vcmd;
16391 		void *data = NULL;
16392 		int len = 0;
16393 
16394 		vcmd = &rdev->wiphy.vendor_commands[i];
16395 
16396 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16397 			continue;
16398 
16399 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16400 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16401 			if (!wdev)
16402 				return -EINVAL;
16403 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16404 			    !wdev->netdev)
16405 				return -EINVAL;
16406 
16407 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16408 				if (!wdev_running(wdev))
16409 					return -ENETDOWN;
16410 			}
16411 		} else {
16412 			wdev = NULL;
16413 		}
16414 
16415 		if (!vcmd->doit)
16416 			return -EOPNOTSUPP;
16417 
16418 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
16419 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16420 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16421 
16422 			err = nl80211_vendor_check_policy(vcmd,
16423 					info->attrs[NL80211_ATTR_VENDOR_DATA],
16424 					info->extack);
16425 			if (err)
16426 				return err;
16427 		}
16428 
16429 		rdev->cur_cmd_info = info;
16430 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
16431 		rdev->cur_cmd_info = NULL;
16432 		return err;
16433 	}
16434 
16435 	return -EOPNOTSUPP;
16436 }
16437 
16438 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
16439 				       struct netlink_callback *cb,
16440 				       struct cfg80211_registered_device **rdev,
16441 				       struct wireless_dev **wdev)
16442 {
16443 	struct nlattr **attrbuf;
16444 	u32 vid, subcmd;
16445 	unsigned int i;
16446 	int vcmd_idx = -1;
16447 	int err;
16448 	void *data = NULL;
16449 	unsigned int data_len = 0;
16450 
16451 	if (cb->args[0]) {
16452 		/* subtract the 1 again here */
16453 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
16454 		struct wireless_dev *tmp;
16455 
16456 		if (!wiphy)
16457 			return -ENODEV;
16458 		*rdev = wiphy_to_rdev(wiphy);
16459 		*wdev = NULL;
16460 
16461 		if (cb->args[1]) {
16462 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
16463 				if (tmp->identifier == cb->args[1] - 1) {
16464 					*wdev = tmp;
16465 					break;
16466 				}
16467 			}
16468 		}
16469 
16470 		/* keep rtnl locked in successful case */
16471 		return 0;
16472 	}
16473 
16474 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
16475 	if (!attrbuf)
16476 		return -ENOMEM;
16477 
16478 	err = nlmsg_parse_deprecated(cb->nlh,
16479 				     GENL_HDRLEN + nl80211_fam.hdrsize,
16480 				     attrbuf, nl80211_fam.maxattr,
16481 				     nl80211_policy, NULL);
16482 	if (err)
16483 		goto out;
16484 
16485 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
16486 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
16487 		err = -EINVAL;
16488 		goto out;
16489 	}
16490 
16491 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
16492 	if (IS_ERR(*wdev))
16493 		*wdev = NULL;
16494 
16495 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
16496 	if (IS_ERR(*rdev)) {
16497 		err = PTR_ERR(*rdev);
16498 		goto out;
16499 	}
16500 
16501 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
16502 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
16503 
16504 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
16505 		const struct wiphy_vendor_command *vcmd;
16506 
16507 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
16508 
16509 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16510 			continue;
16511 
16512 		if (!vcmd->dumpit) {
16513 			err = -EOPNOTSUPP;
16514 			goto out;
16515 		}
16516 
16517 		vcmd_idx = i;
16518 		break;
16519 	}
16520 
16521 	if (vcmd_idx < 0) {
16522 		err = -EOPNOTSUPP;
16523 		goto out;
16524 	}
16525 
16526 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
16527 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16528 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16529 
16530 		err = nl80211_vendor_check_policy(
16531 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
16532 				attrbuf[NL80211_ATTR_VENDOR_DATA],
16533 				cb->extack);
16534 		if (err)
16535 			goto out;
16536 	}
16537 
16538 	/* 0 is the first index - add 1 to parse only once */
16539 	cb->args[0] = (*rdev)->wiphy_idx + 1;
16540 	/* add 1 to know if it was NULL */
16541 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
16542 	cb->args[2] = vcmd_idx;
16543 	cb->args[3] = (unsigned long)data;
16544 	cb->args[4] = data_len;
16545 
16546 	/* keep rtnl locked in successful case */
16547 	err = 0;
16548 out:
16549 	kfree(attrbuf);
16550 	return err;
16551 }
16552 
16553 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
16554 				   struct netlink_callback *cb)
16555 {
16556 	struct cfg80211_registered_device *rdev;
16557 	struct wireless_dev *wdev;
16558 	unsigned int vcmd_idx;
16559 	const struct wiphy_vendor_command *vcmd;
16560 	void *data;
16561 	int data_len;
16562 	int err;
16563 	struct nlattr *vendor_data;
16564 
16565 	rtnl_lock();
16566 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
16567 	if (err)
16568 		goto out;
16569 
16570 	vcmd_idx = cb->args[2];
16571 	data = (void *)cb->args[3];
16572 	data_len = cb->args[4];
16573 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
16574 
16575 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16576 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16577 		if (!wdev) {
16578 			err = -EINVAL;
16579 			goto out;
16580 		}
16581 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16582 		    !wdev->netdev) {
16583 			err = -EINVAL;
16584 			goto out;
16585 		}
16586 
16587 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16588 			if (!wdev_running(wdev)) {
16589 				err = -ENETDOWN;
16590 				goto out;
16591 			}
16592 		}
16593 	}
16594 
16595 	while (1) {
16596 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
16597 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
16598 					   NL80211_CMD_VENDOR);
16599 		if (!hdr)
16600 			break;
16601 
16602 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16603 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
16604 					       wdev_id(wdev),
16605 					       NL80211_ATTR_PAD))) {
16606 			genlmsg_cancel(skb, hdr);
16607 			break;
16608 		}
16609 
16610 		vendor_data = nla_nest_start_noflag(skb,
16611 						    NL80211_ATTR_VENDOR_DATA);
16612 		if (!vendor_data) {
16613 			genlmsg_cancel(skb, hdr);
16614 			break;
16615 		}
16616 
16617 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
16618 				   (unsigned long *)&cb->args[5]);
16619 		nla_nest_end(skb, vendor_data);
16620 
16621 		if (err == -ENOBUFS || err == -ENOENT) {
16622 			genlmsg_cancel(skb, hdr);
16623 			break;
16624 		} else if (err <= 0) {
16625 			genlmsg_cancel(skb, hdr);
16626 			goto out;
16627 		}
16628 
16629 		genlmsg_end(skb, hdr);
16630 	}
16631 
16632 	err = skb->len;
16633  out:
16634 	rtnl_unlock();
16635 	return err;
16636 }
16637 
16638 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
16639 					   enum nl80211_commands cmd,
16640 					   enum nl80211_attrs attr,
16641 					   int approxlen)
16642 {
16643 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16644 
16645 	if (WARN_ON(!rdev->cur_cmd_info))
16646 		return NULL;
16647 
16648 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
16649 					   rdev->cur_cmd_info->snd_portid,
16650 					   rdev->cur_cmd_info->snd_seq,
16651 					   cmd, attr, NULL, GFP_KERNEL);
16652 }
16653 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
16654 
16655 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
16656 {
16657 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
16658 	void *hdr = ((void **)skb->cb)[1];
16659 	struct nlattr *data = ((void **)skb->cb)[2];
16660 
16661 	/* clear CB data for netlink core to own from now on */
16662 	memset(skb->cb, 0, sizeof(skb->cb));
16663 
16664 	if (WARN_ON(!rdev->cur_cmd_info)) {
16665 		kfree_skb(skb);
16666 		return -EINVAL;
16667 	}
16668 
16669 	nla_nest_end(skb, data);
16670 	genlmsg_end(skb, hdr);
16671 	return genlmsg_reply(skb, rdev->cur_cmd_info);
16672 }
16673 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
16674 
16675 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
16676 {
16677 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16678 
16679 	if (WARN_ON(!rdev->cur_cmd_info))
16680 		return 0;
16681 
16682 	return rdev->cur_cmd_info->snd_portid;
16683 }
16684 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
16685 
16686 static int nl80211_set_qos_map(struct sk_buff *skb,
16687 			       struct genl_info *info)
16688 {
16689 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16690 	struct cfg80211_qos_map *qos_map = NULL;
16691 	struct net_device *dev = info->user_ptr[1];
16692 	u8 *pos, len, num_des, des_len, des;
16693 	int ret;
16694 
16695 	if (!rdev->ops->set_qos_map)
16696 		return -EOPNOTSUPP;
16697 
16698 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
16699 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
16700 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
16701 
16702 		if (len % 2)
16703 			return -EINVAL;
16704 
16705 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
16706 		if (!qos_map)
16707 			return -ENOMEM;
16708 
16709 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
16710 		if (num_des) {
16711 			des_len = num_des *
16712 				sizeof(struct cfg80211_dscp_exception);
16713 			memcpy(qos_map->dscp_exception, pos, des_len);
16714 			qos_map->num_des = num_des;
16715 			for (des = 0; des < num_des; des++) {
16716 				if (qos_map->dscp_exception[des].up > 7) {
16717 					kfree(qos_map);
16718 					return -EINVAL;
16719 				}
16720 			}
16721 			pos += des_len;
16722 		}
16723 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
16724 	}
16725 
16726 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
16727 	if (!ret)
16728 		ret = rdev_set_qos_map(rdev, dev, qos_map);
16729 
16730 	kfree(qos_map);
16731 	return ret;
16732 }
16733 
16734 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
16735 {
16736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16737 	struct net_device *dev = info->user_ptr[1];
16738 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16739 	const u8 *peer;
16740 	u8 tsid, up;
16741 	u16 admitted_time = 0;
16742 
16743 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
16744 		return -EOPNOTSUPP;
16745 
16746 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
16747 	    !info->attrs[NL80211_ATTR_USER_PRIO])
16748 		return -EINVAL;
16749 
16750 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16751 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
16752 
16753 	/* WMM uses TIDs 0-7 even for TSPEC */
16754 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
16755 		/* TODO: handle 802.11 TSPEC/admission control
16756 		 * need more attributes for that (e.g. BA session requirement);
16757 		 * change the WMM admission test above to allow both then
16758 		 */
16759 		return -EINVAL;
16760 	}
16761 
16762 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16763 
16764 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
16765 		admitted_time =
16766 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
16767 		if (!admitted_time)
16768 			return -EINVAL;
16769 	}
16770 
16771 	switch (wdev->iftype) {
16772 	case NL80211_IFTYPE_STATION:
16773 	case NL80211_IFTYPE_P2P_CLIENT:
16774 		if (wdev->connected)
16775 			break;
16776 		return -ENOTCONN;
16777 	default:
16778 		return -EOPNOTSUPP;
16779 	}
16780 
16781 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
16782 }
16783 
16784 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
16785 {
16786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16787 	struct net_device *dev = info->user_ptr[1];
16788 	const u8 *peer;
16789 	u8 tsid;
16790 
16791 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
16792 		return -EINVAL;
16793 
16794 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16795 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16796 
16797 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
16798 }
16799 
16800 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
16801 				       struct genl_info *info)
16802 {
16803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16804 	struct net_device *dev = info->user_ptr[1];
16805 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16806 	struct cfg80211_chan_def chandef = {};
16807 	const u8 *addr;
16808 	u8 oper_class;
16809 	int err;
16810 
16811 	if (!rdev->ops->tdls_channel_switch ||
16812 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16813 		return -EOPNOTSUPP;
16814 
16815 	switch (dev->ieee80211_ptr->iftype) {
16816 	case NL80211_IFTYPE_STATION:
16817 	case NL80211_IFTYPE_P2P_CLIENT:
16818 		break;
16819 	default:
16820 		return -EOPNOTSUPP;
16821 	}
16822 
16823 	if (!info->attrs[NL80211_ATTR_MAC] ||
16824 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
16825 		return -EINVAL;
16826 
16827 	err = nl80211_parse_chandef(rdev, info, &chandef);
16828 	if (err)
16829 		return err;
16830 
16831 	/*
16832 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
16833 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
16834 	 * specification is not defined for them.
16835 	 */
16836 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
16837 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
16838 	    chandef.width != NL80211_CHAN_WIDTH_20)
16839 		return -EINVAL;
16840 
16841 	/* we will be active on the TDLS link */
16842 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
16843 					   wdev->iftype))
16844 		return -EINVAL;
16845 
16846 	/* don't allow switching to DFS channels */
16847 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
16848 		return -EINVAL;
16849 
16850 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16851 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
16852 
16853 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
16854 }
16855 
16856 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
16857 					      struct genl_info *info)
16858 {
16859 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16860 	struct net_device *dev = info->user_ptr[1];
16861 	const u8 *addr;
16862 
16863 	if (!rdev->ops->tdls_channel_switch ||
16864 	    !rdev->ops->tdls_cancel_channel_switch ||
16865 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16866 		return -EOPNOTSUPP;
16867 
16868 	switch (dev->ieee80211_ptr->iftype) {
16869 	case NL80211_IFTYPE_STATION:
16870 	case NL80211_IFTYPE_P2P_CLIENT:
16871 		break;
16872 	default:
16873 		return -EOPNOTSUPP;
16874 	}
16875 
16876 	if (!info->attrs[NL80211_ATTR_MAC])
16877 		return -EINVAL;
16878 
16879 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16880 
16881 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
16882 
16883 	return 0;
16884 }
16885 
16886 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
16887 					    struct genl_info *info)
16888 {
16889 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16890 	struct net_device *dev = info->user_ptr[1];
16891 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16892 	const struct nlattr *nla;
16893 	bool enabled;
16894 
16895 	if (!rdev->ops->set_multicast_to_unicast)
16896 		return -EOPNOTSUPP;
16897 
16898 	if (wdev->iftype != NL80211_IFTYPE_AP &&
16899 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
16900 		return -EOPNOTSUPP;
16901 
16902 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
16903 	enabled = nla_get_flag(nla);
16904 
16905 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
16906 }
16907 
16908 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
16909 {
16910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16911 	struct net_device *dev = info->user_ptr[1];
16912 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16913 	struct cfg80211_pmk_conf pmk_conf = {};
16914 
16915 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16916 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16917 		return -EOPNOTSUPP;
16918 
16919 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16920 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
16921 		return -EOPNOTSUPP;
16922 
16923 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
16924 		return -EINVAL;
16925 
16926 	if (!wdev->connected)
16927 		return -ENOTCONN;
16928 
16929 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
16930 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
16931 		return -EINVAL;
16932 
16933 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
16934 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
16935 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
16936 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
16937 		return -EINVAL;
16938 
16939 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
16940 		pmk_conf.pmk_r0_name =
16941 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
16942 
16943 	return rdev_set_pmk(rdev, dev, &pmk_conf);
16944 }
16945 
16946 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
16947 {
16948 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16949 	struct net_device *dev = info->user_ptr[1];
16950 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16951 	const u8 *aa;
16952 
16953 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16954 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16955 		return -EOPNOTSUPP;
16956 
16957 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16958 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
16959 		return -EOPNOTSUPP;
16960 
16961 	if (!info->attrs[NL80211_ATTR_MAC])
16962 		return -EINVAL;
16963 
16964 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
16965 	return rdev_del_pmk(rdev, dev, aa);
16966 }
16967 
16968 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
16969 {
16970 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16971 	struct net_device *dev = info->user_ptr[1];
16972 	struct cfg80211_external_auth_params params;
16973 
16974 	if (!rdev->ops->external_auth)
16975 		return -EOPNOTSUPP;
16976 
16977 	if (!info->attrs[NL80211_ATTR_SSID] &&
16978 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
16979 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
16980 		return -EINVAL;
16981 
16982 	if (!info->attrs[NL80211_ATTR_BSSID])
16983 		return -EINVAL;
16984 
16985 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
16986 		return -EINVAL;
16987 
16988 	memset(&params, 0, sizeof(params));
16989 
16990 	if (info->attrs[NL80211_ATTR_SSID]) {
16991 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
16992 		if (params.ssid.ssid_len == 0)
16993 			return -EINVAL;
16994 		memcpy(params.ssid.ssid,
16995 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
16996 		       params.ssid.ssid_len);
16997 	}
16998 
16999 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
17000 	       ETH_ALEN);
17001 
17002 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17003 
17004 	if (info->attrs[NL80211_ATTR_PMKID])
17005 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
17006 
17007 	return rdev_external_auth(rdev, dev, &params);
17008 }
17009 
17010 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
17011 {
17012 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
17013 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17014 	struct net_device *dev = info->user_ptr[1];
17015 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17016 	const u8 *buf;
17017 	size_t len;
17018 	u8 *dest;
17019 	u16 proto;
17020 	bool noencrypt;
17021 	u64 cookie = 0;
17022 	int link_id;
17023 	int err;
17024 
17025 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17026 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
17027 		return -EOPNOTSUPP;
17028 
17029 	if (!rdev->ops->tx_control_port)
17030 		return -EOPNOTSUPP;
17031 
17032 	if (!info->attrs[NL80211_ATTR_FRAME] ||
17033 	    !info->attrs[NL80211_ATTR_MAC] ||
17034 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
17035 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
17036 		return -EINVAL;
17037 	}
17038 
17039 	switch (wdev->iftype) {
17040 	case NL80211_IFTYPE_AP:
17041 	case NL80211_IFTYPE_P2P_GO:
17042 	case NL80211_IFTYPE_MESH_POINT:
17043 		break;
17044 	case NL80211_IFTYPE_ADHOC:
17045 		if (wdev->u.ibss.current_bss)
17046 			break;
17047 		return -ENOTCONN;
17048 	case NL80211_IFTYPE_STATION:
17049 	case NL80211_IFTYPE_P2P_CLIENT:
17050 		if (wdev->connected)
17051 			break;
17052 		return -ENOTCONN;
17053 	default:
17054 		return -EOPNOTSUPP;
17055 	}
17056 
17057 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17058 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17059 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17060 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
17061 	noencrypt =
17062 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
17063 
17064 	link_id = nl80211_link_id_or_invalid(info->attrs);
17065 
17066 	err = rdev_tx_control_port(rdev, dev, buf, len,
17067 				   dest, cpu_to_be16(proto), noencrypt, link_id,
17068 				   dont_wait_for_ack ? NULL : &cookie);
17069 	if (!err && !dont_wait_for_ack)
17070 		nl_set_extack_cookie_u64(info->extack, cookie);
17071 	return err;
17072 }
17073 
17074 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
17075 					   struct genl_info *info)
17076 {
17077 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17078 	struct net_device *dev = info->user_ptr[1];
17079 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17080 	struct cfg80211_ftm_responder_stats ftm_stats = {};
17081 	unsigned int link_id = nl80211_link_id(info->attrs);
17082 	struct sk_buff *msg;
17083 	void *hdr;
17084 	struct nlattr *ftm_stats_attr;
17085 	int err;
17086 
17087 	if (wdev->iftype != NL80211_IFTYPE_AP ||
17088 	    !wdev->links[link_id].ap.beacon_interval)
17089 		return -EOPNOTSUPP;
17090 
17091 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
17092 	if (err)
17093 		return err;
17094 
17095 	if (!ftm_stats.filled)
17096 		return -ENODATA;
17097 
17098 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17099 	if (!msg)
17100 		return -ENOMEM;
17101 
17102 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17103 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
17104 	if (!hdr)
17105 		goto nla_put_failure;
17106 
17107 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17108 		goto nla_put_failure;
17109 
17110 	ftm_stats_attr = nla_nest_start_noflag(msg,
17111 					       NL80211_ATTR_FTM_RESPONDER_STATS);
17112 	if (!ftm_stats_attr)
17113 		goto nla_put_failure;
17114 
17115 #define SET_FTM(field, name, type)					 \
17116 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17117 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
17118 			     ftm_stats.field))				 \
17119 		goto nla_put_failure; } while (0)
17120 #define SET_FTM_U64(field, name)					 \
17121 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17122 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
17123 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
17124 		goto nla_put_failure; } while (0)
17125 
17126 	SET_FTM(success_num, SUCCESS_NUM, u32);
17127 	SET_FTM(partial_num, PARTIAL_NUM, u32);
17128 	SET_FTM(failed_num, FAILED_NUM, u32);
17129 	SET_FTM(asap_num, ASAP_NUM, u32);
17130 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
17131 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
17132 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
17133 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
17134 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
17135 #undef SET_FTM
17136 
17137 	nla_nest_end(msg, ftm_stats_attr);
17138 
17139 	genlmsg_end(msg, hdr);
17140 	return genlmsg_reply(msg, info);
17141 
17142 nla_put_failure:
17143 	nlmsg_free(msg);
17144 	return -ENOBUFS;
17145 }
17146 
17147 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
17148 {
17149 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17150 	struct cfg80211_update_owe_info owe_info;
17151 	struct net_device *dev = info->user_ptr[1];
17152 
17153 	if (!rdev->ops->update_owe_info)
17154 		return -EOPNOTSUPP;
17155 
17156 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
17157 	    !info->attrs[NL80211_ATTR_MAC])
17158 		return -EINVAL;
17159 
17160 	memset(&owe_info, 0, sizeof(owe_info));
17161 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17162 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
17163 
17164 	if (info->attrs[NL80211_ATTR_IE]) {
17165 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17166 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17167 	}
17168 
17169 	return rdev_update_owe_info(rdev, dev, &owe_info);
17170 }
17171 
17172 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
17173 {
17174 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17175 	struct net_device *dev = info->user_ptr[1];
17176 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17177 	struct station_info sinfo = {};
17178 	const u8 *buf;
17179 	size_t len;
17180 	u8 *dest;
17181 	int err;
17182 
17183 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
17184 		return -EOPNOTSUPP;
17185 
17186 	if (!info->attrs[NL80211_ATTR_MAC] ||
17187 	    !info->attrs[NL80211_ATTR_FRAME]) {
17188 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
17189 		return -EINVAL;
17190 	}
17191 
17192 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
17193 		return -EOPNOTSUPP;
17194 
17195 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17196 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17197 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17198 
17199 	if (len < sizeof(struct ethhdr))
17200 		return -EINVAL;
17201 
17202 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
17203 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
17204 		return -EINVAL;
17205 
17206 	err = rdev_get_station(rdev, dev, dest, &sinfo);
17207 	if (err)
17208 		return err;
17209 
17210 	cfg80211_sinfo_release_content(&sinfo);
17211 
17212 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
17213 }
17214 
17215 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
17216 			  struct nlattr *attrs[], struct net_device *dev,
17217 			  struct cfg80211_tid_cfg *tid_conf,
17218 			  struct genl_info *info, const u8 *peer,
17219 			  unsigned int link_id)
17220 {
17221 	struct netlink_ext_ack *extack = info->extack;
17222 	u64 mask;
17223 	int err;
17224 
17225 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
17226 		return -EINVAL;
17227 
17228 	tid_conf->config_override =
17229 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
17230 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
17231 
17232 	if (tid_conf->config_override) {
17233 		if (rdev->ops->reset_tid_config) {
17234 			err = rdev_reset_tid_config(rdev, dev, peer,
17235 						    tid_conf->tids);
17236 			if (err)
17237 				return err;
17238 		} else {
17239 			return -EINVAL;
17240 		}
17241 	}
17242 
17243 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
17244 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
17245 		tid_conf->noack =
17246 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
17247 	}
17248 
17249 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
17250 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
17251 		tid_conf->retry_short =
17252 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
17253 
17254 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
17255 			return -EINVAL;
17256 	}
17257 
17258 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
17259 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
17260 		tid_conf->retry_long =
17261 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
17262 
17263 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
17264 			return -EINVAL;
17265 	}
17266 
17267 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
17268 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
17269 		tid_conf->ampdu =
17270 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
17271 	}
17272 
17273 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
17274 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
17275 		tid_conf->rtscts =
17276 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
17277 	}
17278 
17279 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
17280 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
17281 		tid_conf->amsdu =
17282 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
17283 	}
17284 
17285 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
17286 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
17287 
17288 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
17289 
17290 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
17291 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
17292 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
17293 						    &tid_conf->txrate_mask, dev,
17294 						    true, link_id);
17295 			if (err)
17296 				return err;
17297 
17298 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
17299 		}
17300 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
17301 	}
17302 
17303 	if (peer)
17304 		mask = rdev->wiphy.tid_config_support.peer;
17305 	else
17306 		mask = rdev->wiphy.tid_config_support.vif;
17307 
17308 	if (tid_conf->mask & ~mask) {
17309 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
17310 		return -EOPNOTSUPP;
17311 	}
17312 
17313 	return 0;
17314 }
17315 
17316 static int nl80211_set_tid_config(struct sk_buff *skb,
17317 				  struct genl_info *info)
17318 {
17319 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17320 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
17321 	unsigned int link_id = nl80211_link_id(info->attrs);
17322 	struct net_device *dev = info->user_ptr[1];
17323 	struct cfg80211_tid_config *tid_config;
17324 	struct nlattr *tid;
17325 	int conf_idx = 0, rem_conf;
17326 	int ret = -EINVAL;
17327 	u32 num_conf = 0;
17328 
17329 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
17330 		return -EINVAL;
17331 
17332 	if (!rdev->ops->set_tid_config)
17333 		return -EOPNOTSUPP;
17334 
17335 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17336 			    rem_conf)
17337 		num_conf++;
17338 
17339 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
17340 			     GFP_KERNEL);
17341 	if (!tid_config)
17342 		return -ENOMEM;
17343 
17344 	tid_config->n_tid_conf = num_conf;
17345 
17346 	if (info->attrs[NL80211_ATTR_MAC])
17347 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17348 
17349 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17350 			    rem_conf) {
17351 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
17352 				       tid, NULL, NULL);
17353 
17354 		if (ret)
17355 			goto bad_tid_conf;
17356 
17357 		ret = parse_tid_conf(rdev, attrs, dev,
17358 				     &tid_config->tid_conf[conf_idx],
17359 				     info, tid_config->peer, link_id);
17360 		if (ret)
17361 			goto bad_tid_conf;
17362 
17363 		conf_idx++;
17364 	}
17365 
17366 	ret = rdev_set_tid_config(rdev, dev, tid_config);
17367 
17368 bad_tid_conf:
17369 	kfree(tid_config);
17370 	return ret;
17371 }
17372 
17373 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
17374 {
17375 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17376 	struct cfg80211_color_change_settings params = {};
17377 	struct net_device *dev = info->user_ptr[1];
17378 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17379 	struct nlattr **tb;
17380 	u16 offset;
17381 	int err;
17382 
17383 	if (!rdev->ops->color_change)
17384 		return -EOPNOTSUPP;
17385 
17386 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17387 				     NL80211_EXT_FEATURE_BSS_COLOR))
17388 		return -EOPNOTSUPP;
17389 
17390 	if (wdev->iftype != NL80211_IFTYPE_AP)
17391 		return -EOPNOTSUPP;
17392 
17393 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
17394 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
17395 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
17396 		return -EINVAL;
17397 
17398 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
17399 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
17400 
17401 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
17402 				   info->extack);
17403 	if (err)
17404 		return err;
17405 
17406 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
17407 	if (!tb)
17408 		return -ENOMEM;
17409 
17410 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
17411 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
17412 			       nl80211_policy, info->extack);
17413 	if (err)
17414 		goto out;
17415 
17416 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
17417 				   info->extack);
17418 	if (err)
17419 		goto out;
17420 
17421 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
17422 		err = -EINVAL;
17423 		goto out;
17424 	}
17425 
17426 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
17427 		err = -EINVAL;
17428 		goto out;
17429 	}
17430 
17431 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
17432 	if (offset >= params.beacon_color_change.tail_len) {
17433 		err = -EINVAL;
17434 		goto out;
17435 	}
17436 
17437 	if (params.beacon_color_change.tail[offset] != params.count) {
17438 		err = -EINVAL;
17439 		goto out;
17440 	}
17441 
17442 	params.counter_offset_beacon = offset;
17443 
17444 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
17445 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
17446 		    sizeof(u16)) {
17447 			err = -EINVAL;
17448 			goto out;
17449 		}
17450 
17451 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
17452 		if (offset >= params.beacon_color_change.probe_resp_len) {
17453 			err = -EINVAL;
17454 			goto out;
17455 		}
17456 
17457 		if (params.beacon_color_change.probe_resp[offset] !=
17458 		    params.count) {
17459 			err = -EINVAL;
17460 			goto out;
17461 		}
17462 
17463 		params.counter_offset_presp = offset;
17464 	}
17465 
17466 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
17467 		err = nl80211_parse_unsol_bcast_probe_resp(
17468 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
17469 			&params.unsol_bcast_probe_resp);
17470 		if (err)
17471 			goto out;
17472 	}
17473 
17474 	params.link_id = nl80211_link_id(info->attrs);
17475 	err = rdev_color_change(rdev, dev, &params);
17476 
17477 out:
17478 	kfree(params.beacon_next.mbssid_ies);
17479 	kfree(params.beacon_color_change.mbssid_ies);
17480 	kfree(params.beacon_next.rnr_ies);
17481 	kfree(params.beacon_color_change.rnr_ies);
17482 	kfree(tb);
17483 	return err;
17484 }
17485 
17486 static int nl80211_set_fils_aad(struct sk_buff *skb,
17487 				struct genl_info *info)
17488 {
17489 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17490 	struct net_device *dev = info->user_ptr[1];
17491 	struct cfg80211_fils_aad fils_aad = {};
17492 	u8 *nonces;
17493 
17494 	if (!info->attrs[NL80211_ATTR_MAC] ||
17495 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
17496 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
17497 		return -EINVAL;
17498 
17499 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17500 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
17501 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
17502 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
17503 	fils_aad.snonce = nonces;
17504 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
17505 
17506 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
17507 }
17508 
17509 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
17510 {
17511 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17512 	unsigned int link_id = nl80211_link_id(info->attrs);
17513 	struct net_device *dev = info->user_ptr[1];
17514 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17515 	int ret;
17516 
17517 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
17518 		return -EINVAL;
17519 
17520 	switch (wdev->iftype) {
17521 	case NL80211_IFTYPE_AP:
17522 		break;
17523 	default:
17524 		return -EINVAL;
17525 	}
17526 
17527 	if (!info->attrs[NL80211_ATTR_MAC] ||
17528 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
17529 		return -EINVAL;
17530 
17531 	wdev->valid_links |= BIT(link_id);
17532 	ether_addr_copy(wdev->links[link_id].addr,
17533 			nla_data(info->attrs[NL80211_ATTR_MAC]));
17534 
17535 	ret = rdev_add_intf_link(rdev, wdev, link_id);
17536 	if (ret) {
17537 		wdev->valid_links &= ~BIT(link_id);
17538 		eth_zero_addr(wdev->links[link_id].addr);
17539 	}
17540 
17541 	return ret;
17542 }
17543 
17544 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
17545 {
17546 	unsigned int link_id = nl80211_link_id(info->attrs);
17547 	struct net_device *dev = info->user_ptr[1];
17548 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17549 
17550 	/* cannot remove if there's no link */
17551 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17552 		return -EINVAL;
17553 
17554 	switch (wdev->iftype) {
17555 	case NL80211_IFTYPE_AP:
17556 		break;
17557 	default:
17558 		return -EINVAL;
17559 	}
17560 
17561 	cfg80211_remove_link(wdev, link_id);
17562 
17563 	return 0;
17564 }
17565 
17566 static int
17567 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
17568 			     bool add)
17569 {
17570 	struct link_station_parameters params = {};
17571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17572 	struct net_device *dev = info->user_ptr[1];
17573 	int err;
17574 
17575 	if ((add && !rdev->ops->add_link_station) ||
17576 	    (!add && !rdev->ops->mod_link_station))
17577 		return -EOPNOTSUPP;
17578 
17579 	if (add && !info->attrs[NL80211_ATTR_MAC])
17580 		return -EINVAL;
17581 
17582 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
17583 		return -EINVAL;
17584 
17585 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
17586 		return -EINVAL;
17587 
17588 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17589 
17590 	if (info->attrs[NL80211_ATTR_MAC]) {
17591 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
17592 		if (!is_valid_ether_addr(params.link_mac))
17593 			return -EINVAL;
17594 	}
17595 
17596 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17597 		return -EINVAL;
17598 
17599 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17600 
17601 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
17602 		params.supported_rates =
17603 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17604 		params.supported_rates_len =
17605 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17606 	}
17607 
17608 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
17609 		params.ht_capa =
17610 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
17611 
17612 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
17613 		params.vht_capa =
17614 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
17615 
17616 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
17617 		params.he_capa =
17618 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17619 		params.he_capa_len =
17620 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17621 
17622 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
17623 			params.eht_capa =
17624 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17625 			params.eht_capa_len =
17626 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17627 
17628 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
17629 							(const u8 *)params.eht_capa,
17630 							params.eht_capa_len,
17631 							false))
17632 				return -EINVAL;
17633 		}
17634 	}
17635 
17636 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
17637 		params.he_6ghz_capa =
17638 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
17639 
17640 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
17641 		params.opmode_notif_used = true;
17642 		params.opmode_notif =
17643 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
17644 	}
17645 
17646 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
17647 						&params.txpwr_set);
17648 	if (err)
17649 		return err;
17650 
17651 	if (add)
17652 		return rdev_add_link_station(rdev, dev, &params);
17653 
17654 	return rdev_mod_link_station(rdev, dev, &params);
17655 }
17656 
17657 static int
17658 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
17659 {
17660 	return nl80211_add_mod_link_station(skb, info, true);
17661 }
17662 
17663 static int
17664 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
17665 {
17666 	return nl80211_add_mod_link_station(skb, info, false);
17667 }
17668 
17669 static int
17670 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
17671 {
17672 	struct link_station_del_parameters params = {};
17673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17674 	struct net_device *dev = info->user_ptr[1];
17675 
17676 	if (!rdev->ops->del_link_station)
17677 		return -EOPNOTSUPP;
17678 
17679 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
17680 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
17681 		return -EINVAL;
17682 
17683 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17684 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17685 
17686 	return rdev_del_link_station(rdev, dev, &params);
17687 }
17688 
17689 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
17690 				    struct genl_info *info)
17691 {
17692 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17693 	struct net_device *dev = info->user_ptr[1];
17694 	struct cfg80211_set_hw_timestamp hwts = {};
17695 
17696 	if (!rdev->wiphy.hw_timestamp_max_peers)
17697 		return -EOPNOTSUPP;
17698 
17699 	if (!info->attrs[NL80211_ATTR_MAC] &&
17700 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
17701 		return -EOPNOTSUPP;
17702 
17703 	if (info->attrs[NL80211_ATTR_MAC])
17704 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17705 
17706 	hwts.enable =
17707 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
17708 
17709 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
17710 }
17711 
17712 static int
17713 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
17714 {
17715 	struct cfg80211_ttlm_params params = {};
17716 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17717 	struct net_device *dev = info->user_ptr[1];
17718 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17719 
17720 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17721 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17722 		return -EOPNOTSUPP;
17723 
17724 	if (!wdev->connected)
17725 		return -ENOLINK;
17726 
17727 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
17728 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
17729 		return -EINVAL;
17730 
17731 	nla_memcpy(params.dlink,
17732 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
17733 		   sizeof(params.dlink));
17734 	nla_memcpy(params.ulink,
17735 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
17736 		   sizeof(params.ulink));
17737 
17738 	return rdev_set_ttlm(rdev, dev, &params);
17739 }
17740 
17741 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
17742 {
17743 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17744 	struct net_device *dev = info->user_ptr[1];
17745 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17746 	struct cfg80211_ml_reconf_req req = {};
17747 	unsigned int link_id;
17748 	u16 add_links;
17749 	int err;
17750 
17751 	if (!wdev->valid_links)
17752 		return -EINVAL;
17753 
17754 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
17755 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
17756 		return -EPERM;
17757 
17758 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
17759 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
17760 		return -EOPNOTSUPP;
17761 
17762 	add_links = 0;
17763 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
17764 		err = nl80211_process_links(rdev, req.add_links,
17765 					    /* mark as MLO, but not assoc */
17766 					    IEEE80211_MLD_MAX_NUM_LINKS,
17767 					    NULL, 0, info);
17768 		if (err)
17769 			return err;
17770 
17771 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
17772 		     link_id++) {
17773 			if (!req.add_links[link_id].bss)
17774 				continue;
17775 			add_links |= BIT(link_id);
17776 		}
17777 	}
17778 
17779 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
17780 		req.rem_links =
17781 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
17782 
17783 	/* Validate that existing links are not added, removed links are valid
17784 	 * and don't allow adding and removing the same links
17785 	 */
17786 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
17787 	    (wdev->valid_links & add_links) ||
17788 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
17789 		err = -EINVAL;
17790 		goto out;
17791 	}
17792 
17793 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
17794 		req.ext_mld_capa_ops =
17795 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
17796 
17797 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
17798 
17799 out:
17800 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
17801 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
17802 
17803 	return err;
17804 }
17805 
17806 static int
17807 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
17808 {
17809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17810 	struct net_device *dev = info->user_ptr[1];
17811 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17812 	bool val;
17813 
17814 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17815 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17816 		return -EOPNOTSUPP;
17817 
17818 	if (!wdev->connected)
17819 		return -ENOLINK;
17820 
17821 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
17822 
17823 	return rdev_set_epcs(rdev, dev, val);
17824 }
17825 
17826 #define NL80211_FLAG_NEED_WIPHY		0x01
17827 #define NL80211_FLAG_NEED_NETDEV	0x02
17828 #define NL80211_FLAG_NEED_RTNL		0x04
17829 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
17830 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
17831 					 NL80211_FLAG_CHECK_NETDEV_UP)
17832 #define NL80211_FLAG_NEED_WDEV		0x10
17833 /* If a netdev is associated, it must be UP, P2P must be started */
17834 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
17835 					 NL80211_FLAG_CHECK_NETDEV_UP)
17836 #define NL80211_FLAG_CLEAR_SKB		0x20
17837 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
17838 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
17839 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
17840 
17841 #define INTERNAL_FLAG_SELECTORS(__sel)			\
17842 	SELECTOR(__sel, NONE, 0) /* must be first */	\
17843 	SELECTOR(__sel, WIPHY,				\
17844 		 NL80211_FLAG_NEED_WIPHY)		\
17845 	SELECTOR(__sel, WDEV,				\
17846 		 NL80211_FLAG_NEED_WDEV)		\
17847 	SELECTOR(__sel, NETDEV,				\
17848 		 NL80211_FLAG_NEED_NETDEV)		\
17849 	SELECTOR(__sel, NETDEV_LINK,			\
17850 		 NL80211_FLAG_NEED_NETDEV |		\
17851 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17852 	SELECTOR(__sel, NETDEV_NO_MLO,			\
17853 		 NL80211_FLAG_NEED_NETDEV |		\
17854 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
17855 	SELECTOR(__sel, WIPHY_RTNL,			\
17856 		 NL80211_FLAG_NEED_WIPHY |		\
17857 		 NL80211_FLAG_NEED_RTNL)		\
17858 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
17859 		 NL80211_FLAG_NEED_WIPHY |		\
17860 		 NL80211_FLAG_NEED_RTNL |		\
17861 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17862 	SELECTOR(__sel, WDEV_RTNL,			\
17863 		 NL80211_FLAG_NEED_WDEV |		\
17864 		 NL80211_FLAG_NEED_RTNL)		\
17865 	SELECTOR(__sel, NETDEV_RTNL,			\
17866 		 NL80211_FLAG_NEED_NETDEV |		\
17867 		 NL80211_FLAG_NEED_RTNL)		\
17868 	SELECTOR(__sel, NETDEV_UP,			\
17869 		 NL80211_FLAG_NEED_NETDEV_UP)		\
17870 	SELECTOR(__sel, NETDEV_UP_LINK,			\
17871 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17872 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17873 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
17874 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17875 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
17876 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
17877 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17878 		 NL80211_FLAG_CLEAR_SKB |		\
17879 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
17880 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
17881 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17882 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17883 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
17884 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17885 		 NL80211_FLAG_NO_WIPHY_MTX |		\
17886 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17887 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
17888 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17889 		 NL80211_FLAG_CLEAR_SKB)		\
17890 	SELECTOR(__sel, WDEV_UP,			\
17891 		 NL80211_FLAG_NEED_WDEV_UP)		\
17892 	SELECTOR(__sel, WDEV_UP_LINK,			\
17893 		 NL80211_FLAG_NEED_WDEV_UP |		\
17894 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17895 	SELECTOR(__sel, WDEV_UP_RTNL,			\
17896 		 NL80211_FLAG_NEED_WDEV_UP |		\
17897 		 NL80211_FLAG_NEED_RTNL)		\
17898 	SELECTOR(__sel, WIPHY_CLEAR,			\
17899 		 NL80211_FLAG_NEED_WIPHY |		\
17900 		 NL80211_FLAG_CLEAR_SKB)
17901 
17902 enum nl80211_internal_flags_selector {
17903 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
17904 	INTERNAL_FLAG_SELECTORS(_)
17905 #undef SELECTOR
17906 };
17907 
17908 static u32 nl80211_internal_flags[] = {
17909 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
17910 	INTERNAL_FLAG_SELECTORS(_)
17911 #undef SELECTOR
17912 };
17913 
17914 static int nl80211_pre_doit(const struct genl_split_ops *ops,
17915 			    struct sk_buff *skb,
17916 			    struct genl_info *info)
17917 {
17918 	struct cfg80211_registered_device *rdev = NULL;
17919 	struct wireless_dev *wdev = NULL;
17920 	struct net_device *dev = NULL;
17921 	u32 internal_flags;
17922 	int err;
17923 
17924 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
17925 		return -EINVAL;
17926 
17927 	internal_flags = nl80211_internal_flags[ops->internal_flags];
17928 
17929 	rtnl_lock();
17930 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
17931 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
17932 		if (IS_ERR(rdev)) {
17933 			err = PTR_ERR(rdev);
17934 			goto out_unlock;
17935 		}
17936 		info->user_ptr[0] = rdev;
17937 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
17938 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
17939 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
17940 						  info->attrs);
17941 		if (IS_ERR(wdev)) {
17942 			err = PTR_ERR(wdev);
17943 			goto out_unlock;
17944 		}
17945 
17946 		dev = wdev->netdev;
17947 		dev_hold(dev);
17948 		rdev = wiphy_to_rdev(wdev->wiphy);
17949 
17950 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
17951 			if (!dev) {
17952 				err = -EINVAL;
17953 				goto out_unlock;
17954 			}
17955 
17956 			info->user_ptr[1] = dev;
17957 		} else {
17958 			info->user_ptr[1] = wdev;
17959 		}
17960 
17961 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
17962 		    !wdev_running(wdev)) {
17963 			err = -ENETDOWN;
17964 			goto out_unlock;
17965 		}
17966 
17967 		info->user_ptr[0] = rdev;
17968 	}
17969 
17970 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
17971 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
17972 
17973 		if (!wdev) {
17974 			err = -EINVAL;
17975 			goto out_unlock;
17976 		}
17977 
17978 		/* MLO -> require valid link ID */
17979 		if (wdev->valid_links &&
17980 		    (!link_id ||
17981 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
17982 			err = -EINVAL;
17983 			goto out_unlock;
17984 		}
17985 
17986 		/* non-MLO -> no link ID attribute accepted */
17987 		if (!wdev->valid_links && link_id) {
17988 			err = -EINVAL;
17989 			goto out_unlock;
17990 		}
17991 	}
17992 
17993 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
17994 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
17995 		    (wdev && wdev->valid_links)) {
17996 			err = -EINVAL;
17997 			goto out_unlock;
17998 		}
17999 	}
18000 
18001 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18002 		wiphy_lock(&rdev->wiphy);
18003 		/* we keep the mutex locked until post_doit */
18004 		__release(&rdev->wiphy.mtx);
18005 	}
18006 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
18007 		rtnl_unlock();
18008 
18009 	return 0;
18010 out_unlock:
18011 	rtnl_unlock();
18012 	dev_put(dev);
18013 	return err;
18014 }
18015 
18016 static void nl80211_post_doit(const struct genl_split_ops *ops,
18017 			      struct sk_buff *skb,
18018 			      struct genl_info *info)
18019 {
18020 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
18021 
18022 	if (info->user_ptr[1]) {
18023 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
18024 			struct wireless_dev *wdev = info->user_ptr[1];
18025 
18026 			dev_put(wdev->netdev);
18027 		} else {
18028 			dev_put(info->user_ptr[1]);
18029 		}
18030 	}
18031 
18032 	if (info->user_ptr[0] &&
18033 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18034 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
18035 
18036 		/* we kept the mutex locked since pre_doit */
18037 		__acquire(&rdev->wiphy.mtx);
18038 		wiphy_unlock(&rdev->wiphy);
18039 	}
18040 
18041 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
18042 		rtnl_unlock();
18043 
18044 	/* If needed, clear the netlink message payload from the SKB
18045 	 * as it might contain key data that shouldn't stick around on
18046 	 * the heap after the SKB is freed. The netlink message header
18047 	 * is still needed for further processing, so leave it intact.
18048 	 */
18049 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
18050 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
18051 
18052 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
18053 	}
18054 }
18055 
18056 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
18057 				     struct cfg80211_sar_specs *sar_specs,
18058 				     struct nlattr *spec[], int index)
18059 {
18060 	u32 range_index, i;
18061 
18062 	if (!sar_specs || !spec)
18063 		return -EINVAL;
18064 
18065 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
18066 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
18067 		return -EINVAL;
18068 
18069 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
18070 
18071 	/* check if range_index exceeds num_freq_ranges */
18072 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
18073 		return -EINVAL;
18074 
18075 	/* check if range_index duplicates */
18076 	for (i = 0; i < index; i++) {
18077 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
18078 			return -EINVAL;
18079 	}
18080 
18081 	sar_specs->sub_specs[index].power =
18082 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
18083 
18084 	sar_specs->sub_specs[index].freq_range_index = range_index;
18085 
18086 	return 0;
18087 }
18088 
18089 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
18090 {
18091 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18092 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
18093 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
18094 	struct cfg80211_sar_specs *sar_spec;
18095 	enum nl80211_sar_type type;
18096 	struct nlattr *spec_list;
18097 	u32 specs;
18098 	int rem, err;
18099 
18100 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
18101 		return -EOPNOTSUPP;
18102 
18103 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
18104 		return -EINVAL;
18105 
18106 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
18107 			 info->attrs[NL80211_ATTR_SAR_SPEC],
18108 			 NULL, NULL);
18109 
18110 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
18111 		return -EINVAL;
18112 
18113 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
18114 	if (type != rdev->wiphy.sar_capa->type)
18115 		return -EINVAL;
18116 
18117 	specs = 0;
18118 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
18119 		specs++;
18120 
18121 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
18122 		return -EINVAL;
18123 
18124 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
18125 	if (!sar_spec)
18126 		return -ENOMEM;
18127 
18128 	sar_spec->num_sub_specs = specs;
18129 	sar_spec->type = type;
18130 	specs = 0;
18131 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
18132 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
18133 				 spec_list, NULL, NULL);
18134 
18135 		switch (type) {
18136 		case NL80211_SAR_TYPE_POWER:
18137 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
18138 						      spec, specs)) {
18139 				err = -EINVAL;
18140 				goto error;
18141 			}
18142 			break;
18143 		default:
18144 			err = -EINVAL;
18145 			goto error;
18146 		}
18147 		specs++;
18148 	}
18149 
18150 	sar_spec->num_sub_specs = specs;
18151 
18152 	rdev->cur_cmd_info = info;
18153 	err = rdev_set_sar_specs(rdev, sar_spec);
18154 	rdev->cur_cmd_info = NULL;
18155 error:
18156 	kfree(sar_spec);
18157 	return err;
18158 }
18159 
18160 #define SELECTOR(__sel, name, value) \
18161 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
18162 int __missing_selector(void);
18163 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
18164 
18165 static const struct genl_ops nl80211_ops[] = {
18166 	{
18167 		.cmd = NL80211_CMD_GET_WIPHY,
18168 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18169 		.doit = nl80211_get_wiphy,
18170 		.dumpit = nl80211_dump_wiphy,
18171 		.done = nl80211_dump_wiphy_done,
18172 		/* can be retrieved by unprivileged users */
18173 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18174 	},
18175 };
18176 
18177 static const struct genl_small_ops nl80211_small_ops[] = {
18178 	{
18179 		.cmd = NL80211_CMD_SET_WIPHY,
18180 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18181 		.doit = nl80211_set_wiphy,
18182 		.flags = GENL_UNS_ADMIN_PERM,
18183 	},
18184 	{
18185 		.cmd = NL80211_CMD_GET_INTERFACE,
18186 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18187 		.doit = nl80211_get_interface,
18188 		.dumpit = nl80211_dump_interface,
18189 		/* can be retrieved by unprivileged users */
18190 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18191 	},
18192 	{
18193 		.cmd = NL80211_CMD_SET_INTERFACE,
18194 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18195 		.doit = nl80211_set_interface,
18196 		.flags = GENL_UNS_ADMIN_PERM,
18197 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18198 					 NL80211_FLAG_NEED_RTNL),
18199 	},
18200 	{
18201 		.cmd = NL80211_CMD_NEW_INTERFACE,
18202 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18203 		.doit = nl80211_new_interface,
18204 		.flags = GENL_UNS_ADMIN_PERM,
18205 		.internal_flags =
18206 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
18207 			       NL80211_FLAG_NEED_RTNL |
18208 			       /* we take the wiphy mutex later ourselves */
18209 			       NL80211_FLAG_NO_WIPHY_MTX),
18210 	},
18211 	{
18212 		.cmd = NL80211_CMD_DEL_INTERFACE,
18213 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18214 		.doit = nl80211_del_interface,
18215 		.flags = GENL_UNS_ADMIN_PERM,
18216 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18217 					 NL80211_FLAG_NEED_RTNL),
18218 	},
18219 	{
18220 		.cmd = NL80211_CMD_GET_KEY,
18221 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18222 		.doit = nl80211_get_key,
18223 		.flags = GENL_UNS_ADMIN_PERM,
18224 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18225 	},
18226 	{
18227 		.cmd = NL80211_CMD_SET_KEY,
18228 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18229 		.doit = nl80211_set_key,
18230 		.flags = GENL_UNS_ADMIN_PERM,
18231 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
18232 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18233 					 NL80211_FLAG_CLEAR_SKB),
18234 	},
18235 	{
18236 		.cmd = NL80211_CMD_NEW_KEY,
18237 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18238 		.doit = nl80211_new_key,
18239 		.flags = GENL_UNS_ADMIN_PERM,
18240 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18241 					 NL80211_FLAG_CLEAR_SKB),
18242 	},
18243 	{
18244 		.cmd = NL80211_CMD_DEL_KEY,
18245 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18246 		.doit = nl80211_del_key,
18247 		.flags = GENL_UNS_ADMIN_PERM,
18248 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18249 	},
18250 	{
18251 		.cmd = NL80211_CMD_SET_BEACON,
18252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18253 		.flags = GENL_UNS_ADMIN_PERM,
18254 		.doit = nl80211_set_beacon,
18255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18256 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18257 	},
18258 	{
18259 		.cmd = NL80211_CMD_START_AP,
18260 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18261 		.flags = GENL_UNS_ADMIN_PERM,
18262 		.doit = nl80211_start_ap,
18263 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18264 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18265 	},
18266 	{
18267 		.cmd = NL80211_CMD_STOP_AP,
18268 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18269 		.flags = GENL_UNS_ADMIN_PERM,
18270 		.doit = nl80211_stop_ap,
18271 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18272 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18273 	},
18274 	{
18275 		.cmd = NL80211_CMD_GET_STATION,
18276 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18277 		.doit = nl80211_get_station,
18278 		.dumpit = nl80211_dump_station,
18279 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18280 	},
18281 	{
18282 		.cmd = NL80211_CMD_SET_STATION,
18283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18284 		.doit = nl80211_set_station,
18285 		.flags = GENL_UNS_ADMIN_PERM,
18286 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18287 	},
18288 	{
18289 		.cmd = NL80211_CMD_NEW_STATION,
18290 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18291 		.doit = nl80211_new_station,
18292 		.flags = GENL_UNS_ADMIN_PERM,
18293 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18294 	},
18295 	{
18296 		.cmd = NL80211_CMD_DEL_STATION,
18297 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18298 		.doit = nl80211_del_station,
18299 		.flags = GENL_UNS_ADMIN_PERM,
18300 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
18301 		 * whether MAC address is passed or not. If MAC address is
18302 		 * passed, then even during MLO, link ID is not required.
18303 		 */
18304 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18305 	},
18306 	{
18307 		.cmd = NL80211_CMD_GET_MPATH,
18308 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18309 		.doit = nl80211_get_mpath,
18310 		.dumpit = nl80211_dump_mpath,
18311 		.flags = GENL_UNS_ADMIN_PERM,
18312 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18313 	},
18314 	{
18315 		.cmd = NL80211_CMD_GET_MPP,
18316 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18317 		.doit = nl80211_get_mpp,
18318 		.dumpit = nl80211_dump_mpp,
18319 		.flags = GENL_UNS_ADMIN_PERM,
18320 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18321 	},
18322 	{
18323 		.cmd = NL80211_CMD_SET_MPATH,
18324 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18325 		.doit = nl80211_set_mpath,
18326 		.flags = GENL_UNS_ADMIN_PERM,
18327 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18328 	},
18329 	{
18330 		.cmd = NL80211_CMD_NEW_MPATH,
18331 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18332 		.doit = nl80211_new_mpath,
18333 		.flags = GENL_UNS_ADMIN_PERM,
18334 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18335 	},
18336 	{
18337 		.cmd = NL80211_CMD_DEL_MPATH,
18338 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18339 		.doit = nl80211_del_mpath,
18340 		.flags = GENL_UNS_ADMIN_PERM,
18341 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18342 	},
18343 	{
18344 		.cmd = NL80211_CMD_SET_BSS,
18345 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18346 		.doit = nl80211_set_bss,
18347 		.flags = GENL_UNS_ADMIN_PERM,
18348 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18349 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18350 	},
18351 	{
18352 		.cmd = NL80211_CMD_GET_REG,
18353 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18354 		.doit = nl80211_get_reg_do,
18355 		.dumpit = nl80211_get_reg_dump,
18356 		/* can be retrieved by unprivileged users */
18357 	},
18358 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
18359 	{
18360 		.cmd = NL80211_CMD_SET_REG,
18361 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18362 		.doit = nl80211_set_reg,
18363 		.flags = GENL_ADMIN_PERM,
18364 	},
18365 #endif
18366 	{
18367 		.cmd = NL80211_CMD_REQ_SET_REG,
18368 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18369 		.doit = nl80211_req_set_reg,
18370 		.flags = GENL_ADMIN_PERM,
18371 	},
18372 	{
18373 		.cmd = NL80211_CMD_RELOAD_REGDB,
18374 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18375 		.doit = nl80211_reload_regdb,
18376 		.flags = GENL_ADMIN_PERM,
18377 	},
18378 	{
18379 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
18380 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18381 		.doit = nl80211_get_mesh_config,
18382 		/* can be retrieved by unprivileged users */
18383 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18384 	},
18385 	{
18386 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
18387 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18388 		.doit = nl80211_update_mesh_config,
18389 		.flags = GENL_UNS_ADMIN_PERM,
18390 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18391 	},
18392 	{
18393 		.cmd = NL80211_CMD_TRIGGER_SCAN,
18394 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18395 		.doit = nl80211_trigger_scan,
18396 		.flags = GENL_UNS_ADMIN_PERM,
18397 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18398 	},
18399 	{
18400 		.cmd = NL80211_CMD_ABORT_SCAN,
18401 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18402 		.doit = nl80211_abort_scan,
18403 		.flags = GENL_UNS_ADMIN_PERM,
18404 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18405 	},
18406 	{
18407 		.cmd = NL80211_CMD_GET_SCAN,
18408 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18409 		.dumpit = nl80211_dump_scan,
18410 	},
18411 	{
18412 		.cmd = NL80211_CMD_START_SCHED_SCAN,
18413 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18414 		.doit = nl80211_start_sched_scan,
18415 		.flags = GENL_UNS_ADMIN_PERM,
18416 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18417 	},
18418 	{
18419 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
18420 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18421 		.doit = nl80211_stop_sched_scan,
18422 		.flags = GENL_UNS_ADMIN_PERM,
18423 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18424 	},
18425 	{
18426 		.cmd = NL80211_CMD_AUTHENTICATE,
18427 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18428 		.doit = nl80211_authenticate,
18429 		.flags = GENL_UNS_ADMIN_PERM,
18430 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18431 					 NL80211_FLAG_CLEAR_SKB),
18432 	},
18433 	{
18434 		.cmd = NL80211_CMD_ASSOCIATE,
18435 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18436 		.doit = nl80211_associate,
18437 		.flags = GENL_UNS_ADMIN_PERM,
18438 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18439 					 NL80211_FLAG_CLEAR_SKB),
18440 	},
18441 	{
18442 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18443 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18444 		.doit = nl80211_deauthenticate,
18445 		.flags = GENL_UNS_ADMIN_PERM,
18446 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18447 	},
18448 	{
18449 		.cmd = NL80211_CMD_DISASSOCIATE,
18450 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18451 		.doit = nl80211_disassociate,
18452 		.flags = GENL_UNS_ADMIN_PERM,
18453 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18454 	},
18455 	{
18456 		.cmd = NL80211_CMD_JOIN_IBSS,
18457 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18458 		.doit = nl80211_join_ibss,
18459 		.flags = GENL_UNS_ADMIN_PERM,
18460 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18461 	},
18462 	{
18463 		.cmd = NL80211_CMD_LEAVE_IBSS,
18464 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18465 		.doit = nl80211_leave_ibss,
18466 		.flags = GENL_UNS_ADMIN_PERM,
18467 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18468 	},
18469 #ifdef CONFIG_NL80211_TESTMODE
18470 	{
18471 		.cmd = NL80211_CMD_TESTMODE,
18472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18473 		.doit = nl80211_testmode_do,
18474 		.dumpit = nl80211_testmode_dump,
18475 		.flags = GENL_UNS_ADMIN_PERM,
18476 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18477 	},
18478 #endif
18479 	{
18480 		.cmd = NL80211_CMD_CONNECT,
18481 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18482 		.doit = nl80211_connect,
18483 		.flags = GENL_UNS_ADMIN_PERM,
18484 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18485 					 NL80211_FLAG_CLEAR_SKB),
18486 	},
18487 	{
18488 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
18489 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18490 		.doit = nl80211_update_connect_params,
18491 		.flags = GENL_ADMIN_PERM,
18492 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18493 					 NL80211_FLAG_CLEAR_SKB),
18494 	},
18495 	{
18496 		.cmd = NL80211_CMD_DISCONNECT,
18497 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18498 		.doit = nl80211_disconnect,
18499 		.flags = GENL_UNS_ADMIN_PERM,
18500 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18501 	},
18502 	{
18503 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
18504 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18505 		.doit = nl80211_wiphy_netns,
18506 		.flags = GENL_UNS_ADMIN_PERM,
18507 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18508 					 NL80211_FLAG_NEED_RTNL |
18509 					 NL80211_FLAG_NO_WIPHY_MTX),
18510 	},
18511 	{
18512 		.cmd = NL80211_CMD_GET_SURVEY,
18513 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18514 		.dumpit = nl80211_dump_survey,
18515 	},
18516 	{
18517 		.cmd = NL80211_CMD_SET_PMKSA,
18518 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18519 		.doit = nl80211_set_pmksa,
18520 		.flags = GENL_UNS_ADMIN_PERM,
18521 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18522 					 NL80211_FLAG_CLEAR_SKB),
18523 	},
18524 	{
18525 		.cmd = NL80211_CMD_DEL_PMKSA,
18526 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18527 		.doit = nl80211_del_pmksa,
18528 		.flags = GENL_UNS_ADMIN_PERM,
18529 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18530 	},
18531 	{
18532 		.cmd = NL80211_CMD_FLUSH_PMKSA,
18533 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18534 		.doit = nl80211_flush_pmksa,
18535 		.flags = GENL_UNS_ADMIN_PERM,
18536 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18537 	},
18538 	{
18539 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
18540 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18541 		.doit = nl80211_remain_on_channel,
18542 		.flags = GENL_UNS_ADMIN_PERM,
18543 		/* FIXME: requiring a link ID here is probably not good */
18544 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18545 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18546 	},
18547 	{
18548 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18550 		.doit = nl80211_cancel_remain_on_channel,
18551 		.flags = GENL_UNS_ADMIN_PERM,
18552 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18553 	},
18554 	{
18555 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
18556 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18557 		.doit = nl80211_set_tx_bitrate_mask,
18558 		.flags = GENL_UNS_ADMIN_PERM,
18559 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18560 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18561 	},
18562 	{
18563 		.cmd = NL80211_CMD_REGISTER_FRAME,
18564 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18565 		.doit = nl80211_register_mgmt,
18566 		.flags = GENL_UNS_ADMIN_PERM,
18567 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18568 	},
18569 	{
18570 		.cmd = NL80211_CMD_FRAME,
18571 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18572 		.doit = nl80211_tx_mgmt,
18573 		.flags = GENL_UNS_ADMIN_PERM,
18574 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18575 	},
18576 	{
18577 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
18578 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18579 		.doit = nl80211_tx_mgmt_cancel_wait,
18580 		.flags = GENL_UNS_ADMIN_PERM,
18581 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18582 	},
18583 	{
18584 		.cmd = NL80211_CMD_SET_POWER_SAVE,
18585 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18586 		.doit = nl80211_set_power_save,
18587 		.flags = GENL_UNS_ADMIN_PERM,
18588 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18589 	},
18590 	{
18591 		.cmd = NL80211_CMD_GET_POWER_SAVE,
18592 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18593 		.doit = nl80211_get_power_save,
18594 		/* can be retrieved by unprivileged users */
18595 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18596 	},
18597 	{
18598 		.cmd = NL80211_CMD_SET_CQM,
18599 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18600 		.doit = nl80211_set_cqm,
18601 		.flags = GENL_UNS_ADMIN_PERM,
18602 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18603 	},
18604 	{
18605 		.cmd = NL80211_CMD_SET_CHANNEL,
18606 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18607 		.doit = nl80211_set_channel,
18608 		.flags = GENL_UNS_ADMIN_PERM,
18609 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18610 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18611 	},
18612 	{
18613 		.cmd = NL80211_CMD_JOIN_MESH,
18614 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18615 		.doit = nl80211_join_mesh,
18616 		.flags = GENL_UNS_ADMIN_PERM,
18617 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18618 	},
18619 	{
18620 		.cmd = NL80211_CMD_LEAVE_MESH,
18621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18622 		.doit = nl80211_leave_mesh,
18623 		.flags = GENL_UNS_ADMIN_PERM,
18624 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18625 	},
18626 	{
18627 		.cmd = NL80211_CMD_JOIN_OCB,
18628 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18629 		.doit = nl80211_join_ocb,
18630 		.flags = GENL_UNS_ADMIN_PERM,
18631 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18632 	},
18633 	{
18634 		.cmd = NL80211_CMD_LEAVE_OCB,
18635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18636 		.doit = nl80211_leave_ocb,
18637 		.flags = GENL_UNS_ADMIN_PERM,
18638 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18639 	},
18640 #ifdef CONFIG_PM
18641 	{
18642 		.cmd = NL80211_CMD_GET_WOWLAN,
18643 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18644 		.doit = nl80211_get_wowlan,
18645 		/* can be retrieved by unprivileged users */
18646 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18647 	},
18648 	{
18649 		.cmd = NL80211_CMD_SET_WOWLAN,
18650 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18651 		.doit = nl80211_set_wowlan,
18652 		.flags = GENL_UNS_ADMIN_PERM,
18653 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18654 	},
18655 #endif
18656 	{
18657 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
18658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18659 		.doit = nl80211_set_rekey_data,
18660 		.flags = GENL_UNS_ADMIN_PERM,
18661 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18662 					 NL80211_FLAG_CLEAR_SKB),
18663 	},
18664 	{
18665 		.cmd = NL80211_CMD_TDLS_MGMT,
18666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18667 		.doit = nl80211_tdls_mgmt,
18668 		.flags = GENL_UNS_ADMIN_PERM,
18669 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18670 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18671 	},
18672 	{
18673 		.cmd = NL80211_CMD_TDLS_OPER,
18674 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18675 		.doit = nl80211_tdls_oper,
18676 		.flags = GENL_UNS_ADMIN_PERM,
18677 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18678 	},
18679 	{
18680 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
18681 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18682 		.doit = nl80211_register_unexpected_frame,
18683 		.flags = GENL_UNS_ADMIN_PERM,
18684 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18685 	},
18686 	{
18687 		.cmd = NL80211_CMD_PROBE_CLIENT,
18688 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18689 		.doit = nl80211_probe_client,
18690 		.flags = GENL_UNS_ADMIN_PERM,
18691 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18692 	},
18693 	{
18694 		.cmd = NL80211_CMD_REGISTER_BEACONS,
18695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18696 		.doit = nl80211_register_beacons,
18697 		.flags = GENL_UNS_ADMIN_PERM,
18698 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18699 	},
18700 	{
18701 		.cmd = NL80211_CMD_SET_NOACK_MAP,
18702 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18703 		.doit = nl80211_set_noack_map,
18704 		.flags = GENL_UNS_ADMIN_PERM,
18705 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18706 	},
18707 	{
18708 		.cmd = NL80211_CMD_START_P2P_DEVICE,
18709 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18710 		.doit = nl80211_start_p2p_device,
18711 		.flags = GENL_UNS_ADMIN_PERM,
18712 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18713 					 NL80211_FLAG_NEED_RTNL),
18714 	},
18715 	{
18716 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
18717 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18718 		.doit = nl80211_stop_p2p_device,
18719 		.flags = GENL_UNS_ADMIN_PERM,
18720 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18721 					 NL80211_FLAG_NEED_RTNL),
18722 	},
18723 	{
18724 		.cmd = NL80211_CMD_START_NAN,
18725 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18726 		.doit = nl80211_start_nan,
18727 		.flags = GENL_ADMIN_PERM,
18728 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18729 					 NL80211_FLAG_NEED_RTNL),
18730 	},
18731 	{
18732 		.cmd = NL80211_CMD_STOP_NAN,
18733 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18734 		.doit = nl80211_stop_nan,
18735 		.flags = GENL_ADMIN_PERM,
18736 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18737 					 NL80211_FLAG_NEED_RTNL),
18738 	},
18739 	{
18740 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
18741 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18742 		.doit = nl80211_nan_add_func,
18743 		.flags = GENL_ADMIN_PERM,
18744 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18745 	},
18746 	{
18747 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
18748 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18749 		.doit = nl80211_nan_del_func,
18750 		.flags = GENL_ADMIN_PERM,
18751 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18752 	},
18753 	{
18754 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
18755 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18756 		.doit = nl80211_nan_change_config,
18757 		.flags = GENL_ADMIN_PERM,
18758 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18759 	},
18760 	{
18761 		.cmd = NL80211_CMD_SET_MCAST_RATE,
18762 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18763 		.doit = nl80211_set_mcast_rate,
18764 		.flags = GENL_UNS_ADMIN_PERM,
18765 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18766 	},
18767 	{
18768 		.cmd = NL80211_CMD_SET_MAC_ACL,
18769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18770 		.doit = nl80211_set_mac_acl,
18771 		.flags = GENL_UNS_ADMIN_PERM,
18772 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18773 					 NL80211_FLAG_MLO_UNSUPPORTED),
18774 	},
18775 	{
18776 		.cmd = NL80211_CMD_RADAR_DETECT,
18777 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18778 		.doit = nl80211_start_radar_detection,
18779 		.flags = GENL_UNS_ADMIN_PERM,
18780 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18781 					 NL80211_FLAG_NO_WIPHY_MTX |
18782 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18783 	},
18784 	{
18785 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
18786 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18787 		.doit = nl80211_get_protocol_features,
18788 	},
18789 	{
18790 		.cmd = NL80211_CMD_UPDATE_FT_IES,
18791 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18792 		.doit = nl80211_update_ft_ies,
18793 		.flags = GENL_UNS_ADMIN_PERM,
18794 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18795 	},
18796 	{
18797 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
18798 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18799 		.doit = nl80211_crit_protocol_start,
18800 		.flags = GENL_UNS_ADMIN_PERM,
18801 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18802 	},
18803 	{
18804 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
18805 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18806 		.doit = nl80211_crit_protocol_stop,
18807 		.flags = GENL_UNS_ADMIN_PERM,
18808 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18809 	},
18810 	{
18811 		.cmd = NL80211_CMD_GET_COALESCE,
18812 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18813 		.doit = nl80211_get_coalesce,
18814 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18815 	},
18816 	{
18817 		.cmd = NL80211_CMD_SET_COALESCE,
18818 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18819 		.doit = nl80211_set_coalesce,
18820 		.flags = GENL_UNS_ADMIN_PERM,
18821 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18822 	},
18823 	{
18824 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
18825 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18826 		.doit = nl80211_channel_switch,
18827 		.flags = GENL_UNS_ADMIN_PERM,
18828 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18829 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18830 	},
18831 	{
18832 		.cmd = NL80211_CMD_VENDOR,
18833 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18834 		.doit = nl80211_vendor_cmd,
18835 		.dumpit = nl80211_vendor_cmd_dump,
18836 		.flags = GENL_UNS_ADMIN_PERM,
18837 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18838 					 NL80211_FLAG_CLEAR_SKB),
18839 	},
18840 	{
18841 		.cmd = NL80211_CMD_SET_QOS_MAP,
18842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18843 		.doit = nl80211_set_qos_map,
18844 		.flags = GENL_UNS_ADMIN_PERM,
18845 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18846 	},
18847 	{
18848 		.cmd = NL80211_CMD_ADD_TX_TS,
18849 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18850 		.doit = nl80211_add_tx_ts,
18851 		.flags = GENL_UNS_ADMIN_PERM,
18852 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18853 					 NL80211_FLAG_MLO_UNSUPPORTED),
18854 	},
18855 	{
18856 		.cmd = NL80211_CMD_DEL_TX_TS,
18857 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18858 		.doit = nl80211_del_tx_ts,
18859 		.flags = GENL_UNS_ADMIN_PERM,
18860 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18861 	},
18862 	{
18863 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
18864 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18865 		.doit = nl80211_tdls_channel_switch,
18866 		.flags = GENL_UNS_ADMIN_PERM,
18867 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18868 	},
18869 	{
18870 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
18871 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18872 		.doit = nl80211_tdls_cancel_channel_switch,
18873 		.flags = GENL_UNS_ADMIN_PERM,
18874 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18875 	},
18876 	{
18877 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
18878 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18879 		.doit = nl80211_set_multicast_to_unicast,
18880 		.flags = GENL_UNS_ADMIN_PERM,
18881 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18882 	},
18883 	{
18884 		.cmd = NL80211_CMD_SET_PMK,
18885 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18886 		.doit = nl80211_set_pmk,
18887 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18888 					 NL80211_FLAG_CLEAR_SKB),
18889 	},
18890 	{
18891 		.cmd = NL80211_CMD_DEL_PMK,
18892 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18893 		.doit = nl80211_del_pmk,
18894 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18895 	},
18896 	{
18897 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
18898 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18899 		.doit = nl80211_external_auth,
18900 		.flags = GENL_ADMIN_PERM,
18901 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18902 	},
18903 	{
18904 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
18905 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18906 		.doit = nl80211_tx_control_port,
18907 		.flags = GENL_UNS_ADMIN_PERM,
18908 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18909 	},
18910 	{
18911 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
18912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18913 		.doit = nl80211_get_ftm_responder_stats,
18914 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18915 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18916 	},
18917 	{
18918 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
18919 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18920 		.doit = nl80211_pmsr_start,
18921 		.flags = GENL_UNS_ADMIN_PERM,
18922 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18923 	},
18924 	{
18925 		.cmd = NL80211_CMD_NOTIFY_RADAR,
18926 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18927 		.doit = nl80211_notify_radar_detection,
18928 		.flags = GENL_UNS_ADMIN_PERM,
18929 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18930 	},
18931 	{
18932 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
18933 		.doit = nl80211_update_owe_info,
18934 		.flags = GENL_ADMIN_PERM,
18935 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18936 	},
18937 	{
18938 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
18939 		.doit = nl80211_probe_mesh_link,
18940 		.flags = GENL_UNS_ADMIN_PERM,
18941 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18942 	},
18943 	{
18944 		.cmd = NL80211_CMD_SET_TID_CONFIG,
18945 		.doit = nl80211_set_tid_config,
18946 		.flags = GENL_UNS_ADMIN_PERM,
18947 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18948 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18949 	},
18950 	{
18951 		.cmd = NL80211_CMD_SET_SAR_SPECS,
18952 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18953 		.doit = nl80211_set_sar_specs,
18954 		.flags = GENL_UNS_ADMIN_PERM,
18955 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18956 					 NL80211_FLAG_NEED_RTNL),
18957 	},
18958 	{
18959 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
18960 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18961 		.doit = nl80211_color_change,
18962 		.flags = GENL_UNS_ADMIN_PERM,
18963 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18964 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18965 	},
18966 	{
18967 		.cmd = NL80211_CMD_SET_FILS_AAD,
18968 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18969 		.doit = nl80211_set_fils_aad,
18970 		.flags = GENL_UNS_ADMIN_PERM,
18971 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18972 	},
18973 	{
18974 		.cmd = NL80211_CMD_ADD_LINK,
18975 		.doit = nl80211_add_link,
18976 		.flags = GENL_UNS_ADMIN_PERM,
18977 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18978 	},
18979 	{
18980 		.cmd = NL80211_CMD_REMOVE_LINK,
18981 		.doit = nl80211_remove_link,
18982 		.flags = GENL_UNS_ADMIN_PERM,
18983 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18984 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18985 	},
18986 	{
18987 		.cmd = NL80211_CMD_ADD_LINK_STA,
18988 		.doit = nl80211_add_link_station,
18989 		.flags = GENL_UNS_ADMIN_PERM,
18990 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18991 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18992 	},
18993 	{
18994 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
18995 		.doit = nl80211_modify_link_station,
18996 		.flags = GENL_UNS_ADMIN_PERM,
18997 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18998 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18999 	},
19000 	{
19001 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
19002 		.doit = nl80211_remove_link_station,
19003 		.flags = GENL_UNS_ADMIN_PERM,
19004 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19005 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19006 	},
19007 	{
19008 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
19009 		.doit = nl80211_set_hw_timestamp,
19010 		.flags = GENL_UNS_ADMIN_PERM,
19011 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19012 	},
19013 	{
19014 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
19015 		.doit = nl80211_set_ttlm,
19016 		.flags = GENL_UNS_ADMIN_PERM,
19017 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19018 	},
19019 	{
19020 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19021 		.doit = nl80211_assoc_ml_reconf,
19022 		.flags = GENL_UNS_ADMIN_PERM,
19023 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19024 	},
19025 	{
19026 		.cmd = NL80211_CMD_EPCS_CFG,
19027 		.doit = nl80211_epcs_cfg,
19028 		.flags = GENL_UNS_ADMIN_PERM,
19029 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19030 	},
19031 };
19032 
19033 static struct genl_family nl80211_fam __ro_after_init = {
19034 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
19035 	.hdrsize = 0,			/* no private header */
19036 	.version = 1,			/* no particular meaning now */
19037 	.maxattr = NL80211_ATTR_MAX,
19038 	.policy = nl80211_policy,
19039 	.netnsok = true,
19040 	.pre_doit = nl80211_pre_doit,
19041 	.post_doit = nl80211_post_doit,
19042 	.module = THIS_MODULE,
19043 	.ops = nl80211_ops,
19044 	.n_ops = ARRAY_SIZE(nl80211_ops),
19045 	.small_ops = nl80211_small_ops,
19046 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
19047 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
19048 	.mcgrps = nl80211_mcgrps,
19049 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
19050 	.parallel_ops = true,
19051 };
19052 
19053 /* notification functions */
19054 
19055 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
19056 			  enum nl80211_commands cmd)
19057 {
19058 	struct sk_buff *msg;
19059 	struct nl80211_dump_wiphy_state state = {};
19060 
19061 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
19062 		cmd != NL80211_CMD_DEL_WIPHY);
19063 
19064 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19065 	if (!msg)
19066 		return;
19067 
19068 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
19069 		nlmsg_free(msg);
19070 		return;
19071 	}
19072 
19073 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19074 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19075 }
19076 
19077 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
19078 				struct wireless_dev *wdev,
19079 				enum nl80211_commands cmd)
19080 {
19081 	struct sk_buff *msg;
19082 
19083 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19084 	if (!msg)
19085 		return;
19086 
19087 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
19088 		nlmsg_free(msg);
19089 		return;
19090 	}
19091 
19092 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19093 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19094 }
19095 
19096 static int nl80211_add_scan_req(struct sk_buff *msg,
19097 				struct cfg80211_registered_device *rdev)
19098 {
19099 	struct cfg80211_scan_request_int *req = rdev->scan_req;
19100 	struct nlattr *nest;
19101 	int i;
19102 	struct cfg80211_scan_info *info;
19103 
19104 	if (WARN_ON(!req))
19105 		return 0;
19106 
19107 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
19108 	if (!nest)
19109 		goto nla_put_failure;
19110 	for (i = 0; i < req->req.n_ssids; i++) {
19111 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
19112 			    req->req.ssids[i].ssid))
19113 			goto nla_put_failure;
19114 	}
19115 	nla_nest_end(msg, nest);
19116 
19117 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
19118 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
19119 		if (!nest)
19120 			goto nla_put_failure;
19121 		for (i = 0; i < req->req.n_channels; i++) {
19122 			if (nla_put_u32(msg, i,
19123 					ieee80211_channel_to_khz(req->req.channels[i])))
19124 				goto nla_put_failure;
19125 		}
19126 		nla_nest_end(msg, nest);
19127 	} else {
19128 		nest = nla_nest_start_noflag(msg,
19129 					     NL80211_ATTR_SCAN_FREQUENCIES);
19130 		if (!nest)
19131 			goto nla_put_failure;
19132 		for (i = 0; i < req->req.n_channels; i++) {
19133 			if (nla_put_u32(msg, i,
19134 					req->req.channels[i]->center_freq))
19135 				goto nla_put_failure;
19136 		}
19137 		nla_nest_end(msg, nest);
19138 	}
19139 
19140 	if (req->req.ie &&
19141 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
19142 		goto nla_put_failure;
19143 
19144 	if (req->req.flags &&
19145 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
19146 		goto nla_put_failure;
19147 
19148 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
19149 		&rdev->scan_req->info;
19150 	if (info->scan_start_tsf &&
19151 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
19152 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
19153 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
19154 		     info->tsf_bssid)))
19155 		goto nla_put_failure;
19156 
19157 	return 0;
19158  nla_put_failure:
19159 	return -ENOBUFS;
19160 }
19161 
19162 static int nl80211_prep_scan_msg(struct sk_buff *msg,
19163 				 struct cfg80211_registered_device *rdev,
19164 				 struct wireless_dev *wdev,
19165 				 u32 portid, u32 seq, int flags,
19166 				 u32 cmd)
19167 {
19168 	void *hdr;
19169 
19170 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
19171 	if (!hdr)
19172 		return -1;
19173 
19174 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19175 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19176 					 wdev->netdev->ifindex)) ||
19177 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19178 			      NL80211_ATTR_PAD))
19179 		goto nla_put_failure;
19180 
19181 	/* ignore errors and send incomplete event anyway */
19182 	nl80211_add_scan_req(msg, rdev);
19183 
19184 	genlmsg_end(msg, hdr);
19185 	return 0;
19186 
19187  nla_put_failure:
19188 	genlmsg_cancel(msg, hdr);
19189 	return -EMSGSIZE;
19190 }
19191 
19192 static int
19193 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
19194 			    struct cfg80211_sched_scan_request *req, u32 cmd)
19195 {
19196 	void *hdr;
19197 
19198 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19199 	if (!hdr)
19200 		return -1;
19201 
19202 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
19203 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
19204 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
19205 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
19206 			      NL80211_ATTR_PAD))
19207 		goto nla_put_failure;
19208 
19209 	genlmsg_end(msg, hdr);
19210 	return 0;
19211 
19212  nla_put_failure:
19213 	genlmsg_cancel(msg, hdr);
19214 	return -EMSGSIZE;
19215 }
19216 
19217 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
19218 			     struct wireless_dev *wdev)
19219 {
19220 	struct sk_buff *msg;
19221 
19222 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19223 	if (!msg)
19224 		return;
19225 
19226 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19227 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
19228 		nlmsg_free(msg);
19229 		return;
19230 	}
19231 
19232 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19233 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19234 }
19235 
19236 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
19237 				       struct wireless_dev *wdev, bool aborted)
19238 {
19239 	struct sk_buff *msg;
19240 
19241 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19242 	if (!msg)
19243 		return NULL;
19244 
19245 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19246 				  aborted ? NL80211_CMD_SCAN_ABORTED :
19247 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
19248 		nlmsg_free(msg);
19249 		return NULL;
19250 	}
19251 
19252 	return msg;
19253 }
19254 
19255 /* send message created by nl80211_build_scan_msg() */
19256 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
19257 			   struct sk_buff *msg)
19258 {
19259 	if (!msg)
19260 		return;
19261 
19262 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19263 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19264 }
19265 
19266 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
19267 {
19268 	struct sk_buff *msg;
19269 
19270 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19271 	if (!msg)
19272 		return;
19273 
19274 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
19275 		nlmsg_free(msg);
19276 		return;
19277 	}
19278 
19279 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
19280 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19281 }
19282 
19283 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
19284 					  struct regulatory_request *request)
19285 {
19286 	/* Userspace can always count this one always being set */
19287 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
19288 		goto nla_put_failure;
19289 
19290 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
19291 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19292 			       NL80211_REGDOM_TYPE_WORLD))
19293 			goto nla_put_failure;
19294 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
19295 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19296 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
19297 			goto nla_put_failure;
19298 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
19299 		   request->intersect) {
19300 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19301 			       NL80211_REGDOM_TYPE_INTERSECTION))
19302 			goto nla_put_failure;
19303 	} else {
19304 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19305 			       NL80211_REGDOM_TYPE_COUNTRY) ||
19306 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
19307 				   request->alpha2))
19308 			goto nla_put_failure;
19309 	}
19310 
19311 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
19312 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
19313 
19314 		if (wiphy &&
19315 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
19316 			goto nla_put_failure;
19317 
19318 		if (wiphy &&
19319 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
19320 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
19321 			goto nla_put_failure;
19322 	}
19323 
19324 	return true;
19325 
19326 nla_put_failure:
19327 	return false;
19328 }
19329 
19330 /*
19331  * This can happen on global regulatory changes or device specific settings
19332  * based on custom regulatory domains.
19333  */
19334 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
19335 				     struct regulatory_request *request)
19336 {
19337 	struct sk_buff *msg;
19338 	void *hdr;
19339 
19340 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19341 	if (!msg)
19342 		return;
19343 
19344 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
19345 	if (!hdr)
19346 		goto nla_put_failure;
19347 
19348 	if (!nl80211_reg_change_event_fill(msg, request))
19349 		goto nla_put_failure;
19350 
19351 	genlmsg_end(msg, hdr);
19352 
19353 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19354 				NL80211_MCGRP_REGULATORY);
19355 
19356 	return;
19357 
19358 nla_put_failure:
19359 	nlmsg_free(msg);
19360 }
19361 
19362 struct nl80211_mlme_event {
19363 	enum nl80211_commands cmd;
19364 	const u8 *buf;
19365 	size_t buf_len;
19366 	int uapsd_queues;
19367 	const u8 *req_ies;
19368 	size_t req_ies_len;
19369 	bool reconnect;
19370 };
19371 
19372 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
19373 				    struct net_device *netdev,
19374 				    const struct nl80211_mlme_event *event,
19375 				    gfp_t gfp)
19376 {
19377 	struct sk_buff *msg;
19378 	void *hdr;
19379 
19380 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
19381 	if (!msg)
19382 		return;
19383 
19384 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
19385 	if (!hdr) {
19386 		nlmsg_free(msg);
19387 		return;
19388 	}
19389 
19390 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19391 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19392 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
19393 	    (event->req_ies &&
19394 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
19395 		     event->req_ies)))
19396 		goto nla_put_failure;
19397 
19398 	if (event->reconnect &&
19399 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
19400 		goto nla_put_failure;
19401 
19402 	if (event->uapsd_queues >= 0) {
19403 		struct nlattr *nla_wmm =
19404 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
19405 		if (!nla_wmm)
19406 			goto nla_put_failure;
19407 
19408 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
19409 			       event->uapsd_queues))
19410 			goto nla_put_failure;
19411 
19412 		nla_nest_end(msg, nla_wmm);
19413 	}
19414 
19415 	genlmsg_end(msg, hdr);
19416 
19417 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19418 				NL80211_MCGRP_MLME, gfp);
19419 	return;
19420 
19421  nla_put_failure:
19422 	nlmsg_free(msg);
19423 }
19424 
19425 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
19426 			  struct net_device *netdev, const u8 *buf,
19427 			  size_t len, gfp_t gfp)
19428 {
19429 	struct nl80211_mlme_event event = {
19430 		.cmd = NL80211_CMD_AUTHENTICATE,
19431 		.buf = buf,
19432 		.buf_len = len,
19433 		.uapsd_queues = -1,
19434 	};
19435 
19436 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19437 }
19438 
19439 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
19440 			   struct net_device *netdev,
19441 			   const struct cfg80211_rx_assoc_resp_data *data)
19442 {
19443 	struct nl80211_mlme_event event = {
19444 		.cmd = NL80211_CMD_ASSOCIATE,
19445 		.buf = data->buf,
19446 		.buf_len = data->len,
19447 		.uapsd_queues = data->uapsd_queues,
19448 		.req_ies = data->req_ies,
19449 		.req_ies_len = data->req_ies_len,
19450 	};
19451 
19452 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
19453 }
19454 
19455 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
19456 			 struct net_device *netdev, const u8 *buf,
19457 			 size_t len, bool reconnect, gfp_t gfp)
19458 {
19459 	struct nl80211_mlme_event event = {
19460 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19461 		.buf = buf,
19462 		.buf_len = len,
19463 		.reconnect = reconnect,
19464 		.uapsd_queues = -1,
19465 	};
19466 
19467 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19468 }
19469 
19470 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
19471 			   struct net_device *netdev, const u8 *buf,
19472 			   size_t len, bool reconnect, gfp_t gfp)
19473 {
19474 	struct nl80211_mlme_event event = {
19475 		.cmd = NL80211_CMD_DISASSOCIATE,
19476 		.buf = buf,
19477 		.buf_len = len,
19478 		.reconnect = reconnect,
19479 		.uapsd_queues = -1,
19480 	};
19481 
19482 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19483 }
19484 
19485 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
19486 				  size_t len)
19487 {
19488 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19489 	struct wiphy *wiphy = wdev->wiphy;
19490 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19491 	const struct ieee80211_mgmt *mgmt = (void *)buf;
19492 	struct nl80211_mlme_event event = {
19493 		.buf = buf,
19494 		.buf_len = len,
19495 		.uapsd_queues = -1,
19496 	};
19497 
19498 	if (WARN_ON(len < 2))
19499 		return;
19500 
19501 	if (ieee80211_is_deauth(mgmt->frame_control)) {
19502 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
19503 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
19504 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
19505 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
19506 		if (wdev->unprot_beacon_reported &&
19507 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
19508 			return;
19509 		event.cmd = NL80211_CMD_UNPROT_BEACON;
19510 		wdev->unprot_beacon_reported = jiffies;
19511 	} else {
19512 		return;
19513 	}
19514 
19515 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
19516 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
19517 }
19518 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
19519 
19520 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
19521 				      struct net_device *netdev, int cmd,
19522 				      const u8 *addr, gfp_t gfp)
19523 {
19524 	struct sk_buff *msg;
19525 	void *hdr;
19526 
19527 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19528 	if (!msg)
19529 		return;
19530 
19531 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19532 	if (!hdr) {
19533 		nlmsg_free(msg);
19534 		return;
19535 	}
19536 
19537 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19538 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19539 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19540 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19541 		goto nla_put_failure;
19542 
19543 	genlmsg_end(msg, hdr);
19544 
19545 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19546 				NL80211_MCGRP_MLME, gfp);
19547 	return;
19548 
19549  nla_put_failure:
19550 	nlmsg_free(msg);
19551 }
19552 
19553 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
19554 			       struct net_device *netdev, const u8 *addr,
19555 			       gfp_t gfp)
19556 {
19557 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
19558 				  addr, gfp);
19559 }
19560 
19561 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
19562 				struct net_device *netdev, const u8 *addr,
19563 				gfp_t gfp)
19564 {
19565 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
19566 				  addr, gfp);
19567 }
19568 
19569 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
19570 				 struct net_device *netdev,
19571 				 struct cfg80211_connect_resp_params *cr,
19572 				 gfp_t gfp)
19573 {
19574 	struct sk_buff *msg;
19575 	void *hdr;
19576 	unsigned int link;
19577 	size_t link_info_size = 0;
19578 	const u8 *connected_addr = cr->valid_links ?
19579 				   cr->ap_mld_addr : cr->links[0].bssid;
19580 
19581 	if (cr->valid_links) {
19582 		for_each_valid_link(cr, link) {
19583 			/* Nested attribute header */
19584 			link_info_size += NLA_HDRLEN;
19585 			/* Link ID */
19586 			link_info_size += nla_total_size(sizeof(u8));
19587 			link_info_size += cr->links[link].addr ?
19588 					  nla_total_size(ETH_ALEN) : 0;
19589 			link_info_size += (cr->links[link].bssid ||
19590 					   cr->links[link].bss) ?
19591 					  nla_total_size(ETH_ALEN) : 0;
19592 			link_info_size += nla_total_size(sizeof(u16));
19593 		}
19594 	}
19595 
19596 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
19597 			cr->fils.kek_len + cr->fils.pmk_len +
19598 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
19599 			gfp);
19600 	if (!msg)
19601 		return;
19602 
19603 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
19604 	if (!hdr) {
19605 		nlmsg_free(msg);
19606 		return;
19607 	}
19608 
19609 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19610 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19611 	    (connected_addr &&
19612 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
19613 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19614 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
19615 			cr->status) ||
19616 	    (cr->status < 0 &&
19617 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19618 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
19619 			  cr->timeout_reason))) ||
19620 	    (cr->req_ie &&
19621 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
19622 	    (cr->resp_ie &&
19623 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
19624 		     cr->resp_ie)) ||
19625 	    (cr->fils.update_erp_next_seq_num &&
19626 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19627 			 cr->fils.erp_next_seq_num)) ||
19628 	    (cr->status == WLAN_STATUS_SUCCESS &&
19629 	     ((cr->fils.kek &&
19630 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
19631 		       cr->fils.kek)) ||
19632 	      (cr->fils.pmk &&
19633 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
19634 	      (cr->fils.pmkid &&
19635 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
19636 		goto nla_put_failure;
19637 
19638 	if (cr->valid_links) {
19639 		int i = 1;
19640 		struct nlattr *nested;
19641 
19642 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19643 		if (!nested)
19644 			goto nla_put_failure;
19645 
19646 		for_each_valid_link(cr, link) {
19647 			struct nlattr *nested_mlo_links;
19648 			const u8 *bssid = cr->links[link].bss ?
19649 					  cr->links[link].bss->bssid :
19650 					  cr->links[link].bssid;
19651 
19652 			nested_mlo_links = nla_nest_start(msg, i);
19653 			if (!nested_mlo_links)
19654 				goto nla_put_failure;
19655 
19656 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19657 			    (bssid &&
19658 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19659 			    (cr->links[link].addr &&
19660 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19661 				     cr->links[link].addr)) ||
19662 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19663 					cr->links[link].status))
19664 				goto nla_put_failure;
19665 
19666 			nla_nest_end(msg, nested_mlo_links);
19667 			i++;
19668 		}
19669 		nla_nest_end(msg, nested);
19670 	}
19671 
19672 	genlmsg_end(msg, hdr);
19673 
19674 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19675 				NL80211_MCGRP_MLME, gfp);
19676 	return;
19677 
19678  nla_put_failure:
19679 	nlmsg_free(msg);
19680 }
19681 
19682 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
19683 			 struct net_device *netdev,
19684 			 struct cfg80211_roam_info *info, gfp_t gfp)
19685 {
19686 	struct sk_buff *msg;
19687 	void *hdr;
19688 	size_t link_info_size = 0;
19689 	unsigned int link;
19690 	const u8 *connected_addr = info->ap_mld_addr ?
19691 				   info->ap_mld_addr :
19692 				   (info->links[0].bss ?
19693 				    info->links[0].bss->bssid :
19694 				    info->links[0].bssid);
19695 
19696 	if (info->valid_links) {
19697 		for_each_valid_link(info, link) {
19698 			/* Nested attribute header */
19699 			link_info_size += NLA_HDRLEN;
19700 			/* Link ID */
19701 			link_info_size += nla_total_size(sizeof(u8));
19702 			link_info_size += info->links[link].addr ?
19703 					  nla_total_size(ETH_ALEN) : 0;
19704 			link_info_size += (info->links[link].bssid ||
19705 					   info->links[link].bss) ?
19706 					  nla_total_size(ETH_ALEN) : 0;
19707 		}
19708 	}
19709 
19710 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
19711 			info->fils.kek_len + info->fils.pmk_len +
19712 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
19713 			link_info_size, gfp);
19714 	if (!msg)
19715 		return;
19716 
19717 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
19718 	if (!hdr) {
19719 		nlmsg_free(msg);
19720 		return;
19721 	}
19722 
19723 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19724 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19725 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
19726 	    (info->req_ie &&
19727 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
19728 		     info->req_ie)) ||
19729 	    (info->resp_ie &&
19730 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
19731 		     info->resp_ie)) ||
19732 	    (info->fils.update_erp_next_seq_num &&
19733 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19734 			 info->fils.erp_next_seq_num)) ||
19735 	    (info->fils.kek &&
19736 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
19737 		     info->fils.kek)) ||
19738 	    (info->fils.pmk &&
19739 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
19740 	    (info->fils.pmkid &&
19741 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
19742 		goto nla_put_failure;
19743 
19744 	if (info->valid_links) {
19745 		int i = 1;
19746 		struct nlattr *nested;
19747 
19748 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19749 		if (!nested)
19750 			goto nla_put_failure;
19751 
19752 		for_each_valid_link(info, link) {
19753 			struct nlattr *nested_mlo_links;
19754 			const u8 *bssid = info->links[link].bss ?
19755 					  info->links[link].bss->bssid :
19756 					  info->links[link].bssid;
19757 
19758 			nested_mlo_links = nla_nest_start(msg, i);
19759 			if (!nested_mlo_links)
19760 				goto nla_put_failure;
19761 
19762 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19763 			    (bssid &&
19764 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19765 			    (info->links[link].addr &&
19766 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19767 				     info->links[link].addr)))
19768 				goto nla_put_failure;
19769 
19770 			nla_nest_end(msg, nested_mlo_links);
19771 			i++;
19772 		}
19773 		nla_nest_end(msg, nested);
19774 	}
19775 
19776 	genlmsg_end(msg, hdr);
19777 
19778 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19779 				NL80211_MCGRP_MLME, gfp);
19780 	return;
19781 
19782  nla_put_failure:
19783 	nlmsg_free(msg);
19784 }
19785 
19786 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
19787 				  struct net_device *netdev, const u8 *peer_addr,
19788 				  const u8 *td_bitmap, u8 td_bitmap_len)
19789 {
19790 	struct sk_buff *msg;
19791 	void *hdr;
19792 
19793 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19794 	if (!msg)
19795 		return;
19796 
19797 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
19798 	if (!hdr) {
19799 		nlmsg_free(msg);
19800 		return;
19801 	}
19802 
19803 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19804 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19805 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
19806 		goto nla_put_failure;
19807 
19808 	if (td_bitmap_len > 0 && td_bitmap &&
19809 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
19810 		goto nla_put_failure;
19811 
19812 	genlmsg_end(msg, hdr);
19813 
19814 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19815 				NL80211_MCGRP_MLME, GFP_KERNEL);
19816 	return;
19817 
19818  nla_put_failure:
19819 	nlmsg_free(msg);
19820 }
19821 
19822 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
19823 			       struct net_device *netdev, u16 reason,
19824 			       const u8 *ie, size_t ie_len, bool from_ap)
19825 {
19826 	struct sk_buff *msg;
19827 	void *hdr;
19828 
19829 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
19830 	if (!msg)
19831 		return;
19832 
19833 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
19834 	if (!hdr) {
19835 		nlmsg_free(msg);
19836 		return;
19837 	}
19838 
19839 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19840 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19841 	    (reason &&
19842 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
19843 	    (from_ap &&
19844 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
19845 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
19846 		goto nla_put_failure;
19847 
19848 	genlmsg_end(msg, hdr);
19849 
19850 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19851 				NL80211_MCGRP_MLME, GFP_KERNEL);
19852 	return;
19853 
19854  nla_put_failure:
19855 	nlmsg_free(msg);
19856 }
19857 
19858 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
19859 {
19860 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19861 	struct wiphy *wiphy = wdev->wiphy;
19862 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19863 	struct sk_buff *msg;
19864 	struct nlattr *links;
19865 	void *hdr;
19866 
19867 	lockdep_assert_wiphy(wdev->wiphy);
19868 	trace_cfg80211_links_removed(dev, link_mask);
19869 
19870 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
19871 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
19872 		return;
19873 
19874 	if (WARN_ON(!wdev->valid_links || !link_mask ||
19875 		    (wdev->valid_links & link_mask) != link_mask ||
19876 		    wdev->valid_links == link_mask))
19877 		return;
19878 
19879 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
19880 	wdev->valid_links &= ~link_mask;
19881 
19882 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19883 	if (!msg)
19884 		return;
19885 
19886 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
19887 	if (!hdr) {
19888 		nlmsg_free(msg);
19889 		return;
19890 	}
19891 
19892 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19893 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19894 		goto nla_put_failure;
19895 
19896 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19897 	if (!links)
19898 		goto nla_put_failure;
19899 
19900 	while (link_mask) {
19901 		struct nlattr *link;
19902 		int link_id = __ffs(link_mask);
19903 
19904 		link = nla_nest_start(msg, link_id + 1);
19905 		if (!link)
19906 			goto nla_put_failure;
19907 
19908 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19909 			goto nla_put_failure;
19910 
19911 		nla_nest_end(msg, link);
19912 		link_mask &= ~(1 << link_id);
19913 	}
19914 
19915 	nla_nest_end(msg, links);
19916 
19917 	genlmsg_end(msg, hdr);
19918 
19919 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19920 				NL80211_MCGRP_MLME, GFP_KERNEL);
19921 	return;
19922 
19923  nla_put_failure:
19924 	nlmsg_free(msg);
19925 }
19926 EXPORT_SYMBOL(cfg80211_links_removed);
19927 
19928 void nl80211_mlo_reconf_add_done(struct net_device *dev,
19929 				 struct cfg80211_mlo_reconf_done_data *data)
19930 {
19931 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19932 	struct wiphy *wiphy = wdev->wiphy;
19933 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19934 	struct nl80211_mlme_event event = {
19935 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19936 		.buf = data->buf,
19937 		.buf_len = data->len,
19938 		.uapsd_queues = -1,
19939 	};
19940 
19941 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
19942 }
19943 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
19944 
19945 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
19946 			     struct net_device *netdev, const u8 *bssid,
19947 			     gfp_t gfp)
19948 {
19949 	struct sk_buff *msg;
19950 	void *hdr;
19951 
19952 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19953 	if (!msg)
19954 		return;
19955 
19956 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
19957 	if (!hdr) {
19958 		nlmsg_free(msg);
19959 		return;
19960 	}
19961 
19962 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19963 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19964 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19965 		goto nla_put_failure;
19966 
19967 	genlmsg_end(msg, hdr);
19968 
19969 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19970 				NL80211_MCGRP_MLME, gfp);
19971 	return;
19972 
19973  nla_put_failure:
19974 	nlmsg_free(msg);
19975 }
19976 
19977 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
19978 					const u8 *ie, u8 ie_len,
19979 					int sig_dbm, gfp_t gfp)
19980 {
19981 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19982 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19983 	struct sk_buff *msg;
19984 	void *hdr;
19985 
19986 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
19987 		return;
19988 
19989 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
19990 
19991 	msg = nlmsg_new(100 + ie_len, gfp);
19992 	if (!msg)
19993 		return;
19994 
19995 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
19996 	if (!hdr) {
19997 		nlmsg_free(msg);
19998 		return;
19999 	}
20000 
20001 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20002 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20003 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20004 	    (ie_len && ie &&
20005 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
20006 	    (sig_dbm &&
20007 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
20008 		goto nla_put_failure;
20009 
20010 	genlmsg_end(msg, hdr);
20011 
20012 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20013 				NL80211_MCGRP_MLME, gfp);
20014 	return;
20015 
20016  nla_put_failure:
20017 	nlmsg_free(msg);
20018 }
20019 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
20020 
20021 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
20022 				 struct net_device *netdev, const u8 *addr,
20023 				 enum nl80211_key_type key_type, int key_id,
20024 				 const u8 *tsc, gfp_t gfp)
20025 {
20026 	struct sk_buff *msg;
20027 	void *hdr;
20028 
20029 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20030 	if (!msg)
20031 		return;
20032 
20033 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
20034 	if (!hdr) {
20035 		nlmsg_free(msg);
20036 		return;
20037 	}
20038 
20039 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20040 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20041 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
20042 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
20043 	    (key_id != -1 &&
20044 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
20045 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
20046 		goto nla_put_failure;
20047 
20048 	genlmsg_end(msg, hdr);
20049 
20050 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20051 				NL80211_MCGRP_MLME, gfp);
20052 	return;
20053 
20054  nla_put_failure:
20055 	nlmsg_free(msg);
20056 }
20057 
20058 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
20059 				    struct ieee80211_channel *channel_before,
20060 				    struct ieee80211_channel *channel_after)
20061 {
20062 	struct sk_buff *msg;
20063 	void *hdr;
20064 	struct nlattr *nl_freq;
20065 
20066 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
20067 	if (!msg)
20068 		return;
20069 
20070 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
20071 	if (!hdr) {
20072 		nlmsg_free(msg);
20073 		return;
20074 	}
20075 
20076 	/*
20077 	 * Since we are applying the beacon hint to a wiphy we know its
20078 	 * wiphy_idx is valid
20079 	 */
20080 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
20081 		goto nla_put_failure;
20082 
20083 	/* Before */
20084 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
20085 	if (!nl_freq)
20086 		goto nla_put_failure;
20087 
20088 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
20089 		goto nla_put_failure;
20090 	nla_nest_end(msg, nl_freq);
20091 
20092 	/* After */
20093 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
20094 	if (!nl_freq)
20095 		goto nla_put_failure;
20096 
20097 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
20098 		goto nla_put_failure;
20099 	nla_nest_end(msg, nl_freq);
20100 
20101 	genlmsg_end(msg, hdr);
20102 
20103 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20104 				NL80211_MCGRP_REGULATORY);
20105 
20106 	return;
20107 
20108 nla_put_failure:
20109 	nlmsg_free(msg);
20110 }
20111 
20112 static void nl80211_send_remain_on_chan_event(
20113 	int cmd, struct cfg80211_registered_device *rdev,
20114 	struct wireless_dev *wdev, u64 cookie,
20115 	struct ieee80211_channel *chan,
20116 	unsigned int duration, gfp_t gfp)
20117 {
20118 	struct sk_buff *msg;
20119 	void *hdr;
20120 
20121 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20122 	if (!msg)
20123 		return;
20124 
20125 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20126 	if (!hdr) {
20127 		nlmsg_free(msg);
20128 		return;
20129 	}
20130 
20131 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20132 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20133 					 wdev->netdev->ifindex)) ||
20134 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20135 			      NL80211_ATTR_PAD) ||
20136 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
20137 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
20138 			NL80211_CHAN_NO_HT) ||
20139 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
20140 			      NL80211_ATTR_PAD))
20141 		goto nla_put_failure;
20142 
20143 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
20144 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
20145 		goto nla_put_failure;
20146 
20147 	genlmsg_end(msg, hdr);
20148 
20149 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20150 				NL80211_MCGRP_MLME, gfp);
20151 	return;
20152 
20153  nla_put_failure:
20154 	nlmsg_free(msg);
20155 }
20156 
20157 void cfg80211_assoc_comeback(struct net_device *netdev,
20158 			     const u8 *ap_addr, u32 timeout)
20159 {
20160 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20161 	struct wiphy *wiphy = wdev->wiphy;
20162 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20163 	struct sk_buff *msg;
20164 	void *hdr;
20165 
20166 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
20167 
20168 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20169 	if (!msg)
20170 		return;
20171 
20172 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
20173 	if (!hdr) {
20174 		nlmsg_free(msg);
20175 		return;
20176 	}
20177 
20178 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20179 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20180 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
20181 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
20182 		goto nla_put_failure;
20183 
20184 	genlmsg_end(msg, hdr);
20185 
20186 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20187 				NL80211_MCGRP_MLME, GFP_KERNEL);
20188 	return;
20189 
20190  nla_put_failure:
20191 	nlmsg_free(msg);
20192 }
20193 EXPORT_SYMBOL(cfg80211_assoc_comeback);
20194 
20195 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
20196 			       struct ieee80211_channel *chan,
20197 			       unsigned int duration, gfp_t gfp)
20198 {
20199 	struct wiphy *wiphy = wdev->wiphy;
20200 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20201 
20202 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
20203 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
20204 					  rdev, wdev, cookie, chan,
20205 					  duration, gfp);
20206 }
20207 EXPORT_SYMBOL(cfg80211_ready_on_channel);
20208 
20209 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
20210 					struct ieee80211_channel *chan,
20211 					gfp_t gfp)
20212 {
20213 	struct wiphy *wiphy = wdev->wiphy;
20214 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20215 
20216 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
20217 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
20218 					  rdev, wdev, cookie, chan, 0, gfp);
20219 }
20220 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
20221 
20222 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
20223 					struct ieee80211_channel *chan,
20224 					gfp_t gfp)
20225 {
20226 	struct wiphy *wiphy = wdev->wiphy;
20227 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20228 
20229 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
20230 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
20231 					  rdev, wdev, cookie, chan, 0, gfp);
20232 }
20233 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
20234 
20235 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
20236 		      struct station_info *sinfo, gfp_t gfp)
20237 {
20238 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20239 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20240 	struct sk_buff *msg;
20241 
20242 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
20243 
20244 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20245 	if (!msg)
20246 		return;
20247 
20248 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
20249 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20250 		nlmsg_free(msg);
20251 		return;
20252 	}
20253 
20254 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20255 				NL80211_MCGRP_MLME, gfp);
20256 }
20257 EXPORT_SYMBOL(cfg80211_new_sta);
20258 
20259 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
20260 			    struct station_info *sinfo, gfp_t gfp)
20261 {
20262 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20263 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20264 	struct sk_buff *msg;
20265 	struct station_info empty_sinfo = {};
20266 
20267 	if (!sinfo)
20268 		sinfo = &empty_sinfo;
20269 
20270 	trace_cfg80211_del_sta(dev, mac_addr);
20271 
20272 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20273 	if (!msg) {
20274 		cfg80211_sinfo_release_content(sinfo);
20275 		return;
20276 	}
20277 
20278 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
20279 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20280 		nlmsg_free(msg);
20281 		return;
20282 	}
20283 
20284 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20285 				NL80211_MCGRP_MLME, gfp);
20286 }
20287 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
20288 
20289 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
20290 			  enum nl80211_connect_failed_reason reason,
20291 			  gfp_t gfp)
20292 {
20293 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20294 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20295 	struct sk_buff *msg;
20296 	void *hdr;
20297 
20298 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
20299 	if (!msg)
20300 		return;
20301 
20302 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
20303 	if (!hdr) {
20304 		nlmsg_free(msg);
20305 		return;
20306 	}
20307 
20308 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20309 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
20310 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
20311 		goto nla_put_failure;
20312 
20313 	genlmsg_end(msg, hdr);
20314 
20315 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20316 				NL80211_MCGRP_MLME, gfp);
20317 	return;
20318 
20319  nla_put_failure:
20320 	nlmsg_free(msg);
20321 }
20322 EXPORT_SYMBOL(cfg80211_conn_failed);
20323 
20324 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
20325 				       const u8 *addr, int link_id, gfp_t gfp)
20326 {
20327 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20328 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20329 	struct sk_buff *msg;
20330 	void *hdr;
20331 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
20332 
20333 	if (!nlportid)
20334 		return false;
20335 
20336 	msg = nlmsg_new(100, gfp);
20337 	if (!msg)
20338 		return true;
20339 
20340 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20341 	if (!hdr) {
20342 		nlmsg_free(msg);
20343 		return true;
20344 	}
20345 
20346 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20347 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20348 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20349 	    (link_id >= 0 &&
20350 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20351 		goto nla_put_failure;
20352 
20353 	genlmsg_end(msg, hdr);
20354 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20355 	return true;
20356 
20357  nla_put_failure:
20358 	nlmsg_free(msg);
20359 	return true;
20360 }
20361 
20362 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
20363 				int link_id, gfp_t gfp)
20364 {
20365 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20366 	bool ret;
20367 
20368 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
20369 
20370 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20371 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
20372 		trace_cfg80211_return_bool(false);
20373 		return false;
20374 	}
20375 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
20376 					 addr, link_id, gfp);
20377 	trace_cfg80211_return_bool(ret);
20378 	return ret;
20379 }
20380 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
20381 
20382 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
20383 					int link_id, gfp_t gfp)
20384 {
20385 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20386 	bool ret;
20387 
20388 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
20389 
20390 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20391 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
20392 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
20393 		trace_cfg80211_return_bool(false);
20394 		return false;
20395 	}
20396 	ret = __nl80211_unexpected_frame(dev,
20397 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
20398 					 addr, link_id, gfp);
20399 	trace_cfg80211_return_bool(ret);
20400 	return ret;
20401 }
20402 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
20403 
20404 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
20405 		      struct wireless_dev *wdev, u32 nlportid,
20406 		      struct cfg80211_rx_info *info, gfp_t gfp)
20407 {
20408 	struct net_device *netdev = wdev->netdev;
20409 	struct sk_buff *msg;
20410 	void *hdr;
20411 
20412 	msg = nlmsg_new(100 + info->len, gfp);
20413 	if (!msg)
20414 		return -ENOMEM;
20415 
20416 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20417 	if (!hdr) {
20418 		nlmsg_free(msg);
20419 		return -ENOMEM;
20420 	}
20421 
20422 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20423 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20424 					netdev->ifindex)) ||
20425 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20426 			      NL80211_ATTR_PAD) ||
20427 	    (info->have_link_id &&
20428 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
20429 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
20430 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
20431 	    (info->sig_dbm &&
20432 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
20433 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
20434 	    (info->flags &&
20435 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
20436 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
20437 						  NL80211_ATTR_RX_HW_TIMESTAMP,
20438 						  info->rx_tstamp,
20439 						  NL80211_ATTR_PAD)) ||
20440 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
20441 						   NL80211_ATTR_TX_HW_TIMESTAMP,
20442 						   info->ack_tstamp,
20443 						   NL80211_ATTR_PAD)))
20444 		goto nla_put_failure;
20445 
20446 	genlmsg_end(msg, hdr);
20447 
20448 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20449 
20450  nla_put_failure:
20451 	nlmsg_free(msg);
20452 	return -ENOBUFS;
20453 }
20454 
20455 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
20456 				    struct cfg80211_tx_status *status,
20457 				    gfp_t gfp, enum nl80211_commands command)
20458 {
20459 	struct wiphy *wiphy = wdev->wiphy;
20460 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20461 	struct net_device *netdev = wdev->netdev;
20462 	struct sk_buff *msg;
20463 	void *hdr;
20464 
20465 	if (command == NL80211_CMD_FRAME_TX_STATUS)
20466 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
20467 					      status->ack);
20468 	else
20469 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
20470 						      status->ack);
20471 
20472 	msg = nlmsg_new(100 + status->len, gfp);
20473 	if (!msg)
20474 		return;
20475 
20476 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
20477 	if (!hdr) {
20478 		nlmsg_free(msg);
20479 		return;
20480 	}
20481 
20482 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20483 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20484 				   netdev->ifindex)) ||
20485 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20486 			      NL80211_ATTR_PAD) ||
20487 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
20488 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
20489 			      NL80211_ATTR_PAD) ||
20490 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20491 	    (status->tx_tstamp &&
20492 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
20493 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
20494 	    (status->ack_tstamp &&
20495 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
20496 			       status->ack_tstamp, NL80211_ATTR_PAD)))
20497 		goto nla_put_failure;
20498 
20499 	genlmsg_end(msg, hdr);
20500 
20501 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20502 				NL80211_MCGRP_MLME, gfp);
20503 	return;
20504 
20505 nla_put_failure:
20506 	nlmsg_free(msg);
20507 }
20508 
20509 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
20510 				     const u8 *buf, size_t len, bool ack,
20511 				     gfp_t gfp)
20512 {
20513 	struct cfg80211_tx_status status = {
20514 		.cookie = cookie,
20515 		.buf = buf,
20516 		.len = len,
20517 		.ack = ack
20518 	};
20519 
20520 	nl80211_frame_tx_status(wdev, &status, gfp,
20521 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
20522 }
20523 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
20524 
20525 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
20526 				 struct cfg80211_tx_status *status, gfp_t gfp)
20527 {
20528 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
20529 }
20530 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
20531 
20532 static int __nl80211_rx_control_port(struct net_device *dev,
20533 				     struct sk_buff *skb,
20534 				     bool unencrypted,
20535 				     int link_id,
20536 				     gfp_t gfp)
20537 {
20538 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20539 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20540 	struct ethhdr *ehdr = eth_hdr(skb);
20541 	const u8 *addr = ehdr->h_source;
20542 	u16 proto = be16_to_cpu(skb->protocol);
20543 	struct sk_buff *msg;
20544 	void *hdr;
20545 	struct nlattr *frame;
20546 
20547 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
20548 
20549 	if (!nlportid)
20550 		return -ENOENT;
20551 
20552 	msg = nlmsg_new(100 + skb->len, gfp);
20553 	if (!msg)
20554 		return -ENOMEM;
20555 
20556 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
20557 	if (!hdr) {
20558 		nlmsg_free(msg);
20559 		return -ENOBUFS;
20560 	}
20561 
20562 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20563 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20564 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20565 			      NL80211_ATTR_PAD) ||
20566 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20567 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
20568 	    (link_id >= 0 &&
20569 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
20570 	    (unencrypted && nla_put_flag(msg,
20571 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
20572 		goto nla_put_failure;
20573 
20574 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
20575 	if (!frame)
20576 		goto nla_put_failure;
20577 
20578 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
20579 	genlmsg_end(msg, hdr);
20580 
20581 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20582 
20583  nla_put_failure:
20584 	nlmsg_free(msg);
20585 	return -ENOBUFS;
20586 }
20587 
20588 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
20589 			      bool unencrypted, int link_id)
20590 {
20591 	int ret;
20592 
20593 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
20594 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
20595 					GFP_ATOMIC);
20596 	trace_cfg80211_return_bool(ret == 0);
20597 	return ret == 0;
20598 }
20599 EXPORT_SYMBOL(cfg80211_rx_control_port);
20600 
20601 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
20602 					    const char *mac, gfp_t gfp)
20603 {
20604 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20605 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20606 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20607 	void **cb;
20608 
20609 	if (!msg)
20610 		return NULL;
20611 
20612 	cb = (void **)msg->cb;
20613 
20614 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
20615 	if (!cb[0]) {
20616 		nlmsg_free(msg);
20617 		return NULL;
20618 	}
20619 
20620 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20621 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20622 		goto nla_put_failure;
20623 
20624 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20625 		goto nla_put_failure;
20626 
20627 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
20628 	if (!cb[1])
20629 		goto nla_put_failure;
20630 
20631 	cb[2] = rdev;
20632 
20633 	return msg;
20634  nla_put_failure:
20635 	nlmsg_free(msg);
20636 	return NULL;
20637 }
20638 
20639 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
20640 {
20641 	void **cb = (void **)msg->cb;
20642 	struct cfg80211_registered_device *rdev = cb[2];
20643 
20644 	nla_nest_end(msg, cb[1]);
20645 	genlmsg_end(msg, cb[0]);
20646 
20647 	memset(msg->cb, 0, sizeof(msg->cb));
20648 
20649 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20650 				NL80211_MCGRP_MLME, gfp);
20651 }
20652 
20653 void cfg80211_cqm_rssi_notify(struct net_device *dev,
20654 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
20655 			      s32 rssi_level, gfp_t gfp)
20656 {
20657 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20658 	struct cfg80211_cqm_config *cqm_config;
20659 
20660 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
20661 
20662 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
20663 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
20664 		return;
20665 
20666 	rcu_read_lock();
20667 	cqm_config = rcu_dereference(wdev->cqm_config);
20668 	if (cqm_config) {
20669 		cqm_config->last_rssi_event_value = rssi_level;
20670 		cqm_config->last_rssi_event_type = rssi_event;
20671 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
20672 	}
20673 	rcu_read_unlock();
20674 }
20675 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
20676 
20677 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
20678 {
20679 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
20680 						 cqm_rssi_work);
20681 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20682 	enum nl80211_cqm_rssi_threshold_event rssi_event;
20683 	struct cfg80211_cqm_config *cqm_config;
20684 	struct sk_buff *msg;
20685 	s32 rssi_level;
20686 
20687 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
20688 	if (!cqm_config)
20689 		return;
20690 
20691 	if (cqm_config->use_range_api)
20692 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
20693 
20694 	rssi_level = cqm_config->last_rssi_event_value;
20695 	rssi_event = cqm_config->last_rssi_event_type;
20696 
20697 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
20698 	if (!msg)
20699 		return;
20700 
20701 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
20702 			rssi_event))
20703 		goto nla_put_failure;
20704 
20705 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
20706 				      rssi_level))
20707 		goto nla_put_failure;
20708 
20709 	cfg80211_send_cqm(msg, GFP_KERNEL);
20710 
20711 	return;
20712 
20713  nla_put_failure:
20714 	nlmsg_free(msg);
20715 }
20716 
20717 void cfg80211_cqm_txe_notify(struct net_device *dev,
20718 			     const u8 *peer, u32 num_packets,
20719 			     u32 rate, u32 intvl, gfp_t gfp)
20720 {
20721 	struct sk_buff *msg;
20722 
20723 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20724 	if (!msg)
20725 		return;
20726 
20727 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
20728 		goto nla_put_failure;
20729 
20730 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
20731 		goto nla_put_failure;
20732 
20733 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
20734 		goto nla_put_failure;
20735 
20736 	cfg80211_send_cqm(msg, gfp);
20737 	return;
20738 
20739  nla_put_failure:
20740 	nlmsg_free(msg);
20741 }
20742 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
20743 
20744 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
20745 				 const u8 *peer, u32 num_packets, gfp_t gfp)
20746 {
20747 	struct sk_buff *msg;
20748 
20749 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
20750 
20751 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20752 	if (!msg)
20753 		return;
20754 
20755 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
20756 		goto nla_put_failure;
20757 
20758 	cfg80211_send_cqm(msg, gfp);
20759 	return;
20760 
20761  nla_put_failure:
20762 	nlmsg_free(msg);
20763 }
20764 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
20765 
20766 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
20767 {
20768 	struct sk_buff *msg;
20769 
20770 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
20771 	if (!msg)
20772 		return;
20773 
20774 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
20775 		goto nla_put_failure;
20776 
20777 	cfg80211_send_cqm(msg, gfp);
20778 	return;
20779 
20780  nla_put_failure:
20781 	nlmsg_free(msg);
20782 }
20783 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
20784 
20785 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
20786 				     struct net_device *netdev, const u8 *bssid,
20787 				     const u8 *replay_ctr, gfp_t gfp)
20788 {
20789 	struct sk_buff *msg;
20790 	struct nlattr *rekey_attr;
20791 	void *hdr;
20792 
20793 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20794 	if (!msg)
20795 		return;
20796 
20797 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
20798 	if (!hdr) {
20799 		nlmsg_free(msg);
20800 		return;
20801 	}
20802 
20803 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20804 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20805 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20806 		goto nla_put_failure;
20807 
20808 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
20809 	if (!rekey_attr)
20810 		goto nla_put_failure;
20811 
20812 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
20813 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
20814 		goto nla_put_failure;
20815 
20816 	nla_nest_end(msg, rekey_attr);
20817 
20818 	genlmsg_end(msg, hdr);
20819 
20820 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20821 				NL80211_MCGRP_MLME, gfp);
20822 	return;
20823 
20824  nla_put_failure:
20825 	nlmsg_free(msg);
20826 }
20827 
20828 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
20829 			       const u8 *replay_ctr, gfp_t gfp)
20830 {
20831 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20832 	struct wiphy *wiphy = wdev->wiphy;
20833 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20834 
20835 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
20836 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
20837 }
20838 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
20839 
20840 static void
20841 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
20842 			       struct net_device *netdev, int index,
20843 			       const u8 *bssid, bool preauth, gfp_t gfp)
20844 {
20845 	struct sk_buff *msg;
20846 	struct nlattr *attr;
20847 	void *hdr;
20848 
20849 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20850 	if (!msg)
20851 		return;
20852 
20853 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
20854 	if (!hdr) {
20855 		nlmsg_free(msg);
20856 		return;
20857 	}
20858 
20859 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20860 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20861 		goto nla_put_failure;
20862 
20863 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
20864 	if (!attr)
20865 		goto nla_put_failure;
20866 
20867 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
20868 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
20869 	    (preauth &&
20870 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
20871 		goto nla_put_failure;
20872 
20873 	nla_nest_end(msg, attr);
20874 
20875 	genlmsg_end(msg, hdr);
20876 
20877 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20878 				NL80211_MCGRP_MLME, gfp);
20879 	return;
20880 
20881  nla_put_failure:
20882 	nlmsg_free(msg);
20883 }
20884 
20885 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
20886 				     const u8 *bssid, bool preauth, gfp_t gfp)
20887 {
20888 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20889 	struct wiphy *wiphy = wdev->wiphy;
20890 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20891 
20892 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
20893 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
20894 }
20895 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
20896 
20897 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
20898 				     struct net_device *netdev,
20899 				     unsigned int link_id,
20900 				     struct cfg80211_chan_def *chandef,
20901 				     gfp_t gfp,
20902 				     enum nl80211_commands notif,
20903 				     u8 count, bool quiet)
20904 {
20905 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20906 	struct sk_buff *msg;
20907 	void *hdr;
20908 
20909 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20910 	if (!msg)
20911 		return;
20912 
20913 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
20914 	if (!hdr) {
20915 		nlmsg_free(msg);
20916 		return;
20917 	}
20918 
20919 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20920 		goto nla_put_failure;
20921 
20922 	if (wdev->valid_links &&
20923 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20924 		goto nla_put_failure;
20925 
20926 	if (nl80211_send_chandef(msg, chandef))
20927 		goto nla_put_failure;
20928 
20929 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
20930 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
20931 			goto nla_put_failure;
20932 		if (quiet &&
20933 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
20934 			goto nla_put_failure;
20935 	}
20936 
20937 	genlmsg_end(msg, hdr);
20938 
20939 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20940 				NL80211_MCGRP_MLME, gfp);
20941 	return;
20942 
20943  nla_put_failure:
20944 	nlmsg_free(msg);
20945 }
20946 
20947 void cfg80211_ch_switch_notify(struct net_device *dev,
20948 			       struct cfg80211_chan_def *chandef,
20949 			       unsigned int link_id)
20950 {
20951 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20952 	struct wiphy *wiphy = wdev->wiphy;
20953 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20954 
20955 	lockdep_assert_wiphy(wdev->wiphy);
20956 	WARN_INVALID_LINK_ID(wdev, link_id);
20957 
20958 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
20959 
20960 	switch (wdev->iftype) {
20961 	case NL80211_IFTYPE_STATION:
20962 	case NL80211_IFTYPE_P2P_CLIENT:
20963 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
20964 			cfg80211_update_assoc_bss_entry(wdev, link_id,
20965 							chandef->chan);
20966 		break;
20967 	case NL80211_IFTYPE_MESH_POINT:
20968 		wdev->u.mesh.chandef = *chandef;
20969 		wdev->u.mesh.preset_chandef = *chandef;
20970 		break;
20971 	case NL80211_IFTYPE_AP:
20972 	case NL80211_IFTYPE_P2P_GO:
20973 		wdev->links[link_id].ap.chandef = *chandef;
20974 		break;
20975 	case NL80211_IFTYPE_ADHOC:
20976 		wdev->u.ibss.chandef = *chandef;
20977 		break;
20978 	default:
20979 		WARN_ON(1);
20980 		break;
20981 	}
20982 
20983 	cfg80211_schedule_channels_check(wdev);
20984 	cfg80211_sched_dfs_chan_update(rdev);
20985 
20986 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
20987 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
20988 }
20989 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
20990 
20991 void cfg80211_ch_switch_started_notify(struct net_device *dev,
20992 				       struct cfg80211_chan_def *chandef,
20993 				       unsigned int link_id, u8 count,
20994 				       bool quiet)
20995 {
20996 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20997 	struct wiphy *wiphy = wdev->wiphy;
20998 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20999 
21000 	lockdep_assert_wiphy(wdev->wiphy);
21001 	WARN_INVALID_LINK_ID(wdev, link_id);
21002 
21003 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
21004 
21005 
21006 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21007 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
21008 				 count, quiet);
21009 }
21010 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
21011 
21012 int cfg80211_bss_color_notify(struct net_device *dev,
21013 			      enum nl80211_commands cmd, u8 count,
21014 			      u64 color_bitmap, u8 link_id)
21015 {
21016 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21017 	struct wiphy *wiphy = wdev->wiphy;
21018 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21019 	struct sk_buff *msg;
21020 	void *hdr;
21021 
21022 	lockdep_assert_wiphy(wdev->wiphy);
21023 
21024 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
21025 
21026 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21027 	if (!msg)
21028 		return -ENOMEM;
21029 
21030 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21031 	if (!hdr)
21032 		goto nla_put_failure;
21033 
21034 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21035 		goto nla_put_failure;
21036 
21037 	if (wdev->valid_links &&
21038 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21039 		goto nla_put_failure;
21040 
21041 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
21042 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
21043 		goto nla_put_failure;
21044 
21045 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
21046 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
21047 			      color_bitmap, NL80211_ATTR_PAD))
21048 		goto nla_put_failure;
21049 
21050 	genlmsg_end(msg, hdr);
21051 
21052 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
21053 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
21054 
21055 nla_put_failure:
21056 	nlmsg_free(msg);
21057 	return -EINVAL;
21058 }
21059 EXPORT_SYMBOL(cfg80211_bss_color_notify);
21060 
21061 void
21062 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
21063 		     const struct cfg80211_chan_def *chandef,
21064 		     enum nl80211_radar_event event,
21065 		     struct net_device *netdev, gfp_t gfp)
21066 {
21067 	struct sk_buff *msg;
21068 	void *hdr;
21069 
21070 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21071 	if (!msg)
21072 		return;
21073 
21074 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
21075 	if (!hdr) {
21076 		nlmsg_free(msg);
21077 		return;
21078 	}
21079 
21080 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21081 		goto nla_put_failure;
21082 
21083 	/* NOP and radar events don't need a netdev parameter */
21084 	if (netdev) {
21085 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
21086 
21087 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21088 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21089 				      NL80211_ATTR_PAD))
21090 			goto nla_put_failure;
21091 	}
21092 
21093 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
21094 		goto nla_put_failure;
21095 
21096 	if (nl80211_send_chandef(msg, chandef))
21097 		goto nla_put_failure;
21098 
21099 	genlmsg_end(msg, hdr);
21100 
21101 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21102 				NL80211_MCGRP_MLME, gfp);
21103 	return;
21104 
21105  nla_put_failure:
21106 	nlmsg_free(msg);
21107 }
21108 
21109 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
21110 				       struct sta_opmode_info *sta_opmode,
21111 				       gfp_t gfp)
21112 {
21113 	struct sk_buff *msg;
21114 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21115 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21116 	void *hdr;
21117 
21118 	if (WARN_ON(!mac))
21119 		return;
21120 
21121 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21122 	if (!msg)
21123 		return;
21124 
21125 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
21126 	if (!hdr) {
21127 		nlmsg_free(msg);
21128 		return;
21129 	}
21130 
21131 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21132 		goto nla_put_failure;
21133 
21134 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21135 		goto nla_put_failure;
21136 
21137 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21138 		goto nla_put_failure;
21139 
21140 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
21141 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
21142 		goto nla_put_failure;
21143 
21144 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
21145 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
21146 		goto nla_put_failure;
21147 
21148 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
21149 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
21150 		goto nla_put_failure;
21151 
21152 	genlmsg_end(msg, hdr);
21153 
21154 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21155 				NL80211_MCGRP_MLME, gfp);
21156 
21157 	return;
21158 
21159 nla_put_failure:
21160 	nlmsg_free(msg);
21161 }
21162 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
21163 
21164 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
21165 			   u64 cookie, bool acked, s32 ack_signal,
21166 			   bool is_valid_ack_signal, gfp_t gfp)
21167 {
21168 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21169 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21170 	struct sk_buff *msg;
21171 	void *hdr;
21172 
21173 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
21174 
21175 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21176 
21177 	if (!msg)
21178 		return;
21179 
21180 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
21181 	if (!hdr) {
21182 		nlmsg_free(msg);
21183 		return;
21184 	}
21185 
21186 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21187 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21188 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21189 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21190 			      NL80211_ATTR_PAD) ||
21191 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21192 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
21193 						ack_signal)))
21194 		goto nla_put_failure;
21195 
21196 	genlmsg_end(msg, hdr);
21197 
21198 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21199 				NL80211_MCGRP_MLME, gfp);
21200 	return;
21201 
21202  nla_put_failure:
21203 	nlmsg_free(msg);
21204 }
21205 EXPORT_SYMBOL(cfg80211_probe_status);
21206 
21207 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
21208 				     size_t len, int freq, int sig_dbm)
21209 {
21210 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21211 	struct sk_buff *msg;
21212 	void *hdr;
21213 	struct cfg80211_beacon_registration *reg;
21214 
21215 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
21216 
21217 	spin_lock_bh(&rdev->beacon_registrations_lock);
21218 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
21219 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
21220 		if (!msg) {
21221 			spin_unlock_bh(&rdev->beacon_registrations_lock);
21222 			return;
21223 		}
21224 
21225 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21226 		if (!hdr)
21227 			goto nla_put_failure;
21228 
21229 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21230 		    (freq &&
21231 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
21232 				  KHZ_TO_MHZ(freq)) ||
21233 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
21234 				  freq % 1000))) ||
21235 		    (sig_dbm &&
21236 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
21237 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
21238 			goto nla_put_failure;
21239 
21240 		genlmsg_end(msg, hdr);
21241 
21242 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
21243 	}
21244 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21245 	return;
21246 
21247  nla_put_failure:
21248 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21249 	nlmsg_free(msg);
21250 }
21251 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
21252 
21253 #ifdef CONFIG_PM
21254 static int cfg80211_net_detect_results(struct sk_buff *msg,
21255 				       struct cfg80211_wowlan_wakeup *wakeup)
21256 {
21257 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
21258 	struct nlattr *nl_results, *nl_match, *nl_freqs;
21259 	int i, j;
21260 
21261 	nl_results = nla_nest_start_noflag(msg,
21262 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
21263 	if (!nl_results)
21264 		return -EMSGSIZE;
21265 
21266 	for (i = 0; i < nd->n_matches; i++) {
21267 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
21268 
21269 		nl_match = nla_nest_start_noflag(msg, i);
21270 		if (!nl_match)
21271 			break;
21272 
21273 		/* The SSID attribute is optional in nl80211, but for
21274 		 * simplicity reasons it's always present in the
21275 		 * cfg80211 structure.  If a driver can't pass the
21276 		 * SSID, that needs to be changed.  A zero length SSID
21277 		 * is still a valid SSID (wildcard), so it cannot be
21278 		 * used for this purpose.
21279 		 */
21280 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
21281 			    match->ssid.ssid)) {
21282 			nla_nest_cancel(msg, nl_match);
21283 			goto out;
21284 		}
21285 
21286 		if (match->n_channels) {
21287 			nl_freqs = nla_nest_start_noflag(msg,
21288 							 NL80211_ATTR_SCAN_FREQUENCIES);
21289 			if (!nl_freqs) {
21290 				nla_nest_cancel(msg, nl_match);
21291 				goto out;
21292 			}
21293 
21294 			for (j = 0; j < match->n_channels; j++) {
21295 				if (nla_put_u32(msg, j, match->channels[j])) {
21296 					nla_nest_cancel(msg, nl_freqs);
21297 					nla_nest_cancel(msg, nl_match);
21298 					goto out;
21299 				}
21300 			}
21301 
21302 			nla_nest_end(msg, nl_freqs);
21303 		}
21304 
21305 		nla_nest_end(msg, nl_match);
21306 	}
21307 
21308 out:
21309 	nla_nest_end(msg, nl_results);
21310 	return 0;
21311 }
21312 
21313 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
21314 				   struct cfg80211_wowlan_wakeup *wakeup,
21315 				   gfp_t gfp)
21316 {
21317 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21318 	struct sk_buff *msg;
21319 	void *hdr;
21320 	int size = 200;
21321 
21322 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
21323 
21324 	if (wakeup)
21325 		size += wakeup->packet_present_len;
21326 
21327 	msg = nlmsg_new(size, gfp);
21328 	if (!msg)
21329 		return;
21330 
21331 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
21332 	if (!hdr)
21333 		goto free_msg;
21334 
21335 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21336 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21337 			      NL80211_ATTR_PAD))
21338 		goto free_msg;
21339 
21340 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21341 					wdev->netdev->ifindex))
21342 		goto free_msg;
21343 
21344 	if (wakeup) {
21345 		struct nlattr *reasons;
21346 
21347 		reasons = nla_nest_start_noflag(msg,
21348 						NL80211_ATTR_WOWLAN_TRIGGERS);
21349 		if (!reasons)
21350 			goto free_msg;
21351 
21352 		if (wakeup->disconnect &&
21353 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
21354 			goto free_msg;
21355 		if (wakeup->magic_pkt &&
21356 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
21357 			goto free_msg;
21358 		if (wakeup->gtk_rekey_failure &&
21359 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
21360 			goto free_msg;
21361 		if (wakeup->eap_identity_req &&
21362 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
21363 			goto free_msg;
21364 		if (wakeup->four_way_handshake &&
21365 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
21366 			goto free_msg;
21367 		if (wakeup->rfkill_release &&
21368 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
21369 			goto free_msg;
21370 
21371 		if (wakeup->pattern_idx >= 0 &&
21372 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
21373 				wakeup->pattern_idx))
21374 			goto free_msg;
21375 
21376 		if (wakeup->tcp_match &&
21377 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
21378 			goto free_msg;
21379 
21380 		if (wakeup->tcp_connlost &&
21381 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
21382 			goto free_msg;
21383 
21384 		if (wakeup->tcp_nomoretokens &&
21385 		    nla_put_flag(msg,
21386 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
21387 			goto free_msg;
21388 
21389 		if (wakeup->unprot_deauth_disassoc &&
21390 		    nla_put_flag(msg,
21391 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
21392 			goto free_msg;
21393 
21394 		if (wakeup->packet) {
21395 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
21396 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
21397 
21398 			if (!wakeup->packet_80211) {
21399 				pkt_attr =
21400 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
21401 				len_attr =
21402 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
21403 			}
21404 
21405 			if (wakeup->packet_len &&
21406 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
21407 				goto free_msg;
21408 
21409 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
21410 				    wakeup->packet))
21411 				goto free_msg;
21412 		}
21413 
21414 		if (wakeup->net_detect &&
21415 		    cfg80211_net_detect_results(msg, wakeup))
21416 				goto free_msg;
21417 
21418 		nla_nest_end(msg, reasons);
21419 	}
21420 
21421 	genlmsg_end(msg, hdr);
21422 
21423 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21424 				NL80211_MCGRP_MLME, gfp);
21425 	return;
21426 
21427  free_msg:
21428 	nlmsg_free(msg);
21429 }
21430 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
21431 #endif
21432 
21433 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
21434 				enum nl80211_tdls_operation oper,
21435 				u16 reason_code, gfp_t gfp)
21436 {
21437 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21438 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21439 	struct sk_buff *msg;
21440 	void *hdr;
21441 
21442 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
21443 					 reason_code);
21444 
21445 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21446 	if (!msg)
21447 		return;
21448 
21449 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
21450 	if (!hdr) {
21451 		nlmsg_free(msg);
21452 		return;
21453 	}
21454 
21455 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21456 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21457 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
21458 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
21459 	    (reason_code > 0 &&
21460 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
21461 		goto nla_put_failure;
21462 
21463 	genlmsg_end(msg, hdr);
21464 
21465 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21466 				NL80211_MCGRP_MLME, gfp);
21467 	return;
21468 
21469  nla_put_failure:
21470 	nlmsg_free(msg);
21471 }
21472 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
21473 
21474 static int nl80211_netlink_notify(struct notifier_block * nb,
21475 				  unsigned long state,
21476 				  void *_notify)
21477 {
21478 	struct netlink_notify *notify = _notify;
21479 	struct cfg80211_registered_device *rdev;
21480 	struct wireless_dev *wdev;
21481 	struct cfg80211_beacon_registration *reg, *tmp;
21482 
21483 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
21484 		return NOTIFY_DONE;
21485 
21486 	rcu_read_lock();
21487 
21488 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
21489 		struct cfg80211_sched_scan_request *sched_scan_req;
21490 
21491 		list_for_each_entry_rcu(sched_scan_req,
21492 					&rdev->sched_scan_req_list,
21493 					list) {
21494 			if (sched_scan_req->owner_nlportid == notify->portid) {
21495 				sched_scan_req->nl_owner_dead = true;
21496 				wiphy_work_queue(&rdev->wiphy,
21497 						 &rdev->sched_scan_stop_wk);
21498 			}
21499 		}
21500 
21501 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
21502 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
21503 
21504 			if (wdev->owner_nlportid == notify->portid) {
21505 				wdev->nl_owner_dead = true;
21506 				schedule_work(&rdev->destroy_work);
21507 			} else if (wdev->conn_owner_nlportid == notify->portid) {
21508 				schedule_work(&wdev->disconnect_wk);
21509 			}
21510 
21511 			cfg80211_release_pmsr(wdev, notify->portid);
21512 		}
21513 
21514 		spin_lock_bh(&rdev->beacon_registrations_lock);
21515 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
21516 					 list) {
21517 			if (reg->nlportid == notify->portid) {
21518 				list_del(&reg->list);
21519 				kfree(reg);
21520 				break;
21521 			}
21522 		}
21523 		spin_unlock_bh(&rdev->beacon_registrations_lock);
21524 	}
21525 
21526 	rcu_read_unlock();
21527 
21528 	/*
21529 	 * It is possible that the user space process that is controlling the
21530 	 * indoor setting disappeared, so notify the regulatory core.
21531 	 */
21532 	regulatory_netlink_notify(notify->portid);
21533 	return NOTIFY_OK;
21534 }
21535 
21536 static struct notifier_block nl80211_netlink_notifier = {
21537 	.notifier_call = nl80211_netlink_notify,
21538 };
21539 
21540 void cfg80211_ft_event(struct net_device *netdev,
21541 		       struct cfg80211_ft_event_params *ft_event)
21542 {
21543 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21544 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21545 	struct sk_buff *msg;
21546 	void *hdr;
21547 
21548 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
21549 
21550 	if (!ft_event->target_ap)
21551 		return;
21552 
21553 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
21554 			GFP_KERNEL);
21555 	if (!msg)
21556 		return;
21557 
21558 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
21559 	if (!hdr)
21560 		goto out;
21561 
21562 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21563 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21564 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
21565 		goto out;
21566 
21567 	if (ft_event->ies &&
21568 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
21569 		goto out;
21570 	if (ft_event->ric_ies &&
21571 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
21572 		    ft_event->ric_ies))
21573 		goto out;
21574 
21575 	genlmsg_end(msg, hdr);
21576 
21577 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21578 				NL80211_MCGRP_MLME, GFP_KERNEL);
21579 	return;
21580  out:
21581 	nlmsg_free(msg);
21582 }
21583 EXPORT_SYMBOL(cfg80211_ft_event);
21584 
21585 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
21586 {
21587 	struct cfg80211_registered_device *rdev;
21588 	struct sk_buff *msg;
21589 	void *hdr;
21590 	u32 nlportid;
21591 
21592 	rdev = wiphy_to_rdev(wdev->wiphy);
21593 	if (!rdev->crit_proto_nlportid)
21594 		return;
21595 
21596 	nlportid = rdev->crit_proto_nlportid;
21597 	rdev->crit_proto_nlportid = 0;
21598 
21599 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21600 	if (!msg)
21601 		return;
21602 
21603 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
21604 	if (!hdr)
21605 		goto nla_put_failure;
21606 
21607 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21608 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21609 			      NL80211_ATTR_PAD))
21610 		goto nla_put_failure;
21611 
21612 	genlmsg_end(msg, hdr);
21613 
21614 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21615 	return;
21616 
21617  nla_put_failure:
21618 	nlmsg_free(msg);
21619 }
21620 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
21621 
21622 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
21623 {
21624 	struct wiphy *wiphy = wdev->wiphy;
21625 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21626 	struct sk_buff *msg;
21627 	void *hdr;
21628 
21629 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21630 	if (!msg)
21631 		return;
21632 
21633 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
21634 	if (!hdr)
21635 		goto out;
21636 
21637 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21638 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
21639 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21640 			      NL80211_ATTR_PAD) ||
21641 	    (wdev->valid_links &&
21642 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21643 		goto out;
21644 
21645 	genlmsg_end(msg, hdr);
21646 
21647 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
21648 				NL80211_MCGRP_MLME, GFP_KERNEL);
21649 	return;
21650  out:
21651 	nlmsg_free(msg);
21652 }
21653 
21654 int cfg80211_external_auth_request(struct net_device *dev,
21655 				   struct cfg80211_external_auth_params *params,
21656 				   gfp_t gfp)
21657 {
21658 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21659 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21660 	struct sk_buff *msg;
21661 	void *hdr;
21662 
21663 	if (!wdev->conn_owner_nlportid)
21664 		return -EINVAL;
21665 
21666 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21667 	if (!msg)
21668 		return -ENOMEM;
21669 
21670 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
21671 	if (!hdr)
21672 		goto nla_put_failure;
21673 
21674 	/* Some historical mistakes in drivers <-> userspace interface (notably
21675 	 * between drivers and wpa_supplicant) led to a big-endian conversion
21676 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
21677 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
21678 	 * benefit of older wpa_supplicant versions, send this particular value
21679 	 * in big-endian. Note that newer wpa_supplicant will also detect this
21680 	 * particular value in big endian still, so it all continues to work.
21681 	 */
21682 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
21683 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
21684 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
21685 			goto nla_put_failure;
21686 	} else {
21687 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
21688 				params->key_mgmt_suite))
21689 			goto nla_put_failure;
21690 	}
21691 
21692 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21693 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21694 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
21695 			params->action) ||
21696 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
21697 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
21698 		    params->ssid.ssid) ||
21699 	    (!is_zero_ether_addr(params->mld_addr) &&
21700 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
21701 		goto nla_put_failure;
21702 
21703 	genlmsg_end(msg, hdr);
21704 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
21705 			wdev->conn_owner_nlportid);
21706 	return 0;
21707 
21708  nla_put_failure:
21709 	nlmsg_free(msg);
21710 	return -ENOBUFS;
21711 }
21712 EXPORT_SYMBOL(cfg80211_external_auth_request);
21713 
21714 void cfg80211_update_owe_info_event(struct net_device *netdev,
21715 				    struct cfg80211_update_owe_info *owe_info,
21716 				    gfp_t gfp)
21717 {
21718 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21719 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21720 	struct sk_buff *msg;
21721 	void *hdr;
21722 
21723 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
21724 
21725 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21726 	if (!msg)
21727 		return;
21728 
21729 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
21730 	if (!hdr)
21731 		goto nla_put_failure;
21732 
21733 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21734 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21735 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
21736 		goto nla_put_failure;
21737 
21738 	if (!owe_info->ie_len ||
21739 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
21740 		goto nla_put_failure;
21741 
21742 	if (owe_info->assoc_link_id != -1) {
21743 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
21744 			       owe_info->assoc_link_id))
21745 			goto nla_put_failure;
21746 
21747 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
21748 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
21749 			    owe_info->peer_mld_addr))
21750 			goto nla_put_failure;
21751 	}
21752 
21753 	genlmsg_end(msg, hdr);
21754 
21755 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21756 				NL80211_MCGRP_MLME, gfp);
21757 	return;
21758 
21759 nla_put_failure:
21760 	genlmsg_cancel(msg, hdr);
21761 	nlmsg_free(msg);
21762 }
21763 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
21764 
21765 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
21766 {
21767 	struct wiphy *wiphy = wdev->wiphy;
21768 
21769 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
21770 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
21771 	    (wiphy_ext_feature_isset(wiphy,
21772 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
21773 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
21774 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
21775 		reg_check_channels();
21776 }
21777 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
21778 
21779 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
21780 {
21781 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21782 	struct wiphy *wiphy = wdev->wiphy;
21783 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21784 	struct sk_buff *msg;
21785 	void *hdr;
21786 
21787 	trace_cfg80211_epcs_changed(wdev, enabled);
21788 
21789 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21790 	if (!msg)
21791 		return;
21792 
21793 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
21794 	if (!hdr) {
21795 		nlmsg_free(msg);
21796 		return;
21797 	}
21798 
21799 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
21800 		goto nla_put_failure;
21801 
21802 	genlmsg_end(msg, hdr);
21803 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21804 				NL80211_MCGRP_MLME, GFP_KERNEL);
21805 	return;
21806 
21807  nla_put_failure:
21808 	nlmsg_free(msg);
21809 }
21810 EXPORT_SYMBOL(cfg80211_epcs_changed);
21811 
21812 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
21813 				struct ieee80211_channel *chan, gfp_t gfp)
21814 {
21815 	struct wiphy *wiphy = wdev->wiphy;
21816 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21817 	struct sk_buff *msg;
21818 	void *hdr;
21819 
21820 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
21821 
21822 	if (!wdev->owner_nlportid)
21823 		return;
21824 
21825 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21826 	if (!msg)
21827 		return;
21828 
21829 	hdr = nl80211hdr_put(msg, 0, 0, 0,
21830 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
21831 	if (!hdr)
21832 		goto nla_put_failure;
21833 
21834 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21835 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21836 			      NL80211_ATTR_PAD) ||
21837 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
21838 		goto nla_put_failure;
21839 
21840 	genlmsg_end(msg, hdr);
21841 
21842 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
21843 
21844 	return;
21845 
21846  nla_put_failure:
21847 	nlmsg_free(msg);
21848 }
21849 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
21850 
21851 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
21852 				 const u8 *cluster_id, bool new_cluster,
21853 				 gfp_t gfp)
21854 {
21855 	struct wiphy *wiphy = wdev->wiphy;
21856 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21857 	struct sk_buff *msg;
21858 	void *hdr;
21859 
21860 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
21861 
21862 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
21863 
21864 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21865 	if (!msg)
21866 		return;
21867 
21868 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
21869 	if (!hdr)
21870 		goto nla_put_failure;
21871 
21872 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21873 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21874 			      NL80211_ATTR_PAD) ||
21875 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
21876 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
21877 		goto nla_put_failure;
21878 
21879 	genlmsg_end(msg, hdr);
21880 
21881 	if (!wdev->owner_nlportid)
21882 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
21883 					msg, 0, NL80211_MCGRP_NAN, gfp);
21884 	else
21885 		genlmsg_unicast(wiphy_net(wiphy), msg,
21886 				wdev->owner_nlportid);
21887 	return;
21888 
21889  nla_put_failure:
21890 	nlmsg_free(msg);
21891 }
21892 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
21893 
21894 /* initialisation/exit functions */
21895 
21896 int __init nl80211_init(void)
21897 {
21898 	int err;
21899 
21900 	err = genl_register_family(&nl80211_fam);
21901 	if (err)
21902 		return err;
21903 
21904 	err = netlink_register_notifier(&nl80211_netlink_notifier);
21905 	if (err)
21906 		goto err_out;
21907 
21908 	return 0;
21909  err_out:
21910 	genl_unregister_family(&nl80211_fam);
21911 	return err;
21912 }
21913 
21914 void nl80211_exit(void)
21915 {
21916 	netlink_unregister_notifier(&nl80211_netlink_notifier);
21917 	genl_unregister_family(&nl80211_fam);
21918 }
21919