xref: /linux/net/wireless/nl80211.c (revision 60684c2bd35064043360e6f716d1b7c20e967b7d) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
466 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
467 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
469 				      .len = 20-1 },
470 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
471 
472 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
473 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
475 						NL80211_EDMG_CHANNELS_MIN,
476 						NL80211_EDMG_CHANNELS_MAX),
477 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
478 						NL80211_EDMG_BW_CONFIG_MIN,
479 						NL80211_EDMG_BW_CONFIG_MAX),
480 
481 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
482 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
483 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
484 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
485 
486 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
487 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
488 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
489 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
490 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
491 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
492 
493 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
494 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
495 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
496 
497 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
498 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
499 
500 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
501 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
502 				    .len = WLAN_MAX_KEY_LEN },
503 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
504 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
505 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
506 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
507 	[NL80211_ATTR_KEY_TYPE] =
508 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
509 
510 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
511 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
512 	[NL80211_ATTR_BEACON_HEAD] =
513 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
514 				       IEEE80211_MAX_DATA_LEN),
515 	[NL80211_ATTR_BEACON_TAIL] =
516 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
517 				       IEEE80211_MAX_DATA_LEN),
518 	[NL80211_ATTR_STA_AID] =
519 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
520 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
521 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
522 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
523 					       .len = NL80211_MAX_SUPP_RATES },
524 	[NL80211_ATTR_STA_PLINK_ACTION] =
525 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
526 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
527 		NLA_POLICY_RANGE(NLA_U8,
528 				 NL80211_TX_POWER_AUTOMATIC,
529 				 NL80211_TX_POWER_FIXED),
530 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
531 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
532 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
533 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
534 				   .len = IEEE80211_MAX_MESH_ID_LEN },
535 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
536 
537 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
538 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
539 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
540 
541 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
542 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
543 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
544 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
545 					   .len = NL80211_MAX_SUPP_RATES },
546 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
547 
548 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
549 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
550 
551 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
552 
553 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
554 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
555 						   validate_ie_attr,
556 						   IEEE80211_MAX_DATA_LEN),
557 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
558 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
559 
560 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
561 				.len = IEEE80211_MAX_SSID_LEN },
562 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
563 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
564 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
565 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
566 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
567 						  NL80211_MFP_NO,
568 						  NL80211_MFP_OPTIONAL),
569 	[NL80211_ATTR_STA_FLAGS2] =
570 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
571 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
572 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
573 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
575 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
576 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
577 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
578 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
579 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
580 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
581 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
582 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
583 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
584 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
585 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
586 				 .len = IEEE80211_MAX_DATA_LEN },
587 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
588 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
589 						   NL80211_PS_DISABLED,
590 						   NL80211_PS_ENABLED),
591 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
592 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
593 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
594 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
595 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
596 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
597 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
598 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
599 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
600 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
601 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
602 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
603 	[NL80211_ATTR_STA_PLINK_STATE] =
604 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
605 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
606 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
607 	[NL80211_ATTR_MESH_PEER_AID] =
608 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
609 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
610 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
611 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
612 	[NL80211_ATTR_HIDDEN_SSID] =
613 		NLA_POLICY_RANGE(NLA_U32,
614 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
615 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
616 	[NL80211_ATTR_IE_PROBE_RESP] =
617 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
618 				       IEEE80211_MAX_DATA_LEN),
619 	[NL80211_ATTR_IE_ASSOC_RESP] =
620 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
621 				       IEEE80211_MAX_DATA_LEN),
622 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
623 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
624 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
625 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
627 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
628 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
629 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
630 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
632 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
633 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
634 				      .len = IEEE80211_MAX_DATA_LEN },
635 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
636 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
638 		.len = NL80211_HT_CAPABILITY_LEN
639 	},
640 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
641 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
642 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
643 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
644 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
645 
646 	/* need to include at least Auth Transaction and Status Code */
647 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
648 
649 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
650 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
651 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
652 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
653 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
654 		NLA_POLICY_RANGE(NLA_U32,
655 				 NL80211_MESH_POWER_UNKNOWN + 1,
656 				 NL80211_MESH_POWER_MAX),
657 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
658 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
659 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
660 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
661 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
662 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
663 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
664 		.len = NL80211_VHT_CAPABILITY_LEN,
665 	},
666 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
667 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
668 				  .len = IEEE80211_MAX_DATA_LEN },
669 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
670 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
671 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
672 	[NL80211_ATTR_PEER_AID] =
673 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
674 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
675 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
677 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
678 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
679 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
680 	/*
681 	 * The value of the Length field of the Supported Operating
682 	 * Classes element is between 2 and 253.
683 	 */
684 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
685 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
686 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
687 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
688 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
689 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
690 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
691 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
692 						  IEEE80211_QOS_MAP_LEN_MIN,
693 						  IEEE80211_QOS_MAP_LEN_MAX),
694 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
695 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
696 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
697 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
698 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
699 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
700 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
701 	[NL80211_ATTR_USER_PRIO] =
702 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
703 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
704 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
705 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
706 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
707 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
708 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
709 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
710 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
712 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
713 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
714 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
715 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
716 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
717 	},
718 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
719 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
720 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
721 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
722 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
723 				    .len = FILS_MAX_KEK_LEN },
724 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
725 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
726 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
727 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
728 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
729 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
730 	},
731 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
732 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
733 					     .len = FILS_ERP_MAX_USERNAME_LEN },
734 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
735 					  .len = FILS_ERP_MAX_REALM_LEN },
736 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
737 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
738 					.len = FILS_ERP_MAX_RRK_LEN },
739 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
740 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
741 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
742 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
743 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
744 
745 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
746 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
747 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
748 	[NL80211_ATTR_HE_CAPABILITY] =
749 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
750 				       NL80211_HE_MAX_CAPABILITY_LEN),
751 	[NL80211_ATTR_FTM_RESPONDER] =
752 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
753 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
754 	[NL80211_ATTR_PEER_MEASUREMENTS] =
755 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
756 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
757 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
758 					.len = SAE_PASSWORD_MAX_LEN },
759 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
761 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
762 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
763 	[NL80211_ATTR_TID_CONFIG] =
764 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
765 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
766 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
767 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
768 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
769 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
770 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
771 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
773 	[NL80211_ATTR_FILS_DISCOVERY] =
774 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
775 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
776 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
777 	[NL80211_ATTR_S1G_CAPABILITY] =
778 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
779 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
780 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
781 	[NL80211_ATTR_SAE_PWE] =
782 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
783 				 NL80211_SAE_PWE_BOTH),
784 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
785 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
786 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
787 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
788 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
789 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
790 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
791 	[NL80211_ATTR_MBSSID_CONFIG] =
792 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
793 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
794 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
795 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
796 	[NL80211_ATTR_EHT_CAPABILITY] =
797 		NLA_POLICY_RANGE(NLA_BINARY,
798 				 NL80211_EHT_MIN_CAPABILITY_LEN,
799 				 NL80211_EHT_MAX_CAPABILITY_LEN),
800 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
801 	[NL80211_ATTR_MLO_LINKS] =
802 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
803 	[NL80211_ATTR_MLO_LINK_ID] =
804 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
805 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
806 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
807 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
808 	[NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff),
809 };
810 
811 /* policy for the key attributes */
812 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
813 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
814 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
815 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
816 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
817 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
818 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
819 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
820 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
821 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
822 };
823 
824 /* policy for the key default flags */
825 static const struct nla_policy
826 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
827 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
828 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
829 };
830 
831 #ifdef CONFIG_PM
832 /* policy for WoWLAN attributes */
833 static const struct nla_policy
834 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
835 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
836 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
837 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
838 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
839 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
840 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
841 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
842 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
843 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
844 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
845 };
846 
847 static const struct nla_policy
848 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
849 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
850 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
851 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
852 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
853 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
854 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
855 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
856 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
857 	},
858 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
859 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
860 	},
861 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
862 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
863 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
864 };
865 #endif /* CONFIG_PM */
866 
867 /* policy for coalesce rule attributes */
868 static const struct nla_policy
869 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
870 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
871 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
872 		NLA_POLICY_RANGE(NLA_U32,
873 				 NL80211_COALESCE_CONDITION_MATCH,
874 				 NL80211_COALESCE_CONDITION_NO_MATCH),
875 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
876 };
877 
878 /* policy for GTK rekey offload attributes */
879 static const struct nla_policy
880 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
881 	[NL80211_REKEY_DATA_KEK] = {
882 		.type = NLA_BINARY,
883 		.len = NL80211_KEK_EXT_LEN
884 	},
885 	[NL80211_REKEY_DATA_KCK] = {
886 		.type = NLA_BINARY,
887 		.len = NL80211_KCK_EXT_LEN_32
888 	},
889 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
890 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
891 };
892 
893 static const struct nla_policy
894 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
895 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
896 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
897 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
898 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
899 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
900 };
901 
902 static const struct nla_policy
903 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
904 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
905 						 .len = IEEE80211_MAX_SSID_LEN },
906 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
907 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
908 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
909 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
910 };
911 
912 static const struct nla_policy
913 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
914 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
915 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
916 };
917 
918 static const struct nla_policy
919 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
920 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
921 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
922 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
923 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
924 	},
925 };
926 
927 /* policy for NAN function attributes */
928 static const struct nla_policy
929 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
930 	[NL80211_NAN_FUNC_TYPE] =
931 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
932 	[NL80211_NAN_FUNC_SERVICE_ID] = {
933 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
934 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
935 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
936 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
937 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
938 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
939 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
940 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
941 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
942 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
943 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
944 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
945 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
946 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
947 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
948 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
949 };
950 
951 /* policy for Service Response Filter attributes */
952 static const struct nla_policy
953 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
954 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
955 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
956 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
957 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
958 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
959 };
960 
961 /* policy for packet pattern attributes */
962 static const struct nla_policy
963 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
964 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
965 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
966 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
967 };
968 
969 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
970 				     struct cfg80211_registered_device **rdev,
971 				     struct wireless_dev **wdev,
972 				     struct nlattr **attrbuf)
973 {
974 	int err;
975 
976 	if (!cb->args[0]) {
977 		struct nlattr **attrbuf_free = NULL;
978 
979 		if (!attrbuf) {
980 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
981 					  GFP_KERNEL);
982 			if (!attrbuf)
983 				return -ENOMEM;
984 			attrbuf_free = attrbuf;
985 		}
986 
987 		err = nlmsg_parse_deprecated(cb->nlh,
988 					     GENL_HDRLEN + nl80211_fam.hdrsize,
989 					     attrbuf, nl80211_fam.maxattr,
990 					     nl80211_policy, NULL);
991 		if (err) {
992 			kfree(attrbuf_free);
993 			return err;
994 		}
995 
996 		rtnl_lock();
997 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
998 						   attrbuf);
999 		kfree(attrbuf_free);
1000 		if (IS_ERR(*wdev)) {
1001 			rtnl_unlock();
1002 			return PTR_ERR(*wdev);
1003 		}
1004 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1005 		mutex_lock(&(*rdev)->wiphy.mtx);
1006 		rtnl_unlock();
1007 		/* 0 is the first index - add 1 to parse only once */
1008 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1009 		cb->args[1] = (*wdev)->identifier;
1010 	} else {
1011 		/* subtract the 1 again here */
1012 		struct wiphy *wiphy;
1013 		struct wireless_dev *tmp;
1014 
1015 		rtnl_lock();
1016 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1017 		if (!wiphy) {
1018 			rtnl_unlock();
1019 			return -ENODEV;
1020 		}
1021 		*rdev = wiphy_to_rdev(wiphy);
1022 		*wdev = NULL;
1023 
1024 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1025 			if (tmp->identifier == cb->args[1]) {
1026 				*wdev = tmp;
1027 				break;
1028 			}
1029 		}
1030 
1031 		if (!*wdev) {
1032 			rtnl_unlock();
1033 			return -ENODEV;
1034 		}
1035 		mutex_lock(&(*rdev)->wiphy.mtx);
1036 		rtnl_unlock();
1037 	}
1038 
1039 	return 0;
1040 }
1041 
1042 /* message building helper */
1043 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1044 		     int flags, u8 cmd)
1045 {
1046 	/* since there is no private header just add the generic one */
1047 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1048 }
1049 
1050 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1051 				     const struct ieee80211_reg_rule *rule)
1052 {
1053 	int j;
1054 	struct nlattr *nl_wmm_rules =
1055 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1056 
1057 	if (!nl_wmm_rules)
1058 		goto nla_put_failure;
1059 
1060 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1061 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1062 
1063 		if (!nl_wmm_rule)
1064 			goto nla_put_failure;
1065 
1066 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1067 				rule->wmm_rule.client[j].cw_min) ||
1068 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1069 				rule->wmm_rule.client[j].cw_max) ||
1070 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1071 			       rule->wmm_rule.client[j].aifsn) ||
1072 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1073 			        rule->wmm_rule.client[j].cot))
1074 			goto nla_put_failure;
1075 
1076 		nla_nest_end(msg, nl_wmm_rule);
1077 	}
1078 	nla_nest_end(msg, nl_wmm_rules);
1079 
1080 	return 0;
1081 
1082 nla_put_failure:
1083 	return -ENOBUFS;
1084 }
1085 
1086 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1087 				   struct ieee80211_channel *chan,
1088 				   bool large)
1089 {
1090 	/* Some channels must be completely excluded from the
1091 	 * list to protect old user-space tools from breaking
1092 	 */
1093 	if (!large && chan->flags &
1094 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1095 		return 0;
1096 	if (!large && chan->freq_offset)
1097 		return 0;
1098 
1099 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1100 			chan->center_freq))
1101 		goto nla_put_failure;
1102 
1103 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1104 		goto nla_put_failure;
1105 
1106 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1107 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1108 		goto nla_put_failure;
1109 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1110 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1111 			goto nla_put_failure;
1112 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1113 			goto nla_put_failure;
1114 	}
1115 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1116 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1117 			goto nla_put_failure;
1118 		if (large) {
1119 			u32 time;
1120 
1121 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1122 
1123 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1124 					chan->dfs_state))
1125 				goto nla_put_failure;
1126 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1127 					time))
1128 				goto nla_put_failure;
1129 			if (nla_put_u32(msg,
1130 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1131 					chan->dfs_cac_ms))
1132 				goto nla_put_failure;
1133 		}
1134 	}
1135 
1136 	if (large) {
1137 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1138 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1139 			goto nla_put_failure;
1140 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1141 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1142 			goto nla_put_failure;
1143 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1144 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1145 			goto nla_put_failure;
1146 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1147 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1148 			goto nla_put_failure;
1149 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1150 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1151 			goto nla_put_failure;
1152 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1153 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1154 			goto nla_put_failure;
1155 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1156 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1157 			goto nla_put_failure;
1158 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1159 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1160 			goto nla_put_failure;
1161 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1162 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1163 			goto nla_put_failure;
1164 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1165 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1166 			goto nla_put_failure;
1167 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1168 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1169 			goto nla_put_failure;
1170 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1171 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1172 			goto nla_put_failure;
1173 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1174 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1175 			goto nla_put_failure;
1176 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1177 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1178 			goto nla_put_failure;
1179 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1180 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1181 			goto nla_put_failure;
1182 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1183 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1184 			goto nla_put_failure;
1185 	}
1186 
1187 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1188 			DBM_TO_MBM(chan->max_power)))
1189 		goto nla_put_failure;
1190 
1191 	if (large) {
1192 		const struct ieee80211_reg_rule *rule =
1193 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1194 
1195 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1196 			if (nl80211_msg_put_wmm_rules(msg, rule))
1197 				goto nla_put_failure;
1198 		}
1199 	}
1200 
1201 	return 0;
1202 
1203  nla_put_failure:
1204 	return -ENOBUFS;
1205 }
1206 
1207 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1208 				  struct cfg80211_txq_stats *txqstats,
1209 				  int attrtype)
1210 {
1211 	struct nlattr *txqattr;
1212 
1213 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1214 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1215 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1216 		return false;						  \
1217 	} while (0)
1218 
1219 	txqattr = nla_nest_start_noflag(msg, attrtype);
1220 	if (!txqattr)
1221 		return false;
1222 
1223 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1224 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1225 	PUT_TXQVAL_U32(FLOWS, flows);
1226 	PUT_TXQVAL_U32(DROPS, drops);
1227 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1228 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1229 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1230 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1231 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1232 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1233 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1234 	nla_nest_end(msg, txqattr);
1235 
1236 #undef PUT_TXQVAL_U32
1237 	return true;
1238 }
1239 
1240 /* netlink command implementations */
1241 
1242 /**
1243  * nl80211_link_id - return link ID
1244  * @attrs: attributes to look at
1245  *
1246  * Returns: the link ID or 0 if not given
1247  *
1248  * Note this function doesn't do any validation of the link
1249  * ID validity wrt. links that were actually added, so it must
1250  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1251  * or if additional validation is done.
1252  */
1253 static unsigned int nl80211_link_id(struct nlattr **attrs)
1254 {
1255 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1256 
1257 	if (!linkid)
1258 		return 0;
1259 
1260 	return nla_get_u8(linkid);
1261 }
1262 
1263 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1264 {
1265 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1266 
1267 	if (!linkid)
1268 		return -1;
1269 
1270 	return nla_get_u8(linkid);
1271 }
1272 
1273 struct key_parse {
1274 	struct key_params p;
1275 	int idx;
1276 	int type;
1277 	bool def, defmgmt, defbeacon;
1278 	bool def_uni, def_multi;
1279 };
1280 
1281 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1282 				 struct key_parse *k)
1283 {
1284 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1285 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1286 					      nl80211_key_policy,
1287 					      info->extack);
1288 	if (err)
1289 		return err;
1290 
1291 	k->def = !!tb[NL80211_KEY_DEFAULT];
1292 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1293 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1294 
1295 	if (k->def) {
1296 		k->def_uni = true;
1297 		k->def_multi = true;
1298 	}
1299 	if (k->defmgmt || k->defbeacon)
1300 		k->def_multi = true;
1301 
1302 	if (tb[NL80211_KEY_IDX])
1303 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1304 
1305 	if (tb[NL80211_KEY_DATA]) {
1306 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1307 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1308 	}
1309 
1310 	if (tb[NL80211_KEY_SEQ]) {
1311 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1312 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1313 	}
1314 
1315 	if (tb[NL80211_KEY_CIPHER])
1316 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1317 
1318 	if (tb[NL80211_KEY_TYPE])
1319 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1320 
1321 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1322 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1323 
1324 		err = nla_parse_nested_deprecated(kdt,
1325 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1326 						  tb[NL80211_KEY_DEFAULT_TYPES],
1327 						  nl80211_key_default_policy,
1328 						  info->extack);
1329 		if (err)
1330 			return err;
1331 
1332 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1333 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1334 	}
1335 
1336 	if (tb[NL80211_KEY_MODE])
1337 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1338 
1339 	return 0;
1340 }
1341 
1342 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1343 {
1344 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1345 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1346 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1347 	}
1348 
1349 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1350 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1351 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1352 	}
1353 
1354 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1355 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1356 
1357 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1358 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1359 
1360 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1361 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1362 
1363 	if (k->def) {
1364 		k->def_uni = true;
1365 		k->def_multi = true;
1366 	}
1367 	if (k->defmgmt)
1368 		k->def_multi = true;
1369 
1370 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1371 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1372 
1373 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1374 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1375 		int err = nla_parse_nested_deprecated(kdt,
1376 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1377 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1378 						      nl80211_key_default_policy,
1379 						      info->extack);
1380 		if (err)
1381 			return err;
1382 
1383 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1384 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1385 	}
1386 
1387 	return 0;
1388 }
1389 
1390 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1391 {
1392 	int err;
1393 
1394 	memset(k, 0, sizeof(*k));
1395 	k->idx = -1;
1396 	k->type = -1;
1397 
1398 	if (info->attrs[NL80211_ATTR_KEY])
1399 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1400 	else
1401 		err = nl80211_parse_key_old(info, k);
1402 
1403 	if (err)
1404 		return err;
1405 
1406 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1407 	    (k->defbeacon ? 1 : 0) > 1) {
1408 		GENL_SET_ERR_MSG(info,
1409 				 "key with multiple default flags is invalid");
1410 		return -EINVAL;
1411 	}
1412 
1413 	if (k->defmgmt || k->defbeacon) {
1414 		if (k->def_uni || !k->def_multi) {
1415 			GENL_SET_ERR_MSG(info,
1416 					 "defmgmt/defbeacon key must be mcast");
1417 			return -EINVAL;
1418 		}
1419 	}
1420 
1421 	if (k->idx != -1) {
1422 		if (k->defmgmt) {
1423 			if (k->idx < 4 || k->idx > 5) {
1424 				GENL_SET_ERR_MSG(info,
1425 						 "defmgmt key idx not 4 or 5");
1426 				return -EINVAL;
1427 			}
1428 		} else if (k->defbeacon) {
1429 			if (k->idx < 6 || k->idx > 7) {
1430 				GENL_SET_ERR_MSG(info,
1431 						 "defbeacon key idx not 6 or 7");
1432 				return -EINVAL;
1433 			}
1434 		} else if (k->def) {
1435 			if (k->idx < 0 || k->idx > 3) {
1436 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1437 				return -EINVAL;
1438 			}
1439 		} else {
1440 			if (k->idx < 0 || k->idx > 7) {
1441 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1442 				return -EINVAL;
1443 			}
1444 		}
1445 	}
1446 
1447 	return 0;
1448 }
1449 
1450 static struct cfg80211_cached_keys *
1451 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1452 		       struct genl_info *info, bool *no_ht)
1453 {
1454 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1455 	struct key_parse parse;
1456 	struct nlattr *key;
1457 	struct cfg80211_cached_keys *result;
1458 	int rem, err, def = 0;
1459 	bool have_key = false;
1460 
1461 	nla_for_each_nested(key, keys, rem) {
1462 		have_key = true;
1463 		break;
1464 	}
1465 
1466 	if (!have_key)
1467 		return NULL;
1468 
1469 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1470 	if (!result)
1471 		return ERR_PTR(-ENOMEM);
1472 
1473 	result->def = -1;
1474 
1475 	nla_for_each_nested(key, keys, rem) {
1476 		memset(&parse, 0, sizeof(parse));
1477 		parse.idx = -1;
1478 
1479 		err = nl80211_parse_key_new(info, key, &parse);
1480 		if (err)
1481 			goto error;
1482 		err = -EINVAL;
1483 		if (!parse.p.key)
1484 			goto error;
1485 		if (parse.idx < 0 || parse.idx > 3) {
1486 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1487 			goto error;
1488 		}
1489 		if (parse.def) {
1490 			if (def) {
1491 				GENL_SET_ERR_MSG(info,
1492 						 "only one key can be default");
1493 				goto error;
1494 			}
1495 			def = 1;
1496 			result->def = parse.idx;
1497 			if (!parse.def_uni || !parse.def_multi)
1498 				goto error;
1499 		} else if (parse.defmgmt)
1500 			goto error;
1501 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1502 						     parse.idx, false, NULL);
1503 		if (err)
1504 			goto error;
1505 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1506 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1507 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1508 			err = -EINVAL;
1509 			goto error;
1510 		}
1511 		result->params[parse.idx].cipher = parse.p.cipher;
1512 		result->params[parse.idx].key_len = parse.p.key_len;
1513 		result->params[parse.idx].key = result->data[parse.idx];
1514 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1515 
1516 		/* must be WEP key if we got here */
1517 		if (no_ht)
1518 			*no_ht = true;
1519 	}
1520 
1521 	if (result->def < 0) {
1522 		err = -EINVAL;
1523 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1524 		goto error;
1525 	}
1526 
1527 	return result;
1528  error:
1529 	kfree(result);
1530 	return ERR_PTR(err);
1531 }
1532 
1533 static int nl80211_key_allowed(struct wireless_dev *wdev)
1534 {
1535 	ASSERT_WDEV_LOCK(wdev);
1536 
1537 	switch (wdev->iftype) {
1538 	case NL80211_IFTYPE_AP:
1539 	case NL80211_IFTYPE_AP_VLAN:
1540 	case NL80211_IFTYPE_P2P_GO:
1541 	case NL80211_IFTYPE_MESH_POINT:
1542 		break;
1543 	case NL80211_IFTYPE_ADHOC:
1544 		if (wdev->u.ibss.current_bss)
1545 			return 0;
1546 		return -ENOLINK;
1547 	case NL80211_IFTYPE_STATION:
1548 	case NL80211_IFTYPE_P2P_CLIENT:
1549 		if (wdev->connected)
1550 			return 0;
1551 		return -ENOLINK;
1552 	case NL80211_IFTYPE_NAN:
1553 		if (wiphy_ext_feature_isset(wdev->wiphy,
1554 					    NL80211_EXT_FEATURE_SECURE_NAN))
1555 			return 0;
1556 		return -EINVAL;
1557 	case NL80211_IFTYPE_UNSPECIFIED:
1558 	case NL80211_IFTYPE_OCB:
1559 	case NL80211_IFTYPE_MONITOR:
1560 	case NL80211_IFTYPE_P2P_DEVICE:
1561 	case NL80211_IFTYPE_WDS:
1562 	case NUM_NL80211_IFTYPES:
1563 		return -EINVAL;
1564 	}
1565 
1566 	return 0;
1567 }
1568 
1569 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1570 							u32 freq)
1571 {
1572 	struct ieee80211_channel *chan;
1573 
1574 	chan = ieee80211_get_channel_khz(wiphy, freq);
1575 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1576 		return NULL;
1577 	return chan;
1578 }
1579 
1580 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1581 {
1582 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1583 	int i;
1584 
1585 	if (!nl_modes)
1586 		goto nla_put_failure;
1587 
1588 	i = 0;
1589 	while (ifmodes) {
1590 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1591 			goto nla_put_failure;
1592 		ifmodes >>= 1;
1593 		i++;
1594 	}
1595 
1596 	nla_nest_end(msg, nl_modes);
1597 	return 0;
1598 
1599 nla_put_failure:
1600 	return -ENOBUFS;
1601 }
1602 
1603 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1604 					  struct sk_buff *msg,
1605 					  bool large)
1606 {
1607 	struct nlattr *nl_combis;
1608 	int i, j;
1609 
1610 	nl_combis = nla_nest_start_noflag(msg,
1611 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1612 	if (!nl_combis)
1613 		goto nla_put_failure;
1614 
1615 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1616 		const struct ieee80211_iface_combination *c;
1617 		struct nlattr *nl_combi, *nl_limits;
1618 
1619 		c = &wiphy->iface_combinations[i];
1620 
1621 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1622 		if (!nl_combi)
1623 			goto nla_put_failure;
1624 
1625 		nl_limits = nla_nest_start_noflag(msg,
1626 						  NL80211_IFACE_COMB_LIMITS);
1627 		if (!nl_limits)
1628 			goto nla_put_failure;
1629 
1630 		for (j = 0; j < c->n_limits; j++) {
1631 			struct nlattr *nl_limit;
1632 
1633 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1634 			if (!nl_limit)
1635 				goto nla_put_failure;
1636 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1637 					c->limits[j].max))
1638 				goto nla_put_failure;
1639 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1640 						c->limits[j].types))
1641 				goto nla_put_failure;
1642 			nla_nest_end(msg, nl_limit);
1643 		}
1644 
1645 		nla_nest_end(msg, nl_limits);
1646 
1647 		if (c->beacon_int_infra_match &&
1648 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1649 			goto nla_put_failure;
1650 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1651 				c->num_different_channels) ||
1652 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1653 				c->max_interfaces))
1654 			goto nla_put_failure;
1655 		if (large &&
1656 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1657 				c->radar_detect_widths) ||
1658 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1659 				c->radar_detect_regions)))
1660 			goto nla_put_failure;
1661 		if (c->beacon_int_min_gcd &&
1662 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1663 				c->beacon_int_min_gcd))
1664 			goto nla_put_failure;
1665 
1666 		nla_nest_end(msg, nl_combi);
1667 	}
1668 
1669 	nla_nest_end(msg, nl_combis);
1670 
1671 	return 0;
1672 nla_put_failure:
1673 	return -ENOBUFS;
1674 }
1675 
1676 #ifdef CONFIG_PM
1677 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1678 					struct sk_buff *msg)
1679 {
1680 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1681 	struct nlattr *nl_tcp;
1682 
1683 	if (!tcp)
1684 		return 0;
1685 
1686 	nl_tcp = nla_nest_start_noflag(msg,
1687 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1688 	if (!nl_tcp)
1689 		return -ENOBUFS;
1690 
1691 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1692 			tcp->data_payload_max))
1693 		return -ENOBUFS;
1694 
1695 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1696 			tcp->data_payload_max))
1697 		return -ENOBUFS;
1698 
1699 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1700 		return -ENOBUFS;
1701 
1702 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1703 				sizeof(*tcp->tok), tcp->tok))
1704 		return -ENOBUFS;
1705 
1706 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1707 			tcp->data_interval_max))
1708 		return -ENOBUFS;
1709 
1710 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1711 			tcp->wake_payload_max))
1712 		return -ENOBUFS;
1713 
1714 	nla_nest_end(msg, nl_tcp);
1715 	return 0;
1716 }
1717 
1718 static int nl80211_send_wowlan(struct sk_buff *msg,
1719 			       struct cfg80211_registered_device *rdev,
1720 			       bool large)
1721 {
1722 	struct nlattr *nl_wowlan;
1723 
1724 	if (!rdev->wiphy.wowlan)
1725 		return 0;
1726 
1727 	nl_wowlan = nla_nest_start_noflag(msg,
1728 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1729 	if (!nl_wowlan)
1730 		return -ENOBUFS;
1731 
1732 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1733 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1734 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1735 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1736 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1737 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1738 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1739 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1740 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1741 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1742 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1743 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1744 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1745 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1746 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1747 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1748 		return -ENOBUFS;
1749 
1750 	if (rdev->wiphy.wowlan->n_patterns) {
1751 		struct nl80211_pattern_support pat = {
1752 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1753 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1754 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1755 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1756 		};
1757 
1758 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1759 			    sizeof(pat), &pat))
1760 			return -ENOBUFS;
1761 	}
1762 
1763 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1764 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1765 			rdev->wiphy.wowlan->max_nd_match_sets))
1766 		return -ENOBUFS;
1767 
1768 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1769 		return -ENOBUFS;
1770 
1771 	nla_nest_end(msg, nl_wowlan);
1772 
1773 	return 0;
1774 }
1775 #endif
1776 
1777 static int nl80211_send_coalesce(struct sk_buff *msg,
1778 				 struct cfg80211_registered_device *rdev)
1779 {
1780 	struct nl80211_coalesce_rule_support rule;
1781 
1782 	if (!rdev->wiphy.coalesce)
1783 		return 0;
1784 
1785 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1786 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1787 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1788 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1789 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1790 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1791 
1792 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1793 		return -ENOBUFS;
1794 
1795 	return 0;
1796 }
1797 
1798 static int
1799 nl80211_send_iftype_data(struct sk_buff *msg,
1800 			 const struct ieee80211_supported_band *sband,
1801 			 const struct ieee80211_sband_iftype_data *iftdata)
1802 {
1803 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1804 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1805 
1806 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1807 				iftdata->types_mask))
1808 		return -ENOBUFS;
1809 
1810 	if (he_cap->has_he) {
1811 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1812 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1813 			    he_cap->he_cap_elem.mac_cap_info) ||
1814 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1815 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1816 			    he_cap->he_cap_elem.phy_cap_info) ||
1817 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1818 			    sizeof(he_cap->he_mcs_nss_supp),
1819 			    &he_cap->he_mcs_nss_supp) ||
1820 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1821 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1822 			return -ENOBUFS;
1823 	}
1824 
1825 	if (eht_cap->has_eht && he_cap->has_he) {
1826 		u8 mcs_nss_size, ppe_thresh_size;
1827 		u16 ppe_thres_hdr;
1828 		bool is_ap;
1829 
1830 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1831 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1832 
1833 		mcs_nss_size =
1834 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1835 						   &eht_cap->eht_cap_elem,
1836 						   is_ap);
1837 
1838 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1839 		ppe_thresh_size =
1840 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1841 					       eht_cap->eht_cap_elem.phy_cap_info);
1842 
1843 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1844 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1845 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1846 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1847 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1848 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1849 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1850 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1851 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1852 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1853 			return -ENOBUFS;
1854 	}
1855 
1856 	if (sband->band == NL80211_BAND_6GHZ &&
1857 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1858 		    sizeof(iftdata->he_6ghz_capa),
1859 		    &iftdata->he_6ghz_capa))
1860 		return -ENOBUFS;
1861 
1862 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1863 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1864 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1865 		return -ENOBUFS;
1866 
1867 	return 0;
1868 }
1869 
1870 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1871 				      struct ieee80211_supported_band *sband,
1872 				      bool large)
1873 {
1874 	struct nlattr *nl_rates, *nl_rate;
1875 	struct ieee80211_rate *rate;
1876 	int i;
1877 
1878 	/* add HT info */
1879 	if (sband->ht_cap.ht_supported &&
1880 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1881 		     sizeof(sband->ht_cap.mcs),
1882 		     &sband->ht_cap.mcs) ||
1883 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1884 			 sband->ht_cap.cap) ||
1885 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1886 			sband->ht_cap.ampdu_factor) ||
1887 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1888 			sband->ht_cap.ampdu_density)))
1889 		return -ENOBUFS;
1890 
1891 	/* add VHT info */
1892 	if (sband->vht_cap.vht_supported &&
1893 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1894 		     sizeof(sband->vht_cap.vht_mcs),
1895 		     &sband->vht_cap.vht_mcs) ||
1896 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1897 			 sband->vht_cap.cap)))
1898 		return -ENOBUFS;
1899 
1900 	if (large && sband->n_iftype_data) {
1901 		struct nlattr *nl_iftype_data =
1902 			nla_nest_start_noflag(msg,
1903 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1904 		int err;
1905 
1906 		if (!nl_iftype_data)
1907 			return -ENOBUFS;
1908 
1909 		for (i = 0; i < sband->n_iftype_data; i++) {
1910 			struct nlattr *iftdata;
1911 
1912 			iftdata = nla_nest_start_noflag(msg, i + 1);
1913 			if (!iftdata)
1914 				return -ENOBUFS;
1915 
1916 			err = nl80211_send_iftype_data(msg, sband,
1917 						       &sband->iftype_data[i]);
1918 			if (err)
1919 				return err;
1920 
1921 			nla_nest_end(msg, iftdata);
1922 		}
1923 
1924 		nla_nest_end(msg, nl_iftype_data);
1925 	}
1926 
1927 	/* add EDMG info */
1928 	if (large && sband->edmg_cap.channels &&
1929 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1930 		       sband->edmg_cap.channels) ||
1931 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1932 		       sband->edmg_cap.bw_config)))
1933 
1934 		return -ENOBUFS;
1935 
1936 	/* add bitrates */
1937 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1938 	if (!nl_rates)
1939 		return -ENOBUFS;
1940 
1941 	for (i = 0; i < sband->n_bitrates; i++) {
1942 		nl_rate = nla_nest_start_noflag(msg, i);
1943 		if (!nl_rate)
1944 			return -ENOBUFS;
1945 
1946 		rate = &sband->bitrates[i];
1947 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1948 				rate->bitrate))
1949 			return -ENOBUFS;
1950 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1951 		    nla_put_flag(msg,
1952 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1953 			return -ENOBUFS;
1954 
1955 		nla_nest_end(msg, nl_rate);
1956 	}
1957 
1958 	nla_nest_end(msg, nl_rates);
1959 
1960 	return 0;
1961 }
1962 
1963 static int
1964 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1965 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1966 {
1967 	u16 stypes;
1968 	struct nlattr *nl_ftypes, *nl_ifs;
1969 	enum nl80211_iftype ift;
1970 	int i;
1971 
1972 	if (!mgmt_stypes)
1973 		return 0;
1974 
1975 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1976 	if (!nl_ifs)
1977 		return -ENOBUFS;
1978 
1979 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1980 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1981 		if (!nl_ftypes)
1982 			return -ENOBUFS;
1983 		i = 0;
1984 		stypes = mgmt_stypes[ift].tx;
1985 		while (stypes) {
1986 			if ((stypes & 1) &&
1987 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1988 					(i << 4) | IEEE80211_FTYPE_MGMT))
1989 				return -ENOBUFS;
1990 			stypes >>= 1;
1991 			i++;
1992 		}
1993 		nla_nest_end(msg, nl_ftypes);
1994 	}
1995 
1996 	nla_nest_end(msg, nl_ifs);
1997 
1998 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1999 	if (!nl_ifs)
2000 		return -ENOBUFS;
2001 
2002 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2003 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2004 		if (!nl_ftypes)
2005 			return -ENOBUFS;
2006 		i = 0;
2007 		stypes = mgmt_stypes[ift].rx;
2008 		while (stypes) {
2009 			if ((stypes & 1) &&
2010 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2011 					(i << 4) | IEEE80211_FTYPE_MGMT))
2012 				return -ENOBUFS;
2013 			stypes >>= 1;
2014 			i++;
2015 		}
2016 		nla_nest_end(msg, nl_ftypes);
2017 	}
2018 	nla_nest_end(msg, nl_ifs);
2019 
2020 	return 0;
2021 }
2022 
2023 #define CMD(op, n)							\
2024 	 do {								\
2025 		if (rdev->ops->op) {					\
2026 			i++;						\
2027 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2028 				goto nla_put_failure;			\
2029 		}							\
2030 	} while (0)
2031 
2032 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2033 					struct sk_buff *msg)
2034 {
2035 	int i = 0;
2036 
2037 	/*
2038 	 * do *NOT* add anything into this function, new things need to be
2039 	 * advertised only to new versions of userspace that can deal with
2040 	 * the split (and they can't possibly care about new features...
2041 	 */
2042 	CMD(add_virtual_intf, NEW_INTERFACE);
2043 	CMD(change_virtual_intf, SET_INTERFACE);
2044 	CMD(add_key, NEW_KEY);
2045 	CMD(start_ap, START_AP);
2046 	CMD(add_station, NEW_STATION);
2047 	CMD(add_mpath, NEW_MPATH);
2048 	CMD(update_mesh_config, SET_MESH_CONFIG);
2049 	CMD(change_bss, SET_BSS);
2050 	CMD(auth, AUTHENTICATE);
2051 	CMD(assoc, ASSOCIATE);
2052 	CMD(deauth, DEAUTHENTICATE);
2053 	CMD(disassoc, DISASSOCIATE);
2054 	CMD(join_ibss, JOIN_IBSS);
2055 	CMD(join_mesh, JOIN_MESH);
2056 	CMD(set_pmksa, SET_PMKSA);
2057 	CMD(del_pmksa, DEL_PMKSA);
2058 	CMD(flush_pmksa, FLUSH_PMKSA);
2059 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2060 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2061 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2062 	CMD(mgmt_tx, FRAME);
2063 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2064 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2065 		i++;
2066 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2067 			goto nla_put_failure;
2068 	}
2069 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2070 	    rdev->ops->join_mesh) {
2071 		i++;
2072 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2073 			goto nla_put_failure;
2074 	}
2075 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2076 		CMD(tdls_mgmt, TDLS_MGMT);
2077 		CMD(tdls_oper, TDLS_OPER);
2078 	}
2079 	if (rdev->wiphy.max_sched_scan_reqs)
2080 		CMD(sched_scan_start, START_SCHED_SCAN);
2081 	CMD(probe_client, PROBE_CLIENT);
2082 	CMD(set_noack_map, SET_NOACK_MAP);
2083 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2084 		i++;
2085 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2086 			goto nla_put_failure;
2087 	}
2088 	CMD(start_p2p_device, START_P2P_DEVICE);
2089 	CMD(set_mcast_rate, SET_MCAST_RATE);
2090 #ifdef CONFIG_NL80211_TESTMODE
2091 	CMD(testmode_cmd, TESTMODE);
2092 #endif
2093 
2094 	if (rdev->ops->connect || rdev->ops->auth) {
2095 		i++;
2096 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2097 			goto nla_put_failure;
2098 	}
2099 
2100 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2101 		i++;
2102 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2103 			goto nla_put_failure;
2104 	}
2105 
2106 	return i;
2107  nla_put_failure:
2108 	return -ENOBUFS;
2109 }
2110 
2111 static int
2112 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2113 			   struct sk_buff *msg)
2114 {
2115 	struct nlattr *ftm;
2116 
2117 	if (!cap->ftm.supported)
2118 		return 0;
2119 
2120 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2121 	if (!ftm)
2122 		return -ENOBUFS;
2123 
2124 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2125 		return -ENOBUFS;
2126 	if (cap->ftm.non_asap &&
2127 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2128 		return -ENOBUFS;
2129 	if (cap->ftm.request_lci &&
2130 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2131 		return -ENOBUFS;
2132 	if (cap->ftm.request_civicloc &&
2133 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2134 		return -ENOBUFS;
2135 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2136 			cap->ftm.preambles))
2137 		return -ENOBUFS;
2138 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2139 			cap->ftm.bandwidths))
2140 		return -ENOBUFS;
2141 	if (cap->ftm.max_bursts_exponent >= 0 &&
2142 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2143 			cap->ftm.max_bursts_exponent))
2144 		return -ENOBUFS;
2145 	if (cap->ftm.max_ftms_per_burst &&
2146 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2147 			cap->ftm.max_ftms_per_burst))
2148 		return -ENOBUFS;
2149 	if (cap->ftm.trigger_based &&
2150 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2151 		return -ENOBUFS;
2152 	if (cap->ftm.non_trigger_based &&
2153 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2154 		return -ENOBUFS;
2155 
2156 	nla_nest_end(msg, ftm);
2157 	return 0;
2158 }
2159 
2160 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2161 				  struct sk_buff *msg)
2162 {
2163 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2164 	struct nlattr *pmsr, *caps;
2165 
2166 	if (!cap)
2167 		return 0;
2168 
2169 	/*
2170 	 * we don't need to clean up anything here since the caller
2171 	 * will genlmsg_cancel() if we fail
2172 	 */
2173 
2174 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2175 	if (!pmsr)
2176 		return -ENOBUFS;
2177 
2178 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2179 		return -ENOBUFS;
2180 
2181 	if (cap->report_ap_tsf &&
2182 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2183 		return -ENOBUFS;
2184 
2185 	if (cap->randomize_mac_addr &&
2186 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2187 		return -ENOBUFS;
2188 
2189 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2190 	if (!caps)
2191 		return -ENOBUFS;
2192 
2193 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2194 		return -ENOBUFS;
2195 
2196 	nla_nest_end(msg, caps);
2197 	nla_nest_end(msg, pmsr);
2198 
2199 	return 0;
2200 }
2201 
2202 static int
2203 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2204 			      struct sk_buff *msg)
2205 {
2206 	int i;
2207 	struct nlattr *nested, *nested_akms;
2208 	const struct wiphy_iftype_akm_suites *iftype_akms;
2209 
2210 	if (!rdev->wiphy.num_iftype_akm_suites ||
2211 	    !rdev->wiphy.iftype_akm_suites)
2212 		return 0;
2213 
2214 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2215 	if (!nested)
2216 		return -ENOBUFS;
2217 
2218 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2219 		nested_akms = nla_nest_start(msg, i + 1);
2220 		if (!nested_akms)
2221 			return -ENOBUFS;
2222 
2223 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2224 
2225 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2226 					iftype_akms->iftypes_mask))
2227 			return -ENOBUFS;
2228 
2229 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2230 			    sizeof(u32) * iftype_akms->n_akm_suites,
2231 			    iftype_akms->akm_suites)) {
2232 			return -ENOBUFS;
2233 		}
2234 		nla_nest_end(msg, nested_akms);
2235 	}
2236 
2237 	nla_nest_end(msg, nested);
2238 
2239 	return 0;
2240 }
2241 
2242 static int
2243 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2244 			       struct sk_buff *msg)
2245 {
2246 	struct nlattr *supp;
2247 
2248 	if (!rdev->wiphy.tid_config_support.vif &&
2249 	    !rdev->wiphy.tid_config_support.peer)
2250 		return 0;
2251 
2252 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2253 	if (!supp)
2254 		return -ENOSPC;
2255 
2256 	if (rdev->wiphy.tid_config_support.vif &&
2257 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2258 			      rdev->wiphy.tid_config_support.vif,
2259 			      NL80211_TID_CONFIG_ATTR_PAD))
2260 		goto fail;
2261 
2262 	if (rdev->wiphy.tid_config_support.peer &&
2263 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2264 			      rdev->wiphy.tid_config_support.peer,
2265 			      NL80211_TID_CONFIG_ATTR_PAD))
2266 		goto fail;
2267 
2268 	/* for now we just use the same value ... makes more sense */
2269 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2270 		       rdev->wiphy.tid_config_support.max_retry))
2271 		goto fail;
2272 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2273 		       rdev->wiphy.tid_config_support.max_retry))
2274 		goto fail;
2275 
2276 	nla_nest_end(msg, supp);
2277 
2278 	return 0;
2279 fail:
2280 	nla_nest_cancel(msg, supp);
2281 	return -ENOBUFS;
2282 }
2283 
2284 static int
2285 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2286 		      struct sk_buff *msg)
2287 {
2288 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2289 	u8 num_freq_ranges;
2290 	int i;
2291 
2292 	if (!rdev->wiphy.sar_capa)
2293 		return 0;
2294 
2295 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2296 
2297 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2298 	if (!sar_capa)
2299 		return -ENOSPC;
2300 
2301 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2302 		goto fail;
2303 
2304 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2305 	if (!specs)
2306 		goto fail;
2307 
2308 	/* report supported freq_ranges */
2309 	for (i = 0; i < num_freq_ranges; i++) {
2310 		sub_freq_range = nla_nest_start(msg, i + 1);
2311 		if (!sub_freq_range)
2312 			goto fail;
2313 
2314 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2315 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2316 			goto fail;
2317 
2318 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2319 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2320 			goto fail;
2321 
2322 		nla_nest_end(msg, sub_freq_range);
2323 	}
2324 
2325 	nla_nest_end(msg, specs);
2326 	nla_nest_end(msg, sar_capa);
2327 
2328 	return 0;
2329 fail:
2330 	nla_nest_cancel(msg, sar_capa);
2331 	return -ENOBUFS;
2332 }
2333 
2334 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2335 {
2336 	struct nlattr *config;
2337 
2338 	if (!wiphy->mbssid_max_interfaces)
2339 		return 0;
2340 
2341 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2342 	if (!config)
2343 		return -ENOBUFS;
2344 
2345 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2346 		       wiphy->mbssid_max_interfaces))
2347 		goto fail;
2348 
2349 	if (wiphy->ema_max_profile_periodicity &&
2350 	    nla_put_u8(msg,
2351 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2352 		       wiphy->ema_max_profile_periodicity))
2353 		goto fail;
2354 
2355 	nla_nest_end(msg, config);
2356 	return 0;
2357 
2358 fail:
2359 	nla_nest_cancel(msg, config);
2360 	return -ENOBUFS;
2361 }
2362 
2363 struct nl80211_dump_wiphy_state {
2364 	s64 filter_wiphy;
2365 	long start;
2366 	long split_start, band_start, chan_start, capa_start;
2367 	bool split;
2368 };
2369 
2370 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2371 			      enum nl80211_commands cmd,
2372 			      struct sk_buff *msg, u32 portid, u32 seq,
2373 			      int flags, struct nl80211_dump_wiphy_state *state)
2374 {
2375 	void *hdr;
2376 	struct nlattr *nl_bands, *nl_band;
2377 	struct nlattr *nl_freqs, *nl_freq;
2378 	struct nlattr *nl_cmds;
2379 	enum nl80211_band band;
2380 	struct ieee80211_channel *chan;
2381 	int i;
2382 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2383 				rdev->wiphy.mgmt_stypes;
2384 	u32 features;
2385 
2386 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2387 	if (!hdr)
2388 		return -ENOBUFS;
2389 
2390 	if (WARN_ON(!state))
2391 		return -EINVAL;
2392 
2393 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2394 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2395 			   wiphy_name(&rdev->wiphy)) ||
2396 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2397 			cfg80211_rdev_list_generation))
2398 		goto nla_put_failure;
2399 
2400 	if (cmd != NL80211_CMD_NEW_WIPHY)
2401 		goto finish;
2402 
2403 	switch (state->split_start) {
2404 	case 0:
2405 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2406 			       rdev->wiphy.retry_short) ||
2407 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2408 			       rdev->wiphy.retry_long) ||
2409 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2410 				rdev->wiphy.frag_threshold) ||
2411 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2412 				rdev->wiphy.rts_threshold) ||
2413 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2414 			       rdev->wiphy.coverage_class) ||
2415 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2416 			       rdev->wiphy.max_scan_ssids) ||
2417 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2418 			       rdev->wiphy.max_sched_scan_ssids) ||
2419 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2420 				rdev->wiphy.max_scan_ie_len) ||
2421 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2422 				rdev->wiphy.max_sched_scan_ie_len) ||
2423 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2424 			       rdev->wiphy.max_match_sets))
2425 			goto nla_put_failure;
2426 
2427 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2428 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2429 			goto nla_put_failure;
2430 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2431 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2432 			goto nla_put_failure;
2433 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2434 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2435 			goto nla_put_failure;
2436 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2437 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2438 			goto nla_put_failure;
2439 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2440 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2441 			goto nla_put_failure;
2442 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2443 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2444 			goto nla_put_failure;
2445 		state->split_start++;
2446 		if (state->split)
2447 			break;
2448 		fallthrough;
2449 	case 1:
2450 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2451 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2452 			    rdev->wiphy.cipher_suites))
2453 			goto nla_put_failure;
2454 
2455 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2456 			       rdev->wiphy.max_num_pmkids))
2457 			goto nla_put_failure;
2458 
2459 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2460 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2461 			goto nla_put_failure;
2462 
2463 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2464 				rdev->wiphy.available_antennas_tx) ||
2465 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2466 				rdev->wiphy.available_antennas_rx))
2467 			goto nla_put_failure;
2468 
2469 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2470 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2471 				rdev->wiphy.probe_resp_offload))
2472 			goto nla_put_failure;
2473 
2474 		if ((rdev->wiphy.available_antennas_tx ||
2475 		     rdev->wiphy.available_antennas_rx) &&
2476 		    rdev->ops->get_antenna) {
2477 			u32 tx_ant = 0, rx_ant = 0;
2478 			int res;
2479 
2480 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2481 			if (!res) {
2482 				if (nla_put_u32(msg,
2483 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2484 						tx_ant) ||
2485 				    nla_put_u32(msg,
2486 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2487 						rx_ant))
2488 					goto nla_put_failure;
2489 			}
2490 		}
2491 
2492 		state->split_start++;
2493 		if (state->split)
2494 			break;
2495 		fallthrough;
2496 	case 2:
2497 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2498 					rdev->wiphy.interface_modes))
2499 				goto nla_put_failure;
2500 		state->split_start++;
2501 		if (state->split)
2502 			break;
2503 		fallthrough;
2504 	case 3:
2505 		nl_bands = nla_nest_start_noflag(msg,
2506 						 NL80211_ATTR_WIPHY_BANDS);
2507 		if (!nl_bands)
2508 			goto nla_put_failure;
2509 
2510 		for (band = state->band_start;
2511 		     band < (state->split ?
2512 				NUM_NL80211_BANDS :
2513 				NL80211_BAND_60GHZ + 1);
2514 		     band++) {
2515 			struct ieee80211_supported_band *sband;
2516 
2517 			/* omit higher bands for ancient software */
2518 			if (band > NL80211_BAND_5GHZ && !state->split)
2519 				break;
2520 
2521 			sband = rdev->wiphy.bands[band];
2522 
2523 			if (!sband)
2524 				continue;
2525 
2526 			nl_band = nla_nest_start_noflag(msg, band);
2527 			if (!nl_band)
2528 				goto nla_put_failure;
2529 
2530 			switch (state->chan_start) {
2531 			case 0:
2532 				if (nl80211_send_band_rateinfo(msg, sband,
2533 							       state->split))
2534 					goto nla_put_failure;
2535 				state->chan_start++;
2536 				if (state->split)
2537 					break;
2538 				fallthrough;
2539 			default:
2540 				/* add frequencies */
2541 				nl_freqs = nla_nest_start_noflag(msg,
2542 								 NL80211_BAND_ATTR_FREQS);
2543 				if (!nl_freqs)
2544 					goto nla_put_failure;
2545 
2546 				for (i = state->chan_start - 1;
2547 				     i < sband->n_channels;
2548 				     i++) {
2549 					nl_freq = nla_nest_start_noflag(msg,
2550 									i);
2551 					if (!nl_freq)
2552 						goto nla_put_failure;
2553 
2554 					chan = &sband->channels[i];
2555 
2556 					if (nl80211_msg_put_channel(
2557 							msg, &rdev->wiphy, chan,
2558 							state->split))
2559 						goto nla_put_failure;
2560 
2561 					nla_nest_end(msg, nl_freq);
2562 					if (state->split)
2563 						break;
2564 				}
2565 				if (i < sband->n_channels)
2566 					state->chan_start = i + 2;
2567 				else
2568 					state->chan_start = 0;
2569 				nla_nest_end(msg, nl_freqs);
2570 			}
2571 
2572 			nla_nest_end(msg, nl_band);
2573 
2574 			if (state->split) {
2575 				/* start again here */
2576 				if (state->chan_start)
2577 					band--;
2578 				break;
2579 			}
2580 		}
2581 		nla_nest_end(msg, nl_bands);
2582 
2583 		if (band < NUM_NL80211_BANDS)
2584 			state->band_start = band + 1;
2585 		else
2586 			state->band_start = 0;
2587 
2588 		/* if bands & channels are done, continue outside */
2589 		if (state->band_start == 0 && state->chan_start == 0)
2590 			state->split_start++;
2591 		if (state->split)
2592 			break;
2593 		fallthrough;
2594 	case 4:
2595 		nl_cmds = nla_nest_start_noflag(msg,
2596 						NL80211_ATTR_SUPPORTED_COMMANDS);
2597 		if (!nl_cmds)
2598 			goto nla_put_failure;
2599 
2600 		i = nl80211_add_commands_unsplit(rdev, msg);
2601 		if (i < 0)
2602 			goto nla_put_failure;
2603 		if (state->split) {
2604 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2605 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2606 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2607 				CMD(channel_switch, CHANNEL_SWITCH);
2608 			CMD(set_qos_map, SET_QOS_MAP);
2609 			if (rdev->wiphy.features &
2610 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2611 				CMD(add_tx_ts, ADD_TX_TS);
2612 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2613 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2614 			CMD(update_ft_ies, UPDATE_FT_IES);
2615 			if (rdev->wiphy.sar_capa)
2616 				CMD(set_sar_specs, SET_SAR_SPECS);
2617 		}
2618 #undef CMD
2619 
2620 		nla_nest_end(msg, nl_cmds);
2621 		state->split_start++;
2622 		if (state->split)
2623 			break;
2624 		fallthrough;
2625 	case 5:
2626 		if (rdev->ops->remain_on_channel &&
2627 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2628 		    nla_put_u32(msg,
2629 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2630 				rdev->wiphy.max_remain_on_channel_duration))
2631 			goto nla_put_failure;
2632 
2633 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2634 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2635 			goto nla_put_failure;
2636 
2637 		state->split_start++;
2638 		if (state->split)
2639 			break;
2640 		fallthrough;
2641 	case 6:
2642 #ifdef CONFIG_PM
2643 		if (nl80211_send_wowlan(msg, rdev, state->split))
2644 			goto nla_put_failure;
2645 		state->split_start++;
2646 		if (state->split)
2647 			break;
2648 #else
2649 		state->split_start++;
2650 #endif
2651 		fallthrough;
2652 	case 7:
2653 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2654 					rdev->wiphy.software_iftypes))
2655 			goto nla_put_failure;
2656 
2657 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2658 						   state->split))
2659 			goto nla_put_failure;
2660 
2661 		state->split_start++;
2662 		if (state->split)
2663 			break;
2664 		fallthrough;
2665 	case 8:
2666 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2667 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2668 				rdev->wiphy.ap_sme_capa))
2669 			goto nla_put_failure;
2670 
2671 		features = rdev->wiphy.features;
2672 		/*
2673 		 * We can only add the per-channel limit information if the
2674 		 * dump is split, otherwise it makes it too big. Therefore
2675 		 * only advertise it in that case.
2676 		 */
2677 		if (state->split)
2678 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2679 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2680 			goto nla_put_failure;
2681 
2682 		if (rdev->wiphy.ht_capa_mod_mask &&
2683 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2684 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2685 			    rdev->wiphy.ht_capa_mod_mask))
2686 			goto nla_put_failure;
2687 
2688 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2689 		    rdev->wiphy.max_acl_mac_addrs &&
2690 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2691 				rdev->wiphy.max_acl_mac_addrs))
2692 			goto nla_put_failure;
2693 
2694 		/*
2695 		 * Any information below this point is only available to
2696 		 * applications that can deal with it being split. This
2697 		 * helps ensure that newly added capabilities don't break
2698 		 * older tools by overrunning their buffers.
2699 		 *
2700 		 * We still increment split_start so that in the split
2701 		 * case we'll continue with more data in the next round,
2702 		 * but break unconditionally so unsplit data stops here.
2703 		 */
2704 		if (state->split)
2705 			state->split_start++;
2706 		else
2707 			state->split_start = 0;
2708 		break;
2709 	case 9:
2710 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2711 			goto nla_put_failure;
2712 
2713 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2714 				rdev->wiphy.max_sched_scan_plans) ||
2715 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2716 				rdev->wiphy.max_sched_scan_plan_interval) ||
2717 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2718 				rdev->wiphy.max_sched_scan_plan_iterations))
2719 			goto nla_put_failure;
2720 
2721 		if (rdev->wiphy.extended_capabilities &&
2722 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2723 			     rdev->wiphy.extended_capabilities_len,
2724 			     rdev->wiphy.extended_capabilities) ||
2725 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2726 			     rdev->wiphy.extended_capabilities_len,
2727 			     rdev->wiphy.extended_capabilities_mask)))
2728 			goto nla_put_failure;
2729 
2730 		if (rdev->wiphy.vht_capa_mod_mask &&
2731 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2732 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2733 			    rdev->wiphy.vht_capa_mod_mask))
2734 			goto nla_put_failure;
2735 
2736 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2737 			    rdev->wiphy.perm_addr))
2738 			goto nla_put_failure;
2739 
2740 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2741 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2742 			    rdev->wiphy.addr_mask))
2743 			goto nla_put_failure;
2744 
2745 		if (rdev->wiphy.n_addresses > 1) {
2746 			void *attr;
2747 
2748 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2749 			if (!attr)
2750 				goto nla_put_failure;
2751 
2752 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2753 				if (nla_put(msg, i + 1, ETH_ALEN,
2754 					    rdev->wiphy.addresses[i].addr))
2755 					goto nla_put_failure;
2756 
2757 			nla_nest_end(msg, attr);
2758 		}
2759 
2760 		state->split_start++;
2761 		break;
2762 	case 10:
2763 		if (nl80211_send_coalesce(msg, rdev))
2764 			goto nla_put_failure;
2765 
2766 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2767 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2768 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2769 			goto nla_put_failure;
2770 
2771 		if (rdev->wiphy.max_ap_assoc_sta &&
2772 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2773 				rdev->wiphy.max_ap_assoc_sta))
2774 			goto nla_put_failure;
2775 
2776 		state->split_start++;
2777 		break;
2778 	case 11:
2779 		if (rdev->wiphy.n_vendor_commands) {
2780 			const struct nl80211_vendor_cmd_info *info;
2781 			struct nlattr *nested;
2782 
2783 			nested = nla_nest_start_noflag(msg,
2784 						       NL80211_ATTR_VENDOR_DATA);
2785 			if (!nested)
2786 				goto nla_put_failure;
2787 
2788 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2789 				info = &rdev->wiphy.vendor_commands[i].info;
2790 				if (nla_put(msg, i + 1, sizeof(*info), info))
2791 					goto nla_put_failure;
2792 			}
2793 			nla_nest_end(msg, nested);
2794 		}
2795 
2796 		if (rdev->wiphy.n_vendor_events) {
2797 			const struct nl80211_vendor_cmd_info *info;
2798 			struct nlattr *nested;
2799 
2800 			nested = nla_nest_start_noflag(msg,
2801 						       NL80211_ATTR_VENDOR_EVENTS);
2802 			if (!nested)
2803 				goto nla_put_failure;
2804 
2805 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2806 				info = &rdev->wiphy.vendor_events[i];
2807 				if (nla_put(msg, i + 1, sizeof(*info), info))
2808 					goto nla_put_failure;
2809 			}
2810 			nla_nest_end(msg, nested);
2811 		}
2812 		state->split_start++;
2813 		break;
2814 	case 12:
2815 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2816 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2817 			       rdev->wiphy.max_num_csa_counters))
2818 			goto nla_put_failure;
2819 
2820 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2821 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2822 			goto nla_put_failure;
2823 
2824 		if (rdev->wiphy.max_sched_scan_reqs &&
2825 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2826 				rdev->wiphy.max_sched_scan_reqs))
2827 			goto nla_put_failure;
2828 
2829 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2830 			    sizeof(rdev->wiphy.ext_features),
2831 			    rdev->wiphy.ext_features))
2832 			goto nla_put_failure;
2833 
2834 		if (rdev->wiphy.bss_select_support) {
2835 			struct nlattr *nested;
2836 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2837 
2838 			nested = nla_nest_start_noflag(msg,
2839 						       NL80211_ATTR_BSS_SELECT);
2840 			if (!nested)
2841 				goto nla_put_failure;
2842 
2843 			i = 0;
2844 			while (bss_select_support) {
2845 				if ((bss_select_support & 1) &&
2846 				    nla_put_flag(msg, i))
2847 					goto nla_put_failure;
2848 				i++;
2849 				bss_select_support >>= 1;
2850 			}
2851 			nla_nest_end(msg, nested);
2852 		}
2853 
2854 		state->split_start++;
2855 		break;
2856 	case 13:
2857 		if (rdev->wiphy.num_iftype_ext_capab &&
2858 		    rdev->wiphy.iftype_ext_capab) {
2859 			struct nlattr *nested_ext_capab, *nested;
2860 
2861 			nested = nla_nest_start_noflag(msg,
2862 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2863 			if (!nested)
2864 				goto nla_put_failure;
2865 
2866 			for (i = state->capa_start;
2867 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2868 				const struct wiphy_iftype_ext_capab *capab;
2869 
2870 				capab = &rdev->wiphy.iftype_ext_capab[i];
2871 
2872 				nested_ext_capab = nla_nest_start_noflag(msg,
2873 									 i);
2874 				if (!nested_ext_capab ||
2875 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2876 						capab->iftype) ||
2877 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2878 					    capab->extended_capabilities_len,
2879 					    capab->extended_capabilities) ||
2880 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2881 					    capab->extended_capabilities_len,
2882 					    capab->extended_capabilities_mask))
2883 					goto nla_put_failure;
2884 
2885 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2886 				    (nla_put_u16(msg,
2887 						 NL80211_ATTR_EML_CAPABILITY,
2888 						 capab->eml_capabilities) ||
2889 				     nla_put_u16(msg,
2890 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2891 						 capab->mld_capa_and_ops)))
2892 					goto nla_put_failure;
2893 
2894 				nla_nest_end(msg, nested_ext_capab);
2895 				if (state->split)
2896 					break;
2897 			}
2898 			nla_nest_end(msg, nested);
2899 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2900 				state->capa_start = i + 1;
2901 				break;
2902 			}
2903 		}
2904 
2905 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2906 				rdev->wiphy.nan_supported_bands))
2907 			goto nla_put_failure;
2908 
2909 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2910 					    NL80211_EXT_FEATURE_TXQS)) {
2911 			struct cfg80211_txq_stats txqstats = {};
2912 			int res;
2913 
2914 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2915 			if (!res &&
2916 			    !nl80211_put_txq_stats(msg, &txqstats,
2917 						   NL80211_ATTR_TXQ_STATS))
2918 				goto nla_put_failure;
2919 
2920 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2921 					rdev->wiphy.txq_limit))
2922 				goto nla_put_failure;
2923 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2924 					rdev->wiphy.txq_memory_limit))
2925 				goto nla_put_failure;
2926 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2927 					rdev->wiphy.txq_quantum))
2928 				goto nla_put_failure;
2929 		}
2930 
2931 		state->split_start++;
2932 		break;
2933 	case 14:
2934 		if (nl80211_send_pmsr_capa(rdev, msg))
2935 			goto nla_put_failure;
2936 
2937 		state->split_start++;
2938 		break;
2939 	case 15:
2940 		if (rdev->wiphy.akm_suites &&
2941 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2942 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2943 			    rdev->wiphy.akm_suites))
2944 			goto nla_put_failure;
2945 
2946 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2947 			goto nla_put_failure;
2948 
2949 		if (nl80211_put_tid_config_support(rdev, msg))
2950 			goto nla_put_failure;
2951 		state->split_start++;
2952 		break;
2953 	case 16:
2954 		if (nl80211_put_sar_specs(rdev, msg))
2955 			goto nla_put_failure;
2956 
2957 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2958 			goto nla_put_failure;
2959 
2960 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2961 				rdev->wiphy.max_num_akm_suites))
2962 			goto nla_put_failure;
2963 
2964 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2965 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2966 
2967 		/* done */
2968 		state->split_start = 0;
2969 		break;
2970 	}
2971  finish:
2972 	genlmsg_end(msg, hdr);
2973 	return 0;
2974 
2975  nla_put_failure:
2976 	genlmsg_cancel(msg, hdr);
2977 	return -EMSGSIZE;
2978 }
2979 
2980 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2981 				    struct netlink_callback *cb,
2982 				    struct nl80211_dump_wiphy_state *state)
2983 {
2984 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2985 	int ret;
2986 
2987 	if (!tb)
2988 		return -ENOMEM;
2989 
2990 	ret = nlmsg_parse_deprecated(cb->nlh,
2991 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2992 				     tb, nl80211_fam.maxattr,
2993 				     nl80211_policy, NULL);
2994 	/* ignore parse errors for backward compatibility */
2995 	if (ret) {
2996 		ret = 0;
2997 		goto out;
2998 	}
2999 
3000 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3001 	if (tb[NL80211_ATTR_WIPHY])
3002 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3003 	if (tb[NL80211_ATTR_WDEV])
3004 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3005 	if (tb[NL80211_ATTR_IFINDEX]) {
3006 		struct net_device *netdev;
3007 		struct cfg80211_registered_device *rdev;
3008 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3009 
3010 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3011 		if (!netdev) {
3012 			ret = -ENODEV;
3013 			goto out;
3014 		}
3015 		if (netdev->ieee80211_ptr) {
3016 			rdev = wiphy_to_rdev(
3017 				netdev->ieee80211_ptr->wiphy);
3018 			state->filter_wiphy = rdev->wiphy_idx;
3019 		}
3020 	}
3021 
3022 	ret = 0;
3023 out:
3024 	kfree(tb);
3025 	return ret;
3026 }
3027 
3028 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3029 {
3030 	int idx = 0, ret;
3031 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3032 	struct cfg80211_registered_device *rdev;
3033 
3034 	rtnl_lock();
3035 	if (!state) {
3036 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3037 		if (!state) {
3038 			rtnl_unlock();
3039 			return -ENOMEM;
3040 		}
3041 		state->filter_wiphy = -1;
3042 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3043 		if (ret) {
3044 			kfree(state);
3045 			rtnl_unlock();
3046 			return ret;
3047 		}
3048 		cb->args[0] = (long)state;
3049 	}
3050 
3051 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3052 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3053 			continue;
3054 		if (++idx <= state->start)
3055 			continue;
3056 		if (state->filter_wiphy != -1 &&
3057 		    state->filter_wiphy != rdev->wiphy_idx)
3058 			continue;
3059 		/* attempt to fit multiple wiphy data chunks into the skb */
3060 		do {
3061 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3062 						 skb,
3063 						 NETLINK_CB(cb->skb).portid,
3064 						 cb->nlh->nlmsg_seq,
3065 						 NLM_F_MULTI, state);
3066 			if (ret < 0) {
3067 				/*
3068 				 * If sending the wiphy data didn't fit (ENOBUFS
3069 				 * or EMSGSIZE returned), this SKB is still
3070 				 * empty (so it's not too big because another
3071 				 * wiphy dataset is already in the skb) and
3072 				 * we've not tried to adjust the dump allocation
3073 				 * yet ... then adjust the alloc size to be
3074 				 * bigger, and return 1 but with the empty skb.
3075 				 * This results in an empty message being RX'ed
3076 				 * in userspace, but that is ignored.
3077 				 *
3078 				 * We can then retry with the larger buffer.
3079 				 */
3080 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3081 				    !skb->len && !state->split &&
3082 				    cb->min_dump_alloc < 4096) {
3083 					cb->min_dump_alloc = 4096;
3084 					state->split_start = 0;
3085 					rtnl_unlock();
3086 					return 1;
3087 				}
3088 				idx--;
3089 				break;
3090 			}
3091 		} while (state->split_start > 0);
3092 		break;
3093 	}
3094 	rtnl_unlock();
3095 
3096 	state->start = idx;
3097 
3098 	return skb->len;
3099 }
3100 
3101 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3102 {
3103 	kfree((void *)cb->args[0]);
3104 	return 0;
3105 }
3106 
3107 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3108 {
3109 	struct sk_buff *msg;
3110 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3111 	struct nl80211_dump_wiphy_state state = {};
3112 
3113 	msg = nlmsg_new(4096, GFP_KERNEL);
3114 	if (!msg)
3115 		return -ENOMEM;
3116 
3117 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3118 			       info->snd_portid, info->snd_seq, 0,
3119 			       &state) < 0) {
3120 		nlmsg_free(msg);
3121 		return -ENOBUFS;
3122 	}
3123 
3124 	return genlmsg_reply(msg, info);
3125 }
3126 
3127 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3128 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3129 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3130 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3131 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3132 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3133 };
3134 
3135 static int parse_txq_params(struct nlattr *tb[],
3136 			    struct ieee80211_txq_params *txq_params)
3137 {
3138 	u8 ac;
3139 
3140 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3141 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3142 	    !tb[NL80211_TXQ_ATTR_AIFS])
3143 		return -EINVAL;
3144 
3145 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3146 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3147 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3148 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3149 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3150 
3151 	if (ac >= NL80211_NUM_ACS)
3152 		return -EINVAL;
3153 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3154 	return 0;
3155 }
3156 
3157 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3158 {
3159 	/*
3160 	 * You can only set the channel explicitly for some interfaces,
3161 	 * most have their channel managed via their respective
3162 	 * "establish a connection" command (connect, join, ...)
3163 	 *
3164 	 * For AP/GO and mesh mode, the channel can be set with the
3165 	 * channel userspace API, but is only stored and passed to the
3166 	 * low-level driver when the AP starts or the mesh is joined.
3167 	 * This is for backward compatibility, userspace can also give
3168 	 * the channel in the start-ap or join-mesh commands instead.
3169 	 *
3170 	 * Monitors are special as they are normally slaved to
3171 	 * whatever else is going on, so they have their own special
3172 	 * operation to set the monitor channel if possible.
3173 	 */
3174 	return !wdev ||
3175 		wdev->iftype == NL80211_IFTYPE_AP ||
3176 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3177 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3178 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3179 }
3180 
3181 static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev,
3182 				      struct genl_info *info,
3183 				      const struct cfg80211_chan_def *chandef,
3184 				      u16 *punct_bitmap)
3185 {
3186 	if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT))
3187 		return -EINVAL;
3188 
3189 	*punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3190 	if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef))
3191 		return -EINVAL;
3192 
3193 	return 0;
3194 }
3195 
3196 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3197 			  struct genl_info *info,
3198 			  struct cfg80211_chan_def *chandef)
3199 {
3200 	struct netlink_ext_ack *extack = info->extack;
3201 	struct nlattr **attrs = info->attrs;
3202 	u32 control_freq;
3203 
3204 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3205 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3206 				    "Frequency is missing");
3207 		return -EINVAL;
3208 	}
3209 
3210 	control_freq = MHZ_TO_KHZ(
3211 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3212 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3213 		control_freq +=
3214 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3215 
3216 	memset(chandef, 0, sizeof(*chandef));
3217 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3218 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3219 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3220 	chandef->freq1_offset = control_freq % 1000;
3221 	chandef->center_freq2 = 0;
3222 
3223 	/* Primary channel not allowed */
3224 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3225 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3226 				    "Channel is disabled");
3227 		return -EINVAL;
3228 	}
3229 
3230 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3231 		enum nl80211_channel_type chantype;
3232 
3233 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3234 
3235 		switch (chantype) {
3236 		case NL80211_CHAN_NO_HT:
3237 		case NL80211_CHAN_HT20:
3238 		case NL80211_CHAN_HT40PLUS:
3239 		case NL80211_CHAN_HT40MINUS:
3240 			cfg80211_chandef_create(chandef, chandef->chan,
3241 						chantype);
3242 			/* user input for center_freq is incorrect */
3243 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3244 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3245 				NL_SET_ERR_MSG_ATTR(extack,
3246 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3247 						    "bad center frequency 1");
3248 				return -EINVAL;
3249 			}
3250 			/* center_freq2 must be zero */
3251 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3252 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3253 				NL_SET_ERR_MSG_ATTR(extack,
3254 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3255 						    "center frequency 2 can't be used");
3256 				return -EINVAL;
3257 			}
3258 			break;
3259 		default:
3260 			NL_SET_ERR_MSG_ATTR(extack,
3261 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3262 					    "invalid channel type");
3263 			return -EINVAL;
3264 		}
3265 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3266 		chandef->width =
3267 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3268 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3269 			/* User input error for channel width doesn't match channel  */
3270 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3271 				NL_SET_ERR_MSG_ATTR(extack,
3272 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3273 						    "bad channel width");
3274 				return -EINVAL;
3275 			}
3276 		}
3277 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3278 			chandef->center_freq1 =
3279 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3280 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3281 				chandef->freq1_offset = nla_get_u32(
3282 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3283 			else
3284 				chandef->freq1_offset = 0;
3285 		}
3286 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3287 			chandef->center_freq2 =
3288 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3289 	}
3290 
3291 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3292 		chandef->edmg.channels =
3293 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3294 
3295 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3296 			chandef->edmg.bw_config =
3297 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3298 	} else {
3299 		chandef->edmg.bw_config = 0;
3300 		chandef->edmg.channels = 0;
3301 	}
3302 
3303 	if (!cfg80211_chandef_valid(chandef)) {
3304 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3305 		return -EINVAL;
3306 	}
3307 
3308 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3309 				     IEEE80211_CHAN_DISABLED)) {
3310 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3311 		return -EINVAL;
3312 	}
3313 
3314 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3315 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3316 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3317 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3318 		return -EINVAL;
3319 	}
3320 
3321 	return 0;
3322 }
3323 
3324 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3325 				 struct net_device *dev,
3326 				 struct genl_info *info,
3327 				 int _link_id)
3328 {
3329 	struct cfg80211_chan_def chandef;
3330 	int result;
3331 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3332 	struct wireless_dev *wdev = NULL;
3333 	int link_id = _link_id;
3334 
3335 	if (dev)
3336 		wdev = dev->ieee80211_ptr;
3337 	if (!nl80211_can_set_dev_channel(wdev))
3338 		return -EOPNOTSUPP;
3339 	if (wdev)
3340 		iftype = wdev->iftype;
3341 
3342 	if (link_id < 0) {
3343 		if (wdev && wdev->valid_links)
3344 			return -EINVAL;
3345 		link_id = 0;
3346 	}
3347 
3348 	result = nl80211_parse_chandef(rdev, info, &chandef);
3349 	if (result)
3350 		return result;
3351 
3352 	switch (iftype) {
3353 	case NL80211_IFTYPE_AP:
3354 	case NL80211_IFTYPE_P2P_GO:
3355 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3356 						   iftype))
3357 			return -EINVAL;
3358 		if (wdev->links[link_id].ap.beacon_interval) {
3359 			struct ieee80211_channel *cur_chan;
3360 
3361 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3362 			    !(rdev->wiphy.features &
3363 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3364 				return -EBUSY;
3365 
3366 			/* Only allow dynamic channel width changes */
3367 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3368 			if (chandef.chan != cur_chan)
3369 				return -EBUSY;
3370 
3371 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3372 						       &chandef);
3373 			if (result)
3374 				return result;
3375 			wdev->links[link_id].ap.chandef = chandef;
3376 		} else {
3377 			wdev->u.ap.preset_chandef = chandef;
3378 		}
3379 		return 0;
3380 	case NL80211_IFTYPE_MESH_POINT:
3381 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3382 	case NL80211_IFTYPE_MONITOR:
3383 		return cfg80211_set_monitor_channel(rdev, &chandef);
3384 	default:
3385 		break;
3386 	}
3387 
3388 	return -EINVAL;
3389 }
3390 
3391 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3392 {
3393 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3394 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3395 	struct net_device *netdev = info->user_ptr[1];
3396 	int ret;
3397 
3398 	wdev_lock(netdev->ieee80211_ptr);
3399 	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3400 	wdev_unlock(netdev->ieee80211_ptr);
3401 
3402 	return ret;
3403 }
3404 
3405 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3406 {
3407 	struct cfg80211_registered_device *rdev = NULL;
3408 	struct net_device *netdev = NULL;
3409 	struct wireless_dev *wdev;
3410 	int result = 0, rem_txq_params = 0;
3411 	struct nlattr *nl_txq_params;
3412 	u32 changed;
3413 	u8 retry_short = 0, retry_long = 0;
3414 	u32 frag_threshold = 0, rts_threshold = 0;
3415 	u8 coverage_class = 0;
3416 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3417 
3418 	rtnl_lock();
3419 	/*
3420 	 * Try to find the wiphy and netdev. Normally this
3421 	 * function shouldn't need the netdev, but this is
3422 	 * done for backward compatibility -- previously
3423 	 * setting the channel was done per wiphy, but now
3424 	 * it is per netdev. Previous userland like hostapd
3425 	 * also passed a netdev to set_wiphy, so that it is
3426 	 * possible to let that go to the right netdev!
3427 	 */
3428 
3429 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3430 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3431 
3432 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3433 		if (netdev && netdev->ieee80211_ptr)
3434 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3435 		else
3436 			netdev = NULL;
3437 	}
3438 
3439 	if (!netdev) {
3440 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3441 						  info->attrs);
3442 		if (IS_ERR(rdev)) {
3443 			rtnl_unlock();
3444 			return PTR_ERR(rdev);
3445 		}
3446 		wdev = NULL;
3447 		netdev = NULL;
3448 		result = 0;
3449 	} else
3450 		wdev = netdev->ieee80211_ptr;
3451 
3452 	wiphy_lock(&rdev->wiphy);
3453 
3454 	/*
3455 	 * end workaround code, by now the rdev is available
3456 	 * and locked, and wdev may or may not be NULL.
3457 	 */
3458 
3459 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3460 		result = cfg80211_dev_rename(
3461 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3462 	rtnl_unlock();
3463 
3464 	if (result)
3465 		goto out;
3466 
3467 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3468 		struct ieee80211_txq_params txq_params;
3469 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3470 
3471 		if (!rdev->ops->set_txq_params) {
3472 			result = -EOPNOTSUPP;
3473 			goto out;
3474 		}
3475 
3476 		if (!netdev) {
3477 			result = -EINVAL;
3478 			goto out;
3479 		}
3480 
3481 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3482 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3483 			result = -EINVAL;
3484 			goto out;
3485 		}
3486 
3487 		if (!netif_running(netdev)) {
3488 			result = -ENETDOWN;
3489 			goto out;
3490 		}
3491 
3492 		nla_for_each_nested(nl_txq_params,
3493 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3494 				    rem_txq_params) {
3495 			result = nla_parse_nested_deprecated(tb,
3496 							     NL80211_TXQ_ATTR_MAX,
3497 							     nl_txq_params,
3498 							     txq_params_policy,
3499 							     info->extack);
3500 			if (result)
3501 				goto out;
3502 			result = parse_txq_params(tb, &txq_params);
3503 			if (result)
3504 				goto out;
3505 
3506 			txq_params.link_id =
3507 				nl80211_link_id_or_invalid(info->attrs);
3508 
3509 			wdev_lock(netdev->ieee80211_ptr);
3510 			if (txq_params.link_id >= 0 &&
3511 			    !(netdev->ieee80211_ptr->valid_links &
3512 			      BIT(txq_params.link_id)))
3513 				result = -ENOLINK;
3514 			else if (txq_params.link_id >= 0 &&
3515 				 !netdev->ieee80211_ptr->valid_links)
3516 				result = -EINVAL;
3517 			else
3518 				result = rdev_set_txq_params(rdev, netdev,
3519 							     &txq_params);
3520 			wdev_unlock(netdev->ieee80211_ptr);
3521 			if (result)
3522 				goto out;
3523 		}
3524 	}
3525 
3526 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3527 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3528 
3529 		if (wdev) {
3530 			wdev_lock(wdev);
3531 			result = __nl80211_set_channel(
3532 				rdev,
3533 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3534 				info, link_id);
3535 			wdev_unlock(wdev);
3536 		} else {
3537 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3538 		}
3539 
3540 		if (result)
3541 			goto out;
3542 	}
3543 
3544 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3545 		struct wireless_dev *txp_wdev = wdev;
3546 		enum nl80211_tx_power_setting type;
3547 		int idx, mbm = 0;
3548 
3549 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3550 			txp_wdev = NULL;
3551 
3552 		if (!rdev->ops->set_tx_power) {
3553 			result = -EOPNOTSUPP;
3554 			goto out;
3555 		}
3556 
3557 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3558 		type = nla_get_u32(info->attrs[idx]);
3559 
3560 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3561 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3562 			result = -EINVAL;
3563 			goto out;
3564 		}
3565 
3566 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3567 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3568 			mbm = nla_get_u32(info->attrs[idx]);
3569 		}
3570 
3571 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3572 		if (result)
3573 			goto out;
3574 	}
3575 
3576 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3577 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3578 		u32 tx_ant, rx_ant;
3579 
3580 		if ((!rdev->wiphy.available_antennas_tx &&
3581 		     !rdev->wiphy.available_antennas_rx) ||
3582 		    !rdev->ops->set_antenna) {
3583 			result = -EOPNOTSUPP;
3584 			goto out;
3585 		}
3586 
3587 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3588 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3589 
3590 		/* reject antenna configurations which don't match the
3591 		 * available antenna masks, except for the "all" mask */
3592 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3593 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3594 			result = -EINVAL;
3595 			goto out;
3596 		}
3597 
3598 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3599 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3600 
3601 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3602 		if (result)
3603 			goto out;
3604 	}
3605 
3606 	changed = 0;
3607 
3608 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3609 		retry_short = nla_get_u8(
3610 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3611 
3612 		changed |= WIPHY_PARAM_RETRY_SHORT;
3613 	}
3614 
3615 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3616 		retry_long = nla_get_u8(
3617 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3618 
3619 		changed |= WIPHY_PARAM_RETRY_LONG;
3620 	}
3621 
3622 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3623 		frag_threshold = nla_get_u32(
3624 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3625 		if (frag_threshold < 256) {
3626 			result = -EINVAL;
3627 			goto out;
3628 		}
3629 
3630 		if (frag_threshold != (u32) -1) {
3631 			/*
3632 			 * Fragments (apart from the last one) are required to
3633 			 * have even length. Make the fragmentation code
3634 			 * simpler by stripping LSB should someone try to use
3635 			 * odd threshold value.
3636 			 */
3637 			frag_threshold &= ~0x1;
3638 		}
3639 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3640 	}
3641 
3642 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3643 		rts_threshold = nla_get_u32(
3644 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3645 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3646 	}
3647 
3648 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3649 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3650 			result = -EINVAL;
3651 			goto out;
3652 		}
3653 
3654 		coverage_class = nla_get_u8(
3655 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3656 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3657 	}
3658 
3659 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3660 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3661 			result = -EOPNOTSUPP;
3662 			goto out;
3663 		}
3664 
3665 		changed |= WIPHY_PARAM_DYN_ACK;
3666 	}
3667 
3668 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3669 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3670 					     NL80211_EXT_FEATURE_TXQS)) {
3671 			result = -EOPNOTSUPP;
3672 			goto out;
3673 		}
3674 		txq_limit = nla_get_u32(
3675 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3676 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3677 	}
3678 
3679 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3680 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3681 					     NL80211_EXT_FEATURE_TXQS)) {
3682 			result = -EOPNOTSUPP;
3683 			goto out;
3684 		}
3685 		txq_memory_limit = nla_get_u32(
3686 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3687 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3688 	}
3689 
3690 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3691 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3692 					     NL80211_EXT_FEATURE_TXQS)) {
3693 			result = -EOPNOTSUPP;
3694 			goto out;
3695 		}
3696 		txq_quantum = nla_get_u32(
3697 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3698 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3699 	}
3700 
3701 	if (changed) {
3702 		u8 old_retry_short, old_retry_long;
3703 		u32 old_frag_threshold, old_rts_threshold;
3704 		u8 old_coverage_class;
3705 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3706 
3707 		if (!rdev->ops->set_wiphy_params) {
3708 			result = -EOPNOTSUPP;
3709 			goto out;
3710 		}
3711 
3712 		old_retry_short = rdev->wiphy.retry_short;
3713 		old_retry_long = rdev->wiphy.retry_long;
3714 		old_frag_threshold = rdev->wiphy.frag_threshold;
3715 		old_rts_threshold = rdev->wiphy.rts_threshold;
3716 		old_coverage_class = rdev->wiphy.coverage_class;
3717 		old_txq_limit = rdev->wiphy.txq_limit;
3718 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3719 		old_txq_quantum = rdev->wiphy.txq_quantum;
3720 
3721 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3722 			rdev->wiphy.retry_short = retry_short;
3723 		if (changed & WIPHY_PARAM_RETRY_LONG)
3724 			rdev->wiphy.retry_long = retry_long;
3725 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3726 			rdev->wiphy.frag_threshold = frag_threshold;
3727 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3728 			rdev->wiphy.rts_threshold = rts_threshold;
3729 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3730 			rdev->wiphy.coverage_class = coverage_class;
3731 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3732 			rdev->wiphy.txq_limit = txq_limit;
3733 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3734 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3735 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3736 			rdev->wiphy.txq_quantum = txq_quantum;
3737 
3738 		result = rdev_set_wiphy_params(rdev, changed);
3739 		if (result) {
3740 			rdev->wiphy.retry_short = old_retry_short;
3741 			rdev->wiphy.retry_long = old_retry_long;
3742 			rdev->wiphy.frag_threshold = old_frag_threshold;
3743 			rdev->wiphy.rts_threshold = old_rts_threshold;
3744 			rdev->wiphy.coverage_class = old_coverage_class;
3745 			rdev->wiphy.txq_limit = old_txq_limit;
3746 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3747 			rdev->wiphy.txq_quantum = old_txq_quantum;
3748 			goto out;
3749 		}
3750 	}
3751 
3752 	result = 0;
3753 
3754 out:
3755 	wiphy_unlock(&rdev->wiphy);
3756 	return result;
3757 }
3758 
3759 static int nl80211_send_chandef(struct sk_buff *msg,
3760 				const struct cfg80211_chan_def *chandef)
3761 {
3762 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3763 		return -EINVAL;
3764 
3765 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3766 			chandef->chan->center_freq))
3767 		return -ENOBUFS;
3768 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3769 			chandef->chan->freq_offset))
3770 		return -ENOBUFS;
3771 	switch (chandef->width) {
3772 	case NL80211_CHAN_WIDTH_20_NOHT:
3773 	case NL80211_CHAN_WIDTH_20:
3774 	case NL80211_CHAN_WIDTH_40:
3775 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3776 				cfg80211_get_chandef_type(chandef)))
3777 			return -ENOBUFS;
3778 		break;
3779 	default:
3780 		break;
3781 	}
3782 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3783 		return -ENOBUFS;
3784 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3785 		return -ENOBUFS;
3786 	if (chandef->center_freq2 &&
3787 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3788 		return -ENOBUFS;
3789 	return 0;
3790 }
3791 
3792 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3793 			      struct cfg80211_registered_device *rdev,
3794 			      struct wireless_dev *wdev,
3795 			      enum nl80211_commands cmd)
3796 {
3797 	struct net_device *dev = wdev->netdev;
3798 	void *hdr;
3799 
3800 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3801 		cmd != NL80211_CMD_DEL_INTERFACE &&
3802 		cmd != NL80211_CMD_SET_INTERFACE);
3803 
3804 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3805 	if (!hdr)
3806 		return -1;
3807 
3808 	if (dev &&
3809 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3810 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3811 		goto nla_put_failure;
3812 
3813 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3814 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3815 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3816 			      NL80211_ATTR_PAD) ||
3817 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3818 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3819 			rdev->devlist_generation ^
3820 			(cfg80211_rdev_list_generation << 2)) ||
3821 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3822 		goto nla_put_failure;
3823 
3824 	if (rdev->ops->get_channel && !wdev->valid_links) {
3825 		struct cfg80211_chan_def chandef = {};
3826 		int ret;
3827 
3828 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3829 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3830 			goto nla_put_failure;
3831 	}
3832 
3833 	if (rdev->ops->get_tx_power) {
3834 		int dbm, ret;
3835 
3836 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3837 		if (ret == 0 &&
3838 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3839 				DBM_TO_MBM(dbm)))
3840 			goto nla_put_failure;
3841 	}
3842 
3843 	wdev_lock(wdev);
3844 	switch (wdev->iftype) {
3845 	case NL80211_IFTYPE_AP:
3846 	case NL80211_IFTYPE_P2P_GO:
3847 		if (wdev->u.ap.ssid_len &&
3848 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3849 			    wdev->u.ap.ssid))
3850 			goto nla_put_failure_locked;
3851 		break;
3852 	case NL80211_IFTYPE_STATION:
3853 	case NL80211_IFTYPE_P2P_CLIENT:
3854 		if (wdev->u.client.ssid_len &&
3855 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3856 			    wdev->u.client.ssid))
3857 			goto nla_put_failure_locked;
3858 		break;
3859 	case NL80211_IFTYPE_ADHOC:
3860 		if (wdev->u.ibss.ssid_len &&
3861 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3862 			    wdev->u.ibss.ssid))
3863 			goto nla_put_failure_locked;
3864 		break;
3865 	default:
3866 		/* nothing */
3867 		break;
3868 	}
3869 	wdev_unlock(wdev);
3870 
3871 	if (rdev->ops->get_txq_stats) {
3872 		struct cfg80211_txq_stats txqstats = {};
3873 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3874 
3875 		if (ret == 0 &&
3876 		    !nl80211_put_txq_stats(msg, &txqstats,
3877 					   NL80211_ATTR_TXQ_STATS))
3878 			goto nla_put_failure;
3879 	}
3880 
3881 	if (wdev->valid_links) {
3882 		unsigned int link_id;
3883 		struct nlattr *links = nla_nest_start(msg,
3884 						      NL80211_ATTR_MLO_LINKS);
3885 
3886 		if (!links)
3887 			goto nla_put_failure;
3888 
3889 		for_each_valid_link(wdev, link_id) {
3890 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3891 			struct cfg80211_chan_def chandef = {};
3892 			int ret;
3893 
3894 			if (!link)
3895 				goto nla_put_failure;
3896 
3897 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3898 				goto nla_put_failure;
3899 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3900 				    wdev->links[link_id].addr))
3901 				goto nla_put_failure;
3902 
3903 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3904 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3905 				goto nla_put_failure;
3906 
3907 			nla_nest_end(msg, link);
3908 		}
3909 
3910 		nla_nest_end(msg, links);
3911 	}
3912 
3913 	genlmsg_end(msg, hdr);
3914 	return 0;
3915 
3916  nla_put_failure_locked:
3917 	wdev_unlock(wdev);
3918  nla_put_failure:
3919 	genlmsg_cancel(msg, hdr);
3920 	return -EMSGSIZE;
3921 }
3922 
3923 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3924 {
3925 	int wp_idx = 0;
3926 	int if_idx = 0;
3927 	int wp_start = cb->args[0];
3928 	int if_start = cb->args[1];
3929 	int filter_wiphy = -1;
3930 	struct cfg80211_registered_device *rdev;
3931 	struct wireless_dev *wdev;
3932 	int ret;
3933 
3934 	rtnl_lock();
3935 	if (!cb->args[2]) {
3936 		struct nl80211_dump_wiphy_state state = {
3937 			.filter_wiphy = -1,
3938 		};
3939 
3940 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3941 		if (ret)
3942 			goto out_unlock;
3943 
3944 		filter_wiphy = state.filter_wiphy;
3945 
3946 		/*
3947 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3948 		 * value needed to determine that parsing is necessary.
3949 		 */
3950 		if (filter_wiphy >= 0)
3951 			cb->args[2] = filter_wiphy + 1;
3952 		else
3953 			cb->args[2] = -1;
3954 	} else if (cb->args[2] > 0) {
3955 		filter_wiphy = cb->args[2] - 1;
3956 	}
3957 
3958 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3959 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3960 			continue;
3961 		if (wp_idx < wp_start) {
3962 			wp_idx++;
3963 			continue;
3964 		}
3965 
3966 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3967 			continue;
3968 
3969 		if_idx = 0;
3970 
3971 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3972 			if (if_idx < if_start) {
3973 				if_idx++;
3974 				continue;
3975 			}
3976 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3977 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3978 					       rdev, wdev,
3979 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3980 				goto out;
3981 			}
3982 			if_idx++;
3983 		}
3984 
3985 		wp_idx++;
3986 	}
3987  out:
3988 	cb->args[0] = wp_idx;
3989 	cb->args[1] = if_idx;
3990 
3991 	ret = skb->len;
3992  out_unlock:
3993 	rtnl_unlock();
3994 
3995 	return ret;
3996 }
3997 
3998 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3999 {
4000 	struct sk_buff *msg;
4001 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4002 	struct wireless_dev *wdev = info->user_ptr[1];
4003 
4004 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4005 	if (!msg)
4006 		return -ENOMEM;
4007 
4008 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4009 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4010 		nlmsg_free(msg);
4011 		return -ENOBUFS;
4012 	}
4013 
4014 	return genlmsg_reply(msg, info);
4015 }
4016 
4017 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4018 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4019 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4020 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4021 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4022 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4023 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4024 };
4025 
4026 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4027 {
4028 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4029 	int flag;
4030 
4031 	*mntrflags = 0;
4032 
4033 	if (!nla)
4034 		return -EINVAL;
4035 
4036 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4037 		return -EINVAL;
4038 
4039 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4040 		if (flags[flag])
4041 			*mntrflags |= (1<<flag);
4042 
4043 	*mntrflags |= MONITOR_FLAG_CHANGED;
4044 
4045 	return 0;
4046 }
4047 
4048 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4049 				     enum nl80211_iftype type,
4050 				     struct genl_info *info,
4051 				     struct vif_params *params)
4052 {
4053 	bool change = false;
4054 	int err;
4055 
4056 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4057 		if (type != NL80211_IFTYPE_MONITOR)
4058 			return -EINVAL;
4059 
4060 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4061 					  &params->flags);
4062 		if (err)
4063 			return err;
4064 
4065 		change = true;
4066 	}
4067 
4068 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4069 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4070 		return -EOPNOTSUPP;
4071 
4072 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4073 		const u8 *mumimo_groups;
4074 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4075 
4076 		if (type != NL80211_IFTYPE_MONITOR)
4077 			return -EINVAL;
4078 
4079 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4080 			return -EOPNOTSUPP;
4081 
4082 		mumimo_groups =
4083 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4084 
4085 		/* bits 0 and 63 are reserved and must be zero */
4086 		if ((mumimo_groups[0] & BIT(0)) ||
4087 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4088 			return -EINVAL;
4089 
4090 		params->vht_mumimo_groups = mumimo_groups;
4091 		change = true;
4092 	}
4093 
4094 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4095 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4096 
4097 		if (type != NL80211_IFTYPE_MONITOR)
4098 			return -EINVAL;
4099 
4100 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4101 			return -EOPNOTSUPP;
4102 
4103 		params->vht_mumimo_follow_addr =
4104 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4105 		change = true;
4106 	}
4107 
4108 	return change ? 1 : 0;
4109 }
4110 
4111 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4112 			       struct net_device *netdev, u8 use_4addr,
4113 			       enum nl80211_iftype iftype)
4114 {
4115 	if (!use_4addr) {
4116 		if (netdev && netif_is_bridge_port(netdev))
4117 			return -EBUSY;
4118 		return 0;
4119 	}
4120 
4121 	switch (iftype) {
4122 	case NL80211_IFTYPE_AP_VLAN:
4123 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4124 			return 0;
4125 		break;
4126 	case NL80211_IFTYPE_STATION:
4127 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4128 			return 0;
4129 		break;
4130 	default:
4131 		break;
4132 	}
4133 
4134 	return -EOPNOTSUPP;
4135 }
4136 
4137 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4138 {
4139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4140 	struct vif_params params;
4141 	int err;
4142 	enum nl80211_iftype otype, ntype;
4143 	struct net_device *dev = info->user_ptr[1];
4144 	bool change = false;
4145 
4146 	memset(&params, 0, sizeof(params));
4147 
4148 	otype = ntype = dev->ieee80211_ptr->iftype;
4149 
4150 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4151 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4152 		if (otype != ntype)
4153 			change = true;
4154 	}
4155 
4156 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4157 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4158 
4159 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4160 			return -EINVAL;
4161 		if (netif_running(dev))
4162 			return -EBUSY;
4163 
4164 		wdev_lock(wdev);
4165 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4166 			     IEEE80211_MAX_MESH_ID_LEN);
4167 		wdev->u.mesh.id_up_len =
4168 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4169 		memcpy(wdev->u.mesh.id,
4170 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4171 		       wdev->u.mesh.id_up_len);
4172 		wdev_unlock(wdev);
4173 	}
4174 
4175 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4176 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4177 		change = true;
4178 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4179 		if (err)
4180 			return err;
4181 	} else {
4182 		params.use_4addr = -1;
4183 	}
4184 
4185 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4186 	if (err < 0)
4187 		return err;
4188 	if (err > 0)
4189 		change = true;
4190 
4191 	if (change)
4192 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4193 	else
4194 		err = 0;
4195 
4196 	if (!err && params.use_4addr != -1)
4197 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4198 
4199 	if (change && !err) {
4200 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4201 
4202 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4203 	}
4204 
4205 	return err;
4206 }
4207 
4208 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4209 {
4210 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4211 	struct vif_params params;
4212 	struct wireless_dev *wdev;
4213 	struct sk_buff *msg;
4214 	int err;
4215 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4216 
4217 	memset(&params, 0, sizeof(params));
4218 
4219 	if (!info->attrs[NL80211_ATTR_IFNAME])
4220 		return -EINVAL;
4221 
4222 	if (info->attrs[NL80211_ATTR_IFTYPE])
4223 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4224 
4225 	if (!rdev->ops->add_virtual_intf)
4226 		return -EOPNOTSUPP;
4227 
4228 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4229 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4230 	    info->attrs[NL80211_ATTR_MAC]) {
4231 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4232 			   ETH_ALEN);
4233 		if (!is_valid_ether_addr(params.macaddr))
4234 			return -EADDRNOTAVAIL;
4235 	}
4236 
4237 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4238 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4239 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4240 		if (err)
4241 			return err;
4242 	}
4243 
4244 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4245 		return -EOPNOTSUPP;
4246 
4247 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4248 	if (err < 0)
4249 		return err;
4250 
4251 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4252 	if (!msg)
4253 		return -ENOMEM;
4254 
4255 	wdev = rdev_add_virtual_intf(rdev,
4256 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4257 				NET_NAME_USER, type, &params);
4258 	if (WARN_ON(!wdev)) {
4259 		nlmsg_free(msg);
4260 		return -EPROTO;
4261 	} else if (IS_ERR(wdev)) {
4262 		nlmsg_free(msg);
4263 		return PTR_ERR(wdev);
4264 	}
4265 
4266 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4267 		wdev->owner_nlportid = info->snd_portid;
4268 
4269 	switch (type) {
4270 	case NL80211_IFTYPE_MESH_POINT:
4271 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4272 			break;
4273 		wdev_lock(wdev);
4274 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4275 			     IEEE80211_MAX_MESH_ID_LEN);
4276 		wdev->u.mesh.id_up_len =
4277 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4278 		memcpy(wdev->u.mesh.id,
4279 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4280 		       wdev->u.mesh.id_up_len);
4281 		wdev_unlock(wdev);
4282 		break;
4283 	case NL80211_IFTYPE_NAN:
4284 	case NL80211_IFTYPE_P2P_DEVICE:
4285 		/*
4286 		 * P2P Device and NAN do not have a netdev, so don't go
4287 		 * through the netdev notifier and must be added here
4288 		 */
4289 		cfg80211_init_wdev(wdev);
4290 		cfg80211_register_wdev(rdev, wdev);
4291 		break;
4292 	default:
4293 		break;
4294 	}
4295 
4296 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4297 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4298 		nlmsg_free(msg);
4299 		return -ENOBUFS;
4300 	}
4301 
4302 	return genlmsg_reply(msg, info);
4303 }
4304 
4305 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4306 {
4307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4308 	int ret;
4309 
4310 	/* to avoid failing a new interface creation due to pending removal */
4311 	cfg80211_destroy_ifaces(rdev);
4312 
4313 	wiphy_lock(&rdev->wiphy);
4314 	ret = _nl80211_new_interface(skb, info);
4315 	wiphy_unlock(&rdev->wiphy);
4316 
4317 	return ret;
4318 }
4319 
4320 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4321 {
4322 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4323 	struct wireless_dev *wdev = info->user_ptr[1];
4324 
4325 	if (!rdev->ops->del_virtual_intf)
4326 		return -EOPNOTSUPP;
4327 
4328 	/*
4329 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4330 	 * reach 0, and thus the rdev cannot be deleted.
4331 	 *
4332 	 * We need to do it for the dev_close(), since that will call
4333 	 * the netdev notifiers, and we need to acquire the mutex there
4334 	 * but don't know if we get there from here or from some other
4335 	 * place (e.g. "ip link set ... down").
4336 	 */
4337 	mutex_unlock(&rdev->wiphy.mtx);
4338 
4339 	/*
4340 	 * If we remove a wireless device without a netdev then clear
4341 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4342 	 * to check if it needs to do dev_put(). Otherwise it crashes
4343 	 * since the wdev has been freed, unlike with a netdev where
4344 	 * we need the dev_put() for the netdev to really be freed.
4345 	 */
4346 	if (!wdev->netdev)
4347 		info->user_ptr[1] = NULL;
4348 	else
4349 		dev_close(wdev->netdev);
4350 
4351 	mutex_lock(&rdev->wiphy.mtx);
4352 
4353 	return cfg80211_remove_virtual_intf(rdev, wdev);
4354 }
4355 
4356 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4357 {
4358 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4359 	struct net_device *dev = info->user_ptr[1];
4360 	u16 noack_map;
4361 
4362 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4363 		return -EINVAL;
4364 
4365 	if (!rdev->ops->set_noack_map)
4366 		return -EOPNOTSUPP;
4367 
4368 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4369 
4370 	return rdev_set_noack_map(rdev, dev, noack_map);
4371 }
4372 
4373 static int nl80211_validate_key_link_id(struct genl_info *info,
4374 					struct wireless_dev *wdev,
4375 					int link_id, bool pairwise)
4376 {
4377 	if (pairwise) {
4378 		if (link_id != -1) {
4379 			GENL_SET_ERR_MSG(info,
4380 					 "link ID not allowed for pairwise key");
4381 			return -EINVAL;
4382 		}
4383 
4384 		return 0;
4385 	}
4386 
4387 	if (wdev->valid_links) {
4388 		if (link_id == -1) {
4389 			GENL_SET_ERR_MSG(info,
4390 					 "link ID must for MLO group key");
4391 			return -EINVAL;
4392 		}
4393 		if (!(wdev->valid_links & BIT(link_id))) {
4394 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4395 			return -EINVAL;
4396 		}
4397 	} else if (link_id != -1) {
4398 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4399 		return -EINVAL;
4400 	}
4401 
4402 	return 0;
4403 }
4404 
4405 struct get_key_cookie {
4406 	struct sk_buff *msg;
4407 	int error;
4408 	int idx;
4409 };
4410 
4411 static void get_key_callback(void *c, struct key_params *params)
4412 {
4413 	struct nlattr *key;
4414 	struct get_key_cookie *cookie = c;
4415 
4416 	if ((params->key &&
4417 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4418 		     params->key_len, params->key)) ||
4419 	    (params->seq &&
4420 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4421 		     params->seq_len, params->seq)) ||
4422 	    (params->cipher &&
4423 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4424 			 params->cipher)))
4425 		goto nla_put_failure;
4426 
4427 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4428 	if (!key)
4429 		goto nla_put_failure;
4430 
4431 	if ((params->key &&
4432 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4433 		     params->key_len, params->key)) ||
4434 	    (params->seq &&
4435 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4436 		     params->seq_len, params->seq)) ||
4437 	    (params->cipher &&
4438 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4439 			 params->cipher)))
4440 		goto nla_put_failure;
4441 
4442 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4443 		goto nla_put_failure;
4444 
4445 	nla_nest_end(cookie->msg, key);
4446 
4447 	return;
4448  nla_put_failure:
4449 	cookie->error = 1;
4450 }
4451 
4452 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4453 {
4454 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4455 	int err;
4456 	struct net_device *dev = info->user_ptr[1];
4457 	u8 key_idx = 0;
4458 	const u8 *mac_addr = NULL;
4459 	bool pairwise;
4460 	struct get_key_cookie cookie = {
4461 		.error = 0,
4462 	};
4463 	void *hdr;
4464 	struct sk_buff *msg;
4465 	bool bigtk_support = false;
4466 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4467 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4468 
4469 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4470 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4471 		bigtk_support = true;
4472 
4473 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4474 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4475 	    wiphy_ext_feature_isset(&rdev->wiphy,
4476 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4477 		bigtk_support = true;
4478 
4479 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4480 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4481 
4482 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4483 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4484 			return -EINVAL;
4485 		}
4486 	}
4487 
4488 	if (info->attrs[NL80211_ATTR_MAC])
4489 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4490 
4491 	pairwise = !!mac_addr;
4492 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4493 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4494 
4495 		if (kt != NL80211_KEYTYPE_GROUP &&
4496 		    kt != NL80211_KEYTYPE_PAIRWISE)
4497 			return -EINVAL;
4498 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4499 	}
4500 
4501 	if (!rdev->ops->get_key)
4502 		return -EOPNOTSUPP;
4503 
4504 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4505 		return -ENOENT;
4506 
4507 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4508 	if (!msg)
4509 		return -ENOMEM;
4510 
4511 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4512 			     NL80211_CMD_NEW_KEY);
4513 	if (!hdr)
4514 		goto nla_put_failure;
4515 
4516 	cookie.msg = msg;
4517 	cookie.idx = key_idx;
4518 
4519 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4520 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4521 		goto nla_put_failure;
4522 	if (mac_addr &&
4523 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4524 		goto nla_put_failure;
4525 
4526 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4527 	if (err)
4528 		goto free_msg;
4529 
4530 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4531 			   &cookie, get_key_callback);
4532 
4533 	if (err)
4534 		goto free_msg;
4535 
4536 	if (cookie.error)
4537 		goto nla_put_failure;
4538 
4539 	genlmsg_end(msg, hdr);
4540 	return genlmsg_reply(msg, info);
4541 
4542  nla_put_failure:
4543 	err = -ENOBUFS;
4544  free_msg:
4545 	nlmsg_free(msg);
4546 	return err;
4547 }
4548 
4549 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4550 {
4551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4552 	struct key_parse key;
4553 	int err;
4554 	struct net_device *dev = info->user_ptr[1];
4555 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4556 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4557 
4558 	err = nl80211_parse_key(info, &key);
4559 	if (err)
4560 		return err;
4561 
4562 	if (key.idx < 0)
4563 		return -EINVAL;
4564 
4565 	/* Only support setting default key and
4566 	 * Extended Key ID action NL80211_KEY_SET_TX.
4567 	 */
4568 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4569 	    !(key.p.mode == NL80211_KEY_SET_TX))
4570 		return -EINVAL;
4571 
4572 	wdev_lock(wdev);
4573 
4574 	if (key.def) {
4575 		if (!rdev->ops->set_default_key) {
4576 			err = -EOPNOTSUPP;
4577 			goto out;
4578 		}
4579 
4580 		err = nl80211_key_allowed(wdev);
4581 		if (err)
4582 			goto out;
4583 
4584 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4585 		if (err)
4586 			goto out;
4587 
4588 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4589 					   key.def_uni, key.def_multi);
4590 
4591 		if (err)
4592 			goto out;
4593 
4594 #ifdef CONFIG_CFG80211_WEXT
4595 		wdev->wext.default_key = key.idx;
4596 #endif
4597 	} else if (key.defmgmt) {
4598 		if (key.def_uni || !key.def_multi) {
4599 			err = -EINVAL;
4600 			goto out;
4601 		}
4602 
4603 		if (!rdev->ops->set_default_mgmt_key) {
4604 			err = -EOPNOTSUPP;
4605 			goto out;
4606 		}
4607 
4608 		err = nl80211_key_allowed(wdev);
4609 		if (err)
4610 			goto out;
4611 
4612 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4613 		if (err)
4614 			goto out;
4615 
4616 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4617 		if (err)
4618 			goto out;
4619 
4620 #ifdef CONFIG_CFG80211_WEXT
4621 		wdev->wext.default_mgmt_key = key.idx;
4622 #endif
4623 	} else if (key.defbeacon) {
4624 		if (key.def_uni || !key.def_multi) {
4625 			err = -EINVAL;
4626 			goto out;
4627 		}
4628 
4629 		if (!rdev->ops->set_default_beacon_key) {
4630 			err = -EOPNOTSUPP;
4631 			goto out;
4632 		}
4633 
4634 		err = nl80211_key_allowed(wdev);
4635 		if (err)
4636 			goto out;
4637 
4638 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4639 		if (err)
4640 			goto out;
4641 
4642 		err = rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4643 		if (err)
4644 			goto out;
4645 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4646 		   wiphy_ext_feature_isset(&rdev->wiphy,
4647 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4648 		u8 *mac_addr = NULL;
4649 
4650 		if (info->attrs[NL80211_ATTR_MAC])
4651 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4652 
4653 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4654 			err = -EINVAL;
4655 			goto out;
4656 		}
4657 
4658 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4659 		if (err)
4660 			goto out;
4661 
4662 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4663 				   NL80211_KEYTYPE_PAIRWISE,
4664 				   mac_addr, &key.p);
4665 	} else {
4666 		err = -EINVAL;
4667 	}
4668  out:
4669 	wdev_unlock(wdev);
4670 
4671 	return err;
4672 }
4673 
4674 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4675 {
4676 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4677 	int err;
4678 	struct net_device *dev = info->user_ptr[1];
4679 	struct key_parse key;
4680 	const u8 *mac_addr = NULL;
4681 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4682 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4683 
4684 	err = nl80211_parse_key(info, &key);
4685 	if (err)
4686 		return err;
4687 
4688 	if (!key.p.key) {
4689 		GENL_SET_ERR_MSG(info, "no key");
4690 		return -EINVAL;
4691 	}
4692 
4693 	if (info->attrs[NL80211_ATTR_MAC])
4694 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4695 
4696 	if (key.type == -1) {
4697 		if (mac_addr)
4698 			key.type = NL80211_KEYTYPE_PAIRWISE;
4699 		else
4700 			key.type = NL80211_KEYTYPE_GROUP;
4701 	}
4702 
4703 	/* for now */
4704 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4705 	    key.type != NL80211_KEYTYPE_GROUP) {
4706 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4707 		return -EINVAL;
4708 	}
4709 
4710 	if (key.type == NL80211_KEYTYPE_GROUP &&
4711 	    info->attrs[NL80211_ATTR_VLAN_ID])
4712 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4713 
4714 	if (!rdev->ops->add_key)
4715 		return -EOPNOTSUPP;
4716 
4717 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4718 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4719 					   mac_addr)) {
4720 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4721 		return -EINVAL;
4722 	}
4723 
4724 	wdev_lock(wdev);
4725 	err = nl80211_key_allowed(wdev);
4726 	if (err)
4727 		GENL_SET_ERR_MSG(info, "key not allowed");
4728 
4729 	if (!err)
4730 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4731 				key.type == NL80211_KEYTYPE_PAIRWISE);
4732 
4733 	if (!err) {
4734 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4735 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4736 				    mac_addr, &key.p);
4737 		if (err)
4738 			GENL_SET_ERR_MSG(info, "key addition failed");
4739 	}
4740 	wdev_unlock(wdev);
4741 
4742 	return err;
4743 }
4744 
4745 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4746 {
4747 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4748 	int err;
4749 	struct net_device *dev = info->user_ptr[1];
4750 	u8 *mac_addr = NULL;
4751 	struct key_parse key;
4752 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4753 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4754 
4755 	err = nl80211_parse_key(info, &key);
4756 	if (err)
4757 		return err;
4758 
4759 	if (info->attrs[NL80211_ATTR_MAC])
4760 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4761 
4762 	if (key.type == -1) {
4763 		if (mac_addr)
4764 			key.type = NL80211_KEYTYPE_PAIRWISE;
4765 		else
4766 			key.type = NL80211_KEYTYPE_GROUP;
4767 	}
4768 
4769 	/* for now */
4770 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4771 	    key.type != NL80211_KEYTYPE_GROUP)
4772 		return -EINVAL;
4773 
4774 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4775 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4776 		return -EINVAL;
4777 
4778 	if (!rdev->ops->del_key)
4779 		return -EOPNOTSUPP;
4780 
4781 	wdev_lock(wdev);
4782 	err = nl80211_key_allowed(wdev);
4783 
4784 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4785 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4786 		err = -ENOENT;
4787 
4788 	if (!err)
4789 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4790 				key.type == NL80211_KEYTYPE_PAIRWISE);
4791 
4792 	if (!err)
4793 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4794 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4795 				   mac_addr);
4796 
4797 #ifdef CONFIG_CFG80211_WEXT
4798 	if (!err) {
4799 		if (key.idx == wdev->wext.default_key)
4800 			wdev->wext.default_key = -1;
4801 		else if (key.idx == wdev->wext.default_mgmt_key)
4802 			wdev->wext.default_mgmt_key = -1;
4803 	}
4804 #endif
4805 	wdev_unlock(wdev);
4806 
4807 	return err;
4808 }
4809 
4810 /* This function returns an error or the number of nested attributes */
4811 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4812 {
4813 	struct nlattr *attr;
4814 	int n_entries = 0, tmp;
4815 
4816 	nla_for_each_nested(attr, nl_attr, tmp) {
4817 		if (nla_len(attr) != ETH_ALEN)
4818 			return -EINVAL;
4819 
4820 		n_entries++;
4821 	}
4822 
4823 	return n_entries;
4824 }
4825 
4826 /*
4827  * This function parses ACL information and allocates memory for ACL data.
4828  * On successful return, the calling function is responsible to free the
4829  * ACL buffer returned by this function.
4830  */
4831 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4832 						struct genl_info *info)
4833 {
4834 	enum nl80211_acl_policy acl_policy;
4835 	struct nlattr *attr;
4836 	struct cfg80211_acl_data *acl;
4837 	int i = 0, n_entries, tmp;
4838 
4839 	if (!wiphy->max_acl_mac_addrs)
4840 		return ERR_PTR(-EOPNOTSUPP);
4841 
4842 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4843 		return ERR_PTR(-EINVAL);
4844 
4845 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4846 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4847 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4848 		return ERR_PTR(-EINVAL);
4849 
4850 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4851 		return ERR_PTR(-EINVAL);
4852 
4853 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4854 	if (n_entries < 0)
4855 		return ERR_PTR(n_entries);
4856 
4857 	if (n_entries > wiphy->max_acl_mac_addrs)
4858 		return ERR_PTR(-ENOTSUPP);
4859 
4860 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4861 	if (!acl)
4862 		return ERR_PTR(-ENOMEM);
4863 
4864 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4865 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4866 		i++;
4867 	}
4868 
4869 	acl->n_acl_entries = n_entries;
4870 	acl->acl_policy = acl_policy;
4871 
4872 	return acl;
4873 }
4874 
4875 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4876 {
4877 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4878 	struct net_device *dev = info->user_ptr[1];
4879 	struct cfg80211_acl_data *acl;
4880 	int err;
4881 
4882 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4883 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4884 		return -EOPNOTSUPP;
4885 
4886 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4887 		return -EINVAL;
4888 
4889 	acl = parse_acl_data(&rdev->wiphy, info);
4890 	if (IS_ERR(acl))
4891 		return PTR_ERR(acl);
4892 
4893 	err = rdev_set_mac_acl(rdev, dev, acl);
4894 
4895 	kfree(acl);
4896 
4897 	return err;
4898 }
4899 
4900 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4901 			   u8 *rates, u8 rates_len)
4902 {
4903 	u8 i;
4904 	u32 mask = 0;
4905 
4906 	for (i = 0; i < rates_len; i++) {
4907 		int rate = (rates[i] & 0x7f) * 5;
4908 		int ridx;
4909 
4910 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4911 			struct ieee80211_rate *srate =
4912 				&sband->bitrates[ridx];
4913 			if (rate == srate->bitrate) {
4914 				mask |= 1 << ridx;
4915 				break;
4916 			}
4917 		}
4918 		if (ridx == sband->n_bitrates)
4919 			return 0; /* rate not found */
4920 	}
4921 
4922 	return mask;
4923 }
4924 
4925 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4926 			       u8 *rates, u8 rates_len,
4927 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4928 {
4929 	u8 i;
4930 
4931 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4932 
4933 	for (i = 0; i < rates_len; i++) {
4934 		int ridx, rbit;
4935 
4936 		ridx = rates[i] / 8;
4937 		rbit = BIT(rates[i] % 8);
4938 
4939 		/* check validity */
4940 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4941 			return false;
4942 
4943 		/* check availability */
4944 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4945 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4946 			mcs[ridx] |= rbit;
4947 		else
4948 			return false;
4949 	}
4950 
4951 	return true;
4952 }
4953 
4954 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4955 {
4956 	u16 mcs_mask = 0;
4957 
4958 	switch (vht_mcs_map) {
4959 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4960 		break;
4961 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4962 		mcs_mask = 0x00FF;
4963 		break;
4964 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4965 		mcs_mask = 0x01FF;
4966 		break;
4967 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4968 		mcs_mask = 0x03FF;
4969 		break;
4970 	default:
4971 		break;
4972 	}
4973 
4974 	return mcs_mask;
4975 }
4976 
4977 static void vht_build_mcs_mask(u16 vht_mcs_map,
4978 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4979 {
4980 	u8 nss;
4981 
4982 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4983 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4984 		vht_mcs_map >>= 2;
4985 	}
4986 }
4987 
4988 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4989 			     struct nl80211_txrate_vht *txrate,
4990 			     u16 mcs[NL80211_VHT_NSS_MAX])
4991 {
4992 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4993 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4994 	u8 i;
4995 
4996 	if (!sband->vht_cap.vht_supported)
4997 		return false;
4998 
4999 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5000 
5001 	/* Build vht_mcs_mask from VHT capabilities */
5002 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5003 
5004 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5005 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5006 			mcs[i] = txrate->mcs[i];
5007 		else
5008 			return false;
5009 	}
5010 
5011 	return true;
5012 }
5013 
5014 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5015 {
5016 	switch (he_mcs_map) {
5017 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5018 		return 0;
5019 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5020 		return 0x00FF;
5021 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5022 		return 0x03FF;
5023 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5024 		return 0xFFF;
5025 	default:
5026 		break;
5027 	}
5028 	return 0;
5029 }
5030 
5031 static void he_build_mcs_mask(u16 he_mcs_map,
5032 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5033 {
5034 	u8 nss;
5035 
5036 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5037 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5038 		he_mcs_map >>= 2;
5039 	}
5040 }
5041 
5042 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5043 			   const struct ieee80211_sta_he_cap *he_cap)
5044 {
5045 	struct net_device *dev = info->user_ptr[1];
5046 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5047 	struct cfg80211_chan_def *chandef;
5048 	__le16 tx_mcs;
5049 
5050 	chandef = wdev_chandef(wdev, link_id);
5051 	if (!chandef) {
5052 		/*
5053 		 * This is probably broken, but we never maintained
5054 		 * a chandef in these cases, so it always was.
5055 		 */
5056 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5057 	}
5058 
5059 	switch (chandef->width) {
5060 	case NL80211_CHAN_WIDTH_80P80:
5061 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5062 		break;
5063 	case NL80211_CHAN_WIDTH_160:
5064 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5065 		break;
5066 	default:
5067 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5068 		break;
5069 	}
5070 
5071 	return le16_to_cpu(tx_mcs);
5072 }
5073 
5074 static bool he_set_mcs_mask(struct genl_info *info,
5075 			    struct wireless_dev *wdev,
5076 			    struct ieee80211_supported_band *sband,
5077 			    struct nl80211_txrate_he *txrate,
5078 			    u16 mcs[NL80211_HE_NSS_MAX],
5079 			    unsigned int link_id)
5080 {
5081 	const struct ieee80211_sta_he_cap *he_cap;
5082 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5083 	u16 tx_mcs_map = 0;
5084 	u8 i;
5085 
5086 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5087 	if (!he_cap)
5088 		return false;
5089 
5090 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5091 
5092 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5093 
5094 	/* Build he_mcs_mask from HE capabilities */
5095 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5096 
5097 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5098 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5099 			mcs[i] = txrate->mcs[i];
5100 		else
5101 			return false;
5102 	}
5103 
5104 	return true;
5105 }
5106 
5107 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5108 					 struct nlattr *attrs[],
5109 					 enum nl80211_attrs attr,
5110 					 struct cfg80211_bitrate_mask *mask,
5111 					 struct net_device *dev,
5112 					 bool default_all_enabled,
5113 					 unsigned int link_id)
5114 {
5115 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5116 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5117 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5118 	int rem, i;
5119 	struct nlattr *tx_rates;
5120 	struct ieee80211_supported_band *sband;
5121 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5122 
5123 	memset(mask, 0, sizeof(*mask));
5124 	/* Default to all rates enabled */
5125 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5126 		const struct ieee80211_sta_he_cap *he_cap;
5127 
5128 		if (!default_all_enabled)
5129 			break;
5130 
5131 		sband = rdev->wiphy.bands[i];
5132 
5133 		if (!sband)
5134 			continue;
5135 
5136 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5137 		memcpy(mask->control[i].ht_mcs,
5138 		       sband->ht_cap.mcs.rx_mask,
5139 		       sizeof(mask->control[i].ht_mcs));
5140 
5141 		if (sband->vht_cap.vht_supported) {
5142 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5143 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5144 		}
5145 
5146 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5147 		if (!he_cap)
5148 			continue;
5149 
5150 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5151 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5152 
5153 		mask->control[i].he_gi = 0xFF;
5154 		mask->control[i].he_ltf = 0xFF;
5155 	}
5156 
5157 	/* if no rates are given set it back to the defaults */
5158 	if (!attrs[attr])
5159 		goto out;
5160 
5161 	/* The nested attribute uses enum nl80211_band as the index. This maps
5162 	 * directly to the enum nl80211_band values used in cfg80211.
5163 	 */
5164 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5165 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5166 		enum nl80211_band band = nla_type(tx_rates);
5167 		int err;
5168 
5169 		if (band < 0 || band >= NUM_NL80211_BANDS)
5170 			return -EINVAL;
5171 		sband = rdev->wiphy.bands[band];
5172 		if (sband == NULL)
5173 			return -EINVAL;
5174 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5175 						  tx_rates,
5176 						  nl80211_txattr_policy,
5177 						  info->extack);
5178 		if (err)
5179 			return err;
5180 		if (tb[NL80211_TXRATE_LEGACY]) {
5181 			mask->control[band].legacy = rateset_to_mask(
5182 				sband,
5183 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5184 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5185 			if ((mask->control[band].legacy == 0) &&
5186 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5187 				return -EINVAL;
5188 		}
5189 		if (tb[NL80211_TXRATE_HT]) {
5190 			if (!ht_rateset_to_mask(
5191 					sband,
5192 					nla_data(tb[NL80211_TXRATE_HT]),
5193 					nla_len(tb[NL80211_TXRATE_HT]),
5194 					mask->control[band].ht_mcs))
5195 				return -EINVAL;
5196 		}
5197 
5198 		if (tb[NL80211_TXRATE_VHT]) {
5199 			if (!vht_set_mcs_mask(
5200 					sband,
5201 					nla_data(tb[NL80211_TXRATE_VHT]),
5202 					mask->control[band].vht_mcs))
5203 				return -EINVAL;
5204 		}
5205 
5206 		if (tb[NL80211_TXRATE_GI]) {
5207 			mask->control[band].gi =
5208 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5209 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5210 				return -EINVAL;
5211 		}
5212 		if (tb[NL80211_TXRATE_HE] &&
5213 		    !he_set_mcs_mask(info, wdev, sband,
5214 				     nla_data(tb[NL80211_TXRATE_HE]),
5215 				     mask->control[band].he_mcs,
5216 				     link_id))
5217 			return -EINVAL;
5218 
5219 		if (tb[NL80211_TXRATE_HE_GI])
5220 			mask->control[band].he_gi =
5221 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5222 		if (tb[NL80211_TXRATE_HE_LTF])
5223 			mask->control[band].he_ltf =
5224 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5225 
5226 		if (mask->control[band].legacy == 0) {
5227 			/* don't allow empty legacy rates if HT, VHT or HE
5228 			 * are not even supported.
5229 			 */
5230 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5231 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5232 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5233 				return -EINVAL;
5234 
5235 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5236 				if (mask->control[band].ht_mcs[i])
5237 					goto out;
5238 
5239 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5240 				if (mask->control[band].vht_mcs[i])
5241 					goto out;
5242 
5243 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5244 				if (mask->control[band].he_mcs[i])
5245 					goto out;
5246 
5247 			/* legacy and mcs rates may not be both empty */
5248 			return -EINVAL;
5249 		}
5250 	}
5251 
5252 out:
5253 	return 0;
5254 }
5255 
5256 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5257 				   enum nl80211_band band,
5258 				   struct cfg80211_bitrate_mask *beacon_rate)
5259 {
5260 	u32 count_ht, count_vht, count_he, i;
5261 	u32 rate = beacon_rate->control[band].legacy;
5262 
5263 	/* Allow only one rate */
5264 	if (hweight32(rate) > 1)
5265 		return -EINVAL;
5266 
5267 	count_ht = 0;
5268 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5269 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5270 			return -EINVAL;
5271 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5272 			count_ht++;
5273 			if (count_ht > 1)
5274 				return -EINVAL;
5275 		}
5276 		if (count_ht && rate)
5277 			return -EINVAL;
5278 	}
5279 
5280 	count_vht = 0;
5281 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5282 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5283 			return -EINVAL;
5284 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5285 			count_vht++;
5286 			if (count_vht > 1)
5287 				return -EINVAL;
5288 		}
5289 		if (count_vht && rate)
5290 			return -EINVAL;
5291 	}
5292 
5293 	count_he = 0;
5294 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5295 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5296 			return -EINVAL;
5297 		} else if (beacon_rate->control[band].he_mcs[i]) {
5298 			count_he++;
5299 			if (count_he > 1)
5300 				return -EINVAL;
5301 		}
5302 		if (count_he && rate)
5303 			return -EINVAL;
5304 	}
5305 
5306 	if ((count_ht && count_vht && count_he) ||
5307 	    (!rate && !count_ht && !count_vht && !count_he))
5308 		return -EINVAL;
5309 
5310 	if (rate &&
5311 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5312 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5313 		return -EINVAL;
5314 	if (count_ht &&
5315 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5316 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5317 		return -EINVAL;
5318 	if (count_vht &&
5319 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5320 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5321 		return -EINVAL;
5322 	if (count_he &&
5323 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5324 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5325 		return -EINVAL;
5326 
5327 	return 0;
5328 }
5329 
5330 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5331 				       struct net_device *dev,
5332 				       struct nlattr *attrs,
5333 				       struct cfg80211_mbssid_config *config,
5334 				       u8 num_elems)
5335 {
5336 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5337 
5338 	if (!wiphy->mbssid_max_interfaces)
5339 		return -EOPNOTSUPP;
5340 
5341 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5342 			     NULL) ||
5343 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5344 		return -EINVAL;
5345 
5346 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5347 	if (config->ema) {
5348 		if (!wiphy->ema_max_profile_periodicity)
5349 			return -EOPNOTSUPP;
5350 
5351 		if (num_elems > wiphy->ema_max_profile_periodicity)
5352 			return -EINVAL;
5353 	}
5354 
5355 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5356 	if (config->index >= wiphy->mbssid_max_interfaces ||
5357 	    (!config->index && !num_elems))
5358 		return -EINVAL;
5359 
5360 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5361 		u32 tx_ifindex =
5362 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5363 
5364 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5365 		    (config->index && tx_ifindex == dev->ifindex))
5366 			return -EINVAL;
5367 
5368 		if (tx_ifindex != dev->ifindex) {
5369 			struct net_device *tx_netdev =
5370 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5371 
5372 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5373 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5374 			    tx_netdev->ieee80211_ptr->iftype !=
5375 							NL80211_IFTYPE_AP) {
5376 				dev_put(tx_netdev);
5377 				return -EINVAL;
5378 			}
5379 
5380 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5381 		} else {
5382 			config->tx_wdev = dev->ieee80211_ptr;
5383 		}
5384 	} else if (!config->index) {
5385 		config->tx_wdev = dev->ieee80211_ptr;
5386 	} else {
5387 		return -EINVAL;
5388 	}
5389 
5390 	return 0;
5391 }
5392 
5393 static struct cfg80211_mbssid_elems *
5394 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5395 {
5396 	struct nlattr *nl_elems;
5397 	struct cfg80211_mbssid_elems *elems;
5398 	int rem_elems;
5399 	u8 i = 0, num_elems = 0;
5400 
5401 	if (!wiphy->mbssid_max_interfaces)
5402 		return ERR_PTR(-EINVAL);
5403 
5404 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5405 		num_elems++;
5406 
5407 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5408 	if (!elems)
5409 		return ERR_PTR(-ENOMEM);
5410 
5411 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5412 		elems->elem[i].data = nla_data(nl_elems);
5413 		elems->elem[i].len = nla_len(nl_elems);
5414 		i++;
5415 	}
5416 	elems->cnt = num_elems;
5417 	return elems;
5418 }
5419 
5420 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5421 				      struct cfg80211_he_bss_color *he_bss_color)
5422 {
5423 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5424 	int err;
5425 
5426 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5427 			       he_bss_color_policy, NULL);
5428 	if (err)
5429 		return err;
5430 
5431 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5432 		return -EINVAL;
5433 
5434 	he_bss_color->color =
5435 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5436 	he_bss_color->enabled =
5437 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5438 	he_bss_color->partial =
5439 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5440 
5441 	return 0;
5442 }
5443 
5444 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5445 				struct nlattr *attrs[],
5446 				struct cfg80211_beacon_data *bcn)
5447 {
5448 	bool haveinfo = false;
5449 	int err;
5450 
5451 	memset(bcn, 0, sizeof(*bcn));
5452 
5453 	bcn->link_id = nl80211_link_id(attrs);
5454 
5455 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5456 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5457 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5458 		if (!bcn->head_len)
5459 			return -EINVAL;
5460 		haveinfo = true;
5461 	}
5462 
5463 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5464 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5465 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5466 		haveinfo = true;
5467 	}
5468 
5469 	if (!haveinfo)
5470 		return -EINVAL;
5471 
5472 	if (attrs[NL80211_ATTR_IE]) {
5473 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5474 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5475 	}
5476 
5477 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5478 		bcn->proberesp_ies =
5479 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5480 		bcn->proberesp_ies_len =
5481 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5482 	}
5483 
5484 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5485 		bcn->assocresp_ies =
5486 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5487 		bcn->assocresp_ies_len =
5488 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5489 	}
5490 
5491 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5492 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5493 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5494 	}
5495 
5496 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5497 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5498 
5499 		err = nla_parse_nested_deprecated(tb,
5500 						  NL80211_FTM_RESP_ATTR_MAX,
5501 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5502 						  NULL, NULL);
5503 		if (err)
5504 			return err;
5505 
5506 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5507 		    wiphy_ext_feature_isset(&rdev->wiphy,
5508 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5509 			bcn->ftm_responder = 1;
5510 		else
5511 			return -EOPNOTSUPP;
5512 
5513 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5514 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5515 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5516 		}
5517 
5518 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5519 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5520 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5521 		}
5522 	} else {
5523 		bcn->ftm_responder = -1;
5524 	}
5525 
5526 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5527 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5528 						 &bcn->he_bss_color);
5529 		if (err)
5530 			return err;
5531 		bcn->he_bss_color_valid = true;
5532 	}
5533 
5534 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5535 		struct cfg80211_mbssid_elems *mbssid =
5536 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5537 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5538 
5539 		if (IS_ERR(mbssid))
5540 			return PTR_ERR(mbssid);
5541 
5542 		bcn->mbssid_ies = mbssid;
5543 	}
5544 
5545 	return 0;
5546 }
5547 
5548 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5549 				    struct ieee80211_he_obss_pd *he_obss_pd)
5550 {
5551 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5552 	int err;
5553 
5554 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5555 			       he_obss_pd_policy, NULL);
5556 	if (err)
5557 		return err;
5558 
5559 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5560 		return -EINVAL;
5561 
5562 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5563 
5564 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5565 		he_obss_pd->min_offset =
5566 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5567 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5568 		he_obss_pd->max_offset =
5569 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5570 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5571 		he_obss_pd->non_srg_max_offset =
5572 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5573 
5574 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5575 		return -EINVAL;
5576 
5577 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5578 		memcpy(he_obss_pd->bss_color_bitmap,
5579 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5580 		       sizeof(he_obss_pd->bss_color_bitmap));
5581 
5582 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5583 		memcpy(he_obss_pd->partial_bssid_bitmap,
5584 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5585 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5586 
5587 	he_obss_pd->enable = true;
5588 
5589 	return 0;
5590 }
5591 
5592 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5593 					struct nlattr *attrs,
5594 					struct cfg80211_ap_settings *params)
5595 {
5596 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5597 	int ret;
5598 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5599 
5600 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5601 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5602 		return -EINVAL;
5603 
5604 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5605 			       NULL, NULL);
5606 	if (ret)
5607 		return ret;
5608 
5609 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5610 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5611 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5612 		return -EINVAL;
5613 
5614 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5615 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5616 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5617 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5618 
5619 	return 0;
5620 }
5621 
5622 static int
5623 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5624 				     struct nlattr *attrs,
5625 				     struct cfg80211_ap_settings *params)
5626 {
5627 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5628 	int ret;
5629 	struct cfg80211_unsol_bcast_probe_resp *presp =
5630 					&params->unsol_bcast_probe_resp;
5631 
5632 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5633 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5634 		return -EINVAL;
5635 
5636 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5637 			       attrs, NULL, NULL);
5638 	if (ret)
5639 		return ret;
5640 
5641 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5642 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5643 		return -EINVAL;
5644 
5645 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5646 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5647 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5648 	return 0;
5649 }
5650 
5651 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5652 					    const struct element *rates)
5653 {
5654 	int i;
5655 
5656 	if (!rates)
5657 		return;
5658 
5659 	for (i = 0; i < rates->datalen; i++) {
5660 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5661 			params->ht_required = true;
5662 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5663 			params->vht_required = true;
5664 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5665 			params->he_required = true;
5666 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5667 			params->sae_h2e_required = true;
5668 	}
5669 }
5670 
5671 /*
5672  * Since the nl80211 API didn't include, from the beginning, attributes about
5673  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5674  * benefit of drivers that rebuild IEs in the firmware.
5675  */
5676 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5677 {
5678 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5679 	size_t ies_len = bcn->tail_len;
5680 	const u8 *ies = bcn->tail;
5681 	const struct element *rates;
5682 	const struct element *cap;
5683 
5684 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5685 	nl80211_check_ap_rate_selectors(params, rates);
5686 
5687 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5688 	nl80211_check_ap_rate_selectors(params, rates);
5689 
5690 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5691 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5692 		params->ht_cap = (void *)cap->data;
5693 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5694 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5695 		params->vht_cap = (void *)cap->data;
5696 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5697 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5698 		params->he_cap = (void *)(cap->data + 1);
5699 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5700 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5701 		params->he_oper = (void *)(cap->data + 1);
5702 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5703 	if (cap) {
5704 		if (!cap->datalen)
5705 			return -EINVAL;
5706 		params->eht_cap = (void *)(cap->data + 1);
5707 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5708 						(const u8 *)params->eht_cap,
5709 						cap->datalen - 1, true))
5710 			return -EINVAL;
5711 	}
5712 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5713 	if (cap) {
5714 		if (!cap->datalen)
5715 			return -EINVAL;
5716 		params->eht_oper = (void *)(cap->data + 1);
5717 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5718 						cap->datalen - 1))
5719 			return -EINVAL;
5720 	}
5721 	return 0;
5722 }
5723 
5724 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5725 				   struct cfg80211_ap_settings *params)
5726 {
5727 	struct wireless_dev *wdev;
5728 
5729 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5730 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5731 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5732 			continue;
5733 
5734 		if (!wdev->u.ap.preset_chandef.chan)
5735 			continue;
5736 
5737 		params->chandef = wdev->u.ap.preset_chandef;
5738 		return true;
5739 	}
5740 
5741 	return false;
5742 }
5743 
5744 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5745 				    enum nl80211_auth_type auth_type,
5746 				    enum nl80211_commands cmd)
5747 {
5748 	if (auth_type > NL80211_AUTHTYPE_MAX)
5749 		return false;
5750 
5751 	switch (cmd) {
5752 	case NL80211_CMD_AUTHENTICATE:
5753 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5754 		    auth_type == NL80211_AUTHTYPE_SAE)
5755 			return false;
5756 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5757 					     NL80211_EXT_FEATURE_FILS_STA) &&
5758 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5759 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5760 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5761 			return false;
5762 		return true;
5763 	case NL80211_CMD_CONNECT:
5764 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5765 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5766 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5767 		    auth_type == NL80211_AUTHTYPE_SAE)
5768 			return false;
5769 
5770 		/* FILS with SK PFS or PK not supported yet */
5771 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5772 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5773 			return false;
5774 		if (!wiphy_ext_feature_isset(
5775 			    &rdev->wiphy,
5776 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5777 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5778 			return false;
5779 		return true;
5780 	case NL80211_CMD_START_AP:
5781 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5782 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5783 		    auth_type == NL80211_AUTHTYPE_SAE)
5784 			return false;
5785 		/* FILS not supported yet */
5786 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5787 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5788 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5789 			return false;
5790 		return true;
5791 	default:
5792 		return false;
5793 	}
5794 }
5795 
5796 static void nl80211_send_ap_started(struct wireless_dev *wdev,
5797 				    unsigned int link_id)
5798 {
5799 	struct wiphy *wiphy = wdev->wiphy;
5800 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
5801 	struct sk_buff *msg;
5802 	void *hdr;
5803 
5804 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5805 	if (!msg)
5806 		return;
5807 
5808 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
5809 	if (!hdr)
5810 		goto out;
5811 
5812 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
5813 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
5814 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5815 			      NL80211_ATTR_PAD) ||
5816 	    (wdev->u.ap.ssid_len &&
5817 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
5818 		     wdev->u.ap.ssid)) ||
5819 	    (wdev->valid_links &&
5820 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
5821 		goto out;
5822 
5823 	genlmsg_end(msg, hdr);
5824 
5825 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
5826 				NL80211_MCGRP_MLME, GFP_KERNEL);
5827 	return;
5828 out:
5829 	nlmsg_free(msg);
5830 }
5831 
5832 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5833 {
5834 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5835 	unsigned int link_id = nl80211_link_id(info->attrs);
5836 	struct net_device *dev = info->user_ptr[1];
5837 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5838 	struct cfg80211_ap_settings *params;
5839 	int err;
5840 
5841 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5842 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5843 		return -EOPNOTSUPP;
5844 
5845 	if (!rdev->ops->start_ap)
5846 		return -EOPNOTSUPP;
5847 
5848 	if (wdev->links[link_id].ap.beacon_interval)
5849 		return -EALREADY;
5850 
5851 	/* these are required for START_AP */
5852 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5853 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5854 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5855 		return -EINVAL;
5856 
5857 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5858 	if (!params)
5859 		return -ENOMEM;
5860 
5861 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5862 	if (err)
5863 		goto out;
5864 
5865 	params->beacon_interval =
5866 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5867 	params->dtim_period =
5868 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5869 
5870 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5871 					   params->beacon_interval);
5872 	if (err)
5873 		goto out;
5874 
5875 	/*
5876 	 * In theory, some of these attributes should be required here
5877 	 * but since they were not used when the command was originally
5878 	 * added, keep them optional for old user space programs to let
5879 	 * them continue to work with drivers that do not need the
5880 	 * additional information -- drivers must check!
5881 	 */
5882 	if (info->attrs[NL80211_ATTR_SSID]) {
5883 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5884 		params->ssid_len =
5885 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5886 		if (params->ssid_len == 0) {
5887 			err = -EINVAL;
5888 			goto out;
5889 		}
5890 
5891 		if (wdev->u.ap.ssid_len &&
5892 		    (wdev->u.ap.ssid_len != params->ssid_len ||
5893 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5894 			/* require identical SSID for MLO */
5895 			err = -EINVAL;
5896 			goto out;
5897 		}
5898 	} else if (wdev->valid_links) {
5899 		/* require SSID for MLO */
5900 		err = -EINVAL;
5901 		goto out;
5902 	}
5903 
5904 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5905 		params->hidden_ssid = nla_get_u32(
5906 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5907 
5908 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5909 
5910 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5911 		params->auth_type = nla_get_u32(
5912 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5913 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5914 					     NL80211_CMD_START_AP)) {
5915 			err = -EINVAL;
5916 			goto out;
5917 		}
5918 	} else
5919 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5920 
5921 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5922 				      NL80211_MAX_NR_CIPHER_SUITES);
5923 	if (err)
5924 		goto out;
5925 
5926 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5927 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5928 			err = -EOPNOTSUPP;
5929 			goto out;
5930 		}
5931 		params->inactivity_timeout = nla_get_u16(
5932 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5933 	}
5934 
5935 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5936 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5937 			err = -EINVAL;
5938 			goto out;
5939 		}
5940 		params->p2p_ctwindow =
5941 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5942 		if (params->p2p_ctwindow != 0 &&
5943 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5944 			err = -EINVAL;
5945 			goto out;
5946 		}
5947 	}
5948 
5949 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5950 		u8 tmp;
5951 
5952 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5953 			err = -EINVAL;
5954 			goto out;
5955 		}
5956 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5957 		params->p2p_opp_ps = tmp;
5958 		if (params->p2p_opp_ps != 0 &&
5959 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5960 			err = -EINVAL;
5961 			goto out;
5962 		}
5963 	}
5964 
5965 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5966 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5967 		if (err)
5968 			goto out;
5969 	} else if (wdev->valid_links) {
5970 		/* with MLD need to specify the channel configuration */
5971 		err = -EINVAL;
5972 		goto out;
5973 	} else if (wdev->u.ap.preset_chandef.chan) {
5974 		params->chandef = wdev->u.ap.preset_chandef;
5975 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5976 		err = -EINVAL;
5977 		goto out;
5978 	}
5979 
5980 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
5981 		err = nl80211_parse_punct_bitmap(rdev, info,
5982 						 &params->chandef,
5983 						 &params->punct_bitmap);
5984 		if (err)
5985 			goto out;
5986 	}
5987 
5988 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5989 					   wdev->iftype)) {
5990 		err = -EINVAL;
5991 		goto out;
5992 	}
5993 
5994 	wdev_lock(wdev);
5995 
5996 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5997 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5998 						    NL80211_ATTR_TX_RATES,
5999 						    &params->beacon_rate,
6000 						    dev, false, link_id);
6001 		if (err)
6002 			goto out_unlock;
6003 
6004 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6005 					      &params->beacon_rate);
6006 		if (err)
6007 			goto out_unlock;
6008 	}
6009 
6010 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6011 		params->smps_mode =
6012 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6013 		switch (params->smps_mode) {
6014 		case NL80211_SMPS_OFF:
6015 			break;
6016 		case NL80211_SMPS_STATIC:
6017 			if (!(rdev->wiphy.features &
6018 			      NL80211_FEATURE_STATIC_SMPS)) {
6019 				err = -EINVAL;
6020 				goto out_unlock;
6021 			}
6022 			break;
6023 		case NL80211_SMPS_DYNAMIC:
6024 			if (!(rdev->wiphy.features &
6025 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6026 				err = -EINVAL;
6027 				goto out_unlock;
6028 			}
6029 			break;
6030 		default:
6031 			err = -EINVAL;
6032 			goto out_unlock;
6033 		}
6034 	} else {
6035 		params->smps_mode = NL80211_SMPS_OFF;
6036 	}
6037 
6038 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6039 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6040 		err = -EOPNOTSUPP;
6041 		goto out_unlock;
6042 	}
6043 
6044 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6045 		params->acl = parse_acl_data(&rdev->wiphy, info);
6046 		if (IS_ERR(params->acl)) {
6047 			err = PTR_ERR(params->acl);
6048 			params->acl = NULL;
6049 			goto out_unlock;
6050 		}
6051 	}
6052 
6053 	params->twt_responder =
6054 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6055 
6056 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6057 		err = nl80211_parse_he_obss_pd(
6058 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6059 					&params->he_obss_pd);
6060 		if (err)
6061 			goto out_unlock;
6062 	}
6063 
6064 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6065 		err = nl80211_parse_fils_discovery(rdev,
6066 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6067 						   params);
6068 		if (err)
6069 			goto out_unlock;
6070 	}
6071 
6072 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6073 		err = nl80211_parse_unsol_bcast_probe_resp(
6074 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6075 			params);
6076 		if (err)
6077 			goto out_unlock;
6078 	}
6079 
6080 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6081 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6082 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6083 						  &params->mbssid_config,
6084 						  params->beacon.mbssid_ies ?
6085 							params->beacon.mbssid_ies->cnt :
6086 							0);
6087 		if (err)
6088 			goto out_unlock;
6089 	}
6090 
6091 	err = nl80211_calculate_ap_params(params);
6092 	if (err)
6093 		goto out_unlock;
6094 
6095 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6096 		params->flags = nla_get_u32(
6097 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6098 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6099 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6100 
6101 	if (wdev->conn_owner_nlportid &&
6102 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6103 	    wdev->conn_owner_nlportid != info->snd_portid) {
6104 		err = -EINVAL;
6105 		goto out_unlock;
6106 	}
6107 
6108 	/* FIXME: validate MLO/link-id against driver capabilities */
6109 
6110 	err = rdev_start_ap(rdev, dev, params);
6111 	if (!err) {
6112 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6113 		wdev->links[link_id].ap.chandef = params->chandef;
6114 		wdev->u.ap.ssid_len = params->ssid_len;
6115 		memcpy(wdev->u.ap.ssid, params->ssid,
6116 		       params->ssid_len);
6117 
6118 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6119 			wdev->conn_owner_nlportid = info->snd_portid;
6120 
6121 		nl80211_send_ap_started(wdev, link_id);
6122 	}
6123 out_unlock:
6124 	wdev_unlock(wdev);
6125 out:
6126 	kfree(params->acl);
6127 	kfree(params->beacon.mbssid_ies);
6128 	if (params->mbssid_config.tx_wdev &&
6129 	    params->mbssid_config.tx_wdev->netdev &&
6130 	    params->mbssid_config.tx_wdev->netdev != dev)
6131 		dev_put(params->mbssid_config.tx_wdev->netdev);
6132 	kfree(params);
6133 
6134 	return err;
6135 }
6136 
6137 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6138 {
6139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6140 	unsigned int link_id = nl80211_link_id(info->attrs);
6141 	struct net_device *dev = info->user_ptr[1];
6142 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6143 	struct cfg80211_beacon_data params;
6144 	int err;
6145 
6146 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6147 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6148 		return -EOPNOTSUPP;
6149 
6150 	if (!rdev->ops->change_beacon)
6151 		return -EOPNOTSUPP;
6152 
6153 	if (!wdev->links[link_id].ap.beacon_interval)
6154 		return -EINVAL;
6155 
6156 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
6157 	if (err)
6158 		goto out;
6159 
6160 	wdev_lock(wdev);
6161 	err = rdev_change_beacon(rdev, dev, &params);
6162 	wdev_unlock(wdev);
6163 
6164 out:
6165 	kfree(params.mbssid_ies);
6166 	return err;
6167 }
6168 
6169 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6170 {
6171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6172 	unsigned int link_id = nl80211_link_id(info->attrs);
6173 	struct net_device *dev = info->user_ptr[1];
6174 
6175 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6176 }
6177 
6178 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6179 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6180 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6181 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6182 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6183 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6184 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6185 };
6186 
6187 static int parse_station_flags(struct genl_info *info,
6188 			       enum nl80211_iftype iftype,
6189 			       struct station_parameters *params)
6190 {
6191 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6192 	struct nlattr *nla;
6193 	int flag;
6194 
6195 	/*
6196 	 * Try parsing the new attribute first so userspace
6197 	 * can specify both for older kernels.
6198 	 */
6199 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6200 	if (nla) {
6201 		struct nl80211_sta_flag_update *sta_flags;
6202 
6203 		sta_flags = nla_data(nla);
6204 		params->sta_flags_mask = sta_flags->mask;
6205 		params->sta_flags_set = sta_flags->set;
6206 		params->sta_flags_set &= params->sta_flags_mask;
6207 		if ((params->sta_flags_mask |
6208 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6209 			return -EINVAL;
6210 		return 0;
6211 	}
6212 
6213 	/* if present, parse the old attribute */
6214 
6215 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6216 	if (!nla)
6217 		return 0;
6218 
6219 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6220 		return -EINVAL;
6221 
6222 	/*
6223 	 * Only allow certain flags for interface types so that
6224 	 * other attributes are silently ignored. Remember that
6225 	 * this is backward compatibility code with old userspace
6226 	 * and shouldn't be hit in other cases anyway.
6227 	 */
6228 	switch (iftype) {
6229 	case NL80211_IFTYPE_AP:
6230 	case NL80211_IFTYPE_AP_VLAN:
6231 	case NL80211_IFTYPE_P2P_GO:
6232 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6233 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6234 					 BIT(NL80211_STA_FLAG_WME) |
6235 					 BIT(NL80211_STA_FLAG_MFP);
6236 		break;
6237 	case NL80211_IFTYPE_P2P_CLIENT:
6238 	case NL80211_IFTYPE_STATION:
6239 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6240 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6241 		break;
6242 	case NL80211_IFTYPE_MESH_POINT:
6243 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6244 					 BIT(NL80211_STA_FLAG_MFP) |
6245 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6246 		break;
6247 	default:
6248 		return -EINVAL;
6249 	}
6250 
6251 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6252 		if (flags[flag]) {
6253 			params->sta_flags_set |= (1<<flag);
6254 
6255 			/* no longer support new API additions in old API */
6256 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6257 				return -EINVAL;
6258 		}
6259 	}
6260 
6261 	return 0;
6262 }
6263 
6264 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6265 {
6266 	struct nlattr *rate;
6267 	u32 bitrate;
6268 	u16 bitrate_compat;
6269 	enum nl80211_rate_info rate_flg;
6270 
6271 	rate = nla_nest_start_noflag(msg, attr);
6272 	if (!rate)
6273 		return false;
6274 
6275 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6276 	bitrate = cfg80211_calculate_bitrate(info);
6277 	/* report 16-bit bitrate only if we can */
6278 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6279 	if (bitrate > 0 &&
6280 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6281 		return false;
6282 	if (bitrate_compat > 0 &&
6283 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6284 		return false;
6285 
6286 	switch (info->bw) {
6287 	case RATE_INFO_BW_5:
6288 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6289 		break;
6290 	case RATE_INFO_BW_10:
6291 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6292 		break;
6293 	default:
6294 		WARN_ON(1);
6295 		fallthrough;
6296 	case RATE_INFO_BW_20:
6297 		rate_flg = 0;
6298 		break;
6299 	case RATE_INFO_BW_40:
6300 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6301 		break;
6302 	case RATE_INFO_BW_80:
6303 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6304 		break;
6305 	case RATE_INFO_BW_160:
6306 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6307 		break;
6308 	case RATE_INFO_BW_HE_RU:
6309 		rate_flg = 0;
6310 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6311 		break;
6312 	case RATE_INFO_BW_320:
6313 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6314 		break;
6315 	case RATE_INFO_BW_EHT_RU:
6316 		rate_flg = 0;
6317 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6318 		break;
6319 	}
6320 
6321 	if (rate_flg && nla_put_flag(msg, rate_flg))
6322 		return false;
6323 
6324 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6325 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6326 			return false;
6327 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6328 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6329 			return false;
6330 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6331 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6332 			return false;
6333 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6334 			return false;
6335 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6336 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6337 			return false;
6338 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6339 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6340 			return false;
6341 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6342 			return false;
6343 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6344 			return false;
6345 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6346 			return false;
6347 		if (info->bw == RATE_INFO_BW_HE_RU &&
6348 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6349 			       info->he_ru_alloc))
6350 			return false;
6351 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6352 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6353 			return false;
6354 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6355 			return false;
6356 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6357 			return false;
6358 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6359 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6360 			       info->eht_ru_alloc))
6361 			return false;
6362 	}
6363 
6364 	nla_nest_end(msg, rate);
6365 	return true;
6366 }
6367 
6368 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6369 			       int id)
6370 {
6371 	void *attr;
6372 	int i = 0;
6373 
6374 	if (!mask)
6375 		return true;
6376 
6377 	attr = nla_nest_start_noflag(msg, id);
6378 	if (!attr)
6379 		return false;
6380 
6381 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6382 		if (!(mask & BIT(i)))
6383 			continue;
6384 
6385 		if (nla_put_u8(msg, i, signal[i]))
6386 			return false;
6387 	}
6388 
6389 	nla_nest_end(msg, attr);
6390 
6391 	return true;
6392 }
6393 
6394 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6395 				u32 seq, int flags,
6396 				struct cfg80211_registered_device *rdev,
6397 				struct net_device *dev,
6398 				const u8 *mac_addr, struct station_info *sinfo)
6399 {
6400 	void *hdr;
6401 	struct nlattr *sinfoattr, *bss_param;
6402 
6403 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6404 	if (!hdr) {
6405 		cfg80211_sinfo_release_content(sinfo);
6406 		return -1;
6407 	}
6408 
6409 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6410 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6411 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6412 		goto nla_put_failure;
6413 
6414 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6415 	if (!sinfoattr)
6416 		goto nla_put_failure;
6417 
6418 #define PUT_SINFO(attr, memb, type) do {				\
6419 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6420 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6421 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6422 			     sinfo->memb))				\
6423 		goto nla_put_failure;					\
6424 	} while (0)
6425 #define PUT_SINFO_U64(attr, memb) do {					\
6426 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6427 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6428 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6429 		goto nla_put_failure;					\
6430 	} while (0)
6431 
6432 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6433 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6434 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6435 
6436 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6437 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6438 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6439 			(u32)sinfo->rx_bytes))
6440 		goto nla_put_failure;
6441 
6442 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6443 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6444 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6445 			(u32)sinfo->tx_bytes))
6446 		goto nla_put_failure;
6447 
6448 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6449 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6450 	PUT_SINFO(LLID, llid, u16);
6451 	PUT_SINFO(PLID, plid, u16);
6452 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6453 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6454 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6455 
6456 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6457 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6458 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6459 
6460 	switch (rdev->wiphy.signal_type) {
6461 	case CFG80211_SIGNAL_TYPE_MBM:
6462 		PUT_SINFO(SIGNAL, signal, u8);
6463 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6464 		break;
6465 	default:
6466 		break;
6467 	}
6468 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6469 		if (!nl80211_put_signal(msg, sinfo->chains,
6470 					sinfo->chain_signal,
6471 					NL80211_STA_INFO_CHAIN_SIGNAL))
6472 			goto nla_put_failure;
6473 	}
6474 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6475 		if (!nl80211_put_signal(msg, sinfo->chains,
6476 					sinfo->chain_signal_avg,
6477 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6478 			goto nla_put_failure;
6479 	}
6480 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6481 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6482 					  NL80211_STA_INFO_TX_BITRATE))
6483 			goto nla_put_failure;
6484 	}
6485 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6486 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6487 					  NL80211_STA_INFO_RX_BITRATE))
6488 			goto nla_put_failure;
6489 	}
6490 
6491 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6492 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6493 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6494 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6495 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6496 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6497 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6498 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6499 	PUT_SINFO(PEER_PM, peer_pm, u32);
6500 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6501 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6502 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6503 
6504 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6505 		bss_param = nla_nest_start_noflag(msg,
6506 						  NL80211_STA_INFO_BSS_PARAM);
6507 		if (!bss_param)
6508 			goto nla_put_failure;
6509 
6510 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6511 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6512 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6513 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6514 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6515 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6516 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6517 			       sinfo->bss_param.dtim_period) ||
6518 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6519 				sinfo->bss_param.beacon_interval))
6520 			goto nla_put_failure;
6521 
6522 		nla_nest_end(msg, bss_param);
6523 	}
6524 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6525 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6526 		    sizeof(struct nl80211_sta_flag_update),
6527 		    &sinfo->sta_flags))
6528 		goto nla_put_failure;
6529 
6530 	PUT_SINFO_U64(T_OFFSET, t_offset);
6531 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6532 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6533 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6534 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6535 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6536 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6537 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6538 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6539 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6540 	}
6541 
6542 #undef PUT_SINFO
6543 #undef PUT_SINFO_U64
6544 
6545 	if (sinfo->pertid) {
6546 		struct nlattr *tidsattr;
6547 		int tid;
6548 
6549 		tidsattr = nla_nest_start_noflag(msg,
6550 						 NL80211_STA_INFO_TID_STATS);
6551 		if (!tidsattr)
6552 			goto nla_put_failure;
6553 
6554 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6555 			struct cfg80211_tid_stats *tidstats;
6556 			struct nlattr *tidattr;
6557 
6558 			tidstats = &sinfo->pertid[tid];
6559 
6560 			if (!tidstats->filled)
6561 				continue;
6562 
6563 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6564 			if (!tidattr)
6565 				goto nla_put_failure;
6566 
6567 #define PUT_TIDVAL_U64(attr, memb) do {					\
6568 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6569 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6570 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6571 		goto nla_put_failure;					\
6572 	} while (0)
6573 
6574 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6575 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6576 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6577 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6578 
6579 #undef PUT_TIDVAL_U64
6580 			if ((tidstats->filled &
6581 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6582 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6583 						   NL80211_TID_STATS_TXQ_STATS))
6584 				goto nla_put_failure;
6585 
6586 			nla_nest_end(msg, tidattr);
6587 		}
6588 
6589 		nla_nest_end(msg, tidsattr);
6590 	}
6591 
6592 	nla_nest_end(msg, sinfoattr);
6593 
6594 	if (sinfo->assoc_req_ies_len &&
6595 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6596 		    sinfo->assoc_req_ies))
6597 		goto nla_put_failure;
6598 
6599 	if (sinfo->assoc_resp_ies_len &&
6600 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6601 		    sinfo->assoc_resp_ies))
6602 		goto nla_put_failure;
6603 
6604 	if (sinfo->mlo_params_valid) {
6605 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6606 			       sinfo->assoc_link_id))
6607 			goto nla_put_failure;
6608 
6609 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6610 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6611 			    sinfo->mld_addr))
6612 			goto nla_put_failure;
6613 	}
6614 
6615 	cfg80211_sinfo_release_content(sinfo);
6616 	genlmsg_end(msg, hdr);
6617 	return 0;
6618 
6619  nla_put_failure:
6620 	cfg80211_sinfo_release_content(sinfo);
6621 	genlmsg_cancel(msg, hdr);
6622 	return -EMSGSIZE;
6623 }
6624 
6625 static int nl80211_dump_station(struct sk_buff *skb,
6626 				struct netlink_callback *cb)
6627 {
6628 	struct station_info sinfo;
6629 	struct cfg80211_registered_device *rdev;
6630 	struct wireless_dev *wdev;
6631 	u8 mac_addr[ETH_ALEN];
6632 	int sta_idx = cb->args[2];
6633 	int err;
6634 
6635 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6636 	if (err)
6637 		return err;
6638 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6639 	__acquire(&rdev->wiphy.mtx);
6640 
6641 	if (!wdev->netdev) {
6642 		err = -EINVAL;
6643 		goto out_err;
6644 	}
6645 
6646 	if (!rdev->ops->dump_station) {
6647 		err = -EOPNOTSUPP;
6648 		goto out_err;
6649 	}
6650 
6651 	while (1) {
6652 		memset(&sinfo, 0, sizeof(sinfo));
6653 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6654 					mac_addr, &sinfo);
6655 		if (err == -ENOENT)
6656 			break;
6657 		if (err)
6658 			goto out_err;
6659 
6660 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6661 				NETLINK_CB(cb->skb).portid,
6662 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6663 				rdev, wdev->netdev, mac_addr,
6664 				&sinfo) < 0)
6665 			goto out;
6666 
6667 		sta_idx++;
6668 	}
6669 
6670  out:
6671 	cb->args[2] = sta_idx;
6672 	err = skb->len;
6673  out_err:
6674 	wiphy_unlock(&rdev->wiphy);
6675 
6676 	return err;
6677 }
6678 
6679 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6680 {
6681 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6682 	struct net_device *dev = info->user_ptr[1];
6683 	struct station_info sinfo;
6684 	struct sk_buff *msg;
6685 	u8 *mac_addr = NULL;
6686 	int err;
6687 
6688 	memset(&sinfo, 0, sizeof(sinfo));
6689 
6690 	if (!info->attrs[NL80211_ATTR_MAC])
6691 		return -EINVAL;
6692 
6693 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6694 
6695 	if (!rdev->ops->get_station)
6696 		return -EOPNOTSUPP;
6697 
6698 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6699 	if (err)
6700 		return err;
6701 
6702 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6703 	if (!msg) {
6704 		cfg80211_sinfo_release_content(&sinfo);
6705 		return -ENOMEM;
6706 	}
6707 
6708 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6709 				 info->snd_portid, info->snd_seq, 0,
6710 				 rdev, dev, mac_addr, &sinfo) < 0) {
6711 		nlmsg_free(msg);
6712 		return -ENOBUFS;
6713 	}
6714 
6715 	return genlmsg_reply(msg, info);
6716 }
6717 
6718 int cfg80211_check_station_change(struct wiphy *wiphy,
6719 				  struct station_parameters *params,
6720 				  enum cfg80211_station_type statype)
6721 {
6722 	if (params->listen_interval != -1 &&
6723 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6724 		return -EINVAL;
6725 
6726 	if (params->support_p2p_ps != -1 &&
6727 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6728 		return -EINVAL;
6729 
6730 	if (params->aid &&
6731 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6732 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6733 		return -EINVAL;
6734 
6735 	/* When you run into this, adjust the code below for the new flag */
6736 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6737 
6738 	switch (statype) {
6739 	case CFG80211_STA_MESH_PEER_KERNEL:
6740 	case CFG80211_STA_MESH_PEER_USER:
6741 		/*
6742 		 * No ignoring the TDLS flag here -- the userspace mesh
6743 		 * code doesn't have the bug of including TDLS in the
6744 		 * mask everywhere.
6745 		 */
6746 		if (params->sta_flags_mask &
6747 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6748 				  BIT(NL80211_STA_FLAG_MFP) |
6749 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6750 			return -EINVAL;
6751 		break;
6752 	case CFG80211_STA_TDLS_PEER_SETUP:
6753 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6754 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6755 			return -EINVAL;
6756 		/* ignore since it can't change */
6757 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6758 		break;
6759 	default:
6760 		/* disallow mesh-specific things */
6761 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6762 			return -EINVAL;
6763 		if (params->local_pm)
6764 			return -EINVAL;
6765 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6766 			return -EINVAL;
6767 	}
6768 
6769 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6770 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6771 		/* TDLS can't be set, ... */
6772 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6773 			return -EINVAL;
6774 		/*
6775 		 * ... but don't bother the driver with it. This works around
6776 		 * a hostapd/wpa_supplicant issue -- it always includes the
6777 		 * TLDS_PEER flag in the mask even for AP mode.
6778 		 */
6779 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6780 	}
6781 
6782 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6783 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6784 		/* reject other things that can't change */
6785 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6786 			return -EINVAL;
6787 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6788 			return -EINVAL;
6789 		if (params->link_sta_params.supported_rates)
6790 			return -EINVAL;
6791 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6792 		    params->link_sta_params.vht_capa ||
6793 		    params->link_sta_params.he_capa ||
6794 		    params->link_sta_params.eht_capa)
6795 			return -EINVAL;
6796 	}
6797 
6798 	if (statype != CFG80211_STA_AP_CLIENT &&
6799 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6800 		if (params->vlan)
6801 			return -EINVAL;
6802 	}
6803 
6804 	switch (statype) {
6805 	case CFG80211_STA_AP_MLME_CLIENT:
6806 		/* Use this only for authorizing/unauthorizing a station */
6807 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6808 			return -EOPNOTSUPP;
6809 		break;
6810 	case CFG80211_STA_AP_CLIENT:
6811 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6812 		/* accept only the listed bits */
6813 		if (params->sta_flags_mask &
6814 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6815 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6816 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6817 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6818 				  BIT(NL80211_STA_FLAG_WME) |
6819 				  BIT(NL80211_STA_FLAG_MFP)))
6820 			return -EINVAL;
6821 
6822 		/* but authenticated/associated only if driver handles it */
6823 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6824 		    params->sta_flags_mask &
6825 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6826 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6827 			return -EINVAL;
6828 		break;
6829 	case CFG80211_STA_IBSS:
6830 	case CFG80211_STA_AP_STA:
6831 		/* reject any changes other than AUTHORIZED */
6832 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6833 			return -EINVAL;
6834 		break;
6835 	case CFG80211_STA_TDLS_PEER_SETUP:
6836 		/* reject any changes other than AUTHORIZED or WME */
6837 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6838 					       BIT(NL80211_STA_FLAG_WME)))
6839 			return -EINVAL;
6840 		/* force (at least) rates when authorizing */
6841 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6842 		    !params->link_sta_params.supported_rates)
6843 			return -EINVAL;
6844 		break;
6845 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6846 		/* reject any changes */
6847 		return -EINVAL;
6848 	case CFG80211_STA_MESH_PEER_KERNEL:
6849 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6850 			return -EINVAL;
6851 		break;
6852 	case CFG80211_STA_MESH_PEER_USER:
6853 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6854 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6855 			return -EINVAL;
6856 		break;
6857 	}
6858 
6859 	/*
6860 	 * Older kernel versions ignored this attribute entirely, so don't
6861 	 * reject attempts to update it but mark it as unused instead so the
6862 	 * driver won't look at the data.
6863 	 */
6864 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6865 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6866 		params->link_sta_params.opmode_notif_used = false;
6867 
6868 	return 0;
6869 }
6870 EXPORT_SYMBOL(cfg80211_check_station_change);
6871 
6872 /*
6873  * Get vlan interface making sure it is running and on the right wiphy.
6874  */
6875 static struct net_device *get_vlan(struct genl_info *info,
6876 				   struct cfg80211_registered_device *rdev)
6877 {
6878 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6879 	struct net_device *v;
6880 	int ret;
6881 
6882 	if (!vlanattr)
6883 		return NULL;
6884 
6885 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6886 	if (!v)
6887 		return ERR_PTR(-ENODEV);
6888 
6889 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6890 		ret = -EINVAL;
6891 		goto error;
6892 	}
6893 
6894 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6895 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6896 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6897 		ret = -EINVAL;
6898 		goto error;
6899 	}
6900 
6901 	if (!netif_running(v)) {
6902 		ret = -ENETDOWN;
6903 		goto error;
6904 	}
6905 
6906 	return v;
6907  error:
6908 	dev_put(v);
6909 	return ERR_PTR(ret);
6910 }
6911 
6912 static int nl80211_parse_sta_wme(struct genl_info *info,
6913 				 struct station_parameters *params)
6914 {
6915 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6916 	struct nlattr *nla;
6917 	int err;
6918 
6919 	/* parse WME attributes if present */
6920 	if (!info->attrs[NL80211_ATTR_STA_WME])
6921 		return 0;
6922 
6923 	nla = info->attrs[NL80211_ATTR_STA_WME];
6924 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6925 					  nl80211_sta_wme_policy,
6926 					  info->extack);
6927 	if (err)
6928 		return err;
6929 
6930 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6931 		params->uapsd_queues = nla_get_u8(
6932 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6933 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6934 		return -EINVAL;
6935 
6936 	if (tb[NL80211_STA_WME_MAX_SP])
6937 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6938 
6939 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6940 		return -EINVAL;
6941 
6942 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6943 
6944 	return 0;
6945 }
6946 
6947 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6948 				      struct station_parameters *params)
6949 {
6950 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6951 		params->supported_channels =
6952 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6953 		params->supported_channels_len =
6954 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6955 		/*
6956 		 * Need to include at least one (first channel, number of
6957 		 * channels) tuple for each subband (checked in policy),
6958 		 * and must have proper tuples for the rest of the data as well.
6959 		 */
6960 		if (params->supported_channels_len % 2)
6961 			return -EINVAL;
6962 	}
6963 
6964 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6965 		params->supported_oper_classes =
6966 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6967 		params->supported_oper_classes_len =
6968 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6969 	}
6970 	return 0;
6971 }
6972 
6973 static int nl80211_set_station_tdls(struct genl_info *info,
6974 				    struct station_parameters *params)
6975 {
6976 	int err;
6977 	/* Dummy STA entry gets updated once the peer capabilities are known */
6978 	if (info->attrs[NL80211_ATTR_PEER_AID])
6979 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6980 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6981 		params->link_sta_params.ht_capa =
6982 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6983 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6984 		params->link_sta_params.vht_capa =
6985 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6986 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6987 		params->link_sta_params.he_capa =
6988 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6989 		params->link_sta_params.he_capa_len =
6990 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6991 
6992 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6993 			params->link_sta_params.eht_capa =
6994 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6995 			params->link_sta_params.eht_capa_len =
6996 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6997 
6998 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
6999 							(const u8 *)params->link_sta_params.eht_capa,
7000 							params->link_sta_params.eht_capa_len,
7001 							false))
7002 				return -EINVAL;
7003 		}
7004 	}
7005 
7006 	err = nl80211_parse_sta_channel_info(info, params);
7007 	if (err)
7008 		return err;
7009 
7010 	return nl80211_parse_sta_wme(info, params);
7011 }
7012 
7013 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7014 					     struct sta_txpwr *txpwr,
7015 					     bool *txpwr_set)
7016 {
7017 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7018 	int idx;
7019 
7020 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7021 		if (!rdev->ops->set_tx_power ||
7022 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7023 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7024 			return -EOPNOTSUPP;
7025 
7026 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7027 		txpwr->type = nla_get_u8(info->attrs[idx]);
7028 
7029 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7030 			idx = NL80211_ATTR_STA_TX_POWER;
7031 
7032 			if (info->attrs[idx])
7033 				txpwr->power = nla_get_s16(info->attrs[idx]);
7034 			else
7035 				return -EINVAL;
7036 		}
7037 
7038 		*txpwr_set = true;
7039 	} else {
7040 		*txpwr_set = false;
7041 	}
7042 
7043 	return 0;
7044 }
7045 
7046 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7047 {
7048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7049 	struct net_device *dev = info->user_ptr[1];
7050 	struct station_parameters params;
7051 	u8 *mac_addr;
7052 	int err;
7053 
7054 	memset(&params, 0, sizeof(params));
7055 
7056 	if (!rdev->ops->change_station)
7057 		return -EOPNOTSUPP;
7058 
7059 	/*
7060 	 * AID and listen_interval properties can be set only for unassociated
7061 	 * station. Include these parameters here and will check them in
7062 	 * cfg80211_check_station_change().
7063 	 */
7064 	if (info->attrs[NL80211_ATTR_STA_AID])
7065 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7066 
7067 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7068 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7069 
7070 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7071 		params.listen_interval =
7072 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7073 	else
7074 		params.listen_interval = -1;
7075 
7076 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7077 		params.support_p2p_ps =
7078 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7079 	else
7080 		params.support_p2p_ps = -1;
7081 
7082 	if (!info->attrs[NL80211_ATTR_MAC])
7083 		return -EINVAL;
7084 
7085 	params.link_sta_params.link_id =
7086 		nl80211_link_id_or_invalid(info->attrs);
7087 
7088 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7089 		/* If MLD_ADDR attribute is set then this is an MLD station
7090 		 * and the MLD_ADDR attribute holds the MLD address and the
7091 		 * MAC attribute holds for the LINK address.
7092 		 * In that case, the link_id is also expected to be valid.
7093 		 */
7094 		if (params.link_sta_params.link_id < 0)
7095 			return -EINVAL;
7096 
7097 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7098 		params.link_sta_params.mld_mac = mac_addr;
7099 		params.link_sta_params.link_mac =
7100 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7101 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7102 			return -EINVAL;
7103 	} else {
7104 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7105 	}
7106 
7107 
7108 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7109 		params.link_sta_params.supported_rates =
7110 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7111 		params.link_sta_params.supported_rates_len =
7112 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7113 	}
7114 
7115 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7116 		params.capability =
7117 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7118 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7119 	}
7120 
7121 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7122 		params.ext_capab =
7123 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7124 		params.ext_capab_len =
7125 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7126 	}
7127 
7128 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7129 		return -EINVAL;
7130 
7131 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7132 		params.plink_action =
7133 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7134 
7135 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7136 		params.plink_state =
7137 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7138 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7139 			params.peer_aid = nla_get_u16(
7140 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7141 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7142 	}
7143 
7144 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7145 		params.local_pm = nla_get_u32(
7146 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7147 
7148 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7149 		params.link_sta_params.opmode_notif_used = true;
7150 		params.link_sta_params.opmode_notif =
7151 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7152 	}
7153 
7154 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7155 		params.link_sta_params.he_6ghz_capa =
7156 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7157 
7158 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7159 		params.airtime_weight =
7160 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7161 
7162 	if (params.airtime_weight &&
7163 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7164 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7165 		return -EOPNOTSUPP;
7166 
7167 	err = nl80211_parse_sta_txpower_setting(info,
7168 						&params.link_sta_params.txpwr,
7169 						&params.link_sta_params.txpwr_set);
7170 	if (err)
7171 		return err;
7172 
7173 	/* Include parameters for TDLS peer (will check later) */
7174 	err = nl80211_set_station_tdls(info, &params);
7175 	if (err)
7176 		return err;
7177 
7178 	params.vlan = get_vlan(info, rdev);
7179 	if (IS_ERR(params.vlan))
7180 		return PTR_ERR(params.vlan);
7181 
7182 	switch (dev->ieee80211_ptr->iftype) {
7183 	case NL80211_IFTYPE_AP:
7184 	case NL80211_IFTYPE_AP_VLAN:
7185 	case NL80211_IFTYPE_P2P_GO:
7186 	case NL80211_IFTYPE_P2P_CLIENT:
7187 	case NL80211_IFTYPE_STATION:
7188 	case NL80211_IFTYPE_ADHOC:
7189 	case NL80211_IFTYPE_MESH_POINT:
7190 		break;
7191 	default:
7192 		err = -EOPNOTSUPP;
7193 		goto out_put_vlan;
7194 	}
7195 
7196 	/* driver will call cfg80211_check_station_change() */
7197 	wdev_lock(dev->ieee80211_ptr);
7198 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7199 	wdev_unlock(dev->ieee80211_ptr);
7200 
7201  out_put_vlan:
7202 	dev_put(params.vlan);
7203 
7204 	return err;
7205 }
7206 
7207 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7208 {
7209 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7210 	int err;
7211 	struct net_device *dev = info->user_ptr[1];
7212 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7213 	struct station_parameters params;
7214 	u8 *mac_addr = NULL;
7215 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7216 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7217 
7218 	memset(&params, 0, sizeof(params));
7219 
7220 	if (!rdev->ops->add_station)
7221 		return -EOPNOTSUPP;
7222 
7223 	if (!info->attrs[NL80211_ATTR_MAC])
7224 		return -EINVAL;
7225 
7226 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7227 		return -EINVAL;
7228 
7229 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7230 		return -EINVAL;
7231 
7232 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7233 	    !info->attrs[NL80211_ATTR_PEER_AID])
7234 		return -EINVAL;
7235 
7236 	params.link_sta_params.link_id =
7237 		nl80211_link_id_or_invalid(info->attrs);
7238 
7239 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7240 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7241 		params.link_sta_params.mld_mac = mac_addr;
7242 		params.link_sta_params.link_mac =
7243 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7244 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7245 			return -EINVAL;
7246 	} else {
7247 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7248 	}
7249 
7250 	params.link_sta_params.supported_rates =
7251 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7252 	params.link_sta_params.supported_rates_len =
7253 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7254 	params.listen_interval =
7255 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7256 
7257 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7258 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7259 
7260 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7261 		params.support_p2p_ps =
7262 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7263 	} else {
7264 		/*
7265 		 * if not specified, assume it's supported for P2P GO interface,
7266 		 * and is NOT supported for AP interface
7267 		 */
7268 		params.support_p2p_ps =
7269 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7270 	}
7271 
7272 	if (info->attrs[NL80211_ATTR_PEER_AID])
7273 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7274 	else
7275 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7276 
7277 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7278 		params.capability =
7279 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7280 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7281 	}
7282 
7283 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7284 		params.ext_capab =
7285 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7286 		params.ext_capab_len =
7287 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7288 	}
7289 
7290 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7291 		params.link_sta_params.ht_capa =
7292 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7293 
7294 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7295 		params.link_sta_params.vht_capa =
7296 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7297 
7298 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7299 		params.link_sta_params.he_capa =
7300 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7301 		params.link_sta_params.he_capa_len =
7302 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7303 
7304 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7305 			params.link_sta_params.eht_capa =
7306 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7307 			params.link_sta_params.eht_capa_len =
7308 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7309 
7310 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7311 							(const u8 *)params.link_sta_params.eht_capa,
7312 							params.link_sta_params.eht_capa_len,
7313 							false))
7314 				return -EINVAL;
7315 		}
7316 	}
7317 
7318 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7319 		params.link_sta_params.he_6ghz_capa =
7320 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7321 
7322 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7323 		params.link_sta_params.opmode_notif_used = true;
7324 		params.link_sta_params.opmode_notif =
7325 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7326 	}
7327 
7328 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7329 		params.plink_action =
7330 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7331 
7332 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7333 		params.airtime_weight =
7334 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7335 
7336 	if (params.airtime_weight &&
7337 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7338 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7339 		return -EOPNOTSUPP;
7340 
7341 	err = nl80211_parse_sta_txpower_setting(info,
7342 						&params.link_sta_params.txpwr,
7343 						&params.link_sta_params.txpwr_set);
7344 	if (err)
7345 		return err;
7346 
7347 	err = nl80211_parse_sta_channel_info(info, &params);
7348 	if (err)
7349 		return err;
7350 
7351 	err = nl80211_parse_sta_wme(info, &params);
7352 	if (err)
7353 		return err;
7354 
7355 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7356 		return -EINVAL;
7357 
7358 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7359 	 * as userspace might just pass through the capabilities from the IEs
7360 	 * directly, rather than enforcing this restriction and returning an
7361 	 * error in this case.
7362 	 */
7363 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7364 		params.link_sta_params.ht_capa = NULL;
7365 		params.link_sta_params.vht_capa = NULL;
7366 
7367 		/* HE and EHT require WME */
7368 		if (params.link_sta_params.he_capa_len ||
7369 		    params.link_sta_params.he_6ghz_capa ||
7370 		    params.link_sta_params.eht_capa_len)
7371 			return -EINVAL;
7372 	}
7373 
7374 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7375 	if (params.link_sta_params.he_6ghz_capa &&
7376 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7377 		return -EINVAL;
7378 
7379 	/* When you run into this, adjust the code below for the new flag */
7380 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7381 
7382 	switch (dev->ieee80211_ptr->iftype) {
7383 	case NL80211_IFTYPE_AP:
7384 	case NL80211_IFTYPE_AP_VLAN:
7385 	case NL80211_IFTYPE_P2P_GO:
7386 		/* ignore WME attributes if iface/sta is not capable */
7387 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7388 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7389 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7390 
7391 		/* TDLS peers cannot be added */
7392 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7393 		    info->attrs[NL80211_ATTR_PEER_AID])
7394 			return -EINVAL;
7395 		/* but don't bother the driver with it */
7396 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7397 
7398 		/* allow authenticated/associated only if driver handles it */
7399 		if (!(rdev->wiphy.features &
7400 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7401 		    params.sta_flags_mask & auth_assoc)
7402 			return -EINVAL;
7403 
7404 		/* Older userspace, or userspace wanting to be compatible with
7405 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7406 		 * and assoc flags in the mask, but assumes the station will be
7407 		 * added as associated anyway since this was the required driver
7408 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7409 		 * introduced.
7410 		 * In order to not bother drivers with this quirk in the API
7411 		 * set the flags in both the mask and set for new stations in
7412 		 * this case.
7413 		 */
7414 		if (!(params.sta_flags_mask & auth_assoc)) {
7415 			params.sta_flags_mask |= auth_assoc;
7416 			params.sta_flags_set |= auth_assoc;
7417 		}
7418 
7419 		/* must be last in here for error handling */
7420 		params.vlan = get_vlan(info, rdev);
7421 		if (IS_ERR(params.vlan))
7422 			return PTR_ERR(params.vlan);
7423 		break;
7424 	case NL80211_IFTYPE_MESH_POINT:
7425 		/* ignore uAPSD data */
7426 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7427 
7428 		/* associated is disallowed */
7429 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7430 			return -EINVAL;
7431 		/* TDLS peers cannot be added */
7432 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7433 		    info->attrs[NL80211_ATTR_PEER_AID])
7434 			return -EINVAL;
7435 		break;
7436 	case NL80211_IFTYPE_STATION:
7437 	case NL80211_IFTYPE_P2P_CLIENT:
7438 		/* ignore uAPSD data */
7439 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7440 
7441 		/* these are disallowed */
7442 		if (params.sta_flags_mask &
7443 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7444 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7445 			return -EINVAL;
7446 		/* Only TDLS peers can be added */
7447 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7448 			return -EINVAL;
7449 		/* Can only add if TDLS ... */
7450 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7451 			return -EOPNOTSUPP;
7452 		/* ... with external setup is supported */
7453 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7454 			return -EOPNOTSUPP;
7455 		/*
7456 		 * Older wpa_supplicant versions always mark the TDLS peer
7457 		 * as authorized, but it shouldn't yet be.
7458 		 */
7459 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7460 		break;
7461 	default:
7462 		return -EOPNOTSUPP;
7463 	}
7464 
7465 	/* be aware of params.vlan when changing code here */
7466 
7467 	wdev_lock(dev->ieee80211_ptr);
7468 	if (wdev->valid_links) {
7469 		if (params.link_sta_params.link_id < 0) {
7470 			err = -EINVAL;
7471 			goto out;
7472 		}
7473 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7474 			err = -ENOLINK;
7475 			goto out;
7476 		}
7477 	} else {
7478 		if (params.link_sta_params.link_id >= 0) {
7479 			err = -EINVAL;
7480 			goto out;
7481 		}
7482 	}
7483 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7484 out:
7485 	wdev_unlock(dev->ieee80211_ptr);
7486 	dev_put(params.vlan);
7487 	return err;
7488 }
7489 
7490 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7491 {
7492 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7493 	struct net_device *dev = info->user_ptr[1];
7494 	struct station_del_parameters params;
7495 	int ret;
7496 
7497 	memset(&params, 0, sizeof(params));
7498 
7499 	if (info->attrs[NL80211_ATTR_MAC])
7500 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7501 
7502 	switch (dev->ieee80211_ptr->iftype) {
7503 	case NL80211_IFTYPE_AP:
7504 	case NL80211_IFTYPE_AP_VLAN:
7505 	case NL80211_IFTYPE_MESH_POINT:
7506 	case NL80211_IFTYPE_P2P_GO:
7507 		/* always accept these */
7508 		break;
7509 	case NL80211_IFTYPE_ADHOC:
7510 		/* conditionally accept */
7511 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7512 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7513 			break;
7514 		return -EINVAL;
7515 	default:
7516 		return -EINVAL;
7517 	}
7518 
7519 	if (!rdev->ops->del_station)
7520 		return -EOPNOTSUPP;
7521 
7522 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7523 		params.subtype =
7524 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7525 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7526 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7527 			return -EINVAL;
7528 	} else {
7529 		/* Default to Deauthentication frame */
7530 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7531 	}
7532 
7533 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7534 		params.reason_code =
7535 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7536 		if (params.reason_code == 0)
7537 			return -EINVAL; /* 0 is reserved */
7538 	} else {
7539 		/* Default to reason code 2 */
7540 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7541 	}
7542 
7543 	wdev_lock(dev->ieee80211_ptr);
7544 	ret = rdev_del_station(rdev, dev, &params);
7545 	wdev_unlock(dev->ieee80211_ptr);
7546 
7547 	return ret;
7548 }
7549 
7550 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7551 				int flags, struct net_device *dev,
7552 				u8 *dst, u8 *next_hop,
7553 				struct mpath_info *pinfo)
7554 {
7555 	void *hdr;
7556 	struct nlattr *pinfoattr;
7557 
7558 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7559 	if (!hdr)
7560 		return -1;
7561 
7562 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7563 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7564 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7565 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7566 		goto nla_put_failure;
7567 
7568 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7569 	if (!pinfoattr)
7570 		goto nla_put_failure;
7571 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7572 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7573 			pinfo->frame_qlen))
7574 		goto nla_put_failure;
7575 	if (((pinfo->filled & MPATH_INFO_SN) &&
7576 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7577 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7578 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7579 			 pinfo->metric)) ||
7580 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7581 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7582 			 pinfo->exptime)) ||
7583 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7584 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7585 			pinfo->flags)) ||
7586 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7587 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7588 			 pinfo->discovery_timeout)) ||
7589 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7590 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7591 			pinfo->discovery_retries)) ||
7592 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7593 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7594 			pinfo->hop_count)) ||
7595 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7596 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7597 			 pinfo->path_change_count)))
7598 		goto nla_put_failure;
7599 
7600 	nla_nest_end(msg, pinfoattr);
7601 
7602 	genlmsg_end(msg, hdr);
7603 	return 0;
7604 
7605  nla_put_failure:
7606 	genlmsg_cancel(msg, hdr);
7607 	return -EMSGSIZE;
7608 }
7609 
7610 static int nl80211_dump_mpath(struct sk_buff *skb,
7611 			      struct netlink_callback *cb)
7612 {
7613 	struct mpath_info pinfo;
7614 	struct cfg80211_registered_device *rdev;
7615 	struct wireless_dev *wdev;
7616 	u8 dst[ETH_ALEN];
7617 	u8 next_hop[ETH_ALEN];
7618 	int path_idx = cb->args[2];
7619 	int err;
7620 
7621 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7622 	if (err)
7623 		return err;
7624 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7625 	__acquire(&rdev->wiphy.mtx);
7626 
7627 	if (!rdev->ops->dump_mpath) {
7628 		err = -EOPNOTSUPP;
7629 		goto out_err;
7630 	}
7631 
7632 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7633 		err = -EOPNOTSUPP;
7634 		goto out_err;
7635 	}
7636 
7637 	while (1) {
7638 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7639 				      next_hop, &pinfo);
7640 		if (err == -ENOENT)
7641 			break;
7642 		if (err)
7643 			goto out_err;
7644 
7645 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7646 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7647 				       wdev->netdev, dst, next_hop,
7648 				       &pinfo) < 0)
7649 			goto out;
7650 
7651 		path_idx++;
7652 	}
7653 
7654  out:
7655 	cb->args[2] = path_idx;
7656 	err = skb->len;
7657  out_err:
7658 	wiphy_unlock(&rdev->wiphy);
7659 	return err;
7660 }
7661 
7662 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7663 {
7664 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7665 	int err;
7666 	struct net_device *dev = info->user_ptr[1];
7667 	struct mpath_info pinfo;
7668 	struct sk_buff *msg;
7669 	u8 *dst = NULL;
7670 	u8 next_hop[ETH_ALEN];
7671 
7672 	memset(&pinfo, 0, sizeof(pinfo));
7673 
7674 	if (!info->attrs[NL80211_ATTR_MAC])
7675 		return -EINVAL;
7676 
7677 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7678 
7679 	if (!rdev->ops->get_mpath)
7680 		return -EOPNOTSUPP;
7681 
7682 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7683 		return -EOPNOTSUPP;
7684 
7685 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7686 	if (err)
7687 		return err;
7688 
7689 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7690 	if (!msg)
7691 		return -ENOMEM;
7692 
7693 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7694 				 dev, dst, next_hop, &pinfo) < 0) {
7695 		nlmsg_free(msg);
7696 		return -ENOBUFS;
7697 	}
7698 
7699 	return genlmsg_reply(msg, info);
7700 }
7701 
7702 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7703 {
7704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7705 	struct net_device *dev = info->user_ptr[1];
7706 	u8 *dst = NULL;
7707 	u8 *next_hop = NULL;
7708 
7709 	if (!info->attrs[NL80211_ATTR_MAC])
7710 		return -EINVAL;
7711 
7712 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7713 		return -EINVAL;
7714 
7715 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7716 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7717 
7718 	if (!rdev->ops->change_mpath)
7719 		return -EOPNOTSUPP;
7720 
7721 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7722 		return -EOPNOTSUPP;
7723 
7724 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7725 }
7726 
7727 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7728 {
7729 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7730 	struct net_device *dev = info->user_ptr[1];
7731 	u8 *dst = NULL;
7732 	u8 *next_hop = NULL;
7733 
7734 	if (!info->attrs[NL80211_ATTR_MAC])
7735 		return -EINVAL;
7736 
7737 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7738 		return -EINVAL;
7739 
7740 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7741 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7742 
7743 	if (!rdev->ops->add_mpath)
7744 		return -EOPNOTSUPP;
7745 
7746 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7747 		return -EOPNOTSUPP;
7748 
7749 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7750 }
7751 
7752 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7753 {
7754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7755 	struct net_device *dev = info->user_ptr[1];
7756 	u8 *dst = NULL;
7757 
7758 	if (info->attrs[NL80211_ATTR_MAC])
7759 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7760 
7761 	if (!rdev->ops->del_mpath)
7762 		return -EOPNOTSUPP;
7763 
7764 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7765 		return -EOPNOTSUPP;
7766 
7767 	return rdev_del_mpath(rdev, dev, dst);
7768 }
7769 
7770 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7771 {
7772 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7773 	int err;
7774 	struct net_device *dev = info->user_ptr[1];
7775 	struct mpath_info pinfo;
7776 	struct sk_buff *msg;
7777 	u8 *dst = NULL;
7778 	u8 mpp[ETH_ALEN];
7779 
7780 	memset(&pinfo, 0, sizeof(pinfo));
7781 
7782 	if (!info->attrs[NL80211_ATTR_MAC])
7783 		return -EINVAL;
7784 
7785 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7786 
7787 	if (!rdev->ops->get_mpp)
7788 		return -EOPNOTSUPP;
7789 
7790 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7791 		return -EOPNOTSUPP;
7792 
7793 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7794 	if (err)
7795 		return err;
7796 
7797 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7798 	if (!msg)
7799 		return -ENOMEM;
7800 
7801 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7802 			       dev, dst, mpp, &pinfo) < 0) {
7803 		nlmsg_free(msg);
7804 		return -ENOBUFS;
7805 	}
7806 
7807 	return genlmsg_reply(msg, info);
7808 }
7809 
7810 static int nl80211_dump_mpp(struct sk_buff *skb,
7811 			    struct netlink_callback *cb)
7812 {
7813 	struct mpath_info pinfo;
7814 	struct cfg80211_registered_device *rdev;
7815 	struct wireless_dev *wdev;
7816 	u8 dst[ETH_ALEN];
7817 	u8 mpp[ETH_ALEN];
7818 	int path_idx = cb->args[2];
7819 	int err;
7820 
7821 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7822 	if (err)
7823 		return err;
7824 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7825 	__acquire(&rdev->wiphy.mtx);
7826 
7827 	if (!rdev->ops->dump_mpp) {
7828 		err = -EOPNOTSUPP;
7829 		goto out_err;
7830 	}
7831 
7832 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7833 		err = -EOPNOTSUPP;
7834 		goto out_err;
7835 	}
7836 
7837 	while (1) {
7838 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7839 				    mpp, &pinfo);
7840 		if (err == -ENOENT)
7841 			break;
7842 		if (err)
7843 			goto out_err;
7844 
7845 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7846 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7847 				       wdev->netdev, dst, mpp,
7848 				       &pinfo) < 0)
7849 			goto out;
7850 
7851 		path_idx++;
7852 	}
7853 
7854  out:
7855 	cb->args[2] = path_idx;
7856 	err = skb->len;
7857  out_err:
7858 	wiphy_unlock(&rdev->wiphy);
7859 	return err;
7860 }
7861 
7862 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7863 {
7864 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7865 	struct net_device *dev = info->user_ptr[1];
7866 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7867 	struct bss_parameters params;
7868 	int err;
7869 
7870 	memset(&params, 0, sizeof(params));
7871 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
7872 	/* default to not changing parameters */
7873 	params.use_cts_prot = -1;
7874 	params.use_short_preamble = -1;
7875 	params.use_short_slot_time = -1;
7876 	params.ap_isolate = -1;
7877 	params.ht_opmode = -1;
7878 	params.p2p_ctwindow = -1;
7879 	params.p2p_opp_ps = -1;
7880 
7881 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7882 		params.use_cts_prot =
7883 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7884 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7885 		params.use_short_preamble =
7886 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7887 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7888 		params.use_short_slot_time =
7889 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7890 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7891 		params.basic_rates =
7892 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7893 		params.basic_rates_len =
7894 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7895 	}
7896 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7897 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7898 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7899 		params.ht_opmode =
7900 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7901 
7902 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7903 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7904 			return -EINVAL;
7905 		params.p2p_ctwindow =
7906 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7907 		if (params.p2p_ctwindow != 0 &&
7908 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7909 			return -EINVAL;
7910 	}
7911 
7912 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7913 		u8 tmp;
7914 
7915 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7916 			return -EINVAL;
7917 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7918 		params.p2p_opp_ps = tmp;
7919 		if (params.p2p_opp_ps &&
7920 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7921 			return -EINVAL;
7922 	}
7923 
7924 	if (!rdev->ops->change_bss)
7925 		return -EOPNOTSUPP;
7926 
7927 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7928 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7929 		return -EOPNOTSUPP;
7930 
7931 	wdev_lock(wdev);
7932 	err = rdev_change_bss(rdev, dev, &params);
7933 	wdev_unlock(wdev);
7934 
7935 	return err;
7936 }
7937 
7938 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7939 {
7940 	char *data = NULL;
7941 	bool is_indoor;
7942 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7943 	u32 owner_nlportid;
7944 
7945 	/*
7946 	 * You should only get this when cfg80211 hasn't yet initialized
7947 	 * completely when built-in to the kernel right between the time
7948 	 * window between nl80211_init() and regulatory_init(), if that is
7949 	 * even possible.
7950 	 */
7951 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7952 		return -EINPROGRESS;
7953 
7954 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7955 		user_reg_hint_type =
7956 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7957 	else
7958 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7959 
7960 	switch (user_reg_hint_type) {
7961 	case NL80211_USER_REG_HINT_USER:
7962 	case NL80211_USER_REG_HINT_CELL_BASE:
7963 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7964 			return -EINVAL;
7965 
7966 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7967 		return regulatory_hint_user(data, user_reg_hint_type);
7968 	case NL80211_USER_REG_HINT_INDOOR:
7969 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7970 			owner_nlportid = info->snd_portid;
7971 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7972 		} else {
7973 			owner_nlportid = 0;
7974 			is_indoor = true;
7975 		}
7976 
7977 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7978 	default:
7979 		return -EINVAL;
7980 	}
7981 }
7982 
7983 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7984 {
7985 	return reg_reload_regdb();
7986 }
7987 
7988 static int nl80211_get_mesh_config(struct sk_buff *skb,
7989 				   struct genl_info *info)
7990 {
7991 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7992 	struct net_device *dev = info->user_ptr[1];
7993 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7994 	struct mesh_config cur_params;
7995 	int err = 0;
7996 	void *hdr;
7997 	struct nlattr *pinfoattr;
7998 	struct sk_buff *msg;
7999 
8000 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8001 		return -EOPNOTSUPP;
8002 
8003 	if (!rdev->ops->get_mesh_config)
8004 		return -EOPNOTSUPP;
8005 
8006 	wdev_lock(wdev);
8007 	/* If not connected, get default parameters */
8008 	if (!wdev->u.mesh.id_len)
8009 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8010 	else
8011 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8012 	wdev_unlock(wdev);
8013 
8014 	if (err)
8015 		return err;
8016 
8017 	/* Draw up a netlink message to send back */
8018 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8019 	if (!msg)
8020 		return -ENOMEM;
8021 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8022 			     NL80211_CMD_GET_MESH_CONFIG);
8023 	if (!hdr)
8024 		goto out;
8025 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8026 	if (!pinfoattr)
8027 		goto nla_put_failure;
8028 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8029 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8030 			cur_params.dot11MeshRetryTimeout) ||
8031 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8032 			cur_params.dot11MeshConfirmTimeout) ||
8033 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8034 			cur_params.dot11MeshHoldingTimeout) ||
8035 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8036 			cur_params.dot11MeshMaxPeerLinks) ||
8037 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8038 		       cur_params.dot11MeshMaxRetries) ||
8039 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8040 		       cur_params.dot11MeshTTL) ||
8041 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8042 		       cur_params.element_ttl) ||
8043 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8044 		       cur_params.auto_open_plinks) ||
8045 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8046 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8047 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8048 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8049 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8050 			cur_params.path_refresh_time) ||
8051 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8052 			cur_params.min_discovery_timeout) ||
8053 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8054 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8055 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8056 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8057 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8058 			cur_params.dot11MeshHWMPperrMinInterval) ||
8059 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8060 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8061 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8062 		       cur_params.dot11MeshHWMPRootMode) ||
8063 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8064 			cur_params.dot11MeshHWMPRannInterval) ||
8065 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8066 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8067 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8068 		       cur_params.dot11MeshForwarding) ||
8069 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8070 			cur_params.rssi_threshold) ||
8071 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8072 			cur_params.ht_opmode) ||
8073 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8074 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8075 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8076 			cur_params.dot11MeshHWMProotInterval) ||
8077 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8078 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8079 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8080 			cur_params.power_mode) ||
8081 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8082 			cur_params.dot11MeshAwakeWindowDuration) ||
8083 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8084 			cur_params.plink_timeout) ||
8085 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8086 		       cur_params.dot11MeshConnectedToMeshGate) ||
8087 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8088 		       cur_params.dot11MeshNolearn) ||
8089 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8090 		       cur_params.dot11MeshConnectedToAuthServer))
8091 		goto nla_put_failure;
8092 	nla_nest_end(msg, pinfoattr);
8093 	genlmsg_end(msg, hdr);
8094 	return genlmsg_reply(msg, info);
8095 
8096  nla_put_failure:
8097  out:
8098 	nlmsg_free(msg);
8099 	return -ENOBUFS;
8100 }
8101 
8102 static const struct nla_policy
8103 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8104 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8105 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8106 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8107 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8108 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8109 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8110 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8111 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8112 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8113 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8114 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8115 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8116 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8117 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8118 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8119 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8120 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8121 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8122 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8123 		NLA_POLICY_MIN(NLA_U16, 1),
8124 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8125 		NLA_POLICY_MIN(NLA_U16, 1),
8126 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8127 		NLA_POLICY_MIN(NLA_U16, 1),
8128 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8129 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8130 		NLA_POLICY_MIN(NLA_U16, 1),
8131 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8132 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8133 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8134 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8135 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8136 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8137 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8138 		NLA_POLICY_MIN(NLA_U16, 1),
8139 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8140 		NLA_POLICY_MIN(NLA_U16, 1),
8141 	[NL80211_MESHCONF_POWER_MODE] =
8142 		NLA_POLICY_RANGE(NLA_U32,
8143 				 NL80211_MESH_POWER_ACTIVE,
8144 				 NL80211_MESH_POWER_MAX),
8145 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8146 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8147 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8148 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8149 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8150 };
8151 
8152 static const struct nla_policy
8153 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8154 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8155 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8156 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8157 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8158 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8159 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8160 	[NL80211_MESH_SETUP_IE] =
8161 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8162 				       IEEE80211_MAX_DATA_LEN),
8163 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8164 };
8165 
8166 static int nl80211_parse_mesh_config(struct genl_info *info,
8167 				     struct mesh_config *cfg,
8168 				     u32 *mask_out)
8169 {
8170 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8171 	u32 mask = 0;
8172 	u16 ht_opmode;
8173 
8174 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8175 do {									\
8176 	if (tb[attr]) {							\
8177 		cfg->param = fn(tb[attr]);				\
8178 		mask |= BIT((attr) - 1);				\
8179 	}								\
8180 } while (0)
8181 
8182 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8183 		return -EINVAL;
8184 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8185 		return -EINVAL;
8186 
8187 	/* This makes sure that there aren't more than 32 mesh config
8188 	 * parameters (otherwise our bitfield scheme would not work.) */
8189 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8190 
8191 	/* Fill in the params struct */
8192 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8193 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8194 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8195 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8196 				  nla_get_u16);
8197 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8198 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8199 				  nla_get_u16);
8200 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8201 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8202 				  nla_get_u16);
8203 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8204 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8205 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8206 				  NL80211_MESHCONF_TTL, nla_get_u8);
8207 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8208 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8209 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8210 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8211 				  nla_get_u8);
8212 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8213 				  mask,
8214 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8215 				  nla_get_u32);
8216 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8217 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8218 				  nla_get_u8);
8219 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8220 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8221 				  nla_get_u32);
8222 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8223 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8224 		return -EINVAL;
8225 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8226 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8227 				  nla_get_u16);
8228 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8229 				  mask,
8230 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8231 				  nla_get_u32);
8232 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8233 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8234 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8235 		return -EINVAL;
8236 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8237 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8238 				  nla_get_u16);
8239 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8240 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8241 				  nla_get_u16);
8242 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8243 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8244 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8245 				  nla_get_u16);
8246 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8247 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8248 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8249 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8250 				  nla_get_u16);
8251 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8252 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8253 				  nla_get_u8);
8254 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8255 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8256 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8257 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8258 				  nla_get_s32);
8259 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8260 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8261 				  nla_get_u8);
8262 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8263 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8264 				  nla_get_u8);
8265 	/*
8266 	 * Check HT operation mode based on
8267 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8268 	 */
8269 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8270 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8271 
8272 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8273 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8274 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8275 			return -EINVAL;
8276 
8277 		/* NON_HT_STA bit is reserved, but some programs set it */
8278 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8279 
8280 		cfg->ht_opmode = ht_opmode;
8281 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8282 	}
8283 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8284 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8285 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8286 				  nla_get_u32);
8287 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8288 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8289 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8290 		return -EINVAL;
8291 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8292 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8293 				  nla_get_u16);
8294 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8295 				  mask,
8296 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8297 				  nla_get_u16);
8298 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8299 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8300 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8301 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8302 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8303 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8304 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8305 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8306 	if (mask_out)
8307 		*mask_out = mask;
8308 
8309 	return 0;
8310 
8311 #undef FILL_IN_MESH_PARAM_IF_SET
8312 }
8313 
8314 static int nl80211_parse_mesh_setup(struct genl_info *info,
8315 				     struct mesh_setup *setup)
8316 {
8317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8318 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8319 
8320 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8321 		return -EINVAL;
8322 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8323 		return -EINVAL;
8324 
8325 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8326 		setup->sync_method =
8327 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8328 		 IEEE80211_SYNC_METHOD_VENDOR :
8329 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8330 
8331 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8332 		setup->path_sel_proto =
8333 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8334 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8335 		 IEEE80211_PATH_PROTOCOL_HWMP;
8336 
8337 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8338 		setup->path_metric =
8339 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8340 		 IEEE80211_PATH_METRIC_VENDOR :
8341 		 IEEE80211_PATH_METRIC_AIRTIME;
8342 
8343 	if (tb[NL80211_MESH_SETUP_IE]) {
8344 		struct nlattr *ieattr =
8345 			tb[NL80211_MESH_SETUP_IE];
8346 		setup->ie = nla_data(ieattr);
8347 		setup->ie_len = nla_len(ieattr);
8348 	}
8349 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8350 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8351 		return -EINVAL;
8352 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8353 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8354 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8355 	if (setup->is_secure)
8356 		setup->user_mpm = true;
8357 
8358 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8359 		if (!setup->user_mpm)
8360 			return -EINVAL;
8361 		setup->auth_id =
8362 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8363 	}
8364 
8365 	return 0;
8366 }
8367 
8368 static int nl80211_update_mesh_config(struct sk_buff *skb,
8369 				      struct genl_info *info)
8370 {
8371 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8372 	struct net_device *dev = info->user_ptr[1];
8373 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8374 	struct mesh_config cfg;
8375 	u32 mask;
8376 	int err;
8377 
8378 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8379 		return -EOPNOTSUPP;
8380 
8381 	if (!rdev->ops->update_mesh_config)
8382 		return -EOPNOTSUPP;
8383 
8384 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8385 	if (err)
8386 		return err;
8387 
8388 	wdev_lock(wdev);
8389 	if (!wdev->u.mesh.id_len)
8390 		err = -ENOLINK;
8391 
8392 	if (!err)
8393 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8394 
8395 	wdev_unlock(wdev);
8396 
8397 	return err;
8398 }
8399 
8400 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8401 			      struct sk_buff *msg)
8402 {
8403 	struct nlattr *nl_reg_rules;
8404 	unsigned int i;
8405 
8406 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8407 	    (regdom->dfs_region &&
8408 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8409 		goto nla_put_failure;
8410 
8411 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8412 	if (!nl_reg_rules)
8413 		goto nla_put_failure;
8414 
8415 	for (i = 0; i < regdom->n_reg_rules; i++) {
8416 		struct nlattr *nl_reg_rule;
8417 		const struct ieee80211_reg_rule *reg_rule;
8418 		const struct ieee80211_freq_range *freq_range;
8419 		const struct ieee80211_power_rule *power_rule;
8420 		unsigned int max_bandwidth_khz;
8421 
8422 		reg_rule = &regdom->reg_rules[i];
8423 		freq_range = &reg_rule->freq_range;
8424 		power_rule = &reg_rule->power_rule;
8425 
8426 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8427 		if (!nl_reg_rule)
8428 			goto nla_put_failure;
8429 
8430 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8431 		if (!max_bandwidth_khz)
8432 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8433 								  reg_rule);
8434 
8435 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8436 				reg_rule->flags) ||
8437 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8438 				freq_range->start_freq_khz) ||
8439 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8440 				freq_range->end_freq_khz) ||
8441 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8442 				max_bandwidth_khz) ||
8443 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8444 				power_rule->max_antenna_gain) ||
8445 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8446 				power_rule->max_eirp) ||
8447 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8448 				reg_rule->dfs_cac_ms))
8449 			goto nla_put_failure;
8450 
8451 		nla_nest_end(msg, nl_reg_rule);
8452 	}
8453 
8454 	nla_nest_end(msg, nl_reg_rules);
8455 	return 0;
8456 
8457 nla_put_failure:
8458 	return -EMSGSIZE;
8459 }
8460 
8461 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8462 {
8463 	const struct ieee80211_regdomain *regdom = NULL;
8464 	struct cfg80211_registered_device *rdev;
8465 	struct wiphy *wiphy = NULL;
8466 	struct sk_buff *msg;
8467 	int err = -EMSGSIZE;
8468 	void *hdr;
8469 
8470 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8471 	if (!msg)
8472 		return -ENOBUFS;
8473 
8474 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8475 			     NL80211_CMD_GET_REG);
8476 	if (!hdr)
8477 		goto put_failure;
8478 
8479 	rtnl_lock();
8480 
8481 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8482 		bool self_managed;
8483 
8484 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8485 		if (IS_ERR(rdev)) {
8486 			err = PTR_ERR(rdev);
8487 			goto nla_put_failure;
8488 		}
8489 
8490 		wiphy = &rdev->wiphy;
8491 		self_managed = wiphy->regulatory_flags &
8492 			       REGULATORY_WIPHY_SELF_MANAGED;
8493 
8494 		rcu_read_lock();
8495 
8496 		regdom = get_wiphy_regdom(wiphy);
8497 
8498 		/* a self-managed-reg device must have a private regdom */
8499 		if (WARN_ON(!regdom && self_managed)) {
8500 			err = -EINVAL;
8501 			goto nla_put_failure_rcu;
8502 		}
8503 
8504 		if (regdom &&
8505 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8506 			goto nla_put_failure_rcu;
8507 	} else {
8508 		rcu_read_lock();
8509 	}
8510 
8511 	if (!wiphy && reg_last_request_cell_base() &&
8512 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8513 			NL80211_USER_REG_HINT_CELL_BASE))
8514 		goto nla_put_failure_rcu;
8515 
8516 	if (!regdom)
8517 		regdom = rcu_dereference(cfg80211_regdomain);
8518 
8519 	if (nl80211_put_regdom(regdom, msg))
8520 		goto nla_put_failure_rcu;
8521 
8522 	rcu_read_unlock();
8523 
8524 	genlmsg_end(msg, hdr);
8525 	rtnl_unlock();
8526 	return genlmsg_reply(msg, info);
8527 
8528 nla_put_failure_rcu:
8529 	rcu_read_unlock();
8530 nla_put_failure:
8531 	rtnl_unlock();
8532 put_failure:
8533 	nlmsg_free(msg);
8534 	return err;
8535 }
8536 
8537 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8538 			       u32 seq, int flags, struct wiphy *wiphy,
8539 			       const struct ieee80211_regdomain *regdom)
8540 {
8541 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8542 				   NL80211_CMD_GET_REG);
8543 
8544 	if (!hdr)
8545 		return -1;
8546 
8547 	genl_dump_check_consistent(cb, hdr);
8548 
8549 	if (nl80211_put_regdom(regdom, msg))
8550 		goto nla_put_failure;
8551 
8552 	if (!wiphy && reg_last_request_cell_base() &&
8553 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8554 			NL80211_USER_REG_HINT_CELL_BASE))
8555 		goto nla_put_failure;
8556 
8557 	if (wiphy &&
8558 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8559 		goto nla_put_failure;
8560 
8561 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8562 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8563 		goto nla_put_failure;
8564 
8565 	genlmsg_end(msg, hdr);
8566 	return 0;
8567 
8568 nla_put_failure:
8569 	genlmsg_cancel(msg, hdr);
8570 	return -EMSGSIZE;
8571 }
8572 
8573 static int nl80211_get_reg_dump(struct sk_buff *skb,
8574 				struct netlink_callback *cb)
8575 {
8576 	const struct ieee80211_regdomain *regdom = NULL;
8577 	struct cfg80211_registered_device *rdev;
8578 	int err, reg_idx, start = cb->args[2];
8579 
8580 	rcu_read_lock();
8581 
8582 	if (cfg80211_regdomain && start == 0) {
8583 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8584 					  NLM_F_MULTI, NULL,
8585 					  rcu_dereference(cfg80211_regdomain));
8586 		if (err < 0)
8587 			goto out_err;
8588 	}
8589 
8590 	/* the global regdom is idx 0 */
8591 	reg_idx = 1;
8592 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8593 		regdom = get_wiphy_regdom(&rdev->wiphy);
8594 		if (!regdom)
8595 			continue;
8596 
8597 		if (++reg_idx <= start)
8598 			continue;
8599 
8600 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8601 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8602 		if (err < 0) {
8603 			reg_idx--;
8604 			break;
8605 		}
8606 	}
8607 
8608 	cb->args[2] = reg_idx;
8609 	err = skb->len;
8610 out_err:
8611 	rcu_read_unlock();
8612 	return err;
8613 }
8614 
8615 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8616 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8617 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8618 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8619 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8620 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8621 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8622 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8623 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8624 };
8625 
8626 static int parse_reg_rule(struct nlattr *tb[],
8627 	struct ieee80211_reg_rule *reg_rule)
8628 {
8629 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8630 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8631 
8632 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8633 		return -EINVAL;
8634 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8635 		return -EINVAL;
8636 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8637 		return -EINVAL;
8638 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8639 		return -EINVAL;
8640 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8641 		return -EINVAL;
8642 
8643 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8644 
8645 	freq_range->start_freq_khz =
8646 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8647 	freq_range->end_freq_khz =
8648 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8649 	freq_range->max_bandwidth_khz =
8650 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8651 
8652 	power_rule->max_eirp =
8653 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8654 
8655 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8656 		power_rule->max_antenna_gain =
8657 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8658 
8659 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8660 		reg_rule->dfs_cac_ms =
8661 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8662 
8663 	return 0;
8664 }
8665 
8666 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8667 {
8668 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8669 	struct nlattr *nl_reg_rule;
8670 	char *alpha2;
8671 	int rem_reg_rules, r;
8672 	u32 num_rules = 0, rule_idx = 0;
8673 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8674 	struct ieee80211_regdomain *rd;
8675 
8676 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8677 		return -EINVAL;
8678 
8679 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8680 		return -EINVAL;
8681 
8682 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8683 
8684 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8685 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8686 
8687 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8688 			    rem_reg_rules) {
8689 		num_rules++;
8690 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8691 			return -EINVAL;
8692 	}
8693 
8694 	rtnl_lock();
8695 	if (!reg_is_valid_request(alpha2)) {
8696 		r = -EINVAL;
8697 		goto out;
8698 	}
8699 
8700 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8701 	if (!rd) {
8702 		r = -ENOMEM;
8703 		goto out;
8704 	}
8705 
8706 	rd->n_reg_rules = num_rules;
8707 	rd->alpha2[0] = alpha2[0];
8708 	rd->alpha2[1] = alpha2[1];
8709 
8710 	/*
8711 	 * Disable DFS master mode if the DFS region was
8712 	 * not supported or known on this kernel.
8713 	 */
8714 	if (reg_supported_dfs_region(dfs_region))
8715 		rd->dfs_region = dfs_region;
8716 
8717 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8718 			    rem_reg_rules) {
8719 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8720 						nl_reg_rule, reg_rule_policy,
8721 						info->extack);
8722 		if (r)
8723 			goto bad_reg;
8724 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8725 		if (r)
8726 			goto bad_reg;
8727 
8728 		rule_idx++;
8729 
8730 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8731 			r = -EINVAL;
8732 			goto bad_reg;
8733 		}
8734 	}
8735 
8736 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8737 	/* set_regdom takes ownership of rd */
8738 	rd = NULL;
8739  bad_reg:
8740 	kfree(rd);
8741  out:
8742 	rtnl_unlock();
8743 	return r;
8744 }
8745 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8746 
8747 static int validate_scan_freqs(struct nlattr *freqs)
8748 {
8749 	struct nlattr *attr1, *attr2;
8750 	int n_channels = 0, tmp1, tmp2;
8751 
8752 	nla_for_each_nested(attr1, freqs, tmp1)
8753 		if (nla_len(attr1) != sizeof(u32))
8754 			return 0;
8755 
8756 	nla_for_each_nested(attr1, freqs, tmp1) {
8757 		n_channels++;
8758 		/*
8759 		 * Some hardware has a limited channel list for
8760 		 * scanning, and it is pretty much nonsensical
8761 		 * to scan for a channel twice, so disallow that
8762 		 * and don't require drivers to check that the
8763 		 * channel list they get isn't longer than what
8764 		 * they can scan, as long as they can scan all
8765 		 * the channels they registered at once.
8766 		 */
8767 		nla_for_each_nested(attr2, freqs, tmp2)
8768 			if (attr1 != attr2 &&
8769 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8770 				return 0;
8771 	}
8772 
8773 	return n_channels;
8774 }
8775 
8776 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8777 {
8778 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8779 }
8780 
8781 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8782 			    struct cfg80211_bss_selection *bss_select)
8783 {
8784 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8785 	struct nlattr *nest;
8786 	int err;
8787 	bool found = false;
8788 	int i;
8789 
8790 	/* only process one nested attribute */
8791 	nest = nla_data(nla);
8792 	if (!nla_ok(nest, nla_len(nest)))
8793 		return -EINVAL;
8794 
8795 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8796 					  nest, nl80211_bss_select_policy,
8797 					  NULL);
8798 	if (err)
8799 		return err;
8800 
8801 	/* only one attribute may be given */
8802 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8803 		if (attr[i]) {
8804 			if (found)
8805 				return -EINVAL;
8806 			found = true;
8807 		}
8808 	}
8809 
8810 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8811 
8812 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8813 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8814 
8815 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8816 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8817 		bss_select->param.band_pref =
8818 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8819 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8820 			return -EINVAL;
8821 	}
8822 
8823 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8824 		struct nl80211_bss_select_rssi_adjust *adj_param;
8825 
8826 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8827 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8828 		bss_select->param.adjust.band = adj_param->band;
8829 		bss_select->param.adjust.delta = adj_param->delta;
8830 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8831 			return -EINVAL;
8832 	}
8833 
8834 	/* user-space did not provide behaviour attribute */
8835 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8836 		return -EINVAL;
8837 
8838 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8839 		return -EINVAL;
8840 
8841 	return 0;
8842 }
8843 
8844 int nl80211_parse_random_mac(struct nlattr **attrs,
8845 			     u8 *mac_addr, u8 *mac_addr_mask)
8846 {
8847 	int i;
8848 
8849 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8850 		eth_zero_addr(mac_addr);
8851 		eth_zero_addr(mac_addr_mask);
8852 		mac_addr[0] = 0x2;
8853 		mac_addr_mask[0] = 0x3;
8854 
8855 		return 0;
8856 	}
8857 
8858 	/* need both or none */
8859 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8860 		return -EINVAL;
8861 
8862 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8863 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8864 
8865 	/* don't allow or configure an mcast address */
8866 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8867 	    is_multicast_ether_addr(mac_addr))
8868 		return -EINVAL;
8869 
8870 	/*
8871 	 * allow users to pass a MAC address that has bits set outside
8872 	 * of the mask, but don't bother drivers with having to deal
8873 	 * with such bits
8874 	 */
8875 	for (i = 0; i < ETH_ALEN; i++)
8876 		mac_addr[i] &= mac_addr_mask[i];
8877 
8878 	return 0;
8879 }
8880 
8881 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
8882 					      struct ieee80211_channel *chan)
8883 {
8884 	unsigned int link_id;
8885 	bool all_ok = true;
8886 
8887 	ASSERT_WDEV_LOCK(wdev);
8888 
8889 	if (!cfg80211_beaconing_iface_active(wdev))
8890 		return true;
8891 
8892 	/*
8893 	 * FIXME: check if we have a free HW resource/link for chan
8894 	 *
8895 	 * This, as well as the FIXME below, requires knowing the link
8896 	 * capabilities of the hardware.
8897 	 */
8898 
8899 	/* we cannot leave radar channels */
8900 	for_each_valid_link(wdev, link_id) {
8901 		struct cfg80211_chan_def *chandef;
8902 
8903 		chandef = wdev_chandef(wdev, link_id);
8904 		if (!chandef)
8905 			continue;
8906 
8907 		/*
8908 		 * FIXME: don't require all_ok, but rather check only the
8909 		 *	  correct HW resource/link onto which 'chan' falls,
8910 		 *	  as only that link leaves the channel for doing
8911 		 *	  the off-channel operation.
8912 		 */
8913 
8914 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
8915 			all_ok = false;
8916 	}
8917 
8918 	if (all_ok)
8919 		return true;
8920 
8921 	return regulatory_pre_cac_allowed(wdev->wiphy);
8922 }
8923 
8924 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8925 				    enum nl80211_ext_feature_index feat)
8926 {
8927 	if (!(flags & flag))
8928 		return true;
8929 	if (wiphy_ext_feature_isset(wiphy, feat))
8930 		return true;
8931 	return false;
8932 }
8933 
8934 static int
8935 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8936 			 void *request, struct nlattr **attrs,
8937 			 bool is_sched_scan)
8938 {
8939 	u8 *mac_addr, *mac_addr_mask;
8940 	u32 *flags;
8941 	enum nl80211_feature_flags randomness_flag;
8942 
8943 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8944 		return 0;
8945 
8946 	if (is_sched_scan) {
8947 		struct cfg80211_sched_scan_request *req = request;
8948 
8949 		randomness_flag = wdev ?
8950 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8951 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8952 		flags = &req->flags;
8953 		mac_addr = req->mac_addr;
8954 		mac_addr_mask = req->mac_addr_mask;
8955 	} else {
8956 		struct cfg80211_scan_request *req = request;
8957 
8958 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8959 		flags = &req->flags;
8960 		mac_addr = req->mac_addr;
8961 		mac_addr_mask = req->mac_addr_mask;
8962 	}
8963 
8964 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8965 
8966 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8967 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8968 	    !nl80211_check_scan_feat(wiphy, *flags,
8969 				     NL80211_SCAN_FLAG_LOW_SPAN,
8970 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8971 	    !nl80211_check_scan_feat(wiphy, *flags,
8972 				     NL80211_SCAN_FLAG_LOW_POWER,
8973 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8974 	    !nl80211_check_scan_feat(wiphy, *flags,
8975 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8976 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8977 	    !nl80211_check_scan_feat(wiphy, *flags,
8978 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8979 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8980 	    !nl80211_check_scan_feat(wiphy, *flags,
8981 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8982 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8983 	    !nl80211_check_scan_feat(wiphy, *flags,
8984 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8985 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8986 	    !nl80211_check_scan_feat(wiphy, *flags,
8987 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8988 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8989 	    !nl80211_check_scan_feat(wiphy, *flags,
8990 				     NL80211_SCAN_FLAG_RANDOM_SN,
8991 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8992 	    !nl80211_check_scan_feat(wiphy, *flags,
8993 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8994 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8995 		return -EOPNOTSUPP;
8996 
8997 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8998 		int err;
8999 
9000 		if (!(wiphy->features & randomness_flag) ||
9001 		    (wdev && wdev->connected))
9002 			return -EOPNOTSUPP;
9003 
9004 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9005 		if (err)
9006 			return err;
9007 	}
9008 
9009 	return 0;
9010 }
9011 
9012 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9013 {
9014 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9015 	struct wireless_dev *wdev = info->user_ptr[1];
9016 	struct cfg80211_scan_request *request;
9017 	struct nlattr *scan_freqs = NULL;
9018 	bool scan_freqs_khz = false;
9019 	struct nlattr *attr;
9020 	struct wiphy *wiphy;
9021 	int err, tmp, n_ssids = 0, n_channels, i;
9022 	size_t ie_len;
9023 
9024 	wiphy = &rdev->wiphy;
9025 
9026 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9027 		return -EOPNOTSUPP;
9028 
9029 	if (!rdev->ops->scan)
9030 		return -EOPNOTSUPP;
9031 
9032 	if (rdev->scan_req || rdev->scan_msg)
9033 		return -EBUSY;
9034 
9035 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9036 		if (!wiphy_ext_feature_isset(wiphy,
9037 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9038 			return -EOPNOTSUPP;
9039 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9040 		scan_freqs_khz = true;
9041 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9042 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9043 
9044 	if (scan_freqs) {
9045 		n_channels = validate_scan_freqs(scan_freqs);
9046 		if (!n_channels)
9047 			return -EINVAL;
9048 	} else {
9049 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9050 	}
9051 
9052 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9053 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9054 			n_ssids++;
9055 
9056 	if (n_ssids > wiphy->max_scan_ssids)
9057 		return -EINVAL;
9058 
9059 	if (info->attrs[NL80211_ATTR_IE])
9060 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9061 	else
9062 		ie_len = 0;
9063 
9064 	if (ie_len > wiphy->max_scan_ie_len)
9065 		return -EINVAL;
9066 
9067 	request = kzalloc(sizeof(*request)
9068 			+ sizeof(*request->ssids) * n_ssids
9069 			+ sizeof(*request->channels) * n_channels
9070 			+ ie_len, GFP_KERNEL);
9071 	if (!request)
9072 		return -ENOMEM;
9073 
9074 	if (n_ssids)
9075 		request->ssids = (void *)&request->channels[n_channels];
9076 	request->n_ssids = n_ssids;
9077 	if (ie_len) {
9078 		if (n_ssids)
9079 			request->ie = (void *)(request->ssids + n_ssids);
9080 		else
9081 			request->ie = (void *)(request->channels + n_channels);
9082 	}
9083 
9084 	i = 0;
9085 	if (scan_freqs) {
9086 		/* user specified, bail out if channel not found */
9087 		nla_for_each_nested(attr, scan_freqs, tmp) {
9088 			struct ieee80211_channel *chan;
9089 			int freq = nla_get_u32(attr);
9090 
9091 			if (!scan_freqs_khz)
9092 				freq = MHZ_TO_KHZ(freq);
9093 
9094 			chan = ieee80211_get_channel_khz(wiphy, freq);
9095 			if (!chan) {
9096 				err = -EINVAL;
9097 				goto out_free;
9098 			}
9099 
9100 			/* ignore disabled channels */
9101 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9102 				continue;
9103 
9104 			request->channels[i] = chan;
9105 			i++;
9106 		}
9107 	} else {
9108 		enum nl80211_band band;
9109 
9110 		/* all channels */
9111 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9112 			int j;
9113 
9114 			if (!wiphy->bands[band])
9115 				continue;
9116 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9117 				struct ieee80211_channel *chan;
9118 
9119 				chan = &wiphy->bands[band]->channels[j];
9120 
9121 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9122 					continue;
9123 
9124 				request->channels[i] = chan;
9125 				i++;
9126 			}
9127 		}
9128 	}
9129 
9130 	if (!i) {
9131 		err = -EINVAL;
9132 		goto out_free;
9133 	}
9134 
9135 	request->n_channels = i;
9136 
9137 	wdev_lock(wdev);
9138 	for (i = 0; i < request->n_channels; i++) {
9139 		struct ieee80211_channel *chan = request->channels[i];
9140 
9141 		/* if we can go off-channel to the target channel we're good */
9142 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9143 			continue;
9144 
9145 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9146 			wdev_unlock(wdev);
9147 			err = -EBUSY;
9148 			goto out_free;
9149 		}
9150 	}
9151 	wdev_unlock(wdev);
9152 
9153 	i = 0;
9154 	if (n_ssids) {
9155 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9156 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9157 				err = -EINVAL;
9158 				goto out_free;
9159 			}
9160 			request->ssids[i].ssid_len = nla_len(attr);
9161 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9162 			i++;
9163 		}
9164 	}
9165 
9166 	if (info->attrs[NL80211_ATTR_IE]) {
9167 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9168 		memcpy((void *)request->ie,
9169 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9170 		       request->ie_len);
9171 	}
9172 
9173 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9174 		if (wiphy->bands[i])
9175 			request->rates[i] =
9176 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9177 
9178 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9179 		nla_for_each_nested(attr,
9180 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9181 				    tmp) {
9182 			enum nl80211_band band = nla_type(attr);
9183 
9184 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9185 				err = -EINVAL;
9186 				goto out_free;
9187 			}
9188 
9189 			if (!wiphy->bands[band])
9190 				continue;
9191 
9192 			err = ieee80211_get_ratemask(wiphy->bands[band],
9193 						     nla_data(attr),
9194 						     nla_len(attr),
9195 						     &request->rates[band]);
9196 			if (err)
9197 				goto out_free;
9198 		}
9199 	}
9200 
9201 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9202 		request->duration =
9203 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9204 		request->duration_mandatory =
9205 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9206 	}
9207 
9208 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9209 				       false);
9210 	if (err)
9211 		goto out_free;
9212 
9213 	request->no_cck =
9214 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9215 
9216 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9217 	 * BSSID to scan for. This was problematic because that same attribute
9218 	 * was already used for another purpose (local random MAC address). The
9219 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9220 	 * compatibility with older userspace components, also use the
9221 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9222 	 * the specific BSSID use case instead of the random MAC address
9223 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9224 	 */
9225 	if (info->attrs[NL80211_ATTR_BSSID])
9226 		memcpy(request->bssid,
9227 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9228 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9229 		 info->attrs[NL80211_ATTR_MAC])
9230 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9231 		       ETH_ALEN);
9232 	else
9233 		eth_broadcast_addr(request->bssid);
9234 
9235 	request->wdev = wdev;
9236 	request->wiphy = &rdev->wiphy;
9237 	request->scan_start = jiffies;
9238 
9239 	rdev->scan_req = request;
9240 	err = cfg80211_scan(rdev);
9241 
9242 	if (err)
9243 		goto out_free;
9244 
9245 	nl80211_send_scan_start(rdev, wdev);
9246 	dev_hold(wdev->netdev);
9247 
9248 	return 0;
9249 
9250  out_free:
9251 	rdev->scan_req = NULL;
9252 	kfree(request);
9253 
9254 	return err;
9255 }
9256 
9257 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9258 {
9259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9260 	struct wireless_dev *wdev = info->user_ptr[1];
9261 
9262 	if (!rdev->ops->abort_scan)
9263 		return -EOPNOTSUPP;
9264 
9265 	if (rdev->scan_msg)
9266 		return 0;
9267 
9268 	if (!rdev->scan_req)
9269 		return -ENOENT;
9270 
9271 	rdev_abort_scan(rdev, wdev);
9272 	return 0;
9273 }
9274 
9275 static int
9276 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9277 			       struct cfg80211_sched_scan_request *request,
9278 			       struct nlattr **attrs)
9279 {
9280 	int tmp, err, i = 0;
9281 	struct nlattr *attr;
9282 
9283 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9284 		u32 interval;
9285 
9286 		/*
9287 		 * If scan plans are not specified,
9288 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9289 		 * case one scan plan will be set with the specified scan
9290 		 * interval and infinite number of iterations.
9291 		 */
9292 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9293 		if (!interval)
9294 			return -EINVAL;
9295 
9296 		request->scan_plans[0].interval =
9297 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9298 		if (!request->scan_plans[0].interval)
9299 			return -EINVAL;
9300 
9301 		if (request->scan_plans[0].interval >
9302 		    wiphy->max_sched_scan_plan_interval)
9303 			request->scan_plans[0].interval =
9304 				wiphy->max_sched_scan_plan_interval;
9305 
9306 		return 0;
9307 	}
9308 
9309 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9310 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9311 
9312 		if (WARN_ON(i >= n_plans))
9313 			return -EINVAL;
9314 
9315 		err = nla_parse_nested_deprecated(plan,
9316 						  NL80211_SCHED_SCAN_PLAN_MAX,
9317 						  attr, nl80211_plan_policy,
9318 						  NULL);
9319 		if (err)
9320 			return err;
9321 
9322 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9323 			return -EINVAL;
9324 
9325 		request->scan_plans[i].interval =
9326 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9327 		if (!request->scan_plans[i].interval ||
9328 		    request->scan_plans[i].interval >
9329 		    wiphy->max_sched_scan_plan_interval)
9330 			return -EINVAL;
9331 
9332 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9333 			request->scan_plans[i].iterations =
9334 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9335 			if (!request->scan_plans[i].iterations ||
9336 			    (request->scan_plans[i].iterations >
9337 			     wiphy->max_sched_scan_plan_iterations))
9338 				return -EINVAL;
9339 		} else if (i < n_plans - 1) {
9340 			/*
9341 			 * All scan plans but the last one must specify
9342 			 * a finite number of iterations
9343 			 */
9344 			return -EINVAL;
9345 		}
9346 
9347 		i++;
9348 	}
9349 
9350 	/*
9351 	 * The last scan plan must not specify the number of
9352 	 * iterations, it is supposed to run infinitely
9353 	 */
9354 	if (request->scan_plans[n_plans - 1].iterations)
9355 		return  -EINVAL;
9356 
9357 	return 0;
9358 }
9359 
9360 static int
9361 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9362 				       struct cfg80211_match_set *match_sets,
9363 				       struct nlattr *tb_band_rssi,
9364 				       s32 rssi_thold)
9365 {
9366 	struct nlattr *attr;
9367 	int i, tmp, ret = 0;
9368 
9369 	if (!wiphy_ext_feature_isset(wiphy,
9370 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9371 		if (tb_band_rssi)
9372 			ret = -EOPNOTSUPP;
9373 		else
9374 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9375 				match_sets->per_band_rssi_thold[i] =
9376 					NL80211_SCAN_RSSI_THOLD_OFF;
9377 		return ret;
9378 	}
9379 
9380 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9381 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9382 
9383 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9384 		enum nl80211_band band = nla_type(attr);
9385 
9386 		if (band < 0 || band >= NUM_NL80211_BANDS)
9387 			return -EINVAL;
9388 
9389 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9390 	}
9391 
9392 	return 0;
9393 }
9394 
9395 static struct cfg80211_sched_scan_request *
9396 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9397 			 struct nlattr **attrs, int max_match_sets)
9398 {
9399 	struct cfg80211_sched_scan_request *request;
9400 	struct nlattr *attr;
9401 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9402 	enum nl80211_band band;
9403 	size_t ie_len;
9404 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9405 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9406 
9407 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9408 		n_channels = validate_scan_freqs(
9409 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9410 		if (!n_channels)
9411 			return ERR_PTR(-EINVAL);
9412 	} else {
9413 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9414 	}
9415 
9416 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9417 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9418 				    tmp)
9419 			n_ssids++;
9420 
9421 	if (n_ssids > wiphy->max_sched_scan_ssids)
9422 		return ERR_PTR(-EINVAL);
9423 
9424 	/*
9425 	 * First, count the number of 'real' matchsets. Due to an issue with
9426 	 * the old implementation, matchsets containing only the RSSI attribute
9427 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9428 	 * RSSI for all matchsets, rather than their own matchset for reporting
9429 	 * all APs with a strong RSSI. This is needed to be compatible with
9430 	 * older userspace that treated a matchset with only the RSSI as the
9431 	 * global RSSI for all other matchsets - if there are other matchsets.
9432 	 */
9433 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9434 		nla_for_each_nested(attr,
9435 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9436 				    tmp) {
9437 			struct nlattr *rssi;
9438 
9439 			err = nla_parse_nested_deprecated(tb,
9440 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9441 							  attr,
9442 							  nl80211_match_policy,
9443 							  NULL);
9444 			if (err)
9445 				return ERR_PTR(err);
9446 
9447 			/* SSID and BSSID are mutually exclusive */
9448 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9449 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9450 				return ERR_PTR(-EINVAL);
9451 
9452 			/* add other standalone attributes here */
9453 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9454 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9455 				n_match_sets++;
9456 				continue;
9457 			}
9458 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9459 			if (rssi)
9460 				default_match_rssi = nla_get_s32(rssi);
9461 		}
9462 	}
9463 
9464 	/* However, if there's no other matchset, add the RSSI one */
9465 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9466 		n_match_sets = 1;
9467 
9468 	if (n_match_sets > max_match_sets)
9469 		return ERR_PTR(-EINVAL);
9470 
9471 	if (attrs[NL80211_ATTR_IE])
9472 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9473 	else
9474 		ie_len = 0;
9475 
9476 	if (ie_len > wiphy->max_sched_scan_ie_len)
9477 		return ERR_PTR(-EINVAL);
9478 
9479 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9480 		/*
9481 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9482 		 * each scan plan already specifies its own interval
9483 		 */
9484 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9485 			return ERR_PTR(-EINVAL);
9486 
9487 		nla_for_each_nested(attr,
9488 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9489 			n_plans++;
9490 	} else {
9491 		/*
9492 		 * The scan interval attribute is kept for backward
9493 		 * compatibility. If no scan plans are specified and sched scan
9494 		 * interval is specified, one scan plan will be set with this
9495 		 * scan interval and infinite number of iterations.
9496 		 */
9497 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9498 			return ERR_PTR(-EINVAL);
9499 
9500 		n_plans = 1;
9501 	}
9502 
9503 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9504 		return ERR_PTR(-EINVAL);
9505 
9506 	if (!wiphy_ext_feature_isset(
9507 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9508 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9509 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9510 		return ERR_PTR(-EINVAL);
9511 
9512 	request = kzalloc(sizeof(*request)
9513 			+ sizeof(*request->ssids) * n_ssids
9514 			+ sizeof(*request->match_sets) * n_match_sets
9515 			+ sizeof(*request->scan_plans) * n_plans
9516 			+ sizeof(*request->channels) * n_channels
9517 			+ ie_len, GFP_KERNEL);
9518 	if (!request)
9519 		return ERR_PTR(-ENOMEM);
9520 
9521 	if (n_ssids)
9522 		request->ssids = (void *)&request->channels[n_channels];
9523 	request->n_ssids = n_ssids;
9524 	if (ie_len) {
9525 		if (n_ssids)
9526 			request->ie = (void *)(request->ssids + n_ssids);
9527 		else
9528 			request->ie = (void *)(request->channels + n_channels);
9529 	}
9530 
9531 	if (n_match_sets) {
9532 		if (request->ie)
9533 			request->match_sets = (void *)(request->ie + ie_len);
9534 		else if (n_ssids)
9535 			request->match_sets =
9536 				(void *)(request->ssids + n_ssids);
9537 		else
9538 			request->match_sets =
9539 				(void *)(request->channels + n_channels);
9540 	}
9541 	request->n_match_sets = n_match_sets;
9542 
9543 	if (n_match_sets)
9544 		request->scan_plans = (void *)(request->match_sets +
9545 					       n_match_sets);
9546 	else if (request->ie)
9547 		request->scan_plans = (void *)(request->ie + ie_len);
9548 	else if (n_ssids)
9549 		request->scan_plans = (void *)(request->ssids + n_ssids);
9550 	else
9551 		request->scan_plans = (void *)(request->channels + n_channels);
9552 
9553 	request->n_scan_plans = n_plans;
9554 
9555 	i = 0;
9556 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9557 		/* user specified, bail out if channel not found */
9558 		nla_for_each_nested(attr,
9559 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9560 				    tmp) {
9561 			struct ieee80211_channel *chan;
9562 
9563 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9564 
9565 			if (!chan) {
9566 				err = -EINVAL;
9567 				goto out_free;
9568 			}
9569 
9570 			/* ignore disabled channels */
9571 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9572 				continue;
9573 
9574 			request->channels[i] = chan;
9575 			i++;
9576 		}
9577 	} else {
9578 		/* all channels */
9579 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9580 			int j;
9581 
9582 			if (!wiphy->bands[band])
9583 				continue;
9584 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9585 				struct ieee80211_channel *chan;
9586 
9587 				chan = &wiphy->bands[band]->channels[j];
9588 
9589 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9590 					continue;
9591 
9592 				request->channels[i] = chan;
9593 				i++;
9594 			}
9595 		}
9596 	}
9597 
9598 	if (!i) {
9599 		err = -EINVAL;
9600 		goto out_free;
9601 	}
9602 
9603 	request->n_channels = i;
9604 
9605 	i = 0;
9606 	if (n_ssids) {
9607 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9608 				    tmp) {
9609 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9610 				err = -EINVAL;
9611 				goto out_free;
9612 			}
9613 			request->ssids[i].ssid_len = nla_len(attr);
9614 			memcpy(request->ssids[i].ssid, nla_data(attr),
9615 			       nla_len(attr));
9616 			i++;
9617 		}
9618 	}
9619 
9620 	i = 0;
9621 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9622 		nla_for_each_nested(attr,
9623 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9624 				    tmp) {
9625 			struct nlattr *ssid, *bssid, *rssi;
9626 
9627 			err = nla_parse_nested_deprecated(tb,
9628 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9629 							  attr,
9630 							  nl80211_match_policy,
9631 							  NULL);
9632 			if (err)
9633 				goto out_free;
9634 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9635 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9636 
9637 			if (!ssid && !bssid) {
9638 				i++;
9639 				continue;
9640 			}
9641 
9642 			if (WARN_ON(i >= n_match_sets)) {
9643 				/* this indicates a programming error,
9644 				 * the loop above should have verified
9645 				 * things properly
9646 				 */
9647 				err = -EINVAL;
9648 				goto out_free;
9649 			}
9650 
9651 			if (ssid) {
9652 				memcpy(request->match_sets[i].ssid.ssid,
9653 				       nla_data(ssid), nla_len(ssid));
9654 				request->match_sets[i].ssid.ssid_len =
9655 					nla_len(ssid);
9656 			}
9657 			if (bssid)
9658 				memcpy(request->match_sets[i].bssid,
9659 				       nla_data(bssid), ETH_ALEN);
9660 
9661 			/* special attribute - old implementation w/a */
9662 			request->match_sets[i].rssi_thold = default_match_rssi;
9663 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9664 			if (rssi)
9665 				request->match_sets[i].rssi_thold =
9666 					nla_get_s32(rssi);
9667 
9668 			/* Parse per band RSSI attribute */
9669 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9670 				&request->match_sets[i],
9671 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9672 				request->match_sets[i].rssi_thold);
9673 			if (err)
9674 				goto out_free;
9675 
9676 			i++;
9677 		}
9678 
9679 		/* there was no other matchset, so the RSSI one is alone */
9680 		if (i == 0 && n_match_sets)
9681 			request->match_sets[0].rssi_thold = default_match_rssi;
9682 
9683 		request->min_rssi_thold = INT_MAX;
9684 		for (i = 0; i < n_match_sets; i++)
9685 			request->min_rssi_thold =
9686 				min(request->match_sets[i].rssi_thold,
9687 				    request->min_rssi_thold);
9688 	} else {
9689 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9690 	}
9691 
9692 	if (ie_len) {
9693 		request->ie_len = ie_len;
9694 		memcpy((void *)request->ie,
9695 		       nla_data(attrs[NL80211_ATTR_IE]),
9696 		       request->ie_len);
9697 	}
9698 
9699 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9700 	if (err)
9701 		goto out_free;
9702 
9703 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9704 		request->delay =
9705 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9706 
9707 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9708 		request->relative_rssi = nla_get_s8(
9709 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9710 		request->relative_rssi_set = true;
9711 	}
9712 
9713 	if (request->relative_rssi_set &&
9714 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9715 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9716 
9717 		rssi_adjust = nla_data(
9718 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9719 		request->rssi_adjust.band = rssi_adjust->band;
9720 		request->rssi_adjust.delta = rssi_adjust->delta;
9721 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9722 			err = -EINVAL;
9723 			goto out_free;
9724 		}
9725 	}
9726 
9727 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9728 	if (err)
9729 		goto out_free;
9730 
9731 	request->scan_start = jiffies;
9732 
9733 	return request;
9734 
9735 out_free:
9736 	kfree(request);
9737 	return ERR_PTR(err);
9738 }
9739 
9740 static int nl80211_start_sched_scan(struct sk_buff *skb,
9741 				    struct genl_info *info)
9742 {
9743 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9744 	struct net_device *dev = info->user_ptr[1];
9745 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9746 	struct cfg80211_sched_scan_request *sched_scan_req;
9747 	bool want_multi;
9748 	int err;
9749 
9750 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9751 		return -EOPNOTSUPP;
9752 
9753 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9754 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9755 	if (err)
9756 		return err;
9757 
9758 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9759 						  info->attrs,
9760 						  rdev->wiphy.max_match_sets);
9761 
9762 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9763 	if (err)
9764 		goto out_err;
9765 
9766 	/* leave request id zero for legacy request
9767 	 * or if driver does not support multi-scheduled scan
9768 	 */
9769 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9770 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9771 
9772 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9773 	if (err)
9774 		goto out_free;
9775 
9776 	sched_scan_req->dev = dev;
9777 	sched_scan_req->wiphy = &rdev->wiphy;
9778 
9779 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9780 		sched_scan_req->owner_nlportid = info->snd_portid;
9781 
9782 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9783 
9784 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9785 	return 0;
9786 
9787 out_free:
9788 	kfree(sched_scan_req);
9789 out_err:
9790 	return err;
9791 }
9792 
9793 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9794 				   struct genl_info *info)
9795 {
9796 	struct cfg80211_sched_scan_request *req;
9797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9798 	u64 cookie;
9799 
9800 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9801 		return -EOPNOTSUPP;
9802 
9803 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9804 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9805 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9806 	}
9807 
9808 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9809 				     struct cfg80211_sched_scan_request,
9810 				     list);
9811 	if (!req || req->reqid ||
9812 	    (req->owner_nlportid &&
9813 	     req->owner_nlportid != info->snd_portid))
9814 		return -ENOENT;
9815 
9816 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9817 }
9818 
9819 static int nl80211_start_radar_detection(struct sk_buff *skb,
9820 					 struct genl_info *info)
9821 {
9822 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9823 	struct net_device *dev = info->user_ptr[1];
9824 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9825 	struct wiphy *wiphy = wdev->wiphy;
9826 	struct cfg80211_chan_def chandef;
9827 	enum nl80211_dfs_regions dfs_region;
9828 	unsigned int cac_time_ms;
9829 	int err = -EINVAL;
9830 
9831 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9832 
9833 	wiphy_lock(wiphy);
9834 
9835 	dfs_region = reg_get_dfs_region(wiphy);
9836 	if (dfs_region == NL80211_DFS_UNSET)
9837 		goto unlock;
9838 
9839 	err = nl80211_parse_chandef(rdev, info, &chandef);
9840 	if (err)
9841 		goto unlock;
9842 
9843 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9844 	if (err < 0)
9845 		goto unlock;
9846 
9847 	if (err == 0) {
9848 		err = -EINVAL;
9849 		goto unlock;
9850 	}
9851 
9852 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9853 		err = -EINVAL;
9854 		goto unlock;
9855 	}
9856 
9857 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9858 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9859 								&chandef);
9860 		goto unlock;
9861 	}
9862 
9863 	if (netif_carrier_ok(dev)) {
9864 		err = -EBUSY;
9865 		goto unlock;
9866 	}
9867 
9868 	if (wdev->cac_started) {
9869 		err = -EBUSY;
9870 		goto unlock;
9871 	}
9872 
9873 	/* CAC start is offloaded to HW and can't be started manually */
9874 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9875 		err = -EOPNOTSUPP;
9876 		goto unlock;
9877 	}
9878 
9879 	if (!rdev->ops->start_radar_detection) {
9880 		err = -EOPNOTSUPP;
9881 		goto unlock;
9882 	}
9883 
9884 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9885 	if (WARN_ON(!cac_time_ms))
9886 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9887 
9888 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9889 	if (!err) {
9890 		wdev->links[0].ap.chandef = chandef;
9891 		wdev->cac_started = true;
9892 		wdev->cac_start_time = jiffies;
9893 		wdev->cac_time_ms = cac_time_ms;
9894 	}
9895 unlock:
9896 	wiphy_unlock(wiphy);
9897 
9898 	return err;
9899 }
9900 
9901 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9902 					  struct genl_info *info)
9903 {
9904 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9905 	struct net_device *dev = info->user_ptr[1];
9906 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9907 	struct wiphy *wiphy = wdev->wiphy;
9908 	struct cfg80211_chan_def chandef;
9909 	enum nl80211_dfs_regions dfs_region;
9910 	int err;
9911 
9912 	dfs_region = reg_get_dfs_region(wiphy);
9913 	if (dfs_region == NL80211_DFS_UNSET) {
9914 		GENL_SET_ERR_MSG(info,
9915 				 "DFS Region is not set. Unexpected Radar indication");
9916 		return -EINVAL;
9917 	}
9918 
9919 	err = nl80211_parse_chandef(rdev, info, &chandef);
9920 	if (err) {
9921 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9922 		return err;
9923 	}
9924 
9925 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9926 	if (err < 0) {
9927 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9928 		return err;
9929 	}
9930 
9931 	if (err == 0) {
9932 		GENL_SET_ERR_MSG(info,
9933 				 "Unexpected Radar indication for chandef/iftype");
9934 		return -EINVAL;
9935 	}
9936 
9937 	/* Do not process this notification if radar is already detected
9938 	 * by kernel on this channel, and return success.
9939 	 */
9940 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9941 		return 0;
9942 
9943 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9944 
9945 	cfg80211_sched_dfs_chan_update(rdev);
9946 
9947 	rdev->radar_chandef = chandef;
9948 
9949 	/* Propagate this notification to other radios as well */
9950 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9951 
9952 	return 0;
9953 }
9954 
9955 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9956 {
9957 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9958 	unsigned int link_id = nl80211_link_id(info->attrs);
9959 	struct net_device *dev = info->user_ptr[1];
9960 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9961 	struct cfg80211_csa_settings params;
9962 	struct nlattr **csa_attrs = NULL;
9963 	int err;
9964 	bool need_new_beacon = false;
9965 	bool need_handle_dfs_flag = true;
9966 	int len, i;
9967 	u32 cs_count;
9968 
9969 	if (!rdev->ops->channel_switch ||
9970 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9971 		return -EOPNOTSUPP;
9972 
9973 	switch (dev->ieee80211_ptr->iftype) {
9974 	case NL80211_IFTYPE_AP:
9975 	case NL80211_IFTYPE_P2P_GO:
9976 		need_new_beacon = true;
9977 		/* For all modes except AP the handle_dfs flag needs to be
9978 		 * supplied to tell the kernel that userspace will handle radar
9979 		 * events when they happen. Otherwise a switch to a channel
9980 		 * requiring DFS will be rejected.
9981 		 */
9982 		need_handle_dfs_flag = false;
9983 
9984 		/* useless if AP is not running */
9985 		if (!wdev->links[link_id].ap.beacon_interval)
9986 			return -ENOTCONN;
9987 		break;
9988 	case NL80211_IFTYPE_ADHOC:
9989 		if (!wdev->u.ibss.ssid_len)
9990 			return -ENOTCONN;
9991 		break;
9992 	case NL80211_IFTYPE_MESH_POINT:
9993 		if (!wdev->u.mesh.id_len)
9994 			return -ENOTCONN;
9995 		break;
9996 	default:
9997 		return -EOPNOTSUPP;
9998 	}
9999 
10000 	memset(&params, 0, sizeof(params));
10001 	params.beacon_csa.ftm_responder = -1;
10002 
10003 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10004 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10005 		return -EINVAL;
10006 
10007 	/* only important for AP, IBSS and mesh create IEs internally */
10008 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10009 		return -EINVAL;
10010 
10011 	/* Even though the attribute is u32, the specification says
10012 	 * u8, so let's make sure we don't overflow.
10013 	 */
10014 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10015 	if (cs_count > 255)
10016 		return -EINVAL;
10017 
10018 	params.count = cs_count;
10019 
10020 	if (!need_new_beacon)
10021 		goto skip_beacons;
10022 
10023 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
10024 	if (err)
10025 		goto free;
10026 
10027 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10028 			    GFP_KERNEL);
10029 	if (!csa_attrs) {
10030 		err = -ENOMEM;
10031 		goto free;
10032 	}
10033 
10034 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10035 					  info->attrs[NL80211_ATTR_CSA_IES],
10036 					  nl80211_policy, info->extack);
10037 	if (err)
10038 		goto free;
10039 
10040 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
10041 	if (err)
10042 		goto free;
10043 
10044 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10045 		err = -EINVAL;
10046 		goto free;
10047 	}
10048 
10049 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10050 	if (!len || (len % sizeof(u16))) {
10051 		err = -EINVAL;
10052 		goto free;
10053 	}
10054 
10055 	params.n_counter_offsets_beacon = len / sizeof(u16);
10056 	if (rdev->wiphy.max_num_csa_counters &&
10057 	    (params.n_counter_offsets_beacon >
10058 	     rdev->wiphy.max_num_csa_counters)) {
10059 		err = -EINVAL;
10060 		goto free;
10061 	}
10062 
10063 	params.counter_offsets_beacon =
10064 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10065 
10066 	/* sanity checks - counters should fit and be the same */
10067 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
10068 		u16 offset = params.counter_offsets_beacon[i];
10069 
10070 		if (offset >= params.beacon_csa.tail_len) {
10071 			err = -EINVAL;
10072 			goto free;
10073 		}
10074 
10075 		if (params.beacon_csa.tail[offset] != params.count) {
10076 			err = -EINVAL;
10077 			goto free;
10078 		}
10079 	}
10080 
10081 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
10082 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10083 		if (!len || (len % sizeof(u16))) {
10084 			err = -EINVAL;
10085 			goto free;
10086 		}
10087 
10088 		params.n_counter_offsets_presp = len / sizeof(u16);
10089 		if (rdev->wiphy.max_num_csa_counters &&
10090 		    (params.n_counter_offsets_presp >
10091 		     rdev->wiphy.max_num_csa_counters)) {
10092 			err = -EINVAL;
10093 			goto free;
10094 		}
10095 
10096 		params.counter_offsets_presp =
10097 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10098 
10099 		/* sanity checks - counters should fit and be the same */
10100 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
10101 			u16 offset = params.counter_offsets_presp[i];
10102 
10103 			if (offset >= params.beacon_csa.probe_resp_len) {
10104 				err = -EINVAL;
10105 				goto free;
10106 			}
10107 
10108 			if (params.beacon_csa.probe_resp[offset] !=
10109 			    params.count) {
10110 				err = -EINVAL;
10111 				goto free;
10112 			}
10113 		}
10114 	}
10115 
10116 skip_beacons:
10117 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10118 	if (err)
10119 		goto free;
10120 
10121 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10122 					   wdev->iftype)) {
10123 		err = -EINVAL;
10124 		goto free;
10125 	}
10126 
10127 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10128 					    &params.chandef,
10129 					    wdev->iftype);
10130 	if (err < 0)
10131 		goto free;
10132 
10133 	if (err > 0) {
10134 		params.radar_required = true;
10135 		if (need_handle_dfs_flag &&
10136 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10137 			err = -EINVAL;
10138 			goto free;
10139 		}
10140 	}
10141 
10142 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10143 		params.block_tx = true;
10144 
10145 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
10146 		err = nl80211_parse_punct_bitmap(rdev, info,
10147 						 &params.chandef,
10148 						 &params.punct_bitmap);
10149 		if (err)
10150 			goto free;
10151 	}
10152 
10153 	wdev_lock(wdev);
10154 	err = rdev_channel_switch(rdev, dev, &params);
10155 	wdev_unlock(wdev);
10156 
10157 free:
10158 	kfree(params.beacon_after.mbssid_ies);
10159 	kfree(params.beacon_csa.mbssid_ies);
10160 	kfree(csa_attrs);
10161 	return err;
10162 }
10163 
10164 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10165 			    u32 seq, int flags,
10166 			    struct cfg80211_registered_device *rdev,
10167 			    struct wireless_dev *wdev,
10168 			    struct cfg80211_internal_bss *intbss)
10169 {
10170 	struct cfg80211_bss *res = &intbss->pub;
10171 	const struct cfg80211_bss_ies *ies;
10172 	unsigned int link_id;
10173 	void *hdr;
10174 	struct nlattr *bss;
10175 
10176 	ASSERT_WDEV_LOCK(wdev);
10177 
10178 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10179 			     NL80211_CMD_NEW_SCAN_RESULTS);
10180 	if (!hdr)
10181 		return -1;
10182 
10183 	genl_dump_check_consistent(cb, hdr);
10184 
10185 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10186 		goto nla_put_failure;
10187 	if (wdev->netdev &&
10188 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10189 		goto nla_put_failure;
10190 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10191 			      NL80211_ATTR_PAD))
10192 		goto nla_put_failure;
10193 
10194 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10195 	if (!bss)
10196 		goto nla_put_failure;
10197 	if ((!is_zero_ether_addr(res->bssid) &&
10198 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10199 		goto nla_put_failure;
10200 
10201 	rcu_read_lock();
10202 	/* indicate whether we have probe response data or not */
10203 	if (rcu_access_pointer(res->proberesp_ies) &&
10204 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10205 		goto fail_unlock_rcu;
10206 
10207 	/* this pointer prefers to be pointed to probe response data
10208 	 * but is always valid
10209 	 */
10210 	ies = rcu_dereference(res->ies);
10211 	if (ies) {
10212 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10213 				      NL80211_BSS_PAD))
10214 			goto fail_unlock_rcu;
10215 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10216 					ies->len, ies->data))
10217 			goto fail_unlock_rcu;
10218 	}
10219 
10220 	/* and this pointer is always (unless driver didn't know) beacon data */
10221 	ies = rcu_dereference(res->beacon_ies);
10222 	if (ies && ies->from_beacon) {
10223 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10224 				      NL80211_BSS_PAD))
10225 			goto fail_unlock_rcu;
10226 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10227 					ies->len, ies->data))
10228 			goto fail_unlock_rcu;
10229 	}
10230 	rcu_read_unlock();
10231 
10232 	if (res->beacon_interval &&
10233 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10234 		goto nla_put_failure;
10235 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10236 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10237 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10238 			res->channel->freq_offset) ||
10239 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10240 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10241 			jiffies_to_msecs(jiffies - intbss->ts)))
10242 		goto nla_put_failure;
10243 
10244 	if (intbss->parent_tsf &&
10245 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10246 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10247 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10248 		     intbss->parent_bssid)))
10249 		goto nla_put_failure;
10250 
10251 	if (intbss->ts_boottime &&
10252 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10253 			      intbss->ts_boottime, NL80211_BSS_PAD))
10254 		goto nla_put_failure;
10255 
10256 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10257 				intbss->pub.chain_signal,
10258 				NL80211_BSS_CHAIN_SIGNAL))
10259 		goto nla_put_failure;
10260 
10261 	switch (rdev->wiphy.signal_type) {
10262 	case CFG80211_SIGNAL_TYPE_MBM:
10263 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10264 			goto nla_put_failure;
10265 		break;
10266 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10267 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10268 			goto nla_put_failure;
10269 		break;
10270 	default:
10271 		break;
10272 	}
10273 
10274 	switch (wdev->iftype) {
10275 	case NL80211_IFTYPE_P2P_CLIENT:
10276 	case NL80211_IFTYPE_STATION:
10277 		for_each_valid_link(wdev, link_id) {
10278 			if (intbss == wdev->links[link_id].client.current_bss &&
10279 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10280 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10281 			     (wdev->valid_links &&
10282 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10283 					  link_id) ||
10284 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10285 				       wdev->u.client.connected_addr)))))
10286 				goto nla_put_failure;
10287 		}
10288 		break;
10289 	case NL80211_IFTYPE_ADHOC:
10290 		if (intbss == wdev->u.ibss.current_bss &&
10291 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10292 				NL80211_BSS_STATUS_IBSS_JOINED))
10293 			goto nla_put_failure;
10294 		break;
10295 	default:
10296 		break;
10297 	}
10298 
10299 	nla_nest_end(msg, bss);
10300 
10301 	genlmsg_end(msg, hdr);
10302 	return 0;
10303 
10304  fail_unlock_rcu:
10305 	rcu_read_unlock();
10306  nla_put_failure:
10307 	genlmsg_cancel(msg, hdr);
10308 	return -EMSGSIZE;
10309 }
10310 
10311 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10312 {
10313 	struct cfg80211_registered_device *rdev;
10314 	struct cfg80211_internal_bss *scan;
10315 	struct wireless_dev *wdev;
10316 	int start = cb->args[2], idx = 0;
10317 	int err;
10318 
10319 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10320 	if (err)
10321 		return err;
10322 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10323 	__acquire(&rdev->wiphy.mtx);
10324 
10325 	wdev_lock(wdev);
10326 	spin_lock_bh(&rdev->bss_lock);
10327 
10328 	/*
10329 	 * dump_scan will be called multiple times to break up the scan results
10330 	 * into multiple messages.  It is unlikely that any more bss-es will be
10331 	 * expired after the first call, so only call only call this on the
10332 	 * first dump_scan invocation.
10333 	 */
10334 	if (start == 0)
10335 		cfg80211_bss_expire(rdev);
10336 
10337 	cb->seq = rdev->bss_generation;
10338 
10339 	list_for_each_entry(scan, &rdev->bss_list, list) {
10340 		if (++idx <= start)
10341 			continue;
10342 		if (nl80211_send_bss(skb, cb,
10343 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10344 				rdev, wdev, scan) < 0) {
10345 			idx--;
10346 			break;
10347 		}
10348 	}
10349 
10350 	spin_unlock_bh(&rdev->bss_lock);
10351 	wdev_unlock(wdev);
10352 
10353 	cb->args[2] = idx;
10354 	wiphy_unlock(&rdev->wiphy);
10355 
10356 	return skb->len;
10357 }
10358 
10359 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10360 			       int flags, struct net_device *dev,
10361 			       bool allow_radio_stats,
10362 			       struct survey_info *survey)
10363 {
10364 	void *hdr;
10365 	struct nlattr *infoattr;
10366 
10367 	/* skip radio stats if userspace didn't request them */
10368 	if (!survey->channel && !allow_radio_stats)
10369 		return 0;
10370 
10371 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10372 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10373 	if (!hdr)
10374 		return -ENOMEM;
10375 
10376 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10377 		goto nla_put_failure;
10378 
10379 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10380 	if (!infoattr)
10381 		goto nla_put_failure;
10382 
10383 	if (survey->channel &&
10384 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10385 			survey->channel->center_freq))
10386 		goto nla_put_failure;
10387 
10388 	if (survey->channel && survey->channel->freq_offset &&
10389 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10390 			survey->channel->freq_offset))
10391 		goto nla_put_failure;
10392 
10393 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10394 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10395 		goto nla_put_failure;
10396 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10397 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10398 		goto nla_put_failure;
10399 	if ((survey->filled & SURVEY_INFO_TIME) &&
10400 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10401 			survey->time, NL80211_SURVEY_INFO_PAD))
10402 		goto nla_put_failure;
10403 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10404 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10405 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10406 		goto nla_put_failure;
10407 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10408 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10409 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10410 		goto nla_put_failure;
10411 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10412 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10413 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10414 		goto nla_put_failure;
10415 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10416 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10417 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10418 		goto nla_put_failure;
10419 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10420 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10421 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10422 		goto nla_put_failure;
10423 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10424 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10425 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10426 		goto nla_put_failure;
10427 
10428 	nla_nest_end(msg, infoattr);
10429 
10430 	genlmsg_end(msg, hdr);
10431 	return 0;
10432 
10433  nla_put_failure:
10434 	genlmsg_cancel(msg, hdr);
10435 	return -EMSGSIZE;
10436 }
10437 
10438 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10439 {
10440 	struct nlattr **attrbuf;
10441 	struct survey_info survey;
10442 	struct cfg80211_registered_device *rdev;
10443 	struct wireless_dev *wdev;
10444 	int survey_idx = cb->args[2];
10445 	int res;
10446 	bool radio_stats;
10447 
10448 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10449 	if (!attrbuf)
10450 		return -ENOMEM;
10451 
10452 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10453 	if (res) {
10454 		kfree(attrbuf);
10455 		return res;
10456 	}
10457 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10458 	__acquire(&rdev->wiphy.mtx);
10459 
10460 	/* prepare_wdev_dump parsed the attributes */
10461 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10462 
10463 	if (!wdev->netdev) {
10464 		res = -EINVAL;
10465 		goto out_err;
10466 	}
10467 
10468 	if (!rdev->ops->dump_survey) {
10469 		res = -EOPNOTSUPP;
10470 		goto out_err;
10471 	}
10472 
10473 	while (1) {
10474 		wdev_lock(wdev);
10475 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10476 		wdev_unlock(wdev);
10477 		if (res == -ENOENT)
10478 			break;
10479 		if (res)
10480 			goto out_err;
10481 
10482 		/* don't send disabled channels, but do send non-channel data */
10483 		if (survey.channel &&
10484 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10485 			survey_idx++;
10486 			continue;
10487 		}
10488 
10489 		if (nl80211_send_survey(skb,
10490 				NETLINK_CB(cb->skb).portid,
10491 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10492 				wdev->netdev, radio_stats, &survey) < 0)
10493 			goto out;
10494 		survey_idx++;
10495 	}
10496 
10497  out:
10498 	cb->args[2] = survey_idx;
10499 	res = skb->len;
10500  out_err:
10501 	kfree(attrbuf);
10502 	wiphy_unlock(&rdev->wiphy);
10503 	return res;
10504 }
10505 
10506 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10507 {
10508 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10509 				  NL80211_WPA_VERSION_2 |
10510 				  NL80211_WPA_VERSION_3));
10511 }
10512 
10513 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10514 {
10515 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10516 	struct net_device *dev = info->user_ptr[1];
10517 	struct ieee80211_channel *chan;
10518 	const u8 *bssid, *ssid;
10519 	int err, ssid_len;
10520 	enum nl80211_auth_type auth_type;
10521 	struct key_parse key;
10522 	bool local_state_change;
10523 	struct cfg80211_auth_request req = {};
10524 	u32 freq;
10525 
10526 	if (!info->attrs[NL80211_ATTR_MAC])
10527 		return -EINVAL;
10528 
10529 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10530 		return -EINVAL;
10531 
10532 	if (!info->attrs[NL80211_ATTR_SSID])
10533 		return -EINVAL;
10534 
10535 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10536 		return -EINVAL;
10537 
10538 	err = nl80211_parse_key(info, &key);
10539 	if (err)
10540 		return err;
10541 
10542 	if (key.idx >= 0) {
10543 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10544 			return -EINVAL;
10545 		if (!key.p.key || !key.p.key_len)
10546 			return -EINVAL;
10547 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10548 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10549 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10550 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10551 			return -EINVAL;
10552 		if (key.idx > 3)
10553 			return -EINVAL;
10554 	} else {
10555 		key.p.key_len = 0;
10556 		key.p.key = NULL;
10557 	}
10558 
10559 	if (key.idx >= 0) {
10560 		int i;
10561 		bool ok = false;
10562 
10563 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10564 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10565 				ok = true;
10566 				break;
10567 			}
10568 		}
10569 		if (!ok)
10570 			return -EINVAL;
10571 	}
10572 
10573 	if (!rdev->ops->auth)
10574 		return -EOPNOTSUPP;
10575 
10576 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10577 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10578 		return -EOPNOTSUPP;
10579 
10580 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10581 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10582 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10583 		freq +=
10584 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10585 
10586 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10587 	if (!chan)
10588 		return -EINVAL;
10589 
10590 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10591 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10592 
10593 	if (info->attrs[NL80211_ATTR_IE]) {
10594 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10595 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10596 	}
10597 
10598 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10599 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10600 		return -EINVAL;
10601 
10602 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10603 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10604 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10605 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10606 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10607 		return -EINVAL;
10608 
10609 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10610 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10611 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10612 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10613 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10614 			return -EINVAL;
10615 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10616 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10617 	}
10618 
10619 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10620 
10621 	/*
10622 	 * Since we no longer track auth state, ignore
10623 	 * requests to only change local state.
10624 	 */
10625 	if (local_state_change)
10626 		return 0;
10627 
10628 	req.auth_type = auth_type;
10629 	req.key = key.p.key;
10630 	req.key_len = key.p.key_len;
10631 	req.key_idx = key.idx;
10632 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10633 	if (req.link_id >= 0) {
10634 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10635 			return -EINVAL;
10636 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10637 			return -EINVAL;
10638 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10639 	}
10640 
10641 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10642 				   IEEE80211_BSS_TYPE_ESS,
10643 				   IEEE80211_PRIVACY_ANY);
10644 	if (!req.bss)
10645 		return -ENOENT;
10646 
10647 	wdev_lock(dev->ieee80211_ptr);
10648 	err = cfg80211_mlme_auth(rdev, dev, &req);
10649 	wdev_unlock(dev->ieee80211_ptr);
10650 
10651 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10652 
10653 	return err;
10654 }
10655 
10656 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10657 				     struct genl_info *info)
10658 {
10659 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10660 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10661 		return -EINVAL;
10662 	}
10663 
10664 	if (!rdev->ops->tx_control_port ||
10665 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10666 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10667 		return -EOPNOTSUPP;
10668 
10669 	return 0;
10670 }
10671 
10672 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10673 				   struct genl_info *info,
10674 				   struct cfg80211_crypto_settings *settings,
10675 				   int cipher_limit)
10676 {
10677 	memset(settings, 0, sizeof(*settings));
10678 
10679 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10680 
10681 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10682 		u16 proto;
10683 
10684 		proto = nla_get_u16(
10685 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10686 		settings->control_port_ethertype = cpu_to_be16(proto);
10687 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10688 		    proto != ETH_P_PAE)
10689 			return -EINVAL;
10690 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10691 			settings->control_port_no_encrypt = true;
10692 	} else
10693 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10694 
10695 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10696 		int r = validate_pae_over_nl80211(rdev, info);
10697 
10698 		if (r < 0)
10699 			return r;
10700 
10701 		settings->control_port_over_nl80211 = true;
10702 
10703 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10704 			settings->control_port_no_preauth = true;
10705 	}
10706 
10707 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10708 		void *data;
10709 		int len, i;
10710 
10711 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10712 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10713 		settings->n_ciphers_pairwise = len / sizeof(u32);
10714 
10715 		if (len % sizeof(u32))
10716 			return -EINVAL;
10717 
10718 		if (settings->n_ciphers_pairwise > cipher_limit)
10719 			return -EINVAL;
10720 
10721 		memcpy(settings->ciphers_pairwise, data, len);
10722 
10723 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10724 			if (!cfg80211_supported_cipher_suite(
10725 					&rdev->wiphy,
10726 					settings->ciphers_pairwise[i]))
10727 				return -EINVAL;
10728 	}
10729 
10730 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10731 		settings->cipher_group =
10732 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10733 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10734 						     settings->cipher_group))
10735 			return -EINVAL;
10736 	}
10737 
10738 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10739 		settings->wpa_versions =
10740 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10741 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10742 			return -EINVAL;
10743 	}
10744 
10745 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10746 		void *data;
10747 		int len;
10748 
10749 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10750 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10751 		settings->n_akm_suites = len / sizeof(u32);
10752 
10753 		if (len % sizeof(u32))
10754 			return -EINVAL;
10755 
10756 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10757 			return -EINVAL;
10758 
10759 		memcpy(settings->akm_suites, data, len);
10760 	}
10761 
10762 	if (info->attrs[NL80211_ATTR_PMK]) {
10763 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10764 			return -EINVAL;
10765 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10766 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10767 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10768 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10769 			return -EINVAL;
10770 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10771 	}
10772 
10773 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10774 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10775 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10776 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10777 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10778 			return -EINVAL;
10779 		settings->sae_pwd =
10780 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10781 		settings->sae_pwd_len =
10782 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10783 	}
10784 
10785 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10786 		settings->sae_pwe =
10787 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10788 	else
10789 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10790 
10791 	return 0;
10792 }
10793 
10794 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10795 					      const u8 *ssid, int ssid_len,
10796 					      struct nlattr **attrs,
10797 					      const u8 **bssid_out)
10798 {
10799 	struct ieee80211_channel *chan;
10800 	struct cfg80211_bss *bss;
10801 	const u8 *bssid;
10802 	u32 freq;
10803 
10804 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10805 		return ERR_PTR(-EINVAL);
10806 
10807 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10808 
10809 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10810 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10811 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10812 
10813 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10814 	if (!chan)
10815 		return ERR_PTR(-EINVAL);
10816 
10817 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10818 			       ssid, ssid_len,
10819 			       IEEE80211_BSS_TYPE_ESS,
10820 			       IEEE80211_PRIVACY_ANY);
10821 	if (!bss)
10822 		return ERR_PTR(-ENOENT);
10823 
10824 	*bssid_out = bssid;
10825 	return bss;
10826 }
10827 
10828 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10829 {
10830 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10831 	struct net_device *dev = info->user_ptr[1];
10832 	struct cfg80211_assoc_request req = {};
10833 	struct nlattr **attrs = NULL;
10834 	const u8 *bssid, *ssid;
10835 	unsigned int link_id;
10836 	int err, ssid_len;
10837 
10838 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10839 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10840 		return -EPERM;
10841 
10842 	if (!info->attrs[NL80211_ATTR_SSID])
10843 		return -EINVAL;
10844 
10845 	if (!rdev->ops->assoc)
10846 		return -EOPNOTSUPP;
10847 
10848 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10849 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10850 		return -EOPNOTSUPP;
10851 
10852 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10853 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10854 
10855 	if (info->attrs[NL80211_ATTR_IE]) {
10856 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10857 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10858 
10859 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10860 					   req.ie, req.ie_len)) {
10861 			GENL_SET_ERR_MSG(info,
10862 					 "non-inheritance makes no sense");
10863 			return -EINVAL;
10864 		}
10865 	}
10866 
10867 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10868 		enum nl80211_mfp mfp =
10869 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10870 		if (mfp == NL80211_MFP_REQUIRED)
10871 			req.use_mfp = true;
10872 		else if (mfp != NL80211_MFP_NO)
10873 			return -EINVAL;
10874 	}
10875 
10876 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10877 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10878 
10879 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10880 		req.flags |= ASSOC_REQ_DISABLE_HT;
10881 
10882 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10883 		memcpy(&req.ht_capa_mask,
10884 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10885 		       sizeof(req.ht_capa_mask));
10886 
10887 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10888 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10889 			return -EINVAL;
10890 		memcpy(&req.ht_capa,
10891 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10892 		       sizeof(req.ht_capa));
10893 	}
10894 
10895 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10896 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10897 
10898 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10899 		req.flags |= ASSOC_REQ_DISABLE_HE;
10900 
10901 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
10902 		req.flags |= ASSOC_REQ_DISABLE_EHT;
10903 
10904 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10905 		memcpy(&req.vht_capa_mask,
10906 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10907 		       sizeof(req.vht_capa_mask));
10908 
10909 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10910 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10911 			return -EINVAL;
10912 		memcpy(&req.vht_capa,
10913 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10914 		       sizeof(req.vht_capa));
10915 	}
10916 
10917 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10918 		if (!((rdev->wiphy.features &
10919 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10920 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10921 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10922 					     NL80211_EXT_FEATURE_RRM))
10923 			return -EINVAL;
10924 		req.flags |= ASSOC_REQ_USE_RRM;
10925 	}
10926 
10927 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10928 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10929 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10930 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10931 			return -EINVAL;
10932 		req.fils_nonces =
10933 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10934 	}
10935 
10936 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10937 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10938 			return -EINVAL;
10939 		memcpy(&req.s1g_capa_mask,
10940 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10941 		       sizeof(req.s1g_capa_mask));
10942 	}
10943 
10944 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10945 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10946 			return -EINVAL;
10947 		memcpy(&req.s1g_capa,
10948 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10949 		       sizeof(req.s1g_capa));
10950 	}
10951 
10952 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10953 
10954 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
10955 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
10956 		struct nlattr *link;
10957 		int rem = 0;
10958 
10959 		if (req.link_id < 0)
10960 			return -EINVAL;
10961 
10962 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10963 			return -EINVAL;
10964 
10965 		if (info->attrs[NL80211_ATTR_MAC] ||
10966 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10967 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
10968 			return -EINVAL;
10969 
10970 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10971 
10972 		attrs = kzalloc(attrsize, GFP_KERNEL);
10973 		if (!attrs)
10974 			return -ENOMEM;
10975 
10976 		nla_for_each_nested(link,
10977 				    info->attrs[NL80211_ATTR_MLO_LINKS],
10978 				    rem) {
10979 			memset(attrs, 0, attrsize);
10980 
10981 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
10982 					 link, NULL, NULL);
10983 
10984 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
10985 				err = -EINVAL;
10986 				goto free;
10987 			}
10988 
10989 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
10990 			/* cannot use the same link ID again */
10991 			if (req.links[link_id].bss) {
10992 				err = -EINVAL;
10993 				goto free;
10994 			}
10995 			req.links[link_id].bss =
10996 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
10997 						  &bssid);
10998 			if (IS_ERR(req.links[link_id].bss)) {
10999 				err = PTR_ERR(req.links[link_id].bss);
11000 				req.links[link_id].bss = NULL;
11001 				goto free;
11002 			}
11003 
11004 			if (attrs[NL80211_ATTR_IE]) {
11005 				req.links[link_id].elems =
11006 					nla_data(attrs[NL80211_ATTR_IE]);
11007 				req.links[link_id].elems_len =
11008 					nla_len(attrs[NL80211_ATTR_IE]);
11009 
11010 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11011 						       req.links[link_id].elems,
11012 						       req.links[link_id].elems_len)) {
11013 					GENL_SET_ERR_MSG(info,
11014 							 "cannot deal with fragmentation");
11015 					err = -EINVAL;
11016 					goto free;
11017 				}
11018 
11019 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11020 							   req.links[link_id].elems,
11021 							   req.links[link_id].elems_len)) {
11022 					GENL_SET_ERR_MSG(info,
11023 							 "cannot deal with non-inheritance");
11024 					err = -EINVAL;
11025 					goto free;
11026 				}
11027 			}
11028 		}
11029 
11030 		if (!req.links[req.link_id].bss) {
11031 			err = -EINVAL;
11032 			goto free;
11033 		}
11034 
11035 		if (req.links[req.link_id].elems_len) {
11036 			GENL_SET_ERR_MSG(info,
11037 					 "cannot have per-link elems on assoc link");
11038 			err = -EINVAL;
11039 			goto free;
11040 		}
11041 
11042 		kfree(attrs);
11043 		attrs = NULL;
11044 	} else {
11045 		if (req.link_id >= 0)
11046 			return -EINVAL;
11047 
11048 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11049 					    &bssid);
11050 		if (IS_ERR(req.bss))
11051 			return PTR_ERR(req.bss);
11052 	}
11053 
11054 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11055 	if (!err) {
11056 		wdev_lock(dev->ieee80211_ptr);
11057 
11058 		err = cfg80211_mlme_assoc(rdev, dev, &req);
11059 
11060 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11061 			dev->ieee80211_ptr->conn_owner_nlportid =
11062 				info->snd_portid;
11063 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11064 			       bssid, ETH_ALEN);
11065 		}
11066 
11067 		wdev_unlock(dev->ieee80211_ptr);
11068 	}
11069 
11070 free:
11071 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11072 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11073 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11074 	kfree(attrs);
11075 
11076 	return err;
11077 }
11078 
11079 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11080 {
11081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11082 	struct net_device *dev = info->user_ptr[1];
11083 	const u8 *ie = NULL, *bssid;
11084 	int ie_len = 0, err;
11085 	u16 reason_code;
11086 	bool local_state_change;
11087 
11088 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11089 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11090 		return -EPERM;
11091 
11092 	if (!info->attrs[NL80211_ATTR_MAC])
11093 		return -EINVAL;
11094 
11095 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11096 		return -EINVAL;
11097 
11098 	if (!rdev->ops->deauth)
11099 		return -EOPNOTSUPP;
11100 
11101 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11102 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11103 		return -EOPNOTSUPP;
11104 
11105 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11106 
11107 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11108 	if (reason_code == 0) {
11109 		/* Reason Code 0 is reserved */
11110 		return -EINVAL;
11111 	}
11112 
11113 	if (info->attrs[NL80211_ATTR_IE]) {
11114 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11115 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11116 	}
11117 
11118 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11119 
11120 	wdev_lock(dev->ieee80211_ptr);
11121 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11122 				   local_state_change);
11123 	wdev_unlock(dev->ieee80211_ptr);
11124 	return err;
11125 }
11126 
11127 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11128 {
11129 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11130 	struct net_device *dev = info->user_ptr[1];
11131 	const u8 *ie = NULL, *bssid;
11132 	int ie_len = 0, err;
11133 	u16 reason_code;
11134 	bool local_state_change;
11135 
11136 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11137 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11138 		return -EPERM;
11139 
11140 	if (!info->attrs[NL80211_ATTR_MAC])
11141 		return -EINVAL;
11142 
11143 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11144 		return -EINVAL;
11145 
11146 	if (!rdev->ops->disassoc)
11147 		return -EOPNOTSUPP;
11148 
11149 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11150 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11151 		return -EOPNOTSUPP;
11152 
11153 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11154 
11155 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11156 	if (reason_code == 0) {
11157 		/* Reason Code 0 is reserved */
11158 		return -EINVAL;
11159 	}
11160 
11161 	if (info->attrs[NL80211_ATTR_IE]) {
11162 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11163 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11164 	}
11165 
11166 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11167 
11168 	wdev_lock(dev->ieee80211_ptr);
11169 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11170 				     local_state_change);
11171 	wdev_unlock(dev->ieee80211_ptr);
11172 	return err;
11173 }
11174 
11175 static bool
11176 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11177 			 int mcast_rate[NUM_NL80211_BANDS],
11178 			 int rateval)
11179 {
11180 	struct wiphy *wiphy = &rdev->wiphy;
11181 	bool found = false;
11182 	int band, i;
11183 
11184 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11185 		struct ieee80211_supported_band *sband;
11186 
11187 		sband = wiphy->bands[band];
11188 		if (!sband)
11189 			continue;
11190 
11191 		for (i = 0; i < sband->n_bitrates; i++) {
11192 			if (sband->bitrates[i].bitrate == rateval) {
11193 				mcast_rate[band] = i + 1;
11194 				found = true;
11195 				break;
11196 			}
11197 		}
11198 	}
11199 
11200 	return found;
11201 }
11202 
11203 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11204 {
11205 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11206 	struct net_device *dev = info->user_ptr[1];
11207 	struct cfg80211_ibss_params ibss;
11208 	struct wiphy *wiphy;
11209 	struct cfg80211_cached_keys *connkeys = NULL;
11210 	int err;
11211 
11212 	memset(&ibss, 0, sizeof(ibss));
11213 
11214 	if (!info->attrs[NL80211_ATTR_SSID] ||
11215 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11216 		return -EINVAL;
11217 
11218 	ibss.beacon_interval = 100;
11219 
11220 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11221 		ibss.beacon_interval =
11222 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11223 
11224 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11225 					   ibss.beacon_interval);
11226 	if (err)
11227 		return err;
11228 
11229 	if (!rdev->ops->join_ibss)
11230 		return -EOPNOTSUPP;
11231 
11232 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11233 		return -EOPNOTSUPP;
11234 
11235 	wiphy = &rdev->wiphy;
11236 
11237 	if (info->attrs[NL80211_ATTR_MAC]) {
11238 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11239 
11240 		if (!is_valid_ether_addr(ibss.bssid))
11241 			return -EINVAL;
11242 	}
11243 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11244 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11245 
11246 	if (info->attrs[NL80211_ATTR_IE]) {
11247 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11248 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11249 	}
11250 
11251 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11252 	if (err)
11253 		return err;
11254 
11255 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11256 				     NL80211_IFTYPE_ADHOC))
11257 		return -EINVAL;
11258 
11259 	switch (ibss.chandef.width) {
11260 	case NL80211_CHAN_WIDTH_5:
11261 	case NL80211_CHAN_WIDTH_10:
11262 	case NL80211_CHAN_WIDTH_20_NOHT:
11263 		break;
11264 	case NL80211_CHAN_WIDTH_20:
11265 	case NL80211_CHAN_WIDTH_40:
11266 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11267 			return -EINVAL;
11268 		break;
11269 	case NL80211_CHAN_WIDTH_80:
11270 	case NL80211_CHAN_WIDTH_80P80:
11271 	case NL80211_CHAN_WIDTH_160:
11272 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11273 			return -EINVAL;
11274 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11275 					     NL80211_EXT_FEATURE_VHT_IBSS))
11276 			return -EINVAL;
11277 		break;
11278 	case NL80211_CHAN_WIDTH_320:
11279 		return -EINVAL;
11280 	default:
11281 		return -EINVAL;
11282 	}
11283 
11284 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11285 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11286 
11287 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11288 		u8 *rates =
11289 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11290 		int n_rates =
11291 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11292 		struct ieee80211_supported_band *sband =
11293 			wiphy->bands[ibss.chandef.chan->band];
11294 
11295 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11296 					     &ibss.basic_rates);
11297 		if (err)
11298 			return err;
11299 	}
11300 
11301 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11302 		memcpy(&ibss.ht_capa_mask,
11303 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11304 		       sizeof(ibss.ht_capa_mask));
11305 
11306 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11307 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11308 			return -EINVAL;
11309 		memcpy(&ibss.ht_capa,
11310 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11311 		       sizeof(ibss.ht_capa));
11312 	}
11313 
11314 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11315 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11316 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11317 		return -EINVAL;
11318 
11319 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11320 		bool no_ht = false;
11321 
11322 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11323 		if (IS_ERR(connkeys))
11324 			return PTR_ERR(connkeys);
11325 
11326 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11327 		    no_ht) {
11328 			kfree_sensitive(connkeys);
11329 			return -EINVAL;
11330 		}
11331 	}
11332 
11333 	ibss.control_port =
11334 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11335 
11336 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11337 		int r = validate_pae_over_nl80211(rdev, info);
11338 
11339 		if (r < 0) {
11340 			kfree_sensitive(connkeys);
11341 			return r;
11342 		}
11343 
11344 		ibss.control_port_over_nl80211 = true;
11345 	}
11346 
11347 	ibss.userspace_handles_dfs =
11348 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11349 
11350 	wdev_lock(dev->ieee80211_ptr);
11351 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11352 	if (err)
11353 		kfree_sensitive(connkeys);
11354 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11355 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11356 	wdev_unlock(dev->ieee80211_ptr);
11357 
11358 	return err;
11359 }
11360 
11361 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11362 {
11363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11364 	struct net_device *dev = info->user_ptr[1];
11365 
11366 	if (!rdev->ops->leave_ibss)
11367 		return -EOPNOTSUPP;
11368 
11369 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11370 		return -EOPNOTSUPP;
11371 
11372 	return cfg80211_leave_ibss(rdev, dev, false);
11373 }
11374 
11375 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11376 {
11377 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11378 	struct net_device *dev = info->user_ptr[1];
11379 	int mcast_rate[NUM_NL80211_BANDS];
11380 	u32 nla_rate;
11381 
11382 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11383 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11384 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11385 		return -EOPNOTSUPP;
11386 
11387 	if (!rdev->ops->set_mcast_rate)
11388 		return -EOPNOTSUPP;
11389 
11390 	memset(mcast_rate, 0, sizeof(mcast_rate));
11391 
11392 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11393 		return -EINVAL;
11394 
11395 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11396 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11397 		return -EINVAL;
11398 
11399 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11400 }
11401 
11402 static struct sk_buff *
11403 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11404 			    struct wireless_dev *wdev, int approxlen,
11405 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11406 			    enum nl80211_attrs attr,
11407 			    const struct nl80211_vendor_cmd_info *info,
11408 			    gfp_t gfp)
11409 {
11410 	struct sk_buff *skb;
11411 	void *hdr;
11412 	struct nlattr *data;
11413 
11414 	skb = nlmsg_new(approxlen + 100, gfp);
11415 	if (!skb)
11416 		return NULL;
11417 
11418 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11419 	if (!hdr) {
11420 		kfree_skb(skb);
11421 		return NULL;
11422 	}
11423 
11424 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11425 		goto nla_put_failure;
11426 
11427 	if (info) {
11428 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11429 				info->vendor_id))
11430 			goto nla_put_failure;
11431 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11432 				info->subcmd))
11433 			goto nla_put_failure;
11434 	}
11435 
11436 	if (wdev) {
11437 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11438 				      wdev_id(wdev), NL80211_ATTR_PAD))
11439 			goto nla_put_failure;
11440 		if (wdev->netdev &&
11441 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11442 				wdev->netdev->ifindex))
11443 			goto nla_put_failure;
11444 	}
11445 
11446 	data = nla_nest_start_noflag(skb, attr);
11447 	if (!data)
11448 		goto nla_put_failure;
11449 
11450 	((void **)skb->cb)[0] = rdev;
11451 	((void **)skb->cb)[1] = hdr;
11452 	((void **)skb->cb)[2] = data;
11453 
11454 	return skb;
11455 
11456  nla_put_failure:
11457 	kfree_skb(skb);
11458 	return NULL;
11459 }
11460 
11461 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11462 					   struct wireless_dev *wdev,
11463 					   enum nl80211_commands cmd,
11464 					   enum nl80211_attrs attr,
11465 					   unsigned int portid,
11466 					   int vendor_event_idx,
11467 					   int approxlen, gfp_t gfp)
11468 {
11469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11470 	const struct nl80211_vendor_cmd_info *info;
11471 
11472 	switch (cmd) {
11473 	case NL80211_CMD_TESTMODE:
11474 		if (WARN_ON(vendor_event_idx != -1))
11475 			return NULL;
11476 		info = NULL;
11477 		break;
11478 	case NL80211_CMD_VENDOR:
11479 		if (WARN_ON(vendor_event_idx < 0 ||
11480 			    vendor_event_idx >= wiphy->n_vendor_events))
11481 			return NULL;
11482 		info = &wiphy->vendor_events[vendor_event_idx];
11483 		break;
11484 	default:
11485 		WARN_ON(1);
11486 		return NULL;
11487 	}
11488 
11489 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11490 					   cmd, attr, info, gfp);
11491 }
11492 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11493 
11494 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11495 {
11496 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11497 	void *hdr = ((void **)skb->cb)[1];
11498 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11499 	struct nlattr *data = ((void **)skb->cb)[2];
11500 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11501 
11502 	/* clear CB data for netlink core to own from now on */
11503 	memset(skb->cb, 0, sizeof(skb->cb));
11504 
11505 	nla_nest_end(skb, data);
11506 	genlmsg_end(skb, hdr);
11507 
11508 	if (nlhdr->nlmsg_pid) {
11509 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11510 				nlhdr->nlmsg_pid);
11511 	} else {
11512 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11513 			mcgrp = NL80211_MCGRP_VENDOR;
11514 
11515 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11516 					skb, 0, mcgrp, gfp);
11517 	}
11518 }
11519 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11520 
11521 #ifdef CONFIG_NL80211_TESTMODE
11522 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11523 {
11524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11525 	struct wireless_dev *wdev;
11526 	int err;
11527 
11528 	lockdep_assert_held(&rdev->wiphy.mtx);
11529 
11530 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11531 					  info->attrs);
11532 
11533 	if (!rdev->ops->testmode_cmd)
11534 		return -EOPNOTSUPP;
11535 
11536 	if (IS_ERR(wdev)) {
11537 		err = PTR_ERR(wdev);
11538 		if (err != -EINVAL)
11539 			return err;
11540 		wdev = NULL;
11541 	} else if (wdev->wiphy != &rdev->wiphy) {
11542 		return -EINVAL;
11543 	}
11544 
11545 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11546 		return -EINVAL;
11547 
11548 	rdev->cur_cmd_info = info;
11549 	err = rdev_testmode_cmd(rdev, wdev,
11550 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11551 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11552 	rdev->cur_cmd_info = NULL;
11553 
11554 	return err;
11555 }
11556 
11557 static int nl80211_testmode_dump(struct sk_buff *skb,
11558 				 struct netlink_callback *cb)
11559 {
11560 	struct cfg80211_registered_device *rdev;
11561 	struct nlattr **attrbuf = NULL;
11562 	int err;
11563 	long phy_idx;
11564 	void *data = NULL;
11565 	int data_len = 0;
11566 
11567 	rtnl_lock();
11568 
11569 	if (cb->args[0]) {
11570 		/*
11571 		 * 0 is a valid index, but not valid for args[0],
11572 		 * so we need to offset by 1.
11573 		 */
11574 		phy_idx = cb->args[0] - 1;
11575 
11576 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11577 		if (!rdev) {
11578 			err = -ENOENT;
11579 			goto out_err;
11580 		}
11581 	} else {
11582 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11583 				  GFP_KERNEL);
11584 		if (!attrbuf) {
11585 			err = -ENOMEM;
11586 			goto out_err;
11587 		}
11588 
11589 		err = nlmsg_parse_deprecated(cb->nlh,
11590 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11591 					     attrbuf, nl80211_fam.maxattr,
11592 					     nl80211_policy, NULL);
11593 		if (err)
11594 			goto out_err;
11595 
11596 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11597 		if (IS_ERR(rdev)) {
11598 			err = PTR_ERR(rdev);
11599 			goto out_err;
11600 		}
11601 		phy_idx = rdev->wiphy_idx;
11602 
11603 		if (attrbuf[NL80211_ATTR_TESTDATA])
11604 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11605 	}
11606 
11607 	if (cb->args[1]) {
11608 		data = nla_data((void *)cb->args[1]);
11609 		data_len = nla_len((void *)cb->args[1]);
11610 	}
11611 
11612 	if (!rdev->ops->testmode_dump) {
11613 		err = -EOPNOTSUPP;
11614 		goto out_err;
11615 	}
11616 
11617 	while (1) {
11618 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11619 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11620 					   NL80211_CMD_TESTMODE);
11621 		struct nlattr *tmdata;
11622 
11623 		if (!hdr)
11624 			break;
11625 
11626 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11627 			genlmsg_cancel(skb, hdr);
11628 			break;
11629 		}
11630 
11631 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11632 		if (!tmdata) {
11633 			genlmsg_cancel(skb, hdr);
11634 			break;
11635 		}
11636 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11637 		nla_nest_end(skb, tmdata);
11638 
11639 		if (err == -ENOBUFS || err == -ENOENT) {
11640 			genlmsg_cancel(skb, hdr);
11641 			break;
11642 		} else if (err) {
11643 			genlmsg_cancel(skb, hdr);
11644 			goto out_err;
11645 		}
11646 
11647 		genlmsg_end(skb, hdr);
11648 	}
11649 
11650 	err = skb->len;
11651 	/* see above */
11652 	cb->args[0] = phy_idx + 1;
11653  out_err:
11654 	kfree(attrbuf);
11655 	rtnl_unlock();
11656 	return err;
11657 }
11658 #endif
11659 
11660 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11661 {
11662 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11663 	struct net_device *dev = info->user_ptr[1];
11664 	struct cfg80211_connect_params connect;
11665 	struct wiphy *wiphy;
11666 	struct cfg80211_cached_keys *connkeys = NULL;
11667 	u32 freq = 0;
11668 	int err;
11669 
11670 	memset(&connect, 0, sizeof(connect));
11671 
11672 	if (!info->attrs[NL80211_ATTR_SSID] ||
11673 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11674 		return -EINVAL;
11675 
11676 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11677 		connect.auth_type =
11678 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11679 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11680 					     NL80211_CMD_CONNECT))
11681 			return -EINVAL;
11682 	} else
11683 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11684 
11685 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11686 
11687 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11688 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11689 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11690 		return -EINVAL;
11691 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11692 
11693 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11694 				      NL80211_MAX_NR_CIPHER_SUITES);
11695 	if (err)
11696 		return err;
11697 
11698 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11699 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11700 		return -EOPNOTSUPP;
11701 
11702 	wiphy = &rdev->wiphy;
11703 
11704 	connect.bg_scan_period = -1;
11705 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11706 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11707 		connect.bg_scan_period =
11708 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11709 	}
11710 
11711 	if (info->attrs[NL80211_ATTR_MAC])
11712 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11713 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11714 		connect.bssid_hint =
11715 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11716 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11717 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11718 
11719 	if (info->attrs[NL80211_ATTR_IE]) {
11720 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11721 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11722 	}
11723 
11724 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11725 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11726 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11727 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11728 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11729 			return -EOPNOTSUPP;
11730 	} else {
11731 		connect.mfp = NL80211_MFP_NO;
11732 	}
11733 
11734 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11735 		connect.prev_bssid =
11736 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11737 
11738 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11739 		freq = MHZ_TO_KHZ(nla_get_u32(
11740 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11741 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11742 		freq +=
11743 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11744 
11745 	if (freq) {
11746 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11747 		if (!connect.channel)
11748 			return -EINVAL;
11749 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11750 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11751 		freq = MHZ_TO_KHZ(freq);
11752 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11753 		if (!connect.channel_hint)
11754 			return -EINVAL;
11755 	}
11756 
11757 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11758 		connect.edmg.channels =
11759 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11760 
11761 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11762 			connect.edmg.bw_config =
11763 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11764 	}
11765 
11766 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11767 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11768 		if (IS_ERR(connkeys))
11769 			return PTR_ERR(connkeys);
11770 	}
11771 
11772 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11773 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11774 
11775 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11776 		memcpy(&connect.ht_capa_mask,
11777 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11778 		       sizeof(connect.ht_capa_mask));
11779 
11780 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11781 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11782 			kfree_sensitive(connkeys);
11783 			return -EINVAL;
11784 		}
11785 		memcpy(&connect.ht_capa,
11786 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11787 		       sizeof(connect.ht_capa));
11788 	}
11789 
11790 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11791 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11792 
11793 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11794 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11795 
11796 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11797 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11798 
11799 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11800 		memcpy(&connect.vht_capa_mask,
11801 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11802 		       sizeof(connect.vht_capa_mask));
11803 
11804 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11805 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11806 			kfree_sensitive(connkeys);
11807 			return -EINVAL;
11808 		}
11809 		memcpy(&connect.vht_capa,
11810 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11811 		       sizeof(connect.vht_capa));
11812 	}
11813 
11814 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11815 		if (!((rdev->wiphy.features &
11816 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11817 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11818 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11819 					     NL80211_EXT_FEATURE_RRM)) {
11820 			kfree_sensitive(connkeys);
11821 			return -EINVAL;
11822 		}
11823 		connect.flags |= ASSOC_REQ_USE_RRM;
11824 	}
11825 
11826 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11827 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11828 		kfree_sensitive(connkeys);
11829 		return -EOPNOTSUPP;
11830 	}
11831 
11832 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11833 		/* bss selection makes no sense if bssid is set */
11834 		if (connect.bssid) {
11835 			kfree_sensitive(connkeys);
11836 			return -EINVAL;
11837 		}
11838 
11839 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11840 				       wiphy, &connect.bss_select);
11841 		if (err) {
11842 			kfree_sensitive(connkeys);
11843 			return err;
11844 		}
11845 	}
11846 
11847 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11848 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11849 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11850 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11851 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11852 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11853 		connect.fils_erp_username =
11854 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11855 		connect.fils_erp_username_len =
11856 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11857 		connect.fils_erp_realm =
11858 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11859 		connect.fils_erp_realm_len =
11860 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11861 		connect.fils_erp_next_seq_num =
11862 			nla_get_u16(
11863 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11864 		connect.fils_erp_rrk =
11865 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11866 		connect.fils_erp_rrk_len =
11867 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11868 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11869 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11870 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11871 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11872 		kfree_sensitive(connkeys);
11873 		return -EINVAL;
11874 	}
11875 
11876 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11877 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11878 			kfree_sensitive(connkeys);
11879 			GENL_SET_ERR_MSG(info,
11880 					 "external auth requires connection ownership");
11881 			return -EINVAL;
11882 		}
11883 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11884 	}
11885 
11886 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
11887 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
11888 
11889 	wdev_lock(dev->ieee80211_ptr);
11890 
11891 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11892 			       connect.prev_bssid);
11893 	if (err)
11894 		kfree_sensitive(connkeys);
11895 
11896 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11897 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11898 		if (connect.bssid)
11899 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11900 			       connect.bssid, ETH_ALEN);
11901 		else
11902 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11903 	}
11904 
11905 	wdev_unlock(dev->ieee80211_ptr);
11906 
11907 	return err;
11908 }
11909 
11910 static int nl80211_update_connect_params(struct sk_buff *skb,
11911 					 struct genl_info *info)
11912 {
11913 	struct cfg80211_connect_params connect = {};
11914 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11915 	struct net_device *dev = info->user_ptr[1];
11916 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11917 	bool fils_sk_offload;
11918 	u32 auth_type;
11919 	u32 changed = 0;
11920 	int ret;
11921 
11922 	if (!rdev->ops->update_connect_params)
11923 		return -EOPNOTSUPP;
11924 
11925 	if (info->attrs[NL80211_ATTR_IE]) {
11926 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11927 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11928 		changed |= UPDATE_ASSOC_IES;
11929 	}
11930 
11931 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11932 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11933 
11934 	/*
11935 	 * when driver supports fils-sk offload all attributes must be
11936 	 * provided. So the else covers "fils-sk-not-all" and
11937 	 * "no-fils-sk-any".
11938 	 */
11939 	if (fils_sk_offload &&
11940 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11941 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11942 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11943 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11944 		connect.fils_erp_username =
11945 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11946 		connect.fils_erp_username_len =
11947 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11948 		connect.fils_erp_realm =
11949 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11950 		connect.fils_erp_realm_len =
11951 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11952 		connect.fils_erp_next_seq_num =
11953 			nla_get_u16(
11954 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11955 		connect.fils_erp_rrk =
11956 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11957 		connect.fils_erp_rrk_len =
11958 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11959 		changed |= UPDATE_FILS_ERP_INFO;
11960 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11961 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11962 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11963 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11964 		return -EINVAL;
11965 	}
11966 
11967 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11968 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11969 		if (!nl80211_valid_auth_type(rdev, auth_type,
11970 					     NL80211_CMD_CONNECT))
11971 			return -EINVAL;
11972 
11973 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11974 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11975 			return -EINVAL;
11976 
11977 		connect.auth_type = auth_type;
11978 		changed |= UPDATE_AUTH_TYPE;
11979 	}
11980 
11981 	wdev_lock(dev->ieee80211_ptr);
11982 	if (!wdev->connected)
11983 		ret = -ENOLINK;
11984 	else
11985 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11986 	wdev_unlock(dev->ieee80211_ptr);
11987 
11988 	return ret;
11989 }
11990 
11991 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11992 {
11993 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11994 	struct net_device *dev = info->user_ptr[1];
11995 	u16 reason;
11996 	int ret;
11997 
11998 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11999 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12000 		return -EPERM;
12001 
12002 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12003 		reason = WLAN_REASON_DEAUTH_LEAVING;
12004 	else
12005 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12006 
12007 	if (reason == 0)
12008 		return -EINVAL;
12009 
12010 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12011 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12012 		return -EOPNOTSUPP;
12013 
12014 	wdev_lock(dev->ieee80211_ptr);
12015 	ret = cfg80211_disconnect(rdev, dev, reason, true);
12016 	wdev_unlock(dev->ieee80211_ptr);
12017 	return ret;
12018 }
12019 
12020 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12021 {
12022 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12023 	struct net *net;
12024 	int err;
12025 
12026 	if (info->attrs[NL80211_ATTR_PID]) {
12027 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12028 
12029 		net = get_net_ns_by_pid(pid);
12030 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12031 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12032 
12033 		net = get_net_ns_by_fd(fd);
12034 	} else {
12035 		return -EINVAL;
12036 	}
12037 
12038 	if (IS_ERR(net))
12039 		return PTR_ERR(net);
12040 
12041 	err = 0;
12042 
12043 	/* check if anything to do */
12044 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12045 		err = cfg80211_switch_netns(rdev, net);
12046 
12047 	put_net(net);
12048 	return err;
12049 }
12050 
12051 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
12052 {
12053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12054 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
12055 			struct cfg80211_pmksa *pmksa) = NULL;
12056 	struct net_device *dev = info->user_ptr[1];
12057 	struct cfg80211_pmksa pmksa;
12058 
12059 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12060 
12061 	if (!info->attrs[NL80211_ATTR_PMKID])
12062 		return -EINVAL;
12063 
12064 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12065 
12066 	if (info->attrs[NL80211_ATTR_MAC]) {
12067 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12068 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12069 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12070 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
12071 		    info->attrs[NL80211_ATTR_PMK])) {
12072 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12073 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12074 		pmksa.cache_id =
12075 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12076 	} else {
12077 		return -EINVAL;
12078 	}
12079 	if (info->attrs[NL80211_ATTR_PMK]) {
12080 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12081 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12082 	}
12083 
12084 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12085 		pmksa.pmk_lifetime =
12086 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12087 
12088 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12089 		pmksa.pmk_reauth_threshold =
12090 			nla_get_u8(
12091 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12092 
12093 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12094 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12095 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
12096 	      wiphy_ext_feature_isset(&rdev->wiphy,
12097 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
12098 		return -EOPNOTSUPP;
12099 
12100 	switch (info->genlhdr->cmd) {
12101 	case NL80211_CMD_SET_PMKSA:
12102 		rdev_ops = rdev->ops->set_pmksa;
12103 		break;
12104 	case NL80211_CMD_DEL_PMKSA:
12105 		rdev_ops = rdev->ops->del_pmksa;
12106 		break;
12107 	default:
12108 		WARN_ON(1);
12109 		break;
12110 	}
12111 
12112 	if (!rdev_ops)
12113 		return -EOPNOTSUPP;
12114 
12115 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
12116 }
12117 
12118 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12119 {
12120 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12121 	struct net_device *dev = info->user_ptr[1];
12122 
12123 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12124 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12125 		return -EOPNOTSUPP;
12126 
12127 	if (!rdev->ops->flush_pmksa)
12128 		return -EOPNOTSUPP;
12129 
12130 	return rdev_flush_pmksa(rdev, dev);
12131 }
12132 
12133 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12134 {
12135 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12136 	struct net_device *dev = info->user_ptr[1];
12137 	u8 action_code, dialog_token;
12138 	u32 peer_capability = 0;
12139 	u16 status_code;
12140 	u8 *peer;
12141 	bool initiator;
12142 
12143 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12144 	    !rdev->ops->tdls_mgmt)
12145 		return -EOPNOTSUPP;
12146 
12147 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12148 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12149 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12150 	    !info->attrs[NL80211_ATTR_IE] ||
12151 	    !info->attrs[NL80211_ATTR_MAC])
12152 		return -EINVAL;
12153 
12154 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12155 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12156 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12157 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12158 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12159 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12160 		peer_capability =
12161 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12162 
12163 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
12164 			      dialog_token, status_code, peer_capability,
12165 			      initiator,
12166 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12167 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12168 }
12169 
12170 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12171 {
12172 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12173 	struct net_device *dev = info->user_ptr[1];
12174 	enum nl80211_tdls_operation operation;
12175 	u8 *peer;
12176 
12177 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12178 	    !rdev->ops->tdls_oper)
12179 		return -EOPNOTSUPP;
12180 
12181 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12182 	    !info->attrs[NL80211_ATTR_MAC])
12183 		return -EINVAL;
12184 
12185 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12186 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12187 
12188 	return rdev_tdls_oper(rdev, dev, peer, operation);
12189 }
12190 
12191 static int nl80211_remain_on_channel(struct sk_buff *skb,
12192 				     struct genl_info *info)
12193 {
12194 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12195 	unsigned int link_id = nl80211_link_id(info->attrs);
12196 	struct wireless_dev *wdev = info->user_ptr[1];
12197 	struct cfg80211_chan_def chandef;
12198 	struct sk_buff *msg;
12199 	void *hdr;
12200 	u64 cookie;
12201 	u32 duration;
12202 	int err;
12203 
12204 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12205 	    !info->attrs[NL80211_ATTR_DURATION])
12206 		return -EINVAL;
12207 
12208 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12209 
12210 	if (!rdev->ops->remain_on_channel ||
12211 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12212 		return -EOPNOTSUPP;
12213 
12214 	/*
12215 	 * We should be on that channel for at least a minimum amount of
12216 	 * time (10ms) but no longer than the driver supports.
12217 	 */
12218 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12219 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12220 		return -EINVAL;
12221 
12222 	err = nl80211_parse_chandef(rdev, info, &chandef);
12223 	if (err)
12224 		return err;
12225 
12226 	wdev_lock(wdev);
12227 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12228 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12229 
12230 		oper_chandef = wdev_chandef(wdev, link_id);
12231 
12232 		if (WARN_ON(!oper_chandef)) {
12233 			/* cannot happen since we must beacon to get here */
12234 			WARN_ON(1);
12235 			wdev_unlock(wdev);
12236 			return -EBUSY;
12237 		}
12238 
12239 		/* note: returns first one if identical chandefs */
12240 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12241 							     oper_chandef);
12242 
12243 		if (compat_chandef != &chandef) {
12244 			wdev_unlock(wdev);
12245 			return -EBUSY;
12246 		}
12247 	}
12248 	wdev_unlock(wdev);
12249 
12250 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12251 	if (!msg)
12252 		return -ENOMEM;
12253 
12254 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12255 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12256 	if (!hdr) {
12257 		err = -ENOBUFS;
12258 		goto free_msg;
12259 	}
12260 
12261 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12262 				     duration, &cookie);
12263 
12264 	if (err)
12265 		goto free_msg;
12266 
12267 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12268 			      NL80211_ATTR_PAD))
12269 		goto nla_put_failure;
12270 
12271 	genlmsg_end(msg, hdr);
12272 
12273 	return genlmsg_reply(msg, info);
12274 
12275  nla_put_failure:
12276 	err = -ENOBUFS;
12277  free_msg:
12278 	nlmsg_free(msg);
12279 	return err;
12280 }
12281 
12282 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12283 					    struct genl_info *info)
12284 {
12285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12286 	struct wireless_dev *wdev = info->user_ptr[1];
12287 	u64 cookie;
12288 
12289 	if (!info->attrs[NL80211_ATTR_COOKIE])
12290 		return -EINVAL;
12291 
12292 	if (!rdev->ops->cancel_remain_on_channel)
12293 		return -EOPNOTSUPP;
12294 
12295 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12296 
12297 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12298 }
12299 
12300 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12301 				       struct genl_info *info)
12302 {
12303 	struct cfg80211_bitrate_mask mask;
12304 	unsigned int link_id = nl80211_link_id(info->attrs);
12305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12306 	struct net_device *dev = info->user_ptr[1];
12307 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12308 	int err;
12309 
12310 	if (!rdev->ops->set_bitrate_mask)
12311 		return -EOPNOTSUPP;
12312 
12313 	wdev_lock(wdev);
12314 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12315 					    NL80211_ATTR_TX_RATES, &mask,
12316 					    dev, true, link_id);
12317 	if (err)
12318 		goto out;
12319 
12320 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12321 out:
12322 	wdev_unlock(wdev);
12323 	return err;
12324 }
12325 
12326 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12327 {
12328 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12329 	struct wireless_dev *wdev = info->user_ptr[1];
12330 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12331 
12332 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12333 		return -EINVAL;
12334 
12335 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12336 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12337 
12338 	switch (wdev->iftype) {
12339 	case NL80211_IFTYPE_STATION:
12340 	case NL80211_IFTYPE_ADHOC:
12341 	case NL80211_IFTYPE_P2P_CLIENT:
12342 	case NL80211_IFTYPE_AP:
12343 	case NL80211_IFTYPE_AP_VLAN:
12344 	case NL80211_IFTYPE_MESH_POINT:
12345 	case NL80211_IFTYPE_P2P_GO:
12346 	case NL80211_IFTYPE_P2P_DEVICE:
12347 		break;
12348 	case NL80211_IFTYPE_NAN:
12349 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12350 					     NL80211_EXT_FEATURE_SECURE_NAN))
12351 			return -EOPNOTSUPP;
12352 		break;
12353 	default:
12354 		return -EOPNOTSUPP;
12355 	}
12356 
12357 	/* not much point in registering if we can't reply */
12358 	if (!rdev->ops->mgmt_tx)
12359 		return -EOPNOTSUPP;
12360 
12361 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12362 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12363 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12364 		GENL_SET_ERR_MSG(info,
12365 				 "multicast RX registrations are not supported");
12366 		return -EOPNOTSUPP;
12367 	}
12368 
12369 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12370 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12371 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12372 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12373 					   info->extack);
12374 }
12375 
12376 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12377 {
12378 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12379 	struct wireless_dev *wdev = info->user_ptr[1];
12380 	struct cfg80211_chan_def chandef;
12381 	int err;
12382 	void *hdr = NULL;
12383 	u64 cookie;
12384 	struct sk_buff *msg = NULL;
12385 	struct cfg80211_mgmt_tx_params params = {
12386 		.dont_wait_for_ack =
12387 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12388 	};
12389 
12390 	if (!info->attrs[NL80211_ATTR_FRAME])
12391 		return -EINVAL;
12392 
12393 	if (!rdev->ops->mgmt_tx)
12394 		return -EOPNOTSUPP;
12395 
12396 	switch (wdev->iftype) {
12397 	case NL80211_IFTYPE_P2P_DEVICE:
12398 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12399 			return -EINVAL;
12400 		break;
12401 	case NL80211_IFTYPE_STATION:
12402 	case NL80211_IFTYPE_ADHOC:
12403 	case NL80211_IFTYPE_P2P_CLIENT:
12404 	case NL80211_IFTYPE_AP:
12405 	case NL80211_IFTYPE_AP_VLAN:
12406 	case NL80211_IFTYPE_MESH_POINT:
12407 	case NL80211_IFTYPE_P2P_GO:
12408 		break;
12409 	case NL80211_IFTYPE_NAN:
12410 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12411 					     NL80211_EXT_FEATURE_SECURE_NAN))
12412 			return -EOPNOTSUPP;
12413 		break;
12414 	default:
12415 		return -EOPNOTSUPP;
12416 	}
12417 
12418 	if (info->attrs[NL80211_ATTR_DURATION]) {
12419 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12420 			return -EINVAL;
12421 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12422 
12423 		/*
12424 		 * We should wait on the channel for at least a minimum amount
12425 		 * of time (10ms) but no longer than the driver supports.
12426 		 */
12427 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12428 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12429 			return -EINVAL;
12430 	}
12431 
12432 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12433 
12434 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12435 		return -EINVAL;
12436 
12437 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12438 
12439 	/* get the channel if any has been specified, otherwise pass NULL to
12440 	 * the driver. The latter will use the current one
12441 	 */
12442 	chandef.chan = NULL;
12443 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12444 		err = nl80211_parse_chandef(rdev, info, &chandef);
12445 		if (err)
12446 			return err;
12447 	}
12448 
12449 	if (!chandef.chan && params.offchan)
12450 		return -EINVAL;
12451 
12452 	wdev_lock(wdev);
12453 	if (params.offchan &&
12454 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12455 		wdev_unlock(wdev);
12456 		return -EBUSY;
12457 	}
12458 
12459 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12460 	/*
12461 	 * This now races due to the unlock, but we cannot check
12462 	 * the valid links for the _station_ anyway, so that's up
12463 	 * to the driver.
12464 	 */
12465 	if (params.link_id >= 0 &&
12466 	    !(wdev->valid_links & BIT(params.link_id))) {
12467 		wdev_unlock(wdev);
12468 		return -EINVAL;
12469 	}
12470 	wdev_unlock(wdev);
12471 
12472 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12473 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12474 
12475 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12476 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12477 		int i;
12478 
12479 		if (len % sizeof(u16))
12480 			return -EINVAL;
12481 
12482 		params.n_csa_offsets = len / sizeof(u16);
12483 		params.csa_offsets =
12484 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12485 
12486 		/* check that all the offsets fit the frame */
12487 		for (i = 0; i < params.n_csa_offsets; i++) {
12488 			if (params.csa_offsets[i] >= params.len)
12489 				return -EINVAL;
12490 		}
12491 	}
12492 
12493 	if (!params.dont_wait_for_ack) {
12494 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12495 		if (!msg)
12496 			return -ENOMEM;
12497 
12498 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12499 				     NL80211_CMD_FRAME);
12500 		if (!hdr) {
12501 			err = -ENOBUFS;
12502 			goto free_msg;
12503 		}
12504 	}
12505 
12506 	params.chan = chandef.chan;
12507 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12508 	if (err)
12509 		goto free_msg;
12510 
12511 	if (msg) {
12512 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12513 				      NL80211_ATTR_PAD))
12514 			goto nla_put_failure;
12515 
12516 		genlmsg_end(msg, hdr);
12517 		return genlmsg_reply(msg, info);
12518 	}
12519 
12520 	return 0;
12521 
12522  nla_put_failure:
12523 	err = -ENOBUFS;
12524  free_msg:
12525 	nlmsg_free(msg);
12526 	return err;
12527 }
12528 
12529 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12530 {
12531 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12532 	struct wireless_dev *wdev = info->user_ptr[1];
12533 	u64 cookie;
12534 
12535 	if (!info->attrs[NL80211_ATTR_COOKIE])
12536 		return -EINVAL;
12537 
12538 	if (!rdev->ops->mgmt_tx_cancel_wait)
12539 		return -EOPNOTSUPP;
12540 
12541 	switch (wdev->iftype) {
12542 	case NL80211_IFTYPE_STATION:
12543 	case NL80211_IFTYPE_ADHOC:
12544 	case NL80211_IFTYPE_P2P_CLIENT:
12545 	case NL80211_IFTYPE_AP:
12546 	case NL80211_IFTYPE_AP_VLAN:
12547 	case NL80211_IFTYPE_P2P_GO:
12548 	case NL80211_IFTYPE_P2P_DEVICE:
12549 		break;
12550 	case NL80211_IFTYPE_NAN:
12551 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12552 					     NL80211_EXT_FEATURE_SECURE_NAN))
12553 			return -EOPNOTSUPP;
12554 		break;
12555 	default:
12556 		return -EOPNOTSUPP;
12557 	}
12558 
12559 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12560 
12561 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12562 }
12563 
12564 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12565 {
12566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12567 	struct wireless_dev *wdev;
12568 	struct net_device *dev = info->user_ptr[1];
12569 	u8 ps_state;
12570 	bool state;
12571 	int err;
12572 
12573 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12574 		return -EINVAL;
12575 
12576 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12577 
12578 	wdev = dev->ieee80211_ptr;
12579 
12580 	if (!rdev->ops->set_power_mgmt)
12581 		return -EOPNOTSUPP;
12582 
12583 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12584 
12585 	if (state == wdev->ps)
12586 		return 0;
12587 
12588 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12589 	if (!err)
12590 		wdev->ps = state;
12591 	return err;
12592 }
12593 
12594 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12595 {
12596 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12597 	enum nl80211_ps_state ps_state;
12598 	struct wireless_dev *wdev;
12599 	struct net_device *dev = info->user_ptr[1];
12600 	struct sk_buff *msg;
12601 	void *hdr;
12602 	int err;
12603 
12604 	wdev = dev->ieee80211_ptr;
12605 
12606 	if (!rdev->ops->set_power_mgmt)
12607 		return -EOPNOTSUPP;
12608 
12609 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12610 	if (!msg)
12611 		return -ENOMEM;
12612 
12613 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12614 			     NL80211_CMD_GET_POWER_SAVE);
12615 	if (!hdr) {
12616 		err = -ENOBUFS;
12617 		goto free_msg;
12618 	}
12619 
12620 	if (wdev->ps)
12621 		ps_state = NL80211_PS_ENABLED;
12622 	else
12623 		ps_state = NL80211_PS_DISABLED;
12624 
12625 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12626 		goto nla_put_failure;
12627 
12628 	genlmsg_end(msg, hdr);
12629 	return genlmsg_reply(msg, info);
12630 
12631  nla_put_failure:
12632 	err = -ENOBUFS;
12633  free_msg:
12634 	nlmsg_free(msg);
12635 	return err;
12636 }
12637 
12638 static const struct nla_policy
12639 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12640 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12641 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12642 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12643 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12644 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12645 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12646 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12647 };
12648 
12649 static int nl80211_set_cqm_txe(struct genl_info *info,
12650 			       u32 rate, u32 pkts, u32 intvl)
12651 {
12652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12653 	struct net_device *dev = info->user_ptr[1];
12654 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12655 
12656 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12657 		return -EINVAL;
12658 
12659 	if (!rdev->ops->set_cqm_txe_config)
12660 		return -EOPNOTSUPP;
12661 
12662 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12663 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12664 		return -EOPNOTSUPP;
12665 
12666 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12667 }
12668 
12669 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12670 				    struct net_device *dev)
12671 {
12672 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12673 	s32 last, low, high;
12674 	u32 hyst;
12675 	int i, n, low_index;
12676 	int err;
12677 
12678 	/* RSSI reporting disabled? */
12679 	if (!wdev->cqm_config)
12680 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12681 
12682 	/*
12683 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12684 	 * event has been received yet, we should receive an event after a
12685 	 * connection is established and enough beacons received to calculate
12686 	 * the average.
12687 	 */
12688 	if (!wdev->cqm_config->last_rssi_event_value &&
12689 	    wdev->links[0].client.current_bss &&
12690 	    rdev->ops->get_station) {
12691 		struct station_info sinfo = {};
12692 		u8 *mac_addr;
12693 
12694 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12695 
12696 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12697 		if (err)
12698 			return err;
12699 
12700 		cfg80211_sinfo_release_content(&sinfo);
12701 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12702 			wdev->cqm_config->last_rssi_event_value =
12703 				(s8) sinfo.rx_beacon_signal_avg;
12704 	}
12705 
12706 	last = wdev->cqm_config->last_rssi_event_value;
12707 	hyst = wdev->cqm_config->rssi_hyst;
12708 	n = wdev->cqm_config->n_rssi_thresholds;
12709 
12710 	for (i = 0; i < n; i++) {
12711 		i = array_index_nospec(i, n);
12712 		if (last < wdev->cqm_config->rssi_thresholds[i])
12713 			break;
12714 	}
12715 
12716 	low_index = i - 1;
12717 	if (low_index >= 0) {
12718 		low_index = array_index_nospec(low_index, n);
12719 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12720 	} else {
12721 		low = S32_MIN;
12722 	}
12723 	if (i < n) {
12724 		i = array_index_nospec(i, n);
12725 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12726 	} else {
12727 		high = S32_MAX;
12728 	}
12729 
12730 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12731 }
12732 
12733 static int nl80211_set_cqm_rssi(struct genl_info *info,
12734 				const s32 *thresholds, int n_thresholds,
12735 				u32 hysteresis)
12736 {
12737 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12738 	struct net_device *dev = info->user_ptr[1];
12739 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12740 	int i, err;
12741 	s32 prev = S32_MIN;
12742 
12743 	/* Check all values negative and sorted */
12744 	for (i = 0; i < n_thresholds; i++) {
12745 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12746 			return -EINVAL;
12747 
12748 		prev = thresholds[i];
12749 	}
12750 
12751 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12752 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12753 		return -EOPNOTSUPP;
12754 
12755 	wdev_lock(wdev);
12756 	cfg80211_cqm_config_free(wdev);
12757 	wdev_unlock(wdev);
12758 
12759 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12760 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12761 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12762 
12763 		return rdev_set_cqm_rssi_config(rdev, dev,
12764 						thresholds[0], hysteresis);
12765 	}
12766 
12767 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12768 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12769 		return -EOPNOTSUPP;
12770 
12771 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12772 		n_thresholds = 0;
12773 
12774 	wdev_lock(wdev);
12775 	if (n_thresholds) {
12776 		struct cfg80211_cqm_config *cqm_config;
12777 
12778 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12779 						 n_thresholds),
12780 				     GFP_KERNEL);
12781 		if (!cqm_config) {
12782 			err = -ENOMEM;
12783 			goto unlock;
12784 		}
12785 
12786 		cqm_config->rssi_hyst = hysteresis;
12787 		cqm_config->n_rssi_thresholds = n_thresholds;
12788 		memcpy(cqm_config->rssi_thresholds, thresholds,
12789 		       flex_array_size(cqm_config, rssi_thresholds,
12790 				       n_thresholds));
12791 
12792 		wdev->cqm_config = cqm_config;
12793 	}
12794 
12795 	err = cfg80211_cqm_rssi_update(rdev, dev);
12796 
12797 unlock:
12798 	wdev_unlock(wdev);
12799 
12800 	return err;
12801 }
12802 
12803 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12804 {
12805 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12806 	struct nlattr *cqm;
12807 	int err;
12808 
12809 	cqm = info->attrs[NL80211_ATTR_CQM];
12810 	if (!cqm)
12811 		return -EINVAL;
12812 
12813 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12814 					  nl80211_attr_cqm_policy,
12815 					  info->extack);
12816 	if (err)
12817 		return err;
12818 
12819 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12820 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12821 		const s32 *thresholds =
12822 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12823 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12824 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12825 
12826 		if (len % 4)
12827 			return -EINVAL;
12828 
12829 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12830 					    hysteresis);
12831 	}
12832 
12833 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12834 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12835 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12836 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12837 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12838 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12839 
12840 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12841 	}
12842 
12843 	return -EINVAL;
12844 }
12845 
12846 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12847 {
12848 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12849 	struct net_device *dev = info->user_ptr[1];
12850 	struct ocb_setup setup = {};
12851 	int err;
12852 
12853 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12854 	if (err)
12855 		return err;
12856 
12857 	return cfg80211_join_ocb(rdev, dev, &setup);
12858 }
12859 
12860 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12861 {
12862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12863 	struct net_device *dev = info->user_ptr[1];
12864 
12865 	return cfg80211_leave_ocb(rdev, dev);
12866 }
12867 
12868 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12869 {
12870 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12871 	struct net_device *dev = info->user_ptr[1];
12872 	struct mesh_config cfg;
12873 	struct mesh_setup setup;
12874 	int err;
12875 
12876 	/* start with default */
12877 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12878 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12879 
12880 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12881 		/* and parse parameters if given */
12882 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12883 		if (err)
12884 			return err;
12885 	}
12886 
12887 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12888 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12889 		return -EINVAL;
12890 
12891 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12892 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12893 
12894 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12895 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12896 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12897 			return -EINVAL;
12898 
12899 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12900 		setup.beacon_interval =
12901 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12902 
12903 		err = cfg80211_validate_beacon_int(rdev,
12904 						   NL80211_IFTYPE_MESH_POINT,
12905 						   setup.beacon_interval);
12906 		if (err)
12907 			return err;
12908 	}
12909 
12910 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12911 		setup.dtim_period =
12912 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12913 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12914 			return -EINVAL;
12915 	}
12916 
12917 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12918 		/* parse additional setup parameters if given */
12919 		err = nl80211_parse_mesh_setup(info, &setup);
12920 		if (err)
12921 			return err;
12922 	}
12923 
12924 	if (setup.user_mpm)
12925 		cfg.auto_open_plinks = false;
12926 
12927 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12928 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12929 		if (err)
12930 			return err;
12931 	} else {
12932 		/* __cfg80211_join_mesh() will sort it out */
12933 		setup.chandef.chan = NULL;
12934 	}
12935 
12936 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12937 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12938 		int n_rates =
12939 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12940 		struct ieee80211_supported_band *sband;
12941 
12942 		if (!setup.chandef.chan)
12943 			return -EINVAL;
12944 
12945 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12946 
12947 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12948 					     &setup.basic_rates);
12949 		if (err)
12950 			return err;
12951 	}
12952 
12953 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12954 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12955 						    NL80211_ATTR_TX_RATES,
12956 						    &setup.beacon_rate,
12957 						    dev, false, 0);
12958 		if (err)
12959 			return err;
12960 
12961 		if (!setup.chandef.chan)
12962 			return -EINVAL;
12963 
12964 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12965 					      &setup.beacon_rate);
12966 		if (err)
12967 			return err;
12968 	}
12969 
12970 	setup.userspace_handles_dfs =
12971 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12972 
12973 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12974 		int r = validate_pae_over_nl80211(rdev, info);
12975 
12976 		if (r < 0)
12977 			return r;
12978 
12979 		setup.control_port_over_nl80211 = true;
12980 	}
12981 
12982 	wdev_lock(dev->ieee80211_ptr);
12983 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12984 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12985 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12986 	wdev_unlock(dev->ieee80211_ptr);
12987 
12988 	return err;
12989 }
12990 
12991 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12992 {
12993 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12994 	struct net_device *dev = info->user_ptr[1];
12995 
12996 	return cfg80211_leave_mesh(rdev, dev);
12997 }
12998 
12999 #ifdef CONFIG_PM
13000 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13001 					struct cfg80211_registered_device *rdev)
13002 {
13003 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13004 	struct nlattr *nl_pats, *nl_pat;
13005 	int i, pat_len;
13006 
13007 	if (!wowlan->n_patterns)
13008 		return 0;
13009 
13010 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13011 	if (!nl_pats)
13012 		return -ENOBUFS;
13013 
13014 	for (i = 0; i < wowlan->n_patterns; i++) {
13015 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13016 		if (!nl_pat)
13017 			return -ENOBUFS;
13018 		pat_len = wowlan->patterns[i].pattern_len;
13019 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13020 			    wowlan->patterns[i].mask) ||
13021 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13022 			    wowlan->patterns[i].pattern) ||
13023 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13024 				wowlan->patterns[i].pkt_offset))
13025 			return -ENOBUFS;
13026 		nla_nest_end(msg, nl_pat);
13027 	}
13028 	nla_nest_end(msg, nl_pats);
13029 
13030 	return 0;
13031 }
13032 
13033 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13034 				   struct cfg80211_wowlan_tcp *tcp)
13035 {
13036 	struct nlattr *nl_tcp;
13037 
13038 	if (!tcp)
13039 		return 0;
13040 
13041 	nl_tcp = nla_nest_start_noflag(msg,
13042 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13043 	if (!nl_tcp)
13044 		return -ENOBUFS;
13045 
13046 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13047 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13048 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13049 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13050 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13051 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13052 		    tcp->payload_len, tcp->payload) ||
13053 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13054 			tcp->data_interval) ||
13055 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13056 		    tcp->wake_len, tcp->wake_data) ||
13057 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13058 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13059 		return -ENOBUFS;
13060 
13061 	if (tcp->payload_seq.len &&
13062 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13063 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13064 		return -ENOBUFS;
13065 
13066 	if (tcp->payload_tok.len &&
13067 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13068 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13069 		    &tcp->payload_tok))
13070 		return -ENOBUFS;
13071 
13072 	nla_nest_end(msg, nl_tcp);
13073 
13074 	return 0;
13075 }
13076 
13077 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13078 				  struct cfg80211_sched_scan_request *req)
13079 {
13080 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13081 	int i;
13082 
13083 	if (!req)
13084 		return 0;
13085 
13086 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13087 	if (!nd)
13088 		return -ENOBUFS;
13089 
13090 	if (req->n_scan_plans == 1 &&
13091 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13092 			req->scan_plans[0].interval * 1000))
13093 		return -ENOBUFS;
13094 
13095 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13096 		return -ENOBUFS;
13097 
13098 	if (req->relative_rssi_set) {
13099 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13100 
13101 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13102 			       req->relative_rssi))
13103 			return -ENOBUFS;
13104 
13105 		rssi_adjust.band = req->rssi_adjust.band;
13106 		rssi_adjust.delta = req->rssi_adjust.delta;
13107 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13108 			    sizeof(rssi_adjust), &rssi_adjust))
13109 			return -ENOBUFS;
13110 	}
13111 
13112 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13113 	if (!freqs)
13114 		return -ENOBUFS;
13115 
13116 	for (i = 0; i < req->n_channels; i++) {
13117 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13118 			return -ENOBUFS;
13119 	}
13120 
13121 	nla_nest_end(msg, freqs);
13122 
13123 	if (req->n_match_sets) {
13124 		matches = nla_nest_start_noflag(msg,
13125 						NL80211_ATTR_SCHED_SCAN_MATCH);
13126 		if (!matches)
13127 			return -ENOBUFS;
13128 
13129 		for (i = 0; i < req->n_match_sets; i++) {
13130 			match = nla_nest_start_noflag(msg, i);
13131 			if (!match)
13132 				return -ENOBUFS;
13133 
13134 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13135 				    req->match_sets[i].ssid.ssid_len,
13136 				    req->match_sets[i].ssid.ssid))
13137 				return -ENOBUFS;
13138 			nla_nest_end(msg, match);
13139 		}
13140 		nla_nest_end(msg, matches);
13141 	}
13142 
13143 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13144 	if (!scan_plans)
13145 		return -ENOBUFS;
13146 
13147 	for (i = 0; i < req->n_scan_plans; i++) {
13148 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13149 		if (!scan_plan)
13150 			return -ENOBUFS;
13151 
13152 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13153 				req->scan_plans[i].interval) ||
13154 		    (req->scan_plans[i].iterations &&
13155 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13156 				 req->scan_plans[i].iterations)))
13157 			return -ENOBUFS;
13158 		nla_nest_end(msg, scan_plan);
13159 	}
13160 	nla_nest_end(msg, scan_plans);
13161 
13162 	nla_nest_end(msg, nd);
13163 
13164 	return 0;
13165 }
13166 
13167 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13168 {
13169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13170 	struct sk_buff *msg;
13171 	void *hdr;
13172 	u32 size = NLMSG_DEFAULT_SIZE;
13173 
13174 	if (!rdev->wiphy.wowlan)
13175 		return -EOPNOTSUPP;
13176 
13177 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13178 		/* adjust size to have room for all the data */
13179 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13180 			rdev->wiphy.wowlan_config->tcp->payload_len +
13181 			rdev->wiphy.wowlan_config->tcp->wake_len +
13182 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13183 	}
13184 
13185 	msg = nlmsg_new(size, GFP_KERNEL);
13186 	if (!msg)
13187 		return -ENOMEM;
13188 
13189 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13190 			     NL80211_CMD_GET_WOWLAN);
13191 	if (!hdr)
13192 		goto nla_put_failure;
13193 
13194 	if (rdev->wiphy.wowlan_config) {
13195 		struct nlattr *nl_wowlan;
13196 
13197 		nl_wowlan = nla_nest_start_noflag(msg,
13198 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13199 		if (!nl_wowlan)
13200 			goto nla_put_failure;
13201 
13202 		if ((rdev->wiphy.wowlan_config->any &&
13203 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13204 		    (rdev->wiphy.wowlan_config->disconnect &&
13205 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13206 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13207 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13208 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13209 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13210 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13211 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13212 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13213 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13214 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13215 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13216 			goto nla_put_failure;
13217 
13218 		if (nl80211_send_wowlan_patterns(msg, rdev))
13219 			goto nla_put_failure;
13220 
13221 		if (nl80211_send_wowlan_tcp(msg,
13222 					    rdev->wiphy.wowlan_config->tcp))
13223 			goto nla_put_failure;
13224 
13225 		if (nl80211_send_wowlan_nd(
13226 			    msg,
13227 			    rdev->wiphy.wowlan_config->nd_config))
13228 			goto nla_put_failure;
13229 
13230 		nla_nest_end(msg, nl_wowlan);
13231 	}
13232 
13233 	genlmsg_end(msg, hdr);
13234 	return genlmsg_reply(msg, info);
13235 
13236 nla_put_failure:
13237 	nlmsg_free(msg);
13238 	return -ENOBUFS;
13239 }
13240 
13241 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13242 				    struct nlattr *attr,
13243 				    struct cfg80211_wowlan *trig)
13244 {
13245 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13246 	struct cfg80211_wowlan_tcp *cfg;
13247 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13248 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13249 	u32 size;
13250 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13251 	int err, port;
13252 
13253 	if (!rdev->wiphy.wowlan->tcp)
13254 		return -EINVAL;
13255 
13256 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13257 					  nl80211_wowlan_tcp_policy, NULL);
13258 	if (err)
13259 		return err;
13260 
13261 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13262 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13263 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13264 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13265 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13266 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13267 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13268 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13269 		return -EINVAL;
13270 
13271 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13272 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13273 		return -EINVAL;
13274 
13275 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13276 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13277 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13278 		return -EINVAL;
13279 
13280 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13281 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13282 		return -EINVAL;
13283 
13284 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13285 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13286 		return -EINVAL;
13287 
13288 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13289 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13290 
13291 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13292 		tokens_size = tokln - sizeof(*tok);
13293 
13294 		if (!tok->len || tokens_size % tok->len)
13295 			return -EINVAL;
13296 		if (!rdev->wiphy.wowlan->tcp->tok)
13297 			return -EINVAL;
13298 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13299 			return -EINVAL;
13300 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13301 			return -EINVAL;
13302 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13303 			return -EINVAL;
13304 		if (tok->offset + tok->len > data_size)
13305 			return -EINVAL;
13306 	}
13307 
13308 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13309 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13310 		if (!rdev->wiphy.wowlan->tcp->seq)
13311 			return -EINVAL;
13312 		if (seq->len == 0 || seq->len > 4)
13313 			return -EINVAL;
13314 		if (seq->len + seq->offset > data_size)
13315 			return -EINVAL;
13316 	}
13317 
13318 	size = sizeof(*cfg);
13319 	size += data_size;
13320 	size += wake_size + wake_mask_size;
13321 	size += tokens_size;
13322 
13323 	cfg = kzalloc(size, GFP_KERNEL);
13324 	if (!cfg)
13325 		return -ENOMEM;
13326 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13327 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13328 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13329 	       ETH_ALEN);
13330 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13331 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13332 	else
13333 		port = 0;
13334 #ifdef CONFIG_INET
13335 	/* allocate a socket and port for it and use it */
13336 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13337 			    IPPROTO_TCP, &cfg->sock, 1);
13338 	if (err) {
13339 		kfree(cfg);
13340 		return err;
13341 	}
13342 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13343 		sock_release(cfg->sock);
13344 		kfree(cfg);
13345 		return -EADDRINUSE;
13346 	}
13347 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13348 #else
13349 	if (!port) {
13350 		kfree(cfg);
13351 		return -EINVAL;
13352 	}
13353 	cfg->src_port = port;
13354 #endif
13355 
13356 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13357 	cfg->payload_len = data_size;
13358 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13359 	memcpy((void *)cfg->payload,
13360 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13361 	       data_size);
13362 	if (seq)
13363 		cfg->payload_seq = *seq;
13364 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13365 	cfg->wake_len = wake_size;
13366 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13367 	memcpy((void *)cfg->wake_data,
13368 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13369 	       wake_size);
13370 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13371 			 data_size + wake_size;
13372 	memcpy((void *)cfg->wake_mask,
13373 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13374 	       wake_mask_size);
13375 	if (tok) {
13376 		cfg->tokens_size = tokens_size;
13377 		cfg->payload_tok = *tok;
13378 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13379 		       tokens_size);
13380 	}
13381 
13382 	trig->tcp = cfg;
13383 
13384 	return 0;
13385 }
13386 
13387 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13388 				   const struct wiphy_wowlan_support *wowlan,
13389 				   struct nlattr *attr,
13390 				   struct cfg80211_wowlan *trig)
13391 {
13392 	struct nlattr **tb;
13393 	int err;
13394 
13395 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13396 	if (!tb)
13397 		return -ENOMEM;
13398 
13399 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13400 		err = -EOPNOTSUPP;
13401 		goto out;
13402 	}
13403 
13404 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13405 					  nl80211_policy, NULL);
13406 	if (err)
13407 		goto out;
13408 
13409 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13410 						   wowlan->max_nd_match_sets);
13411 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13412 	if (err)
13413 		trig->nd_config = NULL;
13414 
13415 out:
13416 	kfree(tb);
13417 	return err;
13418 }
13419 
13420 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13421 {
13422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13423 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13424 	struct cfg80211_wowlan new_triggers = {};
13425 	struct cfg80211_wowlan *ntrig;
13426 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13427 	int err, i;
13428 	bool prev_enabled = rdev->wiphy.wowlan_config;
13429 	bool regular = false;
13430 
13431 	if (!wowlan)
13432 		return -EOPNOTSUPP;
13433 
13434 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13435 		cfg80211_rdev_free_wowlan(rdev);
13436 		rdev->wiphy.wowlan_config = NULL;
13437 		goto set_wakeup;
13438 	}
13439 
13440 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13441 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13442 					  nl80211_wowlan_policy, info->extack);
13443 	if (err)
13444 		return err;
13445 
13446 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13447 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13448 			return -EINVAL;
13449 		new_triggers.any = true;
13450 	}
13451 
13452 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13453 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13454 			return -EINVAL;
13455 		new_triggers.disconnect = true;
13456 		regular = true;
13457 	}
13458 
13459 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13460 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13461 			return -EINVAL;
13462 		new_triggers.magic_pkt = true;
13463 		regular = true;
13464 	}
13465 
13466 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13467 		return -EINVAL;
13468 
13469 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13470 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13471 			return -EINVAL;
13472 		new_triggers.gtk_rekey_failure = true;
13473 		regular = true;
13474 	}
13475 
13476 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13477 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13478 			return -EINVAL;
13479 		new_triggers.eap_identity_req = true;
13480 		regular = true;
13481 	}
13482 
13483 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13484 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13485 			return -EINVAL;
13486 		new_triggers.four_way_handshake = true;
13487 		regular = true;
13488 	}
13489 
13490 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13491 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13492 			return -EINVAL;
13493 		new_triggers.rfkill_release = true;
13494 		regular = true;
13495 	}
13496 
13497 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13498 		struct nlattr *pat;
13499 		int n_patterns = 0;
13500 		int rem, pat_len, mask_len, pkt_offset;
13501 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13502 
13503 		regular = true;
13504 
13505 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13506 				    rem)
13507 			n_patterns++;
13508 		if (n_patterns > wowlan->n_patterns)
13509 			return -EINVAL;
13510 
13511 		new_triggers.patterns = kcalloc(n_patterns,
13512 						sizeof(new_triggers.patterns[0]),
13513 						GFP_KERNEL);
13514 		if (!new_triggers.patterns)
13515 			return -ENOMEM;
13516 
13517 		new_triggers.n_patterns = n_patterns;
13518 		i = 0;
13519 
13520 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13521 				    rem) {
13522 			u8 *mask_pat;
13523 
13524 			err = nla_parse_nested_deprecated(pat_tb,
13525 							  MAX_NL80211_PKTPAT,
13526 							  pat,
13527 							  nl80211_packet_pattern_policy,
13528 							  info->extack);
13529 			if (err)
13530 				goto error;
13531 
13532 			err = -EINVAL;
13533 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13534 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13535 				goto error;
13536 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13537 			mask_len = DIV_ROUND_UP(pat_len, 8);
13538 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13539 				goto error;
13540 			if (pat_len > wowlan->pattern_max_len ||
13541 			    pat_len < wowlan->pattern_min_len)
13542 				goto error;
13543 
13544 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13545 				pkt_offset = 0;
13546 			else
13547 				pkt_offset = nla_get_u32(
13548 					pat_tb[NL80211_PKTPAT_OFFSET]);
13549 			if (pkt_offset > wowlan->max_pkt_offset)
13550 				goto error;
13551 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13552 
13553 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13554 			if (!mask_pat) {
13555 				err = -ENOMEM;
13556 				goto error;
13557 			}
13558 			new_triggers.patterns[i].mask = mask_pat;
13559 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13560 			       mask_len);
13561 			mask_pat += mask_len;
13562 			new_triggers.patterns[i].pattern = mask_pat;
13563 			new_triggers.patterns[i].pattern_len = pat_len;
13564 			memcpy(mask_pat,
13565 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13566 			       pat_len);
13567 			i++;
13568 		}
13569 	}
13570 
13571 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13572 		regular = true;
13573 		err = nl80211_parse_wowlan_tcp(
13574 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13575 			&new_triggers);
13576 		if (err)
13577 			goto error;
13578 	}
13579 
13580 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13581 		regular = true;
13582 		err = nl80211_parse_wowlan_nd(
13583 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13584 			&new_triggers);
13585 		if (err)
13586 			goto error;
13587 	}
13588 
13589 	/* The 'any' trigger means the device continues operating more or less
13590 	 * as in its normal operation mode and wakes up the host on most of the
13591 	 * normal interrupts (like packet RX, ...)
13592 	 * It therefore makes little sense to combine with the more constrained
13593 	 * wakeup trigger modes.
13594 	 */
13595 	if (new_triggers.any && regular) {
13596 		err = -EINVAL;
13597 		goto error;
13598 	}
13599 
13600 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13601 	if (!ntrig) {
13602 		err = -ENOMEM;
13603 		goto error;
13604 	}
13605 	cfg80211_rdev_free_wowlan(rdev);
13606 	rdev->wiphy.wowlan_config = ntrig;
13607 
13608  set_wakeup:
13609 	if (rdev->ops->set_wakeup &&
13610 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13611 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13612 
13613 	return 0;
13614  error:
13615 	for (i = 0; i < new_triggers.n_patterns; i++)
13616 		kfree(new_triggers.patterns[i].mask);
13617 	kfree(new_triggers.patterns);
13618 	if (new_triggers.tcp && new_triggers.tcp->sock)
13619 		sock_release(new_triggers.tcp->sock);
13620 	kfree(new_triggers.tcp);
13621 	kfree(new_triggers.nd_config);
13622 	return err;
13623 }
13624 #endif
13625 
13626 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13627 				       struct cfg80211_registered_device *rdev)
13628 {
13629 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13630 	int i, j, pat_len;
13631 	struct cfg80211_coalesce_rules *rule;
13632 
13633 	if (!rdev->coalesce->n_rules)
13634 		return 0;
13635 
13636 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13637 	if (!nl_rules)
13638 		return -ENOBUFS;
13639 
13640 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13641 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13642 		if (!nl_rule)
13643 			return -ENOBUFS;
13644 
13645 		rule = &rdev->coalesce->rules[i];
13646 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13647 				rule->delay))
13648 			return -ENOBUFS;
13649 
13650 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13651 				rule->condition))
13652 			return -ENOBUFS;
13653 
13654 		nl_pats = nla_nest_start_noflag(msg,
13655 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13656 		if (!nl_pats)
13657 			return -ENOBUFS;
13658 
13659 		for (j = 0; j < rule->n_patterns; j++) {
13660 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13661 			if (!nl_pat)
13662 				return -ENOBUFS;
13663 			pat_len = rule->patterns[j].pattern_len;
13664 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13665 				    DIV_ROUND_UP(pat_len, 8),
13666 				    rule->patterns[j].mask) ||
13667 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13668 				    rule->patterns[j].pattern) ||
13669 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13670 					rule->patterns[j].pkt_offset))
13671 				return -ENOBUFS;
13672 			nla_nest_end(msg, nl_pat);
13673 		}
13674 		nla_nest_end(msg, nl_pats);
13675 		nla_nest_end(msg, nl_rule);
13676 	}
13677 	nla_nest_end(msg, nl_rules);
13678 
13679 	return 0;
13680 }
13681 
13682 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13683 {
13684 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13685 	struct sk_buff *msg;
13686 	void *hdr;
13687 
13688 	if (!rdev->wiphy.coalesce)
13689 		return -EOPNOTSUPP;
13690 
13691 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13692 	if (!msg)
13693 		return -ENOMEM;
13694 
13695 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13696 			     NL80211_CMD_GET_COALESCE);
13697 	if (!hdr)
13698 		goto nla_put_failure;
13699 
13700 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13701 		goto nla_put_failure;
13702 
13703 	genlmsg_end(msg, hdr);
13704 	return genlmsg_reply(msg, info);
13705 
13706 nla_put_failure:
13707 	nlmsg_free(msg);
13708 	return -ENOBUFS;
13709 }
13710 
13711 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13712 {
13713 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13714 	int i, j;
13715 	struct cfg80211_coalesce_rules *rule;
13716 
13717 	if (!coalesce)
13718 		return;
13719 
13720 	for (i = 0; i < coalesce->n_rules; i++) {
13721 		rule = &coalesce->rules[i];
13722 		for (j = 0; j < rule->n_patterns; j++)
13723 			kfree(rule->patterns[j].mask);
13724 		kfree(rule->patterns);
13725 	}
13726 	kfree(coalesce->rules);
13727 	kfree(coalesce);
13728 	rdev->coalesce = NULL;
13729 }
13730 
13731 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13732 				       struct nlattr *rule,
13733 				       struct cfg80211_coalesce_rules *new_rule)
13734 {
13735 	int err, i;
13736 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13737 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13738 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13739 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13740 
13741 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13742 					  rule, nl80211_coalesce_policy, NULL);
13743 	if (err)
13744 		return err;
13745 
13746 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13747 		new_rule->delay =
13748 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13749 	if (new_rule->delay > coalesce->max_delay)
13750 		return -EINVAL;
13751 
13752 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13753 		new_rule->condition =
13754 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13755 
13756 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13757 		return -EINVAL;
13758 
13759 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13760 			    rem)
13761 		n_patterns++;
13762 	if (n_patterns > coalesce->n_patterns)
13763 		return -EINVAL;
13764 
13765 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13766 				     GFP_KERNEL);
13767 	if (!new_rule->patterns)
13768 		return -ENOMEM;
13769 
13770 	new_rule->n_patterns = n_patterns;
13771 	i = 0;
13772 
13773 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13774 			    rem) {
13775 		u8 *mask_pat;
13776 
13777 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13778 						  pat,
13779 						  nl80211_packet_pattern_policy,
13780 						  NULL);
13781 		if (err)
13782 			return err;
13783 
13784 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13785 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13786 			return -EINVAL;
13787 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13788 		mask_len = DIV_ROUND_UP(pat_len, 8);
13789 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13790 			return -EINVAL;
13791 		if (pat_len > coalesce->pattern_max_len ||
13792 		    pat_len < coalesce->pattern_min_len)
13793 			return -EINVAL;
13794 
13795 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13796 			pkt_offset = 0;
13797 		else
13798 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13799 		if (pkt_offset > coalesce->max_pkt_offset)
13800 			return -EINVAL;
13801 		new_rule->patterns[i].pkt_offset = pkt_offset;
13802 
13803 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13804 		if (!mask_pat)
13805 			return -ENOMEM;
13806 
13807 		new_rule->patterns[i].mask = mask_pat;
13808 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13809 		       mask_len);
13810 
13811 		mask_pat += mask_len;
13812 		new_rule->patterns[i].pattern = mask_pat;
13813 		new_rule->patterns[i].pattern_len = pat_len;
13814 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13815 		       pat_len);
13816 		i++;
13817 	}
13818 
13819 	return 0;
13820 }
13821 
13822 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13823 {
13824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13825 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13826 	struct cfg80211_coalesce new_coalesce = {};
13827 	struct cfg80211_coalesce *n_coalesce;
13828 	int err, rem_rule, n_rules = 0, i, j;
13829 	struct nlattr *rule;
13830 	struct cfg80211_coalesce_rules *tmp_rule;
13831 
13832 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13833 		return -EOPNOTSUPP;
13834 
13835 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13836 		cfg80211_rdev_free_coalesce(rdev);
13837 		rdev_set_coalesce(rdev, NULL);
13838 		return 0;
13839 	}
13840 
13841 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13842 			    rem_rule)
13843 		n_rules++;
13844 	if (n_rules > coalesce->n_rules)
13845 		return -EINVAL;
13846 
13847 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13848 				     GFP_KERNEL);
13849 	if (!new_coalesce.rules)
13850 		return -ENOMEM;
13851 
13852 	new_coalesce.n_rules = n_rules;
13853 	i = 0;
13854 
13855 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13856 			    rem_rule) {
13857 		err = nl80211_parse_coalesce_rule(rdev, rule,
13858 						  &new_coalesce.rules[i]);
13859 		if (err)
13860 			goto error;
13861 
13862 		i++;
13863 	}
13864 
13865 	err = rdev_set_coalesce(rdev, &new_coalesce);
13866 	if (err)
13867 		goto error;
13868 
13869 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13870 	if (!n_coalesce) {
13871 		err = -ENOMEM;
13872 		goto error;
13873 	}
13874 	cfg80211_rdev_free_coalesce(rdev);
13875 	rdev->coalesce = n_coalesce;
13876 
13877 	return 0;
13878 error:
13879 	for (i = 0; i < new_coalesce.n_rules; i++) {
13880 		tmp_rule = &new_coalesce.rules[i];
13881 		for (j = 0; j < tmp_rule->n_patterns; j++)
13882 			kfree(tmp_rule->patterns[j].mask);
13883 		kfree(tmp_rule->patterns);
13884 	}
13885 	kfree(new_coalesce.rules);
13886 
13887 	return err;
13888 }
13889 
13890 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13891 {
13892 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13893 	struct net_device *dev = info->user_ptr[1];
13894 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13895 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13896 	struct cfg80211_gtk_rekey_data rekey_data = {};
13897 	int err;
13898 
13899 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13900 		return -EINVAL;
13901 
13902 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13903 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13904 					  nl80211_rekey_policy, info->extack);
13905 	if (err)
13906 		return err;
13907 
13908 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13909 	    !tb[NL80211_REKEY_DATA_KCK])
13910 		return -EINVAL;
13911 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13912 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13913 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13914 		return -ERANGE;
13915 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13916 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13917 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
13918 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
13919 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
13920 		return -ERANGE;
13921 
13922 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13923 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13924 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13925 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13926 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13927 	if (tb[NL80211_REKEY_DATA_AKM])
13928 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13929 
13930 	wdev_lock(wdev);
13931 	if (!wdev->connected) {
13932 		err = -ENOTCONN;
13933 		goto out;
13934 	}
13935 
13936 	if (!rdev->ops->set_rekey_data) {
13937 		err = -EOPNOTSUPP;
13938 		goto out;
13939 	}
13940 
13941 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13942  out:
13943 	wdev_unlock(wdev);
13944 	return err;
13945 }
13946 
13947 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13948 					     struct genl_info *info)
13949 {
13950 	struct net_device *dev = info->user_ptr[1];
13951 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13952 
13953 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13954 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13955 		return -EINVAL;
13956 
13957 	if (wdev->ap_unexpected_nlportid)
13958 		return -EBUSY;
13959 
13960 	wdev->ap_unexpected_nlportid = info->snd_portid;
13961 	return 0;
13962 }
13963 
13964 static int nl80211_probe_client(struct sk_buff *skb,
13965 				struct genl_info *info)
13966 {
13967 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13968 	struct net_device *dev = info->user_ptr[1];
13969 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13970 	struct sk_buff *msg;
13971 	void *hdr;
13972 	const u8 *addr;
13973 	u64 cookie;
13974 	int err;
13975 
13976 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13977 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13978 		return -EOPNOTSUPP;
13979 
13980 	if (!info->attrs[NL80211_ATTR_MAC])
13981 		return -EINVAL;
13982 
13983 	if (!rdev->ops->probe_client)
13984 		return -EOPNOTSUPP;
13985 
13986 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13987 	if (!msg)
13988 		return -ENOMEM;
13989 
13990 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13991 			     NL80211_CMD_PROBE_CLIENT);
13992 	if (!hdr) {
13993 		err = -ENOBUFS;
13994 		goto free_msg;
13995 	}
13996 
13997 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13998 
13999 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14000 	if (err)
14001 		goto free_msg;
14002 
14003 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14004 			      NL80211_ATTR_PAD))
14005 		goto nla_put_failure;
14006 
14007 	genlmsg_end(msg, hdr);
14008 
14009 	return genlmsg_reply(msg, info);
14010 
14011  nla_put_failure:
14012 	err = -ENOBUFS;
14013  free_msg:
14014 	nlmsg_free(msg);
14015 	return err;
14016 }
14017 
14018 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14019 {
14020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14021 	struct cfg80211_beacon_registration *reg, *nreg;
14022 	int rv;
14023 
14024 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14025 		return -EOPNOTSUPP;
14026 
14027 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14028 	if (!nreg)
14029 		return -ENOMEM;
14030 
14031 	/* First, check if already registered. */
14032 	spin_lock_bh(&rdev->beacon_registrations_lock);
14033 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14034 		if (reg->nlportid == info->snd_portid) {
14035 			rv = -EALREADY;
14036 			goto out_err;
14037 		}
14038 	}
14039 	/* Add it to the list */
14040 	nreg->nlportid = info->snd_portid;
14041 	list_add(&nreg->list, &rdev->beacon_registrations);
14042 
14043 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14044 
14045 	return 0;
14046 out_err:
14047 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14048 	kfree(nreg);
14049 	return rv;
14050 }
14051 
14052 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14053 {
14054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14055 	struct wireless_dev *wdev = info->user_ptr[1];
14056 	int err;
14057 
14058 	if (!rdev->ops->start_p2p_device)
14059 		return -EOPNOTSUPP;
14060 
14061 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14062 		return -EOPNOTSUPP;
14063 
14064 	if (wdev_running(wdev))
14065 		return 0;
14066 
14067 	if (rfkill_blocked(rdev->wiphy.rfkill))
14068 		return -ERFKILL;
14069 
14070 	err = rdev_start_p2p_device(rdev, wdev);
14071 	if (err)
14072 		return err;
14073 
14074 	wdev->is_running = true;
14075 	rdev->opencount++;
14076 
14077 	return 0;
14078 }
14079 
14080 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14081 {
14082 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14083 	struct wireless_dev *wdev = info->user_ptr[1];
14084 
14085 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14086 		return -EOPNOTSUPP;
14087 
14088 	if (!rdev->ops->stop_p2p_device)
14089 		return -EOPNOTSUPP;
14090 
14091 	cfg80211_stop_p2p_device(rdev, wdev);
14092 
14093 	return 0;
14094 }
14095 
14096 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14097 {
14098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14099 	struct wireless_dev *wdev = info->user_ptr[1];
14100 	struct cfg80211_nan_conf conf = {};
14101 	int err;
14102 
14103 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14104 		return -EOPNOTSUPP;
14105 
14106 	if (wdev_running(wdev))
14107 		return -EEXIST;
14108 
14109 	if (rfkill_blocked(rdev->wiphy.rfkill))
14110 		return -ERFKILL;
14111 
14112 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14113 		return -EINVAL;
14114 
14115 	conf.master_pref =
14116 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14117 
14118 	if (info->attrs[NL80211_ATTR_BANDS]) {
14119 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14120 
14121 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14122 			return -EOPNOTSUPP;
14123 
14124 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14125 			return -EINVAL;
14126 
14127 		conf.bands = bands;
14128 	}
14129 
14130 	err = rdev_start_nan(rdev, wdev, &conf);
14131 	if (err)
14132 		return err;
14133 
14134 	wdev->is_running = true;
14135 	rdev->opencount++;
14136 
14137 	return 0;
14138 }
14139 
14140 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14141 {
14142 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14143 	struct wireless_dev *wdev = info->user_ptr[1];
14144 
14145 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14146 		return -EOPNOTSUPP;
14147 
14148 	cfg80211_stop_nan(rdev, wdev);
14149 
14150 	return 0;
14151 }
14152 
14153 static int validate_nan_filter(struct nlattr *filter_attr)
14154 {
14155 	struct nlattr *attr;
14156 	int len = 0, n_entries = 0, rem;
14157 
14158 	nla_for_each_nested(attr, filter_attr, rem) {
14159 		len += nla_len(attr);
14160 		n_entries++;
14161 	}
14162 
14163 	if (len >= U8_MAX)
14164 		return -EINVAL;
14165 
14166 	return n_entries;
14167 }
14168 
14169 static int handle_nan_filter(struct nlattr *attr_filter,
14170 			     struct cfg80211_nan_func *func,
14171 			     bool tx)
14172 {
14173 	struct nlattr *attr;
14174 	int n_entries, rem, i;
14175 	struct cfg80211_nan_func_filter *filter;
14176 
14177 	n_entries = validate_nan_filter(attr_filter);
14178 	if (n_entries < 0)
14179 		return n_entries;
14180 
14181 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14182 
14183 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14184 	if (!filter)
14185 		return -ENOMEM;
14186 
14187 	i = 0;
14188 	nla_for_each_nested(attr, attr_filter, rem) {
14189 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14190 		if (!filter[i].filter)
14191 			goto err;
14192 
14193 		filter[i].len = nla_len(attr);
14194 		i++;
14195 	}
14196 	if (tx) {
14197 		func->num_tx_filters = n_entries;
14198 		func->tx_filters = filter;
14199 	} else {
14200 		func->num_rx_filters = n_entries;
14201 		func->rx_filters = filter;
14202 	}
14203 
14204 	return 0;
14205 
14206 err:
14207 	i = 0;
14208 	nla_for_each_nested(attr, attr_filter, rem) {
14209 		kfree(filter[i].filter);
14210 		i++;
14211 	}
14212 	kfree(filter);
14213 	return -ENOMEM;
14214 }
14215 
14216 static int nl80211_nan_add_func(struct sk_buff *skb,
14217 				struct genl_info *info)
14218 {
14219 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14220 	struct wireless_dev *wdev = info->user_ptr[1];
14221 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14222 	struct cfg80211_nan_func *func;
14223 	struct sk_buff *msg = NULL;
14224 	void *hdr = NULL;
14225 	int err = 0;
14226 
14227 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14228 		return -EOPNOTSUPP;
14229 
14230 	if (!wdev_running(wdev))
14231 		return -ENOTCONN;
14232 
14233 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14234 		return -EINVAL;
14235 
14236 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14237 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14238 					  nl80211_nan_func_policy,
14239 					  info->extack);
14240 	if (err)
14241 		return err;
14242 
14243 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14244 	if (!func)
14245 		return -ENOMEM;
14246 
14247 	func->cookie = cfg80211_assign_cookie(rdev);
14248 
14249 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14250 		err = -EINVAL;
14251 		goto out;
14252 	}
14253 
14254 
14255 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14256 
14257 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14258 		err = -EINVAL;
14259 		goto out;
14260 	}
14261 
14262 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14263 	       sizeof(func->service_id));
14264 
14265 	func->close_range =
14266 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14267 
14268 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14269 		func->serv_spec_info_len =
14270 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14271 		func->serv_spec_info =
14272 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14273 				func->serv_spec_info_len,
14274 				GFP_KERNEL);
14275 		if (!func->serv_spec_info) {
14276 			err = -ENOMEM;
14277 			goto out;
14278 		}
14279 	}
14280 
14281 	if (tb[NL80211_NAN_FUNC_TTL])
14282 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14283 
14284 	switch (func->type) {
14285 	case NL80211_NAN_FUNC_PUBLISH:
14286 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14287 			err = -EINVAL;
14288 			goto out;
14289 		}
14290 
14291 		func->publish_type =
14292 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14293 		func->publish_bcast =
14294 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14295 
14296 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14297 			func->publish_bcast) {
14298 			err = -EINVAL;
14299 			goto out;
14300 		}
14301 		break;
14302 	case NL80211_NAN_FUNC_SUBSCRIBE:
14303 		func->subscribe_active =
14304 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14305 		break;
14306 	case NL80211_NAN_FUNC_FOLLOW_UP:
14307 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14308 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14309 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14310 			err = -EINVAL;
14311 			goto out;
14312 		}
14313 
14314 		func->followup_id =
14315 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14316 		func->followup_reqid =
14317 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14318 		memcpy(func->followup_dest.addr,
14319 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14320 		       sizeof(func->followup_dest.addr));
14321 		if (func->ttl) {
14322 			err = -EINVAL;
14323 			goto out;
14324 		}
14325 		break;
14326 	default:
14327 		err = -EINVAL;
14328 		goto out;
14329 	}
14330 
14331 	if (tb[NL80211_NAN_FUNC_SRF]) {
14332 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14333 
14334 		err = nla_parse_nested_deprecated(srf_tb,
14335 						  NL80211_NAN_SRF_ATTR_MAX,
14336 						  tb[NL80211_NAN_FUNC_SRF],
14337 						  nl80211_nan_srf_policy,
14338 						  info->extack);
14339 		if (err)
14340 			goto out;
14341 
14342 		func->srf_include =
14343 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14344 
14345 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14346 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14347 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14348 				err = -EINVAL;
14349 				goto out;
14350 			}
14351 
14352 			func->srf_bf_len =
14353 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14354 			func->srf_bf =
14355 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14356 					func->srf_bf_len, GFP_KERNEL);
14357 			if (!func->srf_bf) {
14358 				err = -ENOMEM;
14359 				goto out;
14360 			}
14361 
14362 			func->srf_bf_idx =
14363 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14364 		} else {
14365 			struct nlattr *attr, *mac_attr =
14366 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14367 			int n_entries, rem, i = 0;
14368 
14369 			if (!mac_attr) {
14370 				err = -EINVAL;
14371 				goto out;
14372 			}
14373 
14374 			n_entries = validate_acl_mac_addrs(mac_attr);
14375 			if (n_entries <= 0) {
14376 				err = -EINVAL;
14377 				goto out;
14378 			}
14379 
14380 			func->srf_num_macs = n_entries;
14381 			func->srf_macs =
14382 				kcalloc(n_entries, sizeof(*func->srf_macs),
14383 					GFP_KERNEL);
14384 			if (!func->srf_macs) {
14385 				err = -ENOMEM;
14386 				goto out;
14387 			}
14388 
14389 			nla_for_each_nested(attr, mac_attr, rem)
14390 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14391 				       sizeof(*func->srf_macs));
14392 		}
14393 	}
14394 
14395 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14396 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14397 					func, true);
14398 		if (err)
14399 			goto out;
14400 	}
14401 
14402 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14403 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14404 					func, false);
14405 		if (err)
14406 			goto out;
14407 	}
14408 
14409 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14410 	if (!msg) {
14411 		err = -ENOMEM;
14412 		goto out;
14413 	}
14414 
14415 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14416 			     NL80211_CMD_ADD_NAN_FUNCTION);
14417 	/* This can't really happen - we just allocated 4KB */
14418 	if (WARN_ON(!hdr)) {
14419 		err = -ENOMEM;
14420 		goto out;
14421 	}
14422 
14423 	err = rdev_add_nan_func(rdev, wdev, func);
14424 out:
14425 	if (err < 0) {
14426 		cfg80211_free_nan_func(func);
14427 		nlmsg_free(msg);
14428 		return err;
14429 	}
14430 
14431 	/* propagate the instance id and cookie to userspace  */
14432 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14433 			      NL80211_ATTR_PAD))
14434 		goto nla_put_failure;
14435 
14436 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14437 	if (!func_attr)
14438 		goto nla_put_failure;
14439 
14440 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14441 		       func->instance_id))
14442 		goto nla_put_failure;
14443 
14444 	nla_nest_end(msg, func_attr);
14445 
14446 	genlmsg_end(msg, hdr);
14447 	return genlmsg_reply(msg, info);
14448 
14449 nla_put_failure:
14450 	nlmsg_free(msg);
14451 	return -ENOBUFS;
14452 }
14453 
14454 static int nl80211_nan_del_func(struct sk_buff *skb,
14455 			       struct genl_info *info)
14456 {
14457 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14458 	struct wireless_dev *wdev = info->user_ptr[1];
14459 	u64 cookie;
14460 
14461 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14462 		return -EOPNOTSUPP;
14463 
14464 	if (!wdev_running(wdev))
14465 		return -ENOTCONN;
14466 
14467 	if (!info->attrs[NL80211_ATTR_COOKIE])
14468 		return -EINVAL;
14469 
14470 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14471 
14472 	rdev_del_nan_func(rdev, wdev, cookie);
14473 
14474 	return 0;
14475 }
14476 
14477 static int nl80211_nan_change_config(struct sk_buff *skb,
14478 				     struct genl_info *info)
14479 {
14480 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14481 	struct wireless_dev *wdev = info->user_ptr[1];
14482 	struct cfg80211_nan_conf conf = {};
14483 	u32 changed = 0;
14484 
14485 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14486 		return -EOPNOTSUPP;
14487 
14488 	if (!wdev_running(wdev))
14489 		return -ENOTCONN;
14490 
14491 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14492 		conf.master_pref =
14493 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14494 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14495 			return -EINVAL;
14496 
14497 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14498 	}
14499 
14500 	if (info->attrs[NL80211_ATTR_BANDS]) {
14501 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14502 
14503 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14504 			return -EOPNOTSUPP;
14505 
14506 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14507 			return -EINVAL;
14508 
14509 		conf.bands = bands;
14510 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14511 	}
14512 
14513 	if (!changed)
14514 		return -EINVAL;
14515 
14516 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14517 }
14518 
14519 void cfg80211_nan_match(struct wireless_dev *wdev,
14520 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14521 {
14522 	struct wiphy *wiphy = wdev->wiphy;
14523 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14524 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14525 	struct sk_buff *msg;
14526 	void *hdr;
14527 
14528 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14529 		return;
14530 
14531 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14532 	if (!msg)
14533 		return;
14534 
14535 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14536 	if (!hdr) {
14537 		nlmsg_free(msg);
14538 		return;
14539 	}
14540 
14541 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14542 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14543 					 wdev->netdev->ifindex)) ||
14544 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14545 			      NL80211_ATTR_PAD))
14546 		goto nla_put_failure;
14547 
14548 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14549 			      NL80211_ATTR_PAD) ||
14550 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14551 		goto nla_put_failure;
14552 
14553 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14554 	if (!match_attr)
14555 		goto nla_put_failure;
14556 
14557 	local_func_attr = nla_nest_start_noflag(msg,
14558 						NL80211_NAN_MATCH_FUNC_LOCAL);
14559 	if (!local_func_attr)
14560 		goto nla_put_failure;
14561 
14562 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14563 		goto nla_put_failure;
14564 
14565 	nla_nest_end(msg, local_func_attr);
14566 
14567 	peer_func_attr = nla_nest_start_noflag(msg,
14568 					       NL80211_NAN_MATCH_FUNC_PEER);
14569 	if (!peer_func_attr)
14570 		goto nla_put_failure;
14571 
14572 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14573 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14574 		goto nla_put_failure;
14575 
14576 	if (match->info && match->info_len &&
14577 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14578 		    match->info))
14579 		goto nla_put_failure;
14580 
14581 	nla_nest_end(msg, peer_func_attr);
14582 	nla_nest_end(msg, match_attr);
14583 	genlmsg_end(msg, hdr);
14584 
14585 	if (!wdev->owner_nlportid)
14586 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14587 					msg, 0, NL80211_MCGRP_NAN, gfp);
14588 	else
14589 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14590 				wdev->owner_nlportid);
14591 
14592 	return;
14593 
14594 nla_put_failure:
14595 	nlmsg_free(msg);
14596 }
14597 EXPORT_SYMBOL(cfg80211_nan_match);
14598 
14599 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14600 				  u8 inst_id,
14601 				  enum nl80211_nan_func_term_reason reason,
14602 				  u64 cookie, gfp_t gfp)
14603 {
14604 	struct wiphy *wiphy = wdev->wiphy;
14605 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14606 	struct sk_buff *msg;
14607 	struct nlattr *func_attr;
14608 	void *hdr;
14609 
14610 	if (WARN_ON(!inst_id))
14611 		return;
14612 
14613 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14614 	if (!msg)
14615 		return;
14616 
14617 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14618 	if (!hdr) {
14619 		nlmsg_free(msg);
14620 		return;
14621 	}
14622 
14623 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14624 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14625 					 wdev->netdev->ifindex)) ||
14626 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14627 			      NL80211_ATTR_PAD))
14628 		goto nla_put_failure;
14629 
14630 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14631 			      NL80211_ATTR_PAD))
14632 		goto nla_put_failure;
14633 
14634 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14635 	if (!func_attr)
14636 		goto nla_put_failure;
14637 
14638 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14639 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14640 		goto nla_put_failure;
14641 
14642 	nla_nest_end(msg, func_attr);
14643 	genlmsg_end(msg, hdr);
14644 
14645 	if (!wdev->owner_nlportid)
14646 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14647 					msg, 0, NL80211_MCGRP_NAN, gfp);
14648 	else
14649 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14650 				wdev->owner_nlportid);
14651 
14652 	return;
14653 
14654 nla_put_failure:
14655 	nlmsg_free(msg);
14656 }
14657 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14658 
14659 static int nl80211_get_protocol_features(struct sk_buff *skb,
14660 					 struct genl_info *info)
14661 {
14662 	void *hdr;
14663 	struct sk_buff *msg;
14664 
14665 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14666 	if (!msg)
14667 		return -ENOMEM;
14668 
14669 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14670 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14671 	if (!hdr)
14672 		goto nla_put_failure;
14673 
14674 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14675 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14676 		goto nla_put_failure;
14677 
14678 	genlmsg_end(msg, hdr);
14679 	return genlmsg_reply(msg, info);
14680 
14681  nla_put_failure:
14682 	kfree_skb(msg);
14683 	return -ENOBUFS;
14684 }
14685 
14686 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14687 {
14688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14689 	struct cfg80211_update_ft_ies_params ft_params;
14690 	struct net_device *dev = info->user_ptr[1];
14691 
14692 	if (!rdev->ops->update_ft_ies)
14693 		return -EOPNOTSUPP;
14694 
14695 	if (!info->attrs[NL80211_ATTR_MDID] ||
14696 	    !info->attrs[NL80211_ATTR_IE])
14697 		return -EINVAL;
14698 
14699 	memset(&ft_params, 0, sizeof(ft_params));
14700 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14701 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14702 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14703 
14704 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14705 }
14706 
14707 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14708 				       struct genl_info *info)
14709 {
14710 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14711 	struct wireless_dev *wdev = info->user_ptr[1];
14712 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14713 	u16 duration;
14714 	int ret;
14715 
14716 	if (!rdev->ops->crit_proto_start)
14717 		return -EOPNOTSUPP;
14718 
14719 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14720 		return -EINVAL;
14721 
14722 	if (rdev->crit_proto_nlportid)
14723 		return -EBUSY;
14724 
14725 	/* determine protocol if provided */
14726 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14727 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14728 
14729 	if (proto >= NUM_NL80211_CRIT_PROTO)
14730 		return -EINVAL;
14731 
14732 	/* timeout must be provided */
14733 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14734 		return -EINVAL;
14735 
14736 	duration =
14737 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14738 
14739 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14740 	if (!ret)
14741 		rdev->crit_proto_nlportid = info->snd_portid;
14742 
14743 	return ret;
14744 }
14745 
14746 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14747 				      struct genl_info *info)
14748 {
14749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14750 	struct wireless_dev *wdev = info->user_ptr[1];
14751 
14752 	if (!rdev->ops->crit_proto_stop)
14753 		return -EOPNOTSUPP;
14754 
14755 	if (rdev->crit_proto_nlportid) {
14756 		rdev->crit_proto_nlportid = 0;
14757 		rdev_crit_proto_stop(rdev, wdev);
14758 	}
14759 	return 0;
14760 }
14761 
14762 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14763 				       struct nlattr *attr,
14764 				       struct netlink_ext_ack *extack)
14765 {
14766 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14767 		if (attr->nla_type & NLA_F_NESTED) {
14768 			NL_SET_ERR_MSG_ATTR(extack, attr,
14769 					    "unexpected nested data");
14770 			return -EINVAL;
14771 		}
14772 
14773 		return 0;
14774 	}
14775 
14776 	if (!(attr->nla_type & NLA_F_NESTED)) {
14777 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14778 		return -EINVAL;
14779 	}
14780 
14781 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14782 }
14783 
14784 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14785 {
14786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14787 	struct wireless_dev *wdev =
14788 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14789 					   info->attrs);
14790 	int i, err;
14791 	u32 vid, subcmd;
14792 
14793 	if (!rdev->wiphy.vendor_commands)
14794 		return -EOPNOTSUPP;
14795 
14796 	if (IS_ERR(wdev)) {
14797 		err = PTR_ERR(wdev);
14798 		if (err != -EINVAL)
14799 			return err;
14800 		wdev = NULL;
14801 	} else if (wdev->wiphy != &rdev->wiphy) {
14802 		return -EINVAL;
14803 	}
14804 
14805 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14806 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14807 		return -EINVAL;
14808 
14809 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14810 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14811 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14812 		const struct wiphy_vendor_command *vcmd;
14813 		void *data = NULL;
14814 		int len = 0;
14815 
14816 		vcmd = &rdev->wiphy.vendor_commands[i];
14817 
14818 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14819 			continue;
14820 
14821 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14822 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14823 			if (!wdev)
14824 				return -EINVAL;
14825 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14826 			    !wdev->netdev)
14827 				return -EINVAL;
14828 
14829 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14830 				if (!wdev_running(wdev))
14831 					return -ENETDOWN;
14832 			}
14833 		} else {
14834 			wdev = NULL;
14835 		}
14836 
14837 		if (!vcmd->doit)
14838 			return -EOPNOTSUPP;
14839 
14840 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14841 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14842 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14843 
14844 			err = nl80211_vendor_check_policy(vcmd,
14845 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14846 					info->extack);
14847 			if (err)
14848 				return err;
14849 		}
14850 
14851 		rdev->cur_cmd_info = info;
14852 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14853 		rdev->cur_cmd_info = NULL;
14854 		return err;
14855 	}
14856 
14857 	return -EOPNOTSUPP;
14858 }
14859 
14860 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14861 				       struct netlink_callback *cb,
14862 				       struct cfg80211_registered_device **rdev,
14863 				       struct wireless_dev **wdev)
14864 {
14865 	struct nlattr **attrbuf;
14866 	u32 vid, subcmd;
14867 	unsigned int i;
14868 	int vcmd_idx = -1;
14869 	int err;
14870 	void *data = NULL;
14871 	unsigned int data_len = 0;
14872 
14873 	if (cb->args[0]) {
14874 		/* subtract the 1 again here */
14875 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14876 		struct wireless_dev *tmp;
14877 
14878 		if (!wiphy)
14879 			return -ENODEV;
14880 		*rdev = wiphy_to_rdev(wiphy);
14881 		*wdev = NULL;
14882 
14883 		if (cb->args[1]) {
14884 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14885 				if (tmp->identifier == cb->args[1] - 1) {
14886 					*wdev = tmp;
14887 					break;
14888 				}
14889 			}
14890 		}
14891 
14892 		/* keep rtnl locked in successful case */
14893 		return 0;
14894 	}
14895 
14896 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14897 	if (!attrbuf)
14898 		return -ENOMEM;
14899 
14900 	err = nlmsg_parse_deprecated(cb->nlh,
14901 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14902 				     attrbuf, nl80211_fam.maxattr,
14903 				     nl80211_policy, NULL);
14904 	if (err)
14905 		goto out;
14906 
14907 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14908 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14909 		err = -EINVAL;
14910 		goto out;
14911 	}
14912 
14913 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14914 	if (IS_ERR(*wdev))
14915 		*wdev = NULL;
14916 
14917 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14918 	if (IS_ERR(*rdev)) {
14919 		err = PTR_ERR(*rdev);
14920 		goto out;
14921 	}
14922 
14923 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14924 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14925 
14926 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14927 		const struct wiphy_vendor_command *vcmd;
14928 
14929 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14930 
14931 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14932 			continue;
14933 
14934 		if (!vcmd->dumpit) {
14935 			err = -EOPNOTSUPP;
14936 			goto out;
14937 		}
14938 
14939 		vcmd_idx = i;
14940 		break;
14941 	}
14942 
14943 	if (vcmd_idx < 0) {
14944 		err = -EOPNOTSUPP;
14945 		goto out;
14946 	}
14947 
14948 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14949 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14950 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14951 
14952 		err = nl80211_vendor_check_policy(
14953 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14954 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14955 				cb->extack);
14956 		if (err)
14957 			goto out;
14958 	}
14959 
14960 	/* 0 is the first index - add 1 to parse only once */
14961 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14962 	/* add 1 to know if it was NULL */
14963 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14964 	cb->args[2] = vcmd_idx;
14965 	cb->args[3] = (unsigned long)data;
14966 	cb->args[4] = data_len;
14967 
14968 	/* keep rtnl locked in successful case */
14969 	err = 0;
14970 out:
14971 	kfree(attrbuf);
14972 	return err;
14973 }
14974 
14975 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14976 				   struct netlink_callback *cb)
14977 {
14978 	struct cfg80211_registered_device *rdev;
14979 	struct wireless_dev *wdev;
14980 	unsigned int vcmd_idx;
14981 	const struct wiphy_vendor_command *vcmd;
14982 	void *data;
14983 	int data_len;
14984 	int err;
14985 	struct nlattr *vendor_data;
14986 
14987 	rtnl_lock();
14988 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14989 	if (err)
14990 		goto out;
14991 
14992 	vcmd_idx = cb->args[2];
14993 	data = (void *)cb->args[3];
14994 	data_len = cb->args[4];
14995 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14996 
14997 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14998 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14999 		if (!wdev) {
15000 			err = -EINVAL;
15001 			goto out;
15002 		}
15003 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15004 		    !wdev->netdev) {
15005 			err = -EINVAL;
15006 			goto out;
15007 		}
15008 
15009 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15010 			if (!wdev_running(wdev)) {
15011 				err = -ENETDOWN;
15012 				goto out;
15013 			}
15014 		}
15015 	}
15016 
15017 	while (1) {
15018 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15019 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15020 					   NL80211_CMD_VENDOR);
15021 		if (!hdr)
15022 			break;
15023 
15024 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15025 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15026 					       wdev_id(wdev),
15027 					       NL80211_ATTR_PAD))) {
15028 			genlmsg_cancel(skb, hdr);
15029 			break;
15030 		}
15031 
15032 		vendor_data = nla_nest_start_noflag(skb,
15033 						    NL80211_ATTR_VENDOR_DATA);
15034 		if (!vendor_data) {
15035 			genlmsg_cancel(skb, hdr);
15036 			break;
15037 		}
15038 
15039 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15040 				   (unsigned long *)&cb->args[5]);
15041 		nla_nest_end(skb, vendor_data);
15042 
15043 		if (err == -ENOBUFS || err == -ENOENT) {
15044 			genlmsg_cancel(skb, hdr);
15045 			break;
15046 		} else if (err <= 0) {
15047 			genlmsg_cancel(skb, hdr);
15048 			goto out;
15049 		}
15050 
15051 		genlmsg_end(skb, hdr);
15052 	}
15053 
15054 	err = skb->len;
15055  out:
15056 	rtnl_unlock();
15057 	return err;
15058 }
15059 
15060 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15061 					   enum nl80211_commands cmd,
15062 					   enum nl80211_attrs attr,
15063 					   int approxlen)
15064 {
15065 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15066 
15067 	if (WARN_ON(!rdev->cur_cmd_info))
15068 		return NULL;
15069 
15070 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15071 					   rdev->cur_cmd_info->snd_portid,
15072 					   rdev->cur_cmd_info->snd_seq,
15073 					   cmd, attr, NULL, GFP_KERNEL);
15074 }
15075 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15076 
15077 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15078 {
15079 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15080 	void *hdr = ((void **)skb->cb)[1];
15081 	struct nlattr *data = ((void **)skb->cb)[2];
15082 
15083 	/* clear CB data for netlink core to own from now on */
15084 	memset(skb->cb, 0, sizeof(skb->cb));
15085 
15086 	if (WARN_ON(!rdev->cur_cmd_info)) {
15087 		kfree_skb(skb);
15088 		return -EINVAL;
15089 	}
15090 
15091 	nla_nest_end(skb, data);
15092 	genlmsg_end(skb, hdr);
15093 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15094 }
15095 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15096 
15097 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15098 {
15099 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15100 
15101 	if (WARN_ON(!rdev->cur_cmd_info))
15102 		return 0;
15103 
15104 	return rdev->cur_cmd_info->snd_portid;
15105 }
15106 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15107 
15108 static int nl80211_set_qos_map(struct sk_buff *skb,
15109 			       struct genl_info *info)
15110 {
15111 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15112 	struct cfg80211_qos_map *qos_map = NULL;
15113 	struct net_device *dev = info->user_ptr[1];
15114 	u8 *pos, len, num_des, des_len, des;
15115 	int ret;
15116 
15117 	if (!rdev->ops->set_qos_map)
15118 		return -EOPNOTSUPP;
15119 
15120 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15121 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15122 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15123 
15124 		if (len % 2)
15125 			return -EINVAL;
15126 
15127 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15128 		if (!qos_map)
15129 			return -ENOMEM;
15130 
15131 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15132 		if (num_des) {
15133 			des_len = num_des *
15134 				sizeof(struct cfg80211_dscp_exception);
15135 			memcpy(qos_map->dscp_exception, pos, des_len);
15136 			qos_map->num_des = num_des;
15137 			for (des = 0; des < num_des; des++) {
15138 				if (qos_map->dscp_exception[des].up > 7) {
15139 					kfree(qos_map);
15140 					return -EINVAL;
15141 				}
15142 			}
15143 			pos += des_len;
15144 		}
15145 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15146 	}
15147 
15148 	wdev_lock(dev->ieee80211_ptr);
15149 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15150 	if (!ret)
15151 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15152 	wdev_unlock(dev->ieee80211_ptr);
15153 
15154 	kfree(qos_map);
15155 	return ret;
15156 }
15157 
15158 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15159 {
15160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15161 	struct net_device *dev = info->user_ptr[1];
15162 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15163 	const u8 *peer;
15164 	u8 tsid, up;
15165 	u16 admitted_time = 0;
15166 	int err;
15167 
15168 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15169 		return -EOPNOTSUPP;
15170 
15171 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15172 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15173 		return -EINVAL;
15174 
15175 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15176 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15177 
15178 	/* WMM uses TIDs 0-7 even for TSPEC */
15179 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15180 		/* TODO: handle 802.11 TSPEC/admission control
15181 		 * need more attributes for that (e.g. BA session requirement);
15182 		 * change the WMM adminssion test above to allow both then
15183 		 */
15184 		return -EINVAL;
15185 	}
15186 
15187 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15188 
15189 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15190 		admitted_time =
15191 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15192 		if (!admitted_time)
15193 			return -EINVAL;
15194 	}
15195 
15196 	wdev_lock(wdev);
15197 	switch (wdev->iftype) {
15198 	case NL80211_IFTYPE_STATION:
15199 	case NL80211_IFTYPE_P2P_CLIENT:
15200 		if (wdev->connected)
15201 			break;
15202 		err = -ENOTCONN;
15203 		goto out;
15204 	default:
15205 		err = -EOPNOTSUPP;
15206 		goto out;
15207 	}
15208 
15209 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15210 
15211  out:
15212 	wdev_unlock(wdev);
15213 	return err;
15214 }
15215 
15216 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15217 {
15218 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15219 	struct net_device *dev = info->user_ptr[1];
15220 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15221 	const u8 *peer;
15222 	u8 tsid;
15223 	int err;
15224 
15225 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15226 		return -EINVAL;
15227 
15228 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15229 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15230 
15231 	wdev_lock(wdev);
15232 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15233 	wdev_unlock(wdev);
15234 
15235 	return err;
15236 }
15237 
15238 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15239 				       struct genl_info *info)
15240 {
15241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15242 	struct net_device *dev = info->user_ptr[1];
15243 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15244 	struct cfg80211_chan_def chandef = {};
15245 	const u8 *addr;
15246 	u8 oper_class;
15247 	int err;
15248 
15249 	if (!rdev->ops->tdls_channel_switch ||
15250 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15251 		return -EOPNOTSUPP;
15252 
15253 	switch (dev->ieee80211_ptr->iftype) {
15254 	case NL80211_IFTYPE_STATION:
15255 	case NL80211_IFTYPE_P2P_CLIENT:
15256 		break;
15257 	default:
15258 		return -EOPNOTSUPP;
15259 	}
15260 
15261 	if (!info->attrs[NL80211_ATTR_MAC] ||
15262 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15263 		return -EINVAL;
15264 
15265 	err = nl80211_parse_chandef(rdev, info, &chandef);
15266 	if (err)
15267 		return err;
15268 
15269 	/*
15270 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15271 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15272 	 * specification is not defined for them.
15273 	 */
15274 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15275 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15276 	    chandef.width != NL80211_CHAN_WIDTH_20)
15277 		return -EINVAL;
15278 
15279 	/* we will be active on the TDLS link */
15280 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15281 					   wdev->iftype))
15282 		return -EINVAL;
15283 
15284 	/* don't allow switching to DFS channels */
15285 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15286 		return -EINVAL;
15287 
15288 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15289 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15290 
15291 	wdev_lock(wdev);
15292 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15293 	wdev_unlock(wdev);
15294 
15295 	return err;
15296 }
15297 
15298 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15299 					      struct genl_info *info)
15300 {
15301 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15302 	struct net_device *dev = info->user_ptr[1];
15303 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15304 	const u8 *addr;
15305 
15306 	if (!rdev->ops->tdls_channel_switch ||
15307 	    !rdev->ops->tdls_cancel_channel_switch ||
15308 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15309 		return -EOPNOTSUPP;
15310 
15311 	switch (dev->ieee80211_ptr->iftype) {
15312 	case NL80211_IFTYPE_STATION:
15313 	case NL80211_IFTYPE_P2P_CLIENT:
15314 		break;
15315 	default:
15316 		return -EOPNOTSUPP;
15317 	}
15318 
15319 	if (!info->attrs[NL80211_ATTR_MAC])
15320 		return -EINVAL;
15321 
15322 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15323 
15324 	wdev_lock(wdev);
15325 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15326 	wdev_unlock(wdev);
15327 
15328 	return 0;
15329 }
15330 
15331 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15332 					    struct genl_info *info)
15333 {
15334 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15335 	struct net_device *dev = info->user_ptr[1];
15336 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15337 	const struct nlattr *nla;
15338 	bool enabled;
15339 
15340 	if (!rdev->ops->set_multicast_to_unicast)
15341 		return -EOPNOTSUPP;
15342 
15343 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15344 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15345 		return -EOPNOTSUPP;
15346 
15347 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15348 	enabled = nla_get_flag(nla);
15349 
15350 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15351 }
15352 
15353 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15354 {
15355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15356 	struct net_device *dev = info->user_ptr[1];
15357 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15358 	struct cfg80211_pmk_conf pmk_conf = {};
15359 	int ret;
15360 
15361 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15362 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15363 		return -EOPNOTSUPP;
15364 
15365 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15366 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15367 		return -EOPNOTSUPP;
15368 
15369 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15370 		return -EINVAL;
15371 
15372 	wdev_lock(wdev);
15373 	if (!wdev->connected) {
15374 		ret = -ENOTCONN;
15375 		goto out;
15376 	}
15377 
15378 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15379 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15380 		ret = -EINVAL;
15381 		goto out;
15382 	}
15383 
15384 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15385 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15386 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15387 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15388 		ret = -EINVAL;
15389 		goto out;
15390 	}
15391 
15392 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15393 		pmk_conf.pmk_r0_name =
15394 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15395 
15396 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15397 out:
15398 	wdev_unlock(wdev);
15399 	return ret;
15400 }
15401 
15402 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15403 {
15404 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15405 	struct net_device *dev = info->user_ptr[1];
15406 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15407 	const u8 *aa;
15408 	int ret;
15409 
15410 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15411 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15412 		return -EOPNOTSUPP;
15413 
15414 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15415 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15416 		return -EOPNOTSUPP;
15417 
15418 	if (!info->attrs[NL80211_ATTR_MAC])
15419 		return -EINVAL;
15420 
15421 	wdev_lock(wdev);
15422 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15423 	ret = rdev_del_pmk(rdev, dev, aa);
15424 	wdev_unlock(wdev);
15425 
15426 	return ret;
15427 }
15428 
15429 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15430 {
15431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15432 	struct net_device *dev = info->user_ptr[1];
15433 	struct cfg80211_external_auth_params params;
15434 
15435 	if (!rdev->ops->external_auth)
15436 		return -EOPNOTSUPP;
15437 
15438 	if (!info->attrs[NL80211_ATTR_SSID] &&
15439 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15440 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15441 		return -EINVAL;
15442 
15443 	if (!info->attrs[NL80211_ATTR_BSSID])
15444 		return -EINVAL;
15445 
15446 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15447 		return -EINVAL;
15448 
15449 	memset(&params, 0, sizeof(params));
15450 
15451 	if (info->attrs[NL80211_ATTR_SSID]) {
15452 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15453 		if (params.ssid.ssid_len == 0)
15454 			return -EINVAL;
15455 		memcpy(params.ssid.ssid,
15456 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15457 		       params.ssid.ssid_len);
15458 	}
15459 
15460 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15461 	       ETH_ALEN);
15462 
15463 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15464 
15465 	if (info->attrs[NL80211_ATTR_PMKID])
15466 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15467 
15468 	return rdev_external_auth(rdev, dev, &params);
15469 }
15470 
15471 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15472 {
15473 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15475 	struct net_device *dev = info->user_ptr[1];
15476 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15477 	const u8 *buf;
15478 	size_t len;
15479 	u8 *dest;
15480 	u16 proto;
15481 	bool noencrypt;
15482 	u64 cookie = 0;
15483 	int link_id;
15484 	int err;
15485 
15486 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15487 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15488 		return -EOPNOTSUPP;
15489 
15490 	if (!rdev->ops->tx_control_port)
15491 		return -EOPNOTSUPP;
15492 
15493 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15494 	    !info->attrs[NL80211_ATTR_MAC] ||
15495 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15496 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15497 		return -EINVAL;
15498 	}
15499 
15500 	wdev_lock(wdev);
15501 
15502 	switch (wdev->iftype) {
15503 	case NL80211_IFTYPE_AP:
15504 	case NL80211_IFTYPE_P2P_GO:
15505 	case NL80211_IFTYPE_MESH_POINT:
15506 		break;
15507 	case NL80211_IFTYPE_ADHOC:
15508 		if (wdev->u.ibss.current_bss)
15509 			break;
15510 		err = -ENOTCONN;
15511 		goto out;
15512 	case NL80211_IFTYPE_STATION:
15513 	case NL80211_IFTYPE_P2P_CLIENT:
15514 		if (wdev->connected)
15515 			break;
15516 		err = -ENOTCONN;
15517 		goto out;
15518 	default:
15519 		err = -EOPNOTSUPP;
15520 		goto out;
15521 	}
15522 
15523 	wdev_unlock(wdev);
15524 
15525 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15526 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15527 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15528 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15529 	noencrypt =
15530 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15531 
15532 	link_id = nl80211_link_id_or_invalid(info->attrs);
15533 
15534 	err = rdev_tx_control_port(rdev, dev, buf, len,
15535 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15536 				   dont_wait_for_ack ? NULL : &cookie);
15537 	if (!err && !dont_wait_for_ack)
15538 		nl_set_extack_cookie_u64(info->extack, cookie);
15539 	return err;
15540  out:
15541 	wdev_unlock(wdev);
15542 	return err;
15543 }
15544 
15545 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15546 					   struct genl_info *info)
15547 {
15548 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15549 	struct net_device *dev = info->user_ptr[1];
15550 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15551 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15552 	unsigned int link_id = nl80211_link_id(info->attrs);
15553 	struct sk_buff *msg;
15554 	void *hdr;
15555 	struct nlattr *ftm_stats_attr;
15556 	int err;
15557 
15558 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15559 	    !wdev->links[link_id].ap.beacon_interval)
15560 		return -EOPNOTSUPP;
15561 
15562 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15563 	if (err)
15564 		return err;
15565 
15566 	if (!ftm_stats.filled)
15567 		return -ENODATA;
15568 
15569 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15570 	if (!msg)
15571 		return -ENOMEM;
15572 
15573 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15574 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15575 	if (!hdr)
15576 		goto nla_put_failure;
15577 
15578 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15579 		goto nla_put_failure;
15580 
15581 	ftm_stats_attr = nla_nest_start_noflag(msg,
15582 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15583 	if (!ftm_stats_attr)
15584 		goto nla_put_failure;
15585 
15586 #define SET_FTM(field, name, type)					 \
15587 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15588 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15589 			     ftm_stats.field))				 \
15590 		goto nla_put_failure; } while (0)
15591 #define SET_FTM_U64(field, name)					 \
15592 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15593 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15594 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15595 		goto nla_put_failure; } while (0)
15596 
15597 	SET_FTM(success_num, SUCCESS_NUM, u32);
15598 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15599 	SET_FTM(failed_num, FAILED_NUM, u32);
15600 	SET_FTM(asap_num, ASAP_NUM, u32);
15601 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15602 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15603 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15604 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15605 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15606 #undef SET_FTM
15607 
15608 	nla_nest_end(msg, ftm_stats_attr);
15609 
15610 	genlmsg_end(msg, hdr);
15611 	return genlmsg_reply(msg, info);
15612 
15613 nla_put_failure:
15614 	nlmsg_free(msg);
15615 	return -ENOBUFS;
15616 }
15617 
15618 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15619 {
15620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15621 	struct cfg80211_update_owe_info owe_info;
15622 	struct net_device *dev = info->user_ptr[1];
15623 
15624 	if (!rdev->ops->update_owe_info)
15625 		return -EOPNOTSUPP;
15626 
15627 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15628 	    !info->attrs[NL80211_ATTR_MAC])
15629 		return -EINVAL;
15630 
15631 	memset(&owe_info, 0, sizeof(owe_info));
15632 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15633 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15634 
15635 	if (info->attrs[NL80211_ATTR_IE]) {
15636 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15637 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15638 	}
15639 
15640 	return rdev_update_owe_info(rdev, dev, &owe_info);
15641 }
15642 
15643 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15644 {
15645 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15646 	struct net_device *dev = info->user_ptr[1];
15647 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15648 	struct station_info sinfo = {};
15649 	const u8 *buf;
15650 	size_t len;
15651 	u8 *dest;
15652 	int err;
15653 
15654 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15655 		return -EOPNOTSUPP;
15656 
15657 	if (!info->attrs[NL80211_ATTR_MAC] ||
15658 	    !info->attrs[NL80211_ATTR_FRAME]) {
15659 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15660 		return -EINVAL;
15661 	}
15662 
15663 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15664 		return -EOPNOTSUPP;
15665 
15666 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15667 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15668 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15669 
15670 	if (len < sizeof(struct ethhdr))
15671 		return -EINVAL;
15672 
15673 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15674 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15675 		return -EINVAL;
15676 
15677 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15678 	if (err)
15679 		return err;
15680 
15681 	cfg80211_sinfo_release_content(&sinfo);
15682 
15683 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15684 }
15685 
15686 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15687 			  struct nlattr *attrs[], struct net_device *dev,
15688 			  struct cfg80211_tid_cfg *tid_conf,
15689 			  struct genl_info *info, const u8 *peer,
15690 			  unsigned int link_id)
15691 {
15692 	struct netlink_ext_ack *extack = info->extack;
15693 	u64 mask;
15694 	int err;
15695 
15696 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15697 		return -EINVAL;
15698 
15699 	tid_conf->config_override =
15700 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15701 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15702 
15703 	if (tid_conf->config_override) {
15704 		if (rdev->ops->reset_tid_config) {
15705 			err = rdev_reset_tid_config(rdev, dev, peer,
15706 						    tid_conf->tids);
15707 			if (err)
15708 				return err;
15709 		} else {
15710 			return -EINVAL;
15711 		}
15712 	}
15713 
15714 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15715 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15716 		tid_conf->noack =
15717 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15718 	}
15719 
15720 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15721 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15722 		tid_conf->retry_short =
15723 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15724 
15725 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15726 			return -EINVAL;
15727 	}
15728 
15729 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15730 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15731 		tid_conf->retry_long =
15732 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15733 
15734 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15735 			return -EINVAL;
15736 	}
15737 
15738 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15739 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15740 		tid_conf->ampdu =
15741 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15742 	}
15743 
15744 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15745 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15746 		tid_conf->rtscts =
15747 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15748 	}
15749 
15750 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15751 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15752 		tid_conf->amsdu =
15753 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15754 	}
15755 
15756 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15757 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15758 
15759 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15760 
15761 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15762 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15763 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15764 						    &tid_conf->txrate_mask, dev,
15765 						    true, link_id);
15766 			if (err)
15767 				return err;
15768 
15769 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15770 		}
15771 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15772 	}
15773 
15774 	if (peer)
15775 		mask = rdev->wiphy.tid_config_support.peer;
15776 	else
15777 		mask = rdev->wiphy.tid_config_support.vif;
15778 
15779 	if (tid_conf->mask & ~mask) {
15780 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15781 		return -ENOTSUPP;
15782 	}
15783 
15784 	return 0;
15785 }
15786 
15787 static int nl80211_set_tid_config(struct sk_buff *skb,
15788 				  struct genl_info *info)
15789 {
15790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15791 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15792 	unsigned int link_id = nl80211_link_id(info->attrs);
15793 	struct net_device *dev = info->user_ptr[1];
15794 	struct cfg80211_tid_config *tid_config;
15795 	struct nlattr *tid;
15796 	int conf_idx = 0, rem_conf;
15797 	int ret = -EINVAL;
15798 	u32 num_conf = 0;
15799 
15800 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15801 		return -EINVAL;
15802 
15803 	if (!rdev->ops->set_tid_config)
15804 		return -EOPNOTSUPP;
15805 
15806 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15807 			    rem_conf)
15808 		num_conf++;
15809 
15810 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15811 			     GFP_KERNEL);
15812 	if (!tid_config)
15813 		return -ENOMEM;
15814 
15815 	tid_config->n_tid_conf = num_conf;
15816 
15817 	if (info->attrs[NL80211_ATTR_MAC])
15818 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15819 
15820 	wdev_lock(dev->ieee80211_ptr);
15821 
15822 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15823 			    rem_conf) {
15824 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15825 				       tid, NULL, NULL);
15826 
15827 		if (ret)
15828 			goto bad_tid_conf;
15829 
15830 		ret = parse_tid_conf(rdev, attrs, dev,
15831 				     &tid_config->tid_conf[conf_idx],
15832 				     info, tid_config->peer, link_id);
15833 		if (ret)
15834 			goto bad_tid_conf;
15835 
15836 		conf_idx++;
15837 	}
15838 
15839 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15840 
15841 bad_tid_conf:
15842 	kfree(tid_config);
15843 	wdev_unlock(dev->ieee80211_ptr);
15844 	return ret;
15845 }
15846 
15847 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15848 {
15849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15850 	struct cfg80211_color_change_settings params = {};
15851 	struct net_device *dev = info->user_ptr[1];
15852 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15853 	struct nlattr **tb;
15854 	u16 offset;
15855 	int err;
15856 
15857 	if (!rdev->ops->color_change)
15858 		return -EOPNOTSUPP;
15859 
15860 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15861 				     NL80211_EXT_FEATURE_BSS_COLOR))
15862 		return -EOPNOTSUPP;
15863 
15864 	if (wdev->iftype != NL80211_IFTYPE_AP)
15865 		return -EOPNOTSUPP;
15866 
15867 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15868 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15869 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15870 		return -EINVAL;
15871 
15872 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15873 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15874 
15875 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15876 	if (err)
15877 		return err;
15878 
15879 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15880 	if (!tb)
15881 		return -ENOMEM;
15882 
15883 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15884 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15885 			       nl80211_policy, info->extack);
15886 	if (err)
15887 		goto out;
15888 
15889 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15890 	if (err)
15891 		goto out;
15892 
15893 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15894 		err = -EINVAL;
15895 		goto out;
15896 	}
15897 
15898 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15899 		err = -EINVAL;
15900 		goto out;
15901 	}
15902 
15903 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15904 	if (offset >= params.beacon_color_change.tail_len) {
15905 		err = -EINVAL;
15906 		goto out;
15907 	}
15908 
15909 	if (params.beacon_color_change.tail[offset] != params.count) {
15910 		err = -EINVAL;
15911 		goto out;
15912 	}
15913 
15914 	params.counter_offset_beacon = offset;
15915 
15916 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15917 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15918 		    sizeof(u16)) {
15919 			err = -EINVAL;
15920 			goto out;
15921 		}
15922 
15923 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15924 		if (offset >= params.beacon_color_change.probe_resp_len) {
15925 			err = -EINVAL;
15926 			goto out;
15927 		}
15928 
15929 		if (params.beacon_color_change.probe_resp[offset] !=
15930 		    params.count) {
15931 			err = -EINVAL;
15932 			goto out;
15933 		}
15934 
15935 		params.counter_offset_presp = offset;
15936 	}
15937 
15938 	wdev_lock(wdev);
15939 	err = rdev_color_change(rdev, dev, &params);
15940 	wdev_unlock(wdev);
15941 
15942 out:
15943 	kfree(params.beacon_next.mbssid_ies);
15944 	kfree(params.beacon_color_change.mbssid_ies);
15945 	kfree(tb);
15946 	return err;
15947 }
15948 
15949 static int nl80211_set_fils_aad(struct sk_buff *skb,
15950 				struct genl_info *info)
15951 {
15952 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15953 	struct net_device *dev = info->user_ptr[1];
15954 	struct cfg80211_fils_aad fils_aad = {};
15955 	u8 *nonces;
15956 
15957 	if (!info->attrs[NL80211_ATTR_MAC] ||
15958 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15959 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15960 		return -EINVAL;
15961 
15962 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15963 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15964 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15965 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15966 	fils_aad.snonce = nonces;
15967 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15968 
15969 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15970 }
15971 
15972 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
15973 {
15974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15975 	unsigned int link_id = nl80211_link_id(info->attrs);
15976 	struct net_device *dev = info->user_ptr[1];
15977 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15978 	int ret;
15979 
15980 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
15981 		return -EINVAL;
15982 
15983 	switch (wdev->iftype) {
15984 	case NL80211_IFTYPE_AP:
15985 		break;
15986 	default:
15987 		return -EINVAL;
15988 	}
15989 
15990 	if (!info->attrs[NL80211_ATTR_MAC] ||
15991 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
15992 		return -EINVAL;
15993 
15994 	wdev_lock(wdev);
15995 	wdev->valid_links |= BIT(link_id);
15996 	ether_addr_copy(wdev->links[link_id].addr,
15997 			nla_data(info->attrs[NL80211_ATTR_MAC]));
15998 
15999 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16000 	if (ret) {
16001 		wdev->valid_links &= ~BIT(link_id);
16002 		eth_zero_addr(wdev->links[link_id].addr);
16003 	}
16004 	wdev_unlock(wdev);
16005 
16006 	return ret;
16007 }
16008 
16009 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16010 {
16011 	unsigned int link_id = nl80211_link_id(info->attrs);
16012 	struct net_device *dev = info->user_ptr[1];
16013 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16014 
16015 	/* cannot remove if there's no link */
16016 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16017 		return -EINVAL;
16018 
16019 	switch (wdev->iftype) {
16020 	case NL80211_IFTYPE_AP:
16021 		break;
16022 	default:
16023 		return -EINVAL;
16024 	}
16025 
16026 	wdev_lock(wdev);
16027 	cfg80211_remove_link(wdev, link_id);
16028 	wdev_unlock(wdev);
16029 
16030 	return 0;
16031 }
16032 
16033 static int
16034 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16035 			     bool add)
16036 {
16037 	struct link_station_parameters params = {};
16038 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16039 	struct net_device *dev = info->user_ptr[1];
16040 	int err;
16041 
16042 	if ((add && !rdev->ops->add_link_station) ||
16043 	    (!add && !rdev->ops->mod_link_station))
16044 		return -EOPNOTSUPP;
16045 
16046 	if (add && !info->attrs[NL80211_ATTR_MAC])
16047 		return -EINVAL;
16048 
16049 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16050 		return -EINVAL;
16051 
16052 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16053 		return -EINVAL;
16054 
16055 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16056 
16057 	if (info->attrs[NL80211_ATTR_MAC]) {
16058 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16059 		if (!is_valid_ether_addr(params.link_mac))
16060 			return -EINVAL;
16061 	}
16062 
16063 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16064 		return -EINVAL;
16065 
16066 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16067 
16068 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16069 		params.supported_rates =
16070 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16071 		params.supported_rates_len =
16072 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16073 	}
16074 
16075 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16076 		params.ht_capa =
16077 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16078 
16079 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16080 		params.vht_capa =
16081 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16082 
16083 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16084 		params.he_capa =
16085 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16086 		params.he_capa_len =
16087 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16088 
16089 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16090 			params.eht_capa =
16091 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16092 			params.eht_capa_len =
16093 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16094 
16095 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16096 							(const u8 *)params.eht_capa,
16097 							params.eht_capa_len,
16098 							false))
16099 				return -EINVAL;
16100 		}
16101 	}
16102 
16103 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16104 		params.he_6ghz_capa =
16105 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16106 
16107 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16108 		params.opmode_notif_used = true;
16109 		params.opmode_notif =
16110 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16111 	}
16112 
16113 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16114 						&params.txpwr_set);
16115 	if (err)
16116 		return err;
16117 
16118 	wdev_lock(dev->ieee80211_ptr);
16119 	if (add)
16120 		err = rdev_add_link_station(rdev, dev, &params);
16121 	else
16122 		err = rdev_mod_link_station(rdev, dev, &params);
16123 	wdev_unlock(dev->ieee80211_ptr);
16124 
16125 	return err;
16126 }
16127 
16128 static int
16129 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16130 {
16131 	return nl80211_add_mod_link_station(skb, info, true);
16132 }
16133 
16134 static int
16135 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16136 {
16137 	return nl80211_add_mod_link_station(skb, info, false);
16138 }
16139 
16140 static int
16141 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16142 {
16143 	struct link_station_del_parameters params = {};
16144 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16145 	struct net_device *dev = info->user_ptr[1];
16146 	int ret;
16147 
16148 	if (!rdev->ops->del_link_station)
16149 		return -EOPNOTSUPP;
16150 
16151 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16152 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16153 		return -EINVAL;
16154 
16155 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16156 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16157 
16158 	wdev_lock(dev->ieee80211_ptr);
16159 	ret = rdev_del_link_station(rdev, dev, &params);
16160 	wdev_unlock(dev->ieee80211_ptr);
16161 
16162 	return ret;
16163 }
16164 
16165 #define NL80211_FLAG_NEED_WIPHY		0x01
16166 #define NL80211_FLAG_NEED_NETDEV	0x02
16167 #define NL80211_FLAG_NEED_RTNL		0x04
16168 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16169 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16170 					 NL80211_FLAG_CHECK_NETDEV_UP)
16171 #define NL80211_FLAG_NEED_WDEV		0x10
16172 /* If a netdev is associated, it must be UP, P2P must be started */
16173 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16174 					 NL80211_FLAG_CHECK_NETDEV_UP)
16175 #define NL80211_FLAG_CLEAR_SKB		0x20
16176 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16177 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16178 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16179 
16180 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16181 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16182 	SELECTOR(__sel, WIPHY,				\
16183 		 NL80211_FLAG_NEED_WIPHY)		\
16184 	SELECTOR(__sel, WDEV,				\
16185 		 NL80211_FLAG_NEED_WDEV)		\
16186 	SELECTOR(__sel, NETDEV,				\
16187 		 NL80211_FLAG_NEED_NETDEV)		\
16188 	SELECTOR(__sel, NETDEV_LINK,			\
16189 		 NL80211_FLAG_NEED_NETDEV |		\
16190 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16191 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16192 		 NL80211_FLAG_NEED_NETDEV |		\
16193 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16194 	SELECTOR(__sel, WIPHY_RTNL,			\
16195 		 NL80211_FLAG_NEED_WIPHY |		\
16196 		 NL80211_FLAG_NEED_RTNL)		\
16197 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16198 		 NL80211_FLAG_NEED_WIPHY |		\
16199 		 NL80211_FLAG_NEED_RTNL |		\
16200 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16201 	SELECTOR(__sel, WDEV_RTNL,			\
16202 		 NL80211_FLAG_NEED_WDEV |		\
16203 		 NL80211_FLAG_NEED_RTNL)		\
16204 	SELECTOR(__sel, NETDEV_RTNL,			\
16205 		 NL80211_FLAG_NEED_NETDEV |		\
16206 		 NL80211_FLAG_NEED_RTNL)		\
16207 	SELECTOR(__sel, NETDEV_UP,			\
16208 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16209 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16210 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16211 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16212 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16213 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16214 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16215 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16216 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16217 		 NL80211_FLAG_CLEAR_SKB |		\
16218 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16219 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16220 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16221 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16222 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16223 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16224 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16225 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16226 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16227 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16228 		 NL80211_FLAG_CLEAR_SKB)		\
16229 	SELECTOR(__sel, WDEV_UP,			\
16230 		 NL80211_FLAG_NEED_WDEV_UP)		\
16231 	SELECTOR(__sel, WDEV_UP_LINK,			\
16232 		 NL80211_FLAG_NEED_WDEV_UP |		\
16233 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16234 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16235 		 NL80211_FLAG_NEED_WDEV_UP |		\
16236 		 NL80211_FLAG_NEED_RTNL)		\
16237 	SELECTOR(__sel, WIPHY_CLEAR,			\
16238 		 NL80211_FLAG_NEED_WIPHY |		\
16239 		 NL80211_FLAG_CLEAR_SKB)
16240 
16241 enum nl80211_internal_flags_selector {
16242 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16243 	INTERNAL_FLAG_SELECTORS(_)
16244 #undef SELECTOR
16245 };
16246 
16247 static u32 nl80211_internal_flags[] = {
16248 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16249 	INTERNAL_FLAG_SELECTORS(_)
16250 #undef SELECTOR
16251 };
16252 
16253 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16254 			    struct sk_buff *skb,
16255 			    struct genl_info *info)
16256 {
16257 	struct cfg80211_registered_device *rdev = NULL;
16258 	struct wireless_dev *wdev = NULL;
16259 	struct net_device *dev = NULL;
16260 	u32 internal_flags;
16261 	int err;
16262 
16263 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16264 		return -EINVAL;
16265 
16266 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16267 
16268 	rtnl_lock();
16269 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16270 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16271 		if (IS_ERR(rdev)) {
16272 			err = PTR_ERR(rdev);
16273 			goto out_unlock;
16274 		}
16275 		info->user_ptr[0] = rdev;
16276 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16277 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16278 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16279 						  info->attrs);
16280 		if (IS_ERR(wdev)) {
16281 			err = PTR_ERR(wdev);
16282 			goto out_unlock;
16283 		}
16284 
16285 		dev = wdev->netdev;
16286 		dev_hold(dev);
16287 		rdev = wiphy_to_rdev(wdev->wiphy);
16288 
16289 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16290 			if (!dev) {
16291 				err = -EINVAL;
16292 				goto out_unlock;
16293 			}
16294 
16295 			info->user_ptr[1] = dev;
16296 		} else {
16297 			info->user_ptr[1] = wdev;
16298 		}
16299 
16300 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16301 		    !wdev_running(wdev)) {
16302 			err = -ENETDOWN;
16303 			goto out_unlock;
16304 		}
16305 
16306 		info->user_ptr[0] = rdev;
16307 	}
16308 
16309 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16310 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16311 
16312 		if (!wdev) {
16313 			err = -EINVAL;
16314 			goto out_unlock;
16315 		}
16316 
16317 		/* MLO -> require valid link ID */
16318 		if (wdev->valid_links &&
16319 		    (!link_id ||
16320 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16321 			err = -EINVAL;
16322 			goto out_unlock;
16323 		}
16324 
16325 		/* non-MLO -> no link ID attribute accepted */
16326 		if (!wdev->valid_links && link_id) {
16327 			err = -EINVAL;
16328 			goto out_unlock;
16329 		}
16330 	}
16331 
16332 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16333 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16334 		    (wdev && wdev->valid_links)) {
16335 			err = -EINVAL;
16336 			goto out_unlock;
16337 		}
16338 	}
16339 
16340 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16341 		wiphy_lock(&rdev->wiphy);
16342 		/* we keep the mutex locked until post_doit */
16343 		__release(&rdev->wiphy.mtx);
16344 	}
16345 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16346 		rtnl_unlock();
16347 
16348 	return 0;
16349 out_unlock:
16350 	rtnl_unlock();
16351 	dev_put(dev);
16352 	return err;
16353 }
16354 
16355 static void nl80211_post_doit(const struct genl_split_ops *ops,
16356 			      struct sk_buff *skb,
16357 			      struct genl_info *info)
16358 {
16359 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16360 
16361 	if (info->user_ptr[1]) {
16362 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16363 			struct wireless_dev *wdev = info->user_ptr[1];
16364 
16365 			dev_put(wdev->netdev);
16366 		} else {
16367 			dev_put(info->user_ptr[1]);
16368 		}
16369 	}
16370 
16371 	if (info->user_ptr[0] &&
16372 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16373 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16374 
16375 		/* we kept the mutex locked since pre_doit */
16376 		__acquire(&rdev->wiphy.mtx);
16377 		wiphy_unlock(&rdev->wiphy);
16378 	}
16379 
16380 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16381 		rtnl_unlock();
16382 
16383 	/* If needed, clear the netlink message payload from the SKB
16384 	 * as it might contain key data that shouldn't stick around on
16385 	 * the heap after the SKB is freed. The netlink message header
16386 	 * is still needed for further processing, so leave it intact.
16387 	 */
16388 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16389 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16390 
16391 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16392 	}
16393 }
16394 
16395 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16396 				     struct cfg80211_sar_specs *sar_specs,
16397 				     struct nlattr *spec[], int index)
16398 {
16399 	u32 range_index, i;
16400 
16401 	if (!sar_specs || !spec)
16402 		return -EINVAL;
16403 
16404 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16405 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16406 		return -EINVAL;
16407 
16408 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16409 
16410 	/* check if range_index exceeds num_freq_ranges */
16411 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16412 		return -EINVAL;
16413 
16414 	/* check if range_index duplicates */
16415 	for (i = 0; i < index; i++) {
16416 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16417 			return -EINVAL;
16418 	}
16419 
16420 	sar_specs->sub_specs[index].power =
16421 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16422 
16423 	sar_specs->sub_specs[index].freq_range_index = range_index;
16424 
16425 	return 0;
16426 }
16427 
16428 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16429 {
16430 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16431 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16432 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16433 	struct cfg80211_sar_specs *sar_spec;
16434 	enum nl80211_sar_type type;
16435 	struct nlattr *spec_list;
16436 	u32 specs;
16437 	int rem, err;
16438 
16439 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16440 		return -EOPNOTSUPP;
16441 
16442 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16443 		return -EINVAL;
16444 
16445 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16446 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16447 			 NULL, NULL);
16448 
16449 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16450 		return -EINVAL;
16451 
16452 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16453 	if (type != rdev->wiphy.sar_capa->type)
16454 		return -EINVAL;
16455 
16456 	specs = 0;
16457 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16458 		specs++;
16459 
16460 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16461 		return -EINVAL;
16462 
16463 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16464 	if (!sar_spec)
16465 		return -ENOMEM;
16466 
16467 	sar_spec->type = type;
16468 	specs = 0;
16469 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16470 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16471 				 spec_list, NULL, NULL);
16472 
16473 		switch (type) {
16474 		case NL80211_SAR_TYPE_POWER:
16475 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16476 						      spec, specs)) {
16477 				err = -EINVAL;
16478 				goto error;
16479 			}
16480 			break;
16481 		default:
16482 			err = -EINVAL;
16483 			goto error;
16484 		}
16485 		specs++;
16486 	}
16487 
16488 	sar_spec->num_sub_specs = specs;
16489 
16490 	rdev->cur_cmd_info = info;
16491 	err = rdev_set_sar_specs(rdev, sar_spec);
16492 	rdev->cur_cmd_info = NULL;
16493 error:
16494 	kfree(sar_spec);
16495 	return err;
16496 }
16497 
16498 #define SELECTOR(__sel, name, value) \
16499 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16500 int __missing_selector(void);
16501 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16502 
16503 static const struct genl_ops nl80211_ops[] = {
16504 	{
16505 		.cmd = NL80211_CMD_GET_WIPHY,
16506 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16507 		.doit = nl80211_get_wiphy,
16508 		.dumpit = nl80211_dump_wiphy,
16509 		.done = nl80211_dump_wiphy_done,
16510 		/* can be retrieved by unprivileged users */
16511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16512 	},
16513 };
16514 
16515 static const struct genl_small_ops nl80211_small_ops[] = {
16516 	{
16517 		.cmd = NL80211_CMD_SET_WIPHY,
16518 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16519 		.doit = nl80211_set_wiphy,
16520 		.flags = GENL_UNS_ADMIN_PERM,
16521 	},
16522 	{
16523 		.cmd = NL80211_CMD_GET_INTERFACE,
16524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16525 		.doit = nl80211_get_interface,
16526 		.dumpit = nl80211_dump_interface,
16527 		/* can be retrieved by unprivileged users */
16528 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16529 	},
16530 	{
16531 		.cmd = NL80211_CMD_SET_INTERFACE,
16532 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16533 		.doit = nl80211_set_interface,
16534 		.flags = GENL_UNS_ADMIN_PERM,
16535 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16536 					 NL80211_FLAG_NEED_RTNL),
16537 	},
16538 	{
16539 		.cmd = NL80211_CMD_NEW_INTERFACE,
16540 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16541 		.doit = nl80211_new_interface,
16542 		.flags = GENL_UNS_ADMIN_PERM,
16543 		.internal_flags =
16544 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16545 			       NL80211_FLAG_NEED_RTNL |
16546 			       /* we take the wiphy mutex later ourselves */
16547 			       NL80211_FLAG_NO_WIPHY_MTX),
16548 	},
16549 	{
16550 		.cmd = NL80211_CMD_DEL_INTERFACE,
16551 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16552 		.doit = nl80211_del_interface,
16553 		.flags = GENL_UNS_ADMIN_PERM,
16554 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16555 					 NL80211_FLAG_NEED_RTNL),
16556 	},
16557 	{
16558 		.cmd = NL80211_CMD_GET_KEY,
16559 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16560 		.doit = nl80211_get_key,
16561 		.flags = GENL_UNS_ADMIN_PERM,
16562 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16563 	},
16564 	{
16565 		.cmd = NL80211_CMD_SET_KEY,
16566 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16567 		.doit = nl80211_set_key,
16568 		.flags = GENL_UNS_ADMIN_PERM,
16569 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16570 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16571 					 NL80211_FLAG_CLEAR_SKB),
16572 	},
16573 	{
16574 		.cmd = NL80211_CMD_NEW_KEY,
16575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16576 		.doit = nl80211_new_key,
16577 		.flags = GENL_UNS_ADMIN_PERM,
16578 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16579 					 NL80211_FLAG_CLEAR_SKB),
16580 	},
16581 	{
16582 		.cmd = NL80211_CMD_DEL_KEY,
16583 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16584 		.doit = nl80211_del_key,
16585 		.flags = GENL_UNS_ADMIN_PERM,
16586 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16587 	},
16588 	{
16589 		.cmd = NL80211_CMD_SET_BEACON,
16590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16591 		.flags = GENL_UNS_ADMIN_PERM,
16592 		.doit = nl80211_set_beacon,
16593 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16594 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16595 	},
16596 	{
16597 		.cmd = NL80211_CMD_START_AP,
16598 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16599 		.flags = GENL_UNS_ADMIN_PERM,
16600 		.doit = nl80211_start_ap,
16601 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16602 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16603 	},
16604 	{
16605 		.cmd = NL80211_CMD_STOP_AP,
16606 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16607 		.flags = GENL_UNS_ADMIN_PERM,
16608 		.doit = nl80211_stop_ap,
16609 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16610 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16611 	},
16612 	{
16613 		.cmd = NL80211_CMD_GET_STATION,
16614 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16615 		.doit = nl80211_get_station,
16616 		.dumpit = nl80211_dump_station,
16617 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16618 	},
16619 	{
16620 		.cmd = NL80211_CMD_SET_STATION,
16621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16622 		.doit = nl80211_set_station,
16623 		.flags = GENL_UNS_ADMIN_PERM,
16624 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16625 	},
16626 	{
16627 		.cmd = NL80211_CMD_NEW_STATION,
16628 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16629 		.doit = nl80211_new_station,
16630 		.flags = GENL_UNS_ADMIN_PERM,
16631 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16632 	},
16633 	{
16634 		.cmd = NL80211_CMD_DEL_STATION,
16635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16636 		.doit = nl80211_del_station,
16637 		.flags = GENL_UNS_ADMIN_PERM,
16638 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16639 	},
16640 	{
16641 		.cmd = NL80211_CMD_GET_MPATH,
16642 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16643 		.doit = nl80211_get_mpath,
16644 		.dumpit = nl80211_dump_mpath,
16645 		.flags = GENL_UNS_ADMIN_PERM,
16646 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16647 	},
16648 	{
16649 		.cmd = NL80211_CMD_GET_MPP,
16650 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16651 		.doit = nl80211_get_mpp,
16652 		.dumpit = nl80211_dump_mpp,
16653 		.flags = GENL_UNS_ADMIN_PERM,
16654 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16655 	},
16656 	{
16657 		.cmd = NL80211_CMD_SET_MPATH,
16658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16659 		.doit = nl80211_set_mpath,
16660 		.flags = GENL_UNS_ADMIN_PERM,
16661 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16662 	},
16663 	{
16664 		.cmd = NL80211_CMD_NEW_MPATH,
16665 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16666 		.doit = nl80211_new_mpath,
16667 		.flags = GENL_UNS_ADMIN_PERM,
16668 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16669 	},
16670 	{
16671 		.cmd = NL80211_CMD_DEL_MPATH,
16672 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16673 		.doit = nl80211_del_mpath,
16674 		.flags = GENL_UNS_ADMIN_PERM,
16675 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16676 	},
16677 	{
16678 		.cmd = NL80211_CMD_SET_BSS,
16679 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16680 		.doit = nl80211_set_bss,
16681 		.flags = GENL_UNS_ADMIN_PERM,
16682 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16683 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16684 	},
16685 	{
16686 		.cmd = NL80211_CMD_GET_REG,
16687 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16688 		.doit = nl80211_get_reg_do,
16689 		.dumpit = nl80211_get_reg_dump,
16690 		/* can be retrieved by unprivileged users */
16691 	},
16692 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16693 	{
16694 		.cmd = NL80211_CMD_SET_REG,
16695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16696 		.doit = nl80211_set_reg,
16697 		.flags = GENL_ADMIN_PERM,
16698 	},
16699 #endif
16700 	{
16701 		.cmd = NL80211_CMD_REQ_SET_REG,
16702 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16703 		.doit = nl80211_req_set_reg,
16704 		.flags = GENL_ADMIN_PERM,
16705 	},
16706 	{
16707 		.cmd = NL80211_CMD_RELOAD_REGDB,
16708 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16709 		.doit = nl80211_reload_regdb,
16710 		.flags = GENL_ADMIN_PERM,
16711 	},
16712 	{
16713 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16714 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16715 		.doit = nl80211_get_mesh_config,
16716 		/* can be retrieved by unprivileged users */
16717 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16718 	},
16719 	{
16720 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16721 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16722 		.doit = nl80211_update_mesh_config,
16723 		.flags = GENL_UNS_ADMIN_PERM,
16724 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16725 	},
16726 	{
16727 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16728 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16729 		.doit = nl80211_trigger_scan,
16730 		.flags = GENL_UNS_ADMIN_PERM,
16731 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16732 	},
16733 	{
16734 		.cmd = NL80211_CMD_ABORT_SCAN,
16735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16736 		.doit = nl80211_abort_scan,
16737 		.flags = GENL_UNS_ADMIN_PERM,
16738 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16739 	},
16740 	{
16741 		.cmd = NL80211_CMD_GET_SCAN,
16742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16743 		.dumpit = nl80211_dump_scan,
16744 	},
16745 	{
16746 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16747 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16748 		.doit = nl80211_start_sched_scan,
16749 		.flags = GENL_UNS_ADMIN_PERM,
16750 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16751 	},
16752 	{
16753 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16754 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16755 		.doit = nl80211_stop_sched_scan,
16756 		.flags = GENL_UNS_ADMIN_PERM,
16757 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16758 	},
16759 	{
16760 		.cmd = NL80211_CMD_AUTHENTICATE,
16761 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16762 		.doit = nl80211_authenticate,
16763 		.flags = GENL_UNS_ADMIN_PERM,
16764 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16765 					 NL80211_FLAG_CLEAR_SKB),
16766 	},
16767 	{
16768 		.cmd = NL80211_CMD_ASSOCIATE,
16769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16770 		.doit = nl80211_associate,
16771 		.flags = GENL_UNS_ADMIN_PERM,
16772 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16773 					 NL80211_FLAG_CLEAR_SKB),
16774 	},
16775 	{
16776 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16777 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16778 		.doit = nl80211_deauthenticate,
16779 		.flags = GENL_UNS_ADMIN_PERM,
16780 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16781 	},
16782 	{
16783 		.cmd = NL80211_CMD_DISASSOCIATE,
16784 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16785 		.doit = nl80211_disassociate,
16786 		.flags = GENL_UNS_ADMIN_PERM,
16787 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16788 	},
16789 	{
16790 		.cmd = NL80211_CMD_JOIN_IBSS,
16791 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16792 		.doit = nl80211_join_ibss,
16793 		.flags = GENL_UNS_ADMIN_PERM,
16794 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16795 	},
16796 	{
16797 		.cmd = NL80211_CMD_LEAVE_IBSS,
16798 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16799 		.doit = nl80211_leave_ibss,
16800 		.flags = GENL_UNS_ADMIN_PERM,
16801 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16802 	},
16803 #ifdef CONFIG_NL80211_TESTMODE
16804 	{
16805 		.cmd = NL80211_CMD_TESTMODE,
16806 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16807 		.doit = nl80211_testmode_do,
16808 		.dumpit = nl80211_testmode_dump,
16809 		.flags = GENL_UNS_ADMIN_PERM,
16810 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16811 	},
16812 #endif
16813 	{
16814 		.cmd = NL80211_CMD_CONNECT,
16815 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16816 		.doit = nl80211_connect,
16817 		.flags = GENL_UNS_ADMIN_PERM,
16818 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16819 					 NL80211_FLAG_CLEAR_SKB),
16820 	},
16821 	{
16822 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
16823 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16824 		.doit = nl80211_update_connect_params,
16825 		.flags = GENL_ADMIN_PERM,
16826 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16827 					 NL80211_FLAG_CLEAR_SKB),
16828 	},
16829 	{
16830 		.cmd = NL80211_CMD_DISCONNECT,
16831 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16832 		.doit = nl80211_disconnect,
16833 		.flags = GENL_UNS_ADMIN_PERM,
16834 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16835 	},
16836 	{
16837 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
16838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16839 		.doit = nl80211_wiphy_netns,
16840 		.flags = GENL_UNS_ADMIN_PERM,
16841 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16842 					 NL80211_FLAG_NEED_RTNL |
16843 					 NL80211_FLAG_NO_WIPHY_MTX),
16844 	},
16845 	{
16846 		.cmd = NL80211_CMD_GET_SURVEY,
16847 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16848 		.dumpit = nl80211_dump_survey,
16849 	},
16850 	{
16851 		.cmd = NL80211_CMD_SET_PMKSA,
16852 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16853 		.doit = nl80211_setdel_pmksa,
16854 		.flags = GENL_UNS_ADMIN_PERM,
16855 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16856 					 NL80211_FLAG_CLEAR_SKB),
16857 	},
16858 	{
16859 		.cmd = NL80211_CMD_DEL_PMKSA,
16860 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16861 		.doit = nl80211_setdel_pmksa,
16862 		.flags = GENL_UNS_ADMIN_PERM,
16863 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16864 	},
16865 	{
16866 		.cmd = NL80211_CMD_FLUSH_PMKSA,
16867 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16868 		.doit = nl80211_flush_pmksa,
16869 		.flags = GENL_UNS_ADMIN_PERM,
16870 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16871 	},
16872 	{
16873 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
16874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16875 		.doit = nl80211_remain_on_channel,
16876 		.flags = GENL_UNS_ADMIN_PERM,
16877 		/* FIXME: requiring a link ID here is probably not good */
16878 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16879 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16880 	},
16881 	{
16882 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16883 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16884 		.doit = nl80211_cancel_remain_on_channel,
16885 		.flags = GENL_UNS_ADMIN_PERM,
16886 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16887 	},
16888 	{
16889 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
16890 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16891 		.doit = nl80211_set_tx_bitrate_mask,
16892 		.flags = GENL_UNS_ADMIN_PERM,
16893 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16894 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16895 	},
16896 	{
16897 		.cmd = NL80211_CMD_REGISTER_FRAME,
16898 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16899 		.doit = nl80211_register_mgmt,
16900 		.flags = GENL_UNS_ADMIN_PERM,
16901 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16902 	},
16903 	{
16904 		.cmd = NL80211_CMD_FRAME,
16905 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16906 		.doit = nl80211_tx_mgmt,
16907 		.flags = GENL_UNS_ADMIN_PERM,
16908 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16909 	},
16910 	{
16911 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
16912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16913 		.doit = nl80211_tx_mgmt_cancel_wait,
16914 		.flags = GENL_UNS_ADMIN_PERM,
16915 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16916 	},
16917 	{
16918 		.cmd = NL80211_CMD_SET_POWER_SAVE,
16919 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16920 		.doit = nl80211_set_power_save,
16921 		.flags = GENL_UNS_ADMIN_PERM,
16922 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16923 	},
16924 	{
16925 		.cmd = NL80211_CMD_GET_POWER_SAVE,
16926 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16927 		.doit = nl80211_get_power_save,
16928 		/* can be retrieved by unprivileged users */
16929 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16930 	},
16931 	{
16932 		.cmd = NL80211_CMD_SET_CQM,
16933 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16934 		.doit = nl80211_set_cqm,
16935 		.flags = GENL_UNS_ADMIN_PERM,
16936 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16937 	},
16938 	{
16939 		.cmd = NL80211_CMD_SET_CHANNEL,
16940 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16941 		.doit = nl80211_set_channel,
16942 		.flags = GENL_UNS_ADMIN_PERM,
16943 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16944 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16945 	},
16946 	{
16947 		.cmd = NL80211_CMD_JOIN_MESH,
16948 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16949 		.doit = nl80211_join_mesh,
16950 		.flags = GENL_UNS_ADMIN_PERM,
16951 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16952 	},
16953 	{
16954 		.cmd = NL80211_CMD_LEAVE_MESH,
16955 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16956 		.doit = nl80211_leave_mesh,
16957 		.flags = GENL_UNS_ADMIN_PERM,
16958 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16959 	},
16960 	{
16961 		.cmd = NL80211_CMD_JOIN_OCB,
16962 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16963 		.doit = nl80211_join_ocb,
16964 		.flags = GENL_UNS_ADMIN_PERM,
16965 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16966 	},
16967 	{
16968 		.cmd = NL80211_CMD_LEAVE_OCB,
16969 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16970 		.doit = nl80211_leave_ocb,
16971 		.flags = GENL_UNS_ADMIN_PERM,
16972 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16973 	},
16974 #ifdef CONFIG_PM
16975 	{
16976 		.cmd = NL80211_CMD_GET_WOWLAN,
16977 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16978 		.doit = nl80211_get_wowlan,
16979 		/* can be retrieved by unprivileged users */
16980 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16981 	},
16982 	{
16983 		.cmd = NL80211_CMD_SET_WOWLAN,
16984 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16985 		.doit = nl80211_set_wowlan,
16986 		.flags = GENL_UNS_ADMIN_PERM,
16987 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16988 	},
16989 #endif
16990 	{
16991 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
16992 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16993 		.doit = nl80211_set_rekey_data,
16994 		.flags = GENL_UNS_ADMIN_PERM,
16995 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16996 					 NL80211_FLAG_CLEAR_SKB),
16997 	},
16998 	{
16999 		.cmd = NL80211_CMD_TDLS_MGMT,
17000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17001 		.doit = nl80211_tdls_mgmt,
17002 		.flags = GENL_UNS_ADMIN_PERM,
17003 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17004 	},
17005 	{
17006 		.cmd = NL80211_CMD_TDLS_OPER,
17007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17008 		.doit = nl80211_tdls_oper,
17009 		.flags = GENL_UNS_ADMIN_PERM,
17010 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17011 	},
17012 	{
17013 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17014 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17015 		.doit = nl80211_register_unexpected_frame,
17016 		.flags = GENL_UNS_ADMIN_PERM,
17017 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17018 	},
17019 	{
17020 		.cmd = NL80211_CMD_PROBE_CLIENT,
17021 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17022 		.doit = nl80211_probe_client,
17023 		.flags = GENL_UNS_ADMIN_PERM,
17024 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17025 	},
17026 	{
17027 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17028 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17029 		.doit = nl80211_register_beacons,
17030 		.flags = GENL_UNS_ADMIN_PERM,
17031 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17032 	},
17033 	{
17034 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17035 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17036 		.doit = nl80211_set_noack_map,
17037 		.flags = GENL_UNS_ADMIN_PERM,
17038 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17039 	},
17040 	{
17041 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17042 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17043 		.doit = nl80211_start_p2p_device,
17044 		.flags = GENL_UNS_ADMIN_PERM,
17045 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17046 					 NL80211_FLAG_NEED_RTNL),
17047 	},
17048 	{
17049 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17050 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17051 		.doit = nl80211_stop_p2p_device,
17052 		.flags = GENL_UNS_ADMIN_PERM,
17053 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17054 					 NL80211_FLAG_NEED_RTNL),
17055 	},
17056 	{
17057 		.cmd = NL80211_CMD_START_NAN,
17058 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17059 		.doit = nl80211_start_nan,
17060 		.flags = GENL_ADMIN_PERM,
17061 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17062 					 NL80211_FLAG_NEED_RTNL),
17063 	},
17064 	{
17065 		.cmd = NL80211_CMD_STOP_NAN,
17066 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17067 		.doit = nl80211_stop_nan,
17068 		.flags = GENL_ADMIN_PERM,
17069 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17070 					 NL80211_FLAG_NEED_RTNL),
17071 	},
17072 	{
17073 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17074 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17075 		.doit = nl80211_nan_add_func,
17076 		.flags = GENL_ADMIN_PERM,
17077 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17078 	},
17079 	{
17080 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17081 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17082 		.doit = nl80211_nan_del_func,
17083 		.flags = GENL_ADMIN_PERM,
17084 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17085 	},
17086 	{
17087 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17088 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17089 		.doit = nl80211_nan_change_config,
17090 		.flags = GENL_ADMIN_PERM,
17091 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17092 	},
17093 	{
17094 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17096 		.doit = nl80211_set_mcast_rate,
17097 		.flags = GENL_UNS_ADMIN_PERM,
17098 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17099 	},
17100 	{
17101 		.cmd = NL80211_CMD_SET_MAC_ACL,
17102 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17103 		.doit = nl80211_set_mac_acl,
17104 		.flags = GENL_UNS_ADMIN_PERM,
17105 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17106 					 NL80211_FLAG_MLO_UNSUPPORTED),
17107 	},
17108 	{
17109 		.cmd = NL80211_CMD_RADAR_DETECT,
17110 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17111 		.doit = nl80211_start_radar_detection,
17112 		.flags = GENL_UNS_ADMIN_PERM,
17113 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17114 					 NL80211_FLAG_NO_WIPHY_MTX |
17115 					 NL80211_FLAG_MLO_UNSUPPORTED),
17116 	},
17117 	{
17118 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17120 		.doit = nl80211_get_protocol_features,
17121 	},
17122 	{
17123 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17124 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17125 		.doit = nl80211_update_ft_ies,
17126 		.flags = GENL_UNS_ADMIN_PERM,
17127 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17128 	},
17129 	{
17130 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17131 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17132 		.doit = nl80211_crit_protocol_start,
17133 		.flags = GENL_UNS_ADMIN_PERM,
17134 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17135 	},
17136 	{
17137 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17138 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17139 		.doit = nl80211_crit_protocol_stop,
17140 		.flags = GENL_UNS_ADMIN_PERM,
17141 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17142 	},
17143 	{
17144 		.cmd = NL80211_CMD_GET_COALESCE,
17145 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17146 		.doit = nl80211_get_coalesce,
17147 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17148 	},
17149 	{
17150 		.cmd = NL80211_CMD_SET_COALESCE,
17151 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17152 		.doit = nl80211_set_coalesce,
17153 		.flags = GENL_UNS_ADMIN_PERM,
17154 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17155 	},
17156 	{
17157 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17158 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17159 		.doit = nl80211_channel_switch,
17160 		.flags = GENL_UNS_ADMIN_PERM,
17161 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17162 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17163 	},
17164 	{
17165 		.cmd = NL80211_CMD_VENDOR,
17166 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17167 		.doit = nl80211_vendor_cmd,
17168 		.dumpit = nl80211_vendor_cmd_dump,
17169 		.flags = GENL_UNS_ADMIN_PERM,
17170 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17171 					 NL80211_FLAG_CLEAR_SKB),
17172 	},
17173 	{
17174 		.cmd = NL80211_CMD_SET_QOS_MAP,
17175 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17176 		.doit = nl80211_set_qos_map,
17177 		.flags = GENL_UNS_ADMIN_PERM,
17178 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17179 	},
17180 	{
17181 		.cmd = NL80211_CMD_ADD_TX_TS,
17182 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17183 		.doit = nl80211_add_tx_ts,
17184 		.flags = GENL_UNS_ADMIN_PERM,
17185 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17186 					 NL80211_FLAG_MLO_UNSUPPORTED),
17187 	},
17188 	{
17189 		.cmd = NL80211_CMD_DEL_TX_TS,
17190 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17191 		.doit = nl80211_del_tx_ts,
17192 		.flags = GENL_UNS_ADMIN_PERM,
17193 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17194 	},
17195 	{
17196 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17197 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17198 		.doit = nl80211_tdls_channel_switch,
17199 		.flags = GENL_UNS_ADMIN_PERM,
17200 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17201 	},
17202 	{
17203 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17204 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17205 		.doit = nl80211_tdls_cancel_channel_switch,
17206 		.flags = GENL_UNS_ADMIN_PERM,
17207 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17208 	},
17209 	{
17210 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17211 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17212 		.doit = nl80211_set_multicast_to_unicast,
17213 		.flags = GENL_UNS_ADMIN_PERM,
17214 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17215 	},
17216 	{
17217 		.cmd = NL80211_CMD_SET_PMK,
17218 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17219 		.doit = nl80211_set_pmk,
17220 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17221 					 NL80211_FLAG_CLEAR_SKB),
17222 	},
17223 	{
17224 		.cmd = NL80211_CMD_DEL_PMK,
17225 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17226 		.doit = nl80211_del_pmk,
17227 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17228 	},
17229 	{
17230 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17231 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17232 		.doit = nl80211_external_auth,
17233 		.flags = GENL_ADMIN_PERM,
17234 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17235 	},
17236 	{
17237 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17238 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17239 		.doit = nl80211_tx_control_port,
17240 		.flags = GENL_UNS_ADMIN_PERM,
17241 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17242 	},
17243 	{
17244 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17245 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17246 		.doit = nl80211_get_ftm_responder_stats,
17247 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17248 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17249 	},
17250 	{
17251 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17253 		.doit = nl80211_pmsr_start,
17254 		.flags = GENL_UNS_ADMIN_PERM,
17255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17256 	},
17257 	{
17258 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17260 		.doit = nl80211_notify_radar_detection,
17261 		.flags = GENL_UNS_ADMIN_PERM,
17262 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17263 	},
17264 	{
17265 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17266 		.doit = nl80211_update_owe_info,
17267 		.flags = GENL_ADMIN_PERM,
17268 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17269 	},
17270 	{
17271 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17272 		.doit = nl80211_probe_mesh_link,
17273 		.flags = GENL_UNS_ADMIN_PERM,
17274 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17275 	},
17276 	{
17277 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17278 		.doit = nl80211_set_tid_config,
17279 		.flags = GENL_UNS_ADMIN_PERM,
17280 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17281 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17282 	},
17283 	{
17284 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17285 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17286 		.doit = nl80211_set_sar_specs,
17287 		.flags = GENL_UNS_ADMIN_PERM,
17288 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17289 					 NL80211_FLAG_NEED_RTNL),
17290 	},
17291 	{
17292 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17293 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17294 		.doit = nl80211_color_change,
17295 		.flags = GENL_UNS_ADMIN_PERM,
17296 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17297 	},
17298 	{
17299 		.cmd = NL80211_CMD_SET_FILS_AAD,
17300 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17301 		.doit = nl80211_set_fils_aad,
17302 		.flags = GENL_UNS_ADMIN_PERM,
17303 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17304 	},
17305 	{
17306 		.cmd = NL80211_CMD_ADD_LINK,
17307 		.doit = nl80211_add_link,
17308 		.flags = GENL_UNS_ADMIN_PERM,
17309 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17310 	},
17311 	{
17312 		.cmd = NL80211_CMD_REMOVE_LINK,
17313 		.doit = nl80211_remove_link,
17314 		.flags = GENL_UNS_ADMIN_PERM,
17315 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17316 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17317 	},
17318 	{
17319 		.cmd = NL80211_CMD_ADD_LINK_STA,
17320 		.doit = nl80211_add_link_station,
17321 		.flags = GENL_UNS_ADMIN_PERM,
17322 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17323 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17324 	},
17325 	{
17326 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17327 		.doit = nl80211_modify_link_station,
17328 		.flags = GENL_UNS_ADMIN_PERM,
17329 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17330 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17331 	},
17332 	{
17333 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17334 		.doit = nl80211_remove_link_station,
17335 		.flags = GENL_UNS_ADMIN_PERM,
17336 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17337 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17338 	},
17339 };
17340 
17341 static struct genl_family nl80211_fam __ro_after_init = {
17342 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17343 	.hdrsize = 0,			/* no private header */
17344 	.version = 1,			/* no particular meaning now */
17345 	.maxattr = NL80211_ATTR_MAX,
17346 	.policy = nl80211_policy,
17347 	.netnsok = true,
17348 	.pre_doit = nl80211_pre_doit,
17349 	.post_doit = nl80211_post_doit,
17350 	.module = THIS_MODULE,
17351 	.ops = nl80211_ops,
17352 	.n_ops = ARRAY_SIZE(nl80211_ops),
17353 	.small_ops = nl80211_small_ops,
17354 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17355 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17356 	.mcgrps = nl80211_mcgrps,
17357 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17358 	.parallel_ops = true,
17359 };
17360 
17361 /* notification functions */
17362 
17363 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17364 			  enum nl80211_commands cmd)
17365 {
17366 	struct sk_buff *msg;
17367 	struct nl80211_dump_wiphy_state state = {};
17368 
17369 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17370 		cmd != NL80211_CMD_DEL_WIPHY);
17371 
17372 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17373 	if (!msg)
17374 		return;
17375 
17376 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17377 		nlmsg_free(msg);
17378 		return;
17379 	}
17380 
17381 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17382 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17383 }
17384 
17385 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17386 				struct wireless_dev *wdev,
17387 				enum nl80211_commands cmd)
17388 {
17389 	struct sk_buff *msg;
17390 
17391 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17392 	if (!msg)
17393 		return;
17394 
17395 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17396 		nlmsg_free(msg);
17397 		return;
17398 	}
17399 
17400 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17401 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17402 }
17403 
17404 static int nl80211_add_scan_req(struct sk_buff *msg,
17405 				struct cfg80211_registered_device *rdev)
17406 {
17407 	struct cfg80211_scan_request *req = rdev->scan_req;
17408 	struct nlattr *nest;
17409 	int i;
17410 	struct cfg80211_scan_info *info;
17411 
17412 	if (WARN_ON(!req))
17413 		return 0;
17414 
17415 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17416 	if (!nest)
17417 		goto nla_put_failure;
17418 	for (i = 0; i < req->n_ssids; i++) {
17419 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17420 			goto nla_put_failure;
17421 	}
17422 	nla_nest_end(msg, nest);
17423 
17424 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17425 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17426 		if (!nest)
17427 			goto nla_put_failure;
17428 		for (i = 0; i < req->n_channels; i++) {
17429 			if (nla_put_u32(msg, i,
17430 				   ieee80211_channel_to_khz(req->channels[i])))
17431 				goto nla_put_failure;
17432 		}
17433 		nla_nest_end(msg, nest);
17434 	} else {
17435 		nest = nla_nest_start_noflag(msg,
17436 					     NL80211_ATTR_SCAN_FREQUENCIES);
17437 		if (!nest)
17438 			goto nla_put_failure;
17439 		for (i = 0; i < req->n_channels; i++) {
17440 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17441 				goto nla_put_failure;
17442 		}
17443 		nla_nest_end(msg, nest);
17444 	}
17445 
17446 	if (req->ie &&
17447 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17448 		goto nla_put_failure;
17449 
17450 	if (req->flags &&
17451 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17452 		goto nla_put_failure;
17453 
17454 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17455 		&rdev->scan_req->info;
17456 	if (info->scan_start_tsf &&
17457 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17458 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17459 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17460 		     info->tsf_bssid)))
17461 		goto nla_put_failure;
17462 
17463 	return 0;
17464  nla_put_failure:
17465 	return -ENOBUFS;
17466 }
17467 
17468 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17469 				 struct cfg80211_registered_device *rdev,
17470 				 struct wireless_dev *wdev,
17471 				 u32 portid, u32 seq, int flags,
17472 				 u32 cmd)
17473 {
17474 	void *hdr;
17475 
17476 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17477 	if (!hdr)
17478 		return -1;
17479 
17480 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17481 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17482 					 wdev->netdev->ifindex)) ||
17483 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17484 			      NL80211_ATTR_PAD))
17485 		goto nla_put_failure;
17486 
17487 	/* ignore errors and send incomplete event anyway */
17488 	nl80211_add_scan_req(msg, rdev);
17489 
17490 	genlmsg_end(msg, hdr);
17491 	return 0;
17492 
17493  nla_put_failure:
17494 	genlmsg_cancel(msg, hdr);
17495 	return -EMSGSIZE;
17496 }
17497 
17498 static int
17499 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17500 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17501 {
17502 	void *hdr;
17503 
17504 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17505 	if (!hdr)
17506 		return -1;
17507 
17508 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17509 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17510 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17511 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17512 			      NL80211_ATTR_PAD))
17513 		goto nla_put_failure;
17514 
17515 	genlmsg_end(msg, hdr);
17516 	return 0;
17517 
17518  nla_put_failure:
17519 	genlmsg_cancel(msg, hdr);
17520 	return -EMSGSIZE;
17521 }
17522 
17523 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17524 			     struct wireless_dev *wdev)
17525 {
17526 	struct sk_buff *msg;
17527 
17528 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17529 	if (!msg)
17530 		return;
17531 
17532 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17533 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17534 		nlmsg_free(msg);
17535 		return;
17536 	}
17537 
17538 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17539 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17540 }
17541 
17542 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17543 				       struct wireless_dev *wdev, bool aborted)
17544 {
17545 	struct sk_buff *msg;
17546 
17547 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17548 	if (!msg)
17549 		return NULL;
17550 
17551 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17552 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17553 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17554 		nlmsg_free(msg);
17555 		return NULL;
17556 	}
17557 
17558 	return msg;
17559 }
17560 
17561 /* send message created by nl80211_build_scan_msg() */
17562 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17563 			   struct sk_buff *msg)
17564 {
17565 	if (!msg)
17566 		return;
17567 
17568 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17569 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17570 }
17571 
17572 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17573 {
17574 	struct sk_buff *msg;
17575 
17576 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17577 	if (!msg)
17578 		return;
17579 
17580 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17581 		nlmsg_free(msg);
17582 		return;
17583 	}
17584 
17585 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17586 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17587 }
17588 
17589 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17590 					  struct regulatory_request *request)
17591 {
17592 	/* Userspace can always count this one always being set */
17593 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17594 		goto nla_put_failure;
17595 
17596 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17597 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17598 			       NL80211_REGDOM_TYPE_WORLD))
17599 			goto nla_put_failure;
17600 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17601 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17602 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17603 			goto nla_put_failure;
17604 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17605 		   request->intersect) {
17606 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17607 			       NL80211_REGDOM_TYPE_INTERSECTION))
17608 			goto nla_put_failure;
17609 	} else {
17610 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17611 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17612 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17613 				   request->alpha2))
17614 			goto nla_put_failure;
17615 	}
17616 
17617 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17618 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17619 
17620 		if (wiphy &&
17621 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17622 			goto nla_put_failure;
17623 
17624 		if (wiphy &&
17625 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17626 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17627 			goto nla_put_failure;
17628 	}
17629 
17630 	return true;
17631 
17632 nla_put_failure:
17633 	return false;
17634 }
17635 
17636 /*
17637  * This can happen on global regulatory changes or device specific settings
17638  * based on custom regulatory domains.
17639  */
17640 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17641 				     struct regulatory_request *request)
17642 {
17643 	struct sk_buff *msg;
17644 	void *hdr;
17645 
17646 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17647 	if (!msg)
17648 		return;
17649 
17650 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17651 	if (!hdr)
17652 		goto nla_put_failure;
17653 
17654 	if (!nl80211_reg_change_event_fill(msg, request))
17655 		goto nla_put_failure;
17656 
17657 	genlmsg_end(msg, hdr);
17658 
17659 	rcu_read_lock();
17660 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17661 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17662 	rcu_read_unlock();
17663 
17664 	return;
17665 
17666 nla_put_failure:
17667 	nlmsg_free(msg);
17668 }
17669 
17670 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17671 				    struct net_device *netdev,
17672 				    const u8 *buf, size_t len,
17673 				    enum nl80211_commands cmd, gfp_t gfp,
17674 				    int uapsd_queues, const u8 *req_ies,
17675 				    size_t req_ies_len, bool reconnect)
17676 {
17677 	struct sk_buff *msg;
17678 	void *hdr;
17679 
17680 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17681 	if (!msg)
17682 		return;
17683 
17684 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17685 	if (!hdr) {
17686 		nlmsg_free(msg);
17687 		return;
17688 	}
17689 
17690 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17691 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17692 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17693 	    (req_ies &&
17694 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17695 		goto nla_put_failure;
17696 
17697 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17698 		goto nla_put_failure;
17699 
17700 	if (uapsd_queues >= 0) {
17701 		struct nlattr *nla_wmm =
17702 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17703 		if (!nla_wmm)
17704 			goto nla_put_failure;
17705 
17706 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17707 			       uapsd_queues))
17708 			goto nla_put_failure;
17709 
17710 		nla_nest_end(msg, nla_wmm);
17711 	}
17712 
17713 	genlmsg_end(msg, hdr);
17714 
17715 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17716 				NL80211_MCGRP_MLME, gfp);
17717 	return;
17718 
17719  nla_put_failure:
17720 	nlmsg_free(msg);
17721 }
17722 
17723 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17724 			  struct net_device *netdev, const u8 *buf,
17725 			  size_t len, gfp_t gfp)
17726 {
17727 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17728 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17729 				false);
17730 }
17731 
17732 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17733 			   struct net_device *netdev,
17734 			   struct cfg80211_rx_assoc_resp *data)
17735 {
17736 	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17737 				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17738 				data->uapsd_queues,
17739 				data->req_ies, data->req_ies_len, false);
17740 }
17741 
17742 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17743 			 struct net_device *netdev, const u8 *buf,
17744 			 size_t len, bool reconnect, gfp_t gfp)
17745 {
17746 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17747 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17748 				reconnect);
17749 }
17750 
17751 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17752 			   struct net_device *netdev, const u8 *buf,
17753 			   size_t len, bool reconnect, gfp_t gfp)
17754 {
17755 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17756 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17757 				reconnect);
17758 }
17759 
17760 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17761 				  size_t len)
17762 {
17763 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17764 	struct wiphy *wiphy = wdev->wiphy;
17765 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17766 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17767 	u32 cmd;
17768 
17769 	if (WARN_ON(len < 2))
17770 		return;
17771 
17772 	if (ieee80211_is_deauth(mgmt->frame_control)) {
17773 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17774 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17775 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17776 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17777 		if (wdev->unprot_beacon_reported &&
17778 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17779 			return;
17780 		cmd = NL80211_CMD_UNPROT_BEACON;
17781 		wdev->unprot_beacon_reported = jiffies;
17782 	} else {
17783 		return;
17784 	}
17785 
17786 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17787 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17788 				NULL, 0, false);
17789 }
17790 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17791 
17792 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
17793 				      struct net_device *netdev, int cmd,
17794 				      const u8 *addr, gfp_t gfp)
17795 {
17796 	struct sk_buff *msg;
17797 	void *hdr;
17798 
17799 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17800 	if (!msg)
17801 		return;
17802 
17803 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17804 	if (!hdr) {
17805 		nlmsg_free(msg);
17806 		return;
17807 	}
17808 
17809 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17810 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17811 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17812 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17813 		goto nla_put_failure;
17814 
17815 	genlmsg_end(msg, hdr);
17816 
17817 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17818 				NL80211_MCGRP_MLME, gfp);
17819 	return;
17820 
17821  nla_put_failure:
17822 	nlmsg_free(msg);
17823 }
17824 
17825 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
17826 			       struct net_device *netdev, const u8 *addr,
17827 			       gfp_t gfp)
17828 {
17829 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
17830 				  addr, gfp);
17831 }
17832 
17833 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
17834 				struct net_device *netdev, const u8 *addr,
17835 				gfp_t gfp)
17836 {
17837 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
17838 				  addr, gfp);
17839 }
17840 
17841 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
17842 				 struct net_device *netdev,
17843 				 struct cfg80211_connect_resp_params *cr,
17844 				 gfp_t gfp)
17845 {
17846 	struct sk_buff *msg;
17847 	void *hdr;
17848 	unsigned int link;
17849 	size_t link_info_size = 0;
17850 	const u8 *connected_addr = cr->valid_links ?
17851 				   cr->ap_mld_addr : cr->links[0].bssid;
17852 
17853 	if (cr->valid_links) {
17854 		for_each_valid_link(cr, link) {
17855 			/* Nested attribute header */
17856 			link_info_size += NLA_HDRLEN;
17857 			/* Link ID */
17858 			link_info_size += nla_total_size(sizeof(u8));
17859 			link_info_size += cr->links[link].addr ?
17860 					  nla_total_size(ETH_ALEN) : 0;
17861 			link_info_size += (cr->links[link].bssid ||
17862 					   cr->links[link].bss) ?
17863 					  nla_total_size(ETH_ALEN) : 0;
17864 			link_info_size += nla_total_size(sizeof(u16));
17865 		}
17866 	}
17867 
17868 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
17869 			cr->fils.kek_len + cr->fils.pmk_len +
17870 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
17871 			gfp);
17872 	if (!msg)
17873 		return;
17874 
17875 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
17876 	if (!hdr) {
17877 		nlmsg_free(msg);
17878 		return;
17879 	}
17880 
17881 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17882 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17883 	    (connected_addr &&
17884 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
17885 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
17886 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
17887 			cr->status) ||
17888 	    (cr->status < 0 &&
17889 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17890 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
17891 			  cr->timeout_reason))) ||
17892 	    (cr->req_ie &&
17893 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
17894 	    (cr->resp_ie &&
17895 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
17896 		     cr->resp_ie)) ||
17897 	    (cr->fils.update_erp_next_seq_num &&
17898 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
17899 			 cr->fils.erp_next_seq_num)) ||
17900 	    (cr->status == WLAN_STATUS_SUCCESS &&
17901 	     ((cr->fils.kek &&
17902 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
17903 		       cr->fils.kek)) ||
17904 	      (cr->fils.pmk &&
17905 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
17906 	      (cr->fils.pmkid &&
17907 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
17908 		goto nla_put_failure;
17909 
17910 	if (cr->valid_links) {
17911 		int i = 1;
17912 		struct nlattr *nested;
17913 
17914 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
17915 		if (!nested)
17916 			goto nla_put_failure;
17917 
17918 		for_each_valid_link(cr, link) {
17919 			struct nlattr *nested_mlo_links;
17920 			const u8 *bssid = cr->links[link].bss ?
17921 					  cr->links[link].bss->bssid :
17922 					  cr->links[link].bssid;
17923 
17924 			nested_mlo_links = nla_nest_start(msg, i);
17925 			if (!nested_mlo_links)
17926 				goto nla_put_failure;
17927 
17928 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
17929 			    (bssid &&
17930 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
17931 			    (cr->links[link].addr &&
17932 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
17933 				     cr->links[link].addr)) ||
17934 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
17935 					cr->links[link].status))
17936 				goto nla_put_failure;
17937 
17938 			nla_nest_end(msg, nested_mlo_links);
17939 			i++;
17940 		}
17941 		nla_nest_end(msg, nested);
17942 	}
17943 
17944 	genlmsg_end(msg, hdr);
17945 
17946 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17947 				NL80211_MCGRP_MLME, gfp);
17948 	return;
17949 
17950  nla_put_failure:
17951 	nlmsg_free(msg);
17952 }
17953 
17954 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
17955 			 struct net_device *netdev,
17956 			 struct cfg80211_roam_info *info, gfp_t gfp)
17957 {
17958 	struct sk_buff *msg;
17959 	void *hdr;
17960 	size_t link_info_size = 0;
17961 	unsigned int link;
17962 	const u8 *connected_addr = info->ap_mld_addr ?
17963 				   info->ap_mld_addr :
17964 				   (info->links[0].bss ?
17965 				    info->links[0].bss->bssid :
17966 				    info->links[0].bssid);
17967 
17968 	if (info->valid_links) {
17969 		for_each_valid_link(info, link) {
17970 			/* Nested attribute header */
17971 			link_info_size += NLA_HDRLEN;
17972 			/* Link ID */
17973 			link_info_size += nla_total_size(sizeof(u8));
17974 			link_info_size += info->links[link].addr ?
17975 					  nla_total_size(ETH_ALEN) : 0;
17976 			link_info_size += (info->links[link].bssid ||
17977 					   info->links[link].bss) ?
17978 					  nla_total_size(ETH_ALEN) : 0;
17979 		}
17980 	}
17981 
17982 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
17983 			info->fils.kek_len + info->fils.pmk_len +
17984 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
17985 			link_info_size, gfp);
17986 	if (!msg)
17987 		return;
17988 
17989 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
17990 	if (!hdr) {
17991 		nlmsg_free(msg);
17992 		return;
17993 	}
17994 
17995 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17996 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17997 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
17998 	    (info->req_ie &&
17999 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18000 		     info->req_ie)) ||
18001 	    (info->resp_ie &&
18002 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18003 		     info->resp_ie)) ||
18004 	    (info->fils.update_erp_next_seq_num &&
18005 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18006 			 info->fils.erp_next_seq_num)) ||
18007 	    (info->fils.kek &&
18008 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18009 		     info->fils.kek)) ||
18010 	    (info->fils.pmk &&
18011 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18012 	    (info->fils.pmkid &&
18013 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18014 		goto nla_put_failure;
18015 
18016 	if (info->valid_links) {
18017 		int i = 1;
18018 		struct nlattr *nested;
18019 
18020 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18021 		if (!nested)
18022 			goto nla_put_failure;
18023 
18024 		for_each_valid_link(info, link) {
18025 			struct nlattr *nested_mlo_links;
18026 			const u8 *bssid = info->links[link].bss ?
18027 					  info->links[link].bss->bssid :
18028 					  info->links[link].bssid;
18029 
18030 			nested_mlo_links = nla_nest_start(msg, i);
18031 			if (!nested_mlo_links)
18032 				goto nla_put_failure;
18033 
18034 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18035 			    (bssid &&
18036 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18037 			    (info->links[link].addr &&
18038 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18039 				     info->links[link].addr)))
18040 				goto nla_put_failure;
18041 
18042 			nla_nest_end(msg, nested_mlo_links);
18043 			i++;
18044 		}
18045 		nla_nest_end(msg, nested);
18046 	}
18047 
18048 	genlmsg_end(msg, hdr);
18049 
18050 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18051 				NL80211_MCGRP_MLME, gfp);
18052 	return;
18053 
18054  nla_put_failure:
18055 	nlmsg_free(msg);
18056 }
18057 
18058 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18059 				  struct net_device *netdev, const u8 *bssid,
18060 				  const u8 *td_bitmap, u8 td_bitmap_len)
18061 {
18062 	struct sk_buff *msg;
18063 	void *hdr;
18064 
18065 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18066 	if (!msg)
18067 		return;
18068 
18069 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18070 	if (!hdr) {
18071 		nlmsg_free(msg);
18072 		return;
18073 	}
18074 
18075 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18076 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18077 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18078 		goto nla_put_failure;
18079 
18080 	if ((td_bitmap_len > 0) && td_bitmap)
18081 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18082 			    td_bitmap_len, td_bitmap))
18083 			goto nla_put_failure;
18084 
18085 	genlmsg_end(msg, hdr);
18086 
18087 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18088 				NL80211_MCGRP_MLME, GFP_KERNEL);
18089 	return;
18090 
18091  nla_put_failure:
18092 	nlmsg_free(msg);
18093 }
18094 
18095 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18096 			       struct net_device *netdev, u16 reason,
18097 			       const u8 *ie, size_t ie_len, bool from_ap)
18098 {
18099 	struct sk_buff *msg;
18100 	void *hdr;
18101 
18102 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18103 	if (!msg)
18104 		return;
18105 
18106 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18107 	if (!hdr) {
18108 		nlmsg_free(msg);
18109 		return;
18110 	}
18111 
18112 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18113 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18114 	    (reason &&
18115 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18116 	    (from_ap &&
18117 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18118 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18119 		goto nla_put_failure;
18120 
18121 	genlmsg_end(msg, hdr);
18122 
18123 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18124 				NL80211_MCGRP_MLME, GFP_KERNEL);
18125 	return;
18126 
18127  nla_put_failure:
18128 	nlmsg_free(msg);
18129 }
18130 
18131 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18132 			     struct net_device *netdev, const u8 *bssid,
18133 			     gfp_t gfp)
18134 {
18135 	struct sk_buff *msg;
18136 	void *hdr;
18137 
18138 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18139 	if (!msg)
18140 		return;
18141 
18142 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18143 	if (!hdr) {
18144 		nlmsg_free(msg);
18145 		return;
18146 	}
18147 
18148 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18149 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18150 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18151 		goto nla_put_failure;
18152 
18153 	genlmsg_end(msg, hdr);
18154 
18155 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18156 				NL80211_MCGRP_MLME, gfp);
18157 	return;
18158 
18159  nla_put_failure:
18160 	nlmsg_free(msg);
18161 }
18162 
18163 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18164 					const u8 *ie, u8 ie_len,
18165 					int sig_dbm, gfp_t gfp)
18166 {
18167 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18168 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18169 	struct sk_buff *msg;
18170 	void *hdr;
18171 
18172 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18173 		return;
18174 
18175 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18176 
18177 	msg = nlmsg_new(100 + ie_len, gfp);
18178 	if (!msg)
18179 		return;
18180 
18181 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18182 	if (!hdr) {
18183 		nlmsg_free(msg);
18184 		return;
18185 	}
18186 
18187 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18188 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18189 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18190 	    (ie_len && ie &&
18191 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18192 	    (sig_dbm &&
18193 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18194 		goto nla_put_failure;
18195 
18196 	genlmsg_end(msg, hdr);
18197 
18198 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18199 				NL80211_MCGRP_MLME, gfp);
18200 	return;
18201 
18202  nla_put_failure:
18203 	nlmsg_free(msg);
18204 }
18205 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18206 
18207 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18208 				 struct net_device *netdev, const u8 *addr,
18209 				 enum nl80211_key_type key_type, int key_id,
18210 				 const u8 *tsc, gfp_t gfp)
18211 {
18212 	struct sk_buff *msg;
18213 	void *hdr;
18214 
18215 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18216 	if (!msg)
18217 		return;
18218 
18219 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18220 	if (!hdr) {
18221 		nlmsg_free(msg);
18222 		return;
18223 	}
18224 
18225 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18226 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18227 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18228 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18229 	    (key_id != -1 &&
18230 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18231 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18232 		goto nla_put_failure;
18233 
18234 	genlmsg_end(msg, hdr);
18235 
18236 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18237 				NL80211_MCGRP_MLME, gfp);
18238 	return;
18239 
18240  nla_put_failure:
18241 	nlmsg_free(msg);
18242 }
18243 
18244 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18245 				    struct ieee80211_channel *channel_before,
18246 				    struct ieee80211_channel *channel_after)
18247 {
18248 	struct sk_buff *msg;
18249 	void *hdr;
18250 	struct nlattr *nl_freq;
18251 
18252 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18253 	if (!msg)
18254 		return;
18255 
18256 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18257 	if (!hdr) {
18258 		nlmsg_free(msg);
18259 		return;
18260 	}
18261 
18262 	/*
18263 	 * Since we are applying the beacon hint to a wiphy we know its
18264 	 * wiphy_idx is valid
18265 	 */
18266 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18267 		goto nla_put_failure;
18268 
18269 	/* Before */
18270 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18271 	if (!nl_freq)
18272 		goto nla_put_failure;
18273 
18274 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18275 		goto nla_put_failure;
18276 	nla_nest_end(msg, nl_freq);
18277 
18278 	/* After */
18279 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18280 	if (!nl_freq)
18281 		goto nla_put_failure;
18282 
18283 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18284 		goto nla_put_failure;
18285 	nla_nest_end(msg, nl_freq);
18286 
18287 	genlmsg_end(msg, hdr);
18288 
18289 	rcu_read_lock();
18290 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18291 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18292 	rcu_read_unlock();
18293 
18294 	return;
18295 
18296 nla_put_failure:
18297 	nlmsg_free(msg);
18298 }
18299 
18300 static void nl80211_send_remain_on_chan_event(
18301 	int cmd, struct cfg80211_registered_device *rdev,
18302 	struct wireless_dev *wdev, u64 cookie,
18303 	struct ieee80211_channel *chan,
18304 	unsigned int duration, gfp_t gfp)
18305 {
18306 	struct sk_buff *msg;
18307 	void *hdr;
18308 
18309 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18310 	if (!msg)
18311 		return;
18312 
18313 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18314 	if (!hdr) {
18315 		nlmsg_free(msg);
18316 		return;
18317 	}
18318 
18319 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18320 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18321 					 wdev->netdev->ifindex)) ||
18322 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18323 			      NL80211_ATTR_PAD) ||
18324 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18325 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18326 			NL80211_CHAN_NO_HT) ||
18327 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18328 			      NL80211_ATTR_PAD))
18329 		goto nla_put_failure;
18330 
18331 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18332 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18333 		goto nla_put_failure;
18334 
18335 	genlmsg_end(msg, hdr);
18336 
18337 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18338 				NL80211_MCGRP_MLME, gfp);
18339 	return;
18340 
18341  nla_put_failure:
18342 	nlmsg_free(msg);
18343 }
18344 
18345 void cfg80211_assoc_comeback(struct net_device *netdev,
18346 			     const u8 *ap_addr, u32 timeout)
18347 {
18348 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18349 	struct wiphy *wiphy = wdev->wiphy;
18350 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18351 	struct sk_buff *msg;
18352 	void *hdr;
18353 
18354 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18355 
18356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18357 	if (!msg)
18358 		return;
18359 
18360 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18361 	if (!hdr) {
18362 		nlmsg_free(msg);
18363 		return;
18364 	}
18365 
18366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18367 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18368 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18369 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18370 		goto nla_put_failure;
18371 
18372 	genlmsg_end(msg, hdr);
18373 
18374 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18375 				NL80211_MCGRP_MLME, GFP_KERNEL);
18376 	return;
18377 
18378  nla_put_failure:
18379 	nlmsg_free(msg);
18380 }
18381 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18382 
18383 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18384 			       struct ieee80211_channel *chan,
18385 			       unsigned int duration, gfp_t gfp)
18386 {
18387 	struct wiphy *wiphy = wdev->wiphy;
18388 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18389 
18390 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18391 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18392 					  rdev, wdev, cookie, chan,
18393 					  duration, gfp);
18394 }
18395 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18396 
18397 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18398 					struct ieee80211_channel *chan,
18399 					gfp_t gfp)
18400 {
18401 	struct wiphy *wiphy = wdev->wiphy;
18402 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18403 
18404 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18405 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18406 					  rdev, wdev, cookie, chan, 0, gfp);
18407 }
18408 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18409 
18410 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18411 					struct ieee80211_channel *chan,
18412 					gfp_t gfp)
18413 {
18414 	struct wiphy *wiphy = wdev->wiphy;
18415 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18416 
18417 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18418 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18419 					  rdev, wdev, cookie, chan, 0, gfp);
18420 }
18421 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18422 
18423 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18424 		      struct station_info *sinfo, gfp_t gfp)
18425 {
18426 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18427 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18428 	struct sk_buff *msg;
18429 
18430 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18431 
18432 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18433 	if (!msg)
18434 		return;
18435 
18436 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18437 				 rdev, dev, mac_addr, sinfo) < 0) {
18438 		nlmsg_free(msg);
18439 		return;
18440 	}
18441 
18442 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18443 				NL80211_MCGRP_MLME, gfp);
18444 }
18445 EXPORT_SYMBOL(cfg80211_new_sta);
18446 
18447 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18448 			    struct station_info *sinfo, gfp_t gfp)
18449 {
18450 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18451 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18452 	struct sk_buff *msg;
18453 	struct station_info empty_sinfo = {};
18454 
18455 	if (!sinfo)
18456 		sinfo = &empty_sinfo;
18457 
18458 	trace_cfg80211_del_sta(dev, mac_addr);
18459 
18460 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18461 	if (!msg) {
18462 		cfg80211_sinfo_release_content(sinfo);
18463 		return;
18464 	}
18465 
18466 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18467 				 rdev, dev, mac_addr, sinfo) < 0) {
18468 		nlmsg_free(msg);
18469 		return;
18470 	}
18471 
18472 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18473 				NL80211_MCGRP_MLME, gfp);
18474 }
18475 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18476 
18477 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18478 			  enum nl80211_connect_failed_reason reason,
18479 			  gfp_t gfp)
18480 {
18481 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18482 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18483 	struct sk_buff *msg;
18484 	void *hdr;
18485 
18486 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18487 	if (!msg)
18488 		return;
18489 
18490 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18491 	if (!hdr) {
18492 		nlmsg_free(msg);
18493 		return;
18494 	}
18495 
18496 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18497 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18498 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18499 		goto nla_put_failure;
18500 
18501 	genlmsg_end(msg, hdr);
18502 
18503 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18504 				NL80211_MCGRP_MLME, gfp);
18505 	return;
18506 
18507  nla_put_failure:
18508 	nlmsg_free(msg);
18509 }
18510 EXPORT_SYMBOL(cfg80211_conn_failed);
18511 
18512 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18513 				       const u8 *addr, gfp_t gfp)
18514 {
18515 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18516 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18517 	struct sk_buff *msg;
18518 	void *hdr;
18519 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18520 
18521 	if (!nlportid)
18522 		return false;
18523 
18524 	msg = nlmsg_new(100, gfp);
18525 	if (!msg)
18526 		return true;
18527 
18528 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18529 	if (!hdr) {
18530 		nlmsg_free(msg);
18531 		return true;
18532 	}
18533 
18534 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18535 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18536 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18537 		goto nla_put_failure;
18538 
18539 	genlmsg_end(msg, hdr);
18540 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18541 	return true;
18542 
18543  nla_put_failure:
18544 	nlmsg_free(msg);
18545 	return true;
18546 }
18547 
18548 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18549 				const u8 *addr, gfp_t gfp)
18550 {
18551 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18552 	bool ret;
18553 
18554 	trace_cfg80211_rx_spurious_frame(dev, addr);
18555 
18556 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18557 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18558 		trace_cfg80211_return_bool(false);
18559 		return false;
18560 	}
18561 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18562 					 addr, gfp);
18563 	trace_cfg80211_return_bool(ret);
18564 	return ret;
18565 }
18566 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18567 
18568 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18569 					const u8 *addr, gfp_t gfp)
18570 {
18571 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18572 	bool ret;
18573 
18574 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18575 
18576 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18577 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18578 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18579 		trace_cfg80211_return_bool(false);
18580 		return false;
18581 	}
18582 	ret = __nl80211_unexpected_frame(dev,
18583 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18584 					 addr, gfp);
18585 	trace_cfg80211_return_bool(ret);
18586 	return ret;
18587 }
18588 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18589 
18590 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18591 		      struct wireless_dev *wdev, u32 nlportid,
18592 		      struct cfg80211_rx_info *info, gfp_t gfp)
18593 {
18594 	struct net_device *netdev = wdev->netdev;
18595 	struct sk_buff *msg;
18596 	void *hdr;
18597 
18598 	msg = nlmsg_new(100 + info->len, gfp);
18599 	if (!msg)
18600 		return -ENOMEM;
18601 
18602 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18603 	if (!hdr) {
18604 		nlmsg_free(msg);
18605 		return -ENOMEM;
18606 	}
18607 
18608 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18609 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18610 					netdev->ifindex)) ||
18611 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18612 			      NL80211_ATTR_PAD) ||
18613 	    (info->have_link_id &&
18614 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18615 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18616 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18617 	    (info->sig_dbm &&
18618 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18619 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18620 	    (info->flags &&
18621 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18622 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18623 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18624 						  info->rx_tstamp,
18625 						  NL80211_ATTR_PAD)) ||
18626 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18627 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18628 						   info->ack_tstamp,
18629 						   NL80211_ATTR_PAD)))
18630 		goto nla_put_failure;
18631 
18632 	genlmsg_end(msg, hdr);
18633 
18634 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18635 
18636  nla_put_failure:
18637 	nlmsg_free(msg);
18638 	return -ENOBUFS;
18639 }
18640 
18641 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18642 				    struct cfg80211_tx_status *status,
18643 				    gfp_t gfp, enum nl80211_commands command)
18644 {
18645 	struct wiphy *wiphy = wdev->wiphy;
18646 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18647 	struct net_device *netdev = wdev->netdev;
18648 	struct sk_buff *msg;
18649 	void *hdr;
18650 
18651 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18652 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18653 					      status->ack);
18654 	else
18655 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18656 						      status->ack);
18657 
18658 	msg = nlmsg_new(100 + status->len, gfp);
18659 	if (!msg)
18660 		return;
18661 
18662 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18663 	if (!hdr) {
18664 		nlmsg_free(msg);
18665 		return;
18666 	}
18667 
18668 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18669 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18670 				   netdev->ifindex)) ||
18671 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18672 			      NL80211_ATTR_PAD) ||
18673 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18674 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18675 			      NL80211_ATTR_PAD) ||
18676 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18677 	    (status->tx_tstamp &&
18678 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18679 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18680 	    (status->ack_tstamp &&
18681 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18682 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18683 		goto nla_put_failure;
18684 
18685 	genlmsg_end(msg, hdr);
18686 
18687 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18688 				NL80211_MCGRP_MLME, gfp);
18689 	return;
18690 
18691 nla_put_failure:
18692 	nlmsg_free(msg);
18693 }
18694 
18695 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18696 				     const u8 *buf, size_t len, bool ack,
18697 				     gfp_t gfp)
18698 {
18699 	struct cfg80211_tx_status status = {
18700 		.cookie = cookie,
18701 		.buf = buf,
18702 		.len = len,
18703 		.ack = ack
18704 	};
18705 
18706 	nl80211_frame_tx_status(wdev, &status, gfp,
18707 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18708 }
18709 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18710 
18711 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
18712 				 struct cfg80211_tx_status *status, gfp_t gfp)
18713 {
18714 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
18715 }
18716 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
18717 
18718 static int __nl80211_rx_control_port(struct net_device *dev,
18719 				     struct sk_buff *skb,
18720 				     bool unencrypted, gfp_t gfp)
18721 {
18722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18723 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18724 	struct ethhdr *ehdr = eth_hdr(skb);
18725 	const u8 *addr = ehdr->h_source;
18726 	u16 proto = be16_to_cpu(skb->protocol);
18727 	struct sk_buff *msg;
18728 	void *hdr;
18729 	struct nlattr *frame;
18730 
18731 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
18732 
18733 	if (!nlportid)
18734 		return -ENOENT;
18735 
18736 	msg = nlmsg_new(100 + skb->len, gfp);
18737 	if (!msg)
18738 		return -ENOMEM;
18739 
18740 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
18741 	if (!hdr) {
18742 		nlmsg_free(msg);
18743 		return -ENOBUFS;
18744 	}
18745 
18746 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18747 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18748 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18749 			      NL80211_ATTR_PAD) ||
18750 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18751 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
18752 	    (unencrypted && nla_put_flag(msg,
18753 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
18754 		goto nla_put_failure;
18755 
18756 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
18757 	if (!frame)
18758 		goto nla_put_failure;
18759 
18760 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
18761 	genlmsg_end(msg, hdr);
18762 
18763 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18764 
18765  nla_put_failure:
18766 	nlmsg_free(msg);
18767 	return -ENOBUFS;
18768 }
18769 
18770 bool cfg80211_rx_control_port(struct net_device *dev,
18771 			      struct sk_buff *skb, bool unencrypted)
18772 {
18773 	int ret;
18774 
18775 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
18776 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
18777 	trace_cfg80211_return_bool(ret == 0);
18778 	return ret == 0;
18779 }
18780 EXPORT_SYMBOL(cfg80211_rx_control_port);
18781 
18782 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
18783 					    const char *mac, gfp_t gfp)
18784 {
18785 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18786 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18787 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18788 	void **cb;
18789 
18790 	if (!msg)
18791 		return NULL;
18792 
18793 	cb = (void **)msg->cb;
18794 
18795 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
18796 	if (!cb[0]) {
18797 		nlmsg_free(msg);
18798 		return NULL;
18799 	}
18800 
18801 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18802 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18803 		goto nla_put_failure;
18804 
18805 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18806 		goto nla_put_failure;
18807 
18808 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
18809 	if (!cb[1])
18810 		goto nla_put_failure;
18811 
18812 	cb[2] = rdev;
18813 
18814 	return msg;
18815  nla_put_failure:
18816 	nlmsg_free(msg);
18817 	return NULL;
18818 }
18819 
18820 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
18821 {
18822 	void **cb = (void **)msg->cb;
18823 	struct cfg80211_registered_device *rdev = cb[2];
18824 
18825 	nla_nest_end(msg, cb[1]);
18826 	genlmsg_end(msg, cb[0]);
18827 
18828 	memset(msg->cb, 0, sizeof(msg->cb));
18829 
18830 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18831 				NL80211_MCGRP_MLME, gfp);
18832 }
18833 
18834 void cfg80211_cqm_rssi_notify(struct net_device *dev,
18835 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
18836 			      s32 rssi_level, gfp_t gfp)
18837 {
18838 	struct sk_buff *msg;
18839 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18840 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18841 
18842 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
18843 
18844 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
18845 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
18846 		return;
18847 
18848 	if (wdev->cqm_config) {
18849 		wdev->cqm_config->last_rssi_event_value = rssi_level;
18850 
18851 		cfg80211_cqm_rssi_update(rdev, dev);
18852 
18853 		if (rssi_level == 0)
18854 			rssi_level = wdev->cqm_config->last_rssi_event_value;
18855 	}
18856 
18857 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18858 	if (!msg)
18859 		return;
18860 
18861 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
18862 			rssi_event))
18863 		goto nla_put_failure;
18864 
18865 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
18866 				      rssi_level))
18867 		goto nla_put_failure;
18868 
18869 	cfg80211_send_cqm(msg, gfp);
18870 
18871 	return;
18872 
18873  nla_put_failure:
18874 	nlmsg_free(msg);
18875 }
18876 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
18877 
18878 void cfg80211_cqm_txe_notify(struct net_device *dev,
18879 			     const u8 *peer, u32 num_packets,
18880 			     u32 rate, u32 intvl, gfp_t gfp)
18881 {
18882 	struct sk_buff *msg;
18883 
18884 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18885 	if (!msg)
18886 		return;
18887 
18888 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
18889 		goto nla_put_failure;
18890 
18891 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
18892 		goto nla_put_failure;
18893 
18894 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
18895 		goto nla_put_failure;
18896 
18897 	cfg80211_send_cqm(msg, gfp);
18898 	return;
18899 
18900  nla_put_failure:
18901 	nlmsg_free(msg);
18902 }
18903 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
18904 
18905 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
18906 				 const u8 *peer, u32 num_packets, gfp_t gfp)
18907 {
18908 	struct sk_buff *msg;
18909 
18910 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
18911 
18912 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18913 	if (!msg)
18914 		return;
18915 
18916 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
18917 		goto nla_put_failure;
18918 
18919 	cfg80211_send_cqm(msg, gfp);
18920 	return;
18921 
18922  nla_put_failure:
18923 	nlmsg_free(msg);
18924 }
18925 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
18926 
18927 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
18928 {
18929 	struct sk_buff *msg;
18930 
18931 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18932 	if (!msg)
18933 		return;
18934 
18935 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
18936 		goto nla_put_failure;
18937 
18938 	cfg80211_send_cqm(msg, gfp);
18939 	return;
18940 
18941  nla_put_failure:
18942 	nlmsg_free(msg);
18943 }
18944 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
18945 
18946 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
18947 				     struct net_device *netdev, const u8 *bssid,
18948 				     const u8 *replay_ctr, gfp_t gfp)
18949 {
18950 	struct sk_buff *msg;
18951 	struct nlattr *rekey_attr;
18952 	void *hdr;
18953 
18954 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18955 	if (!msg)
18956 		return;
18957 
18958 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
18959 	if (!hdr) {
18960 		nlmsg_free(msg);
18961 		return;
18962 	}
18963 
18964 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18965 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18966 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18967 		goto nla_put_failure;
18968 
18969 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
18970 	if (!rekey_attr)
18971 		goto nla_put_failure;
18972 
18973 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
18974 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
18975 		goto nla_put_failure;
18976 
18977 	nla_nest_end(msg, rekey_attr);
18978 
18979 	genlmsg_end(msg, hdr);
18980 
18981 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18982 				NL80211_MCGRP_MLME, gfp);
18983 	return;
18984 
18985  nla_put_failure:
18986 	nlmsg_free(msg);
18987 }
18988 
18989 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
18990 			       const u8 *replay_ctr, gfp_t gfp)
18991 {
18992 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18993 	struct wiphy *wiphy = wdev->wiphy;
18994 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18995 
18996 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
18997 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
18998 }
18999 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19000 
19001 static void
19002 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19003 			       struct net_device *netdev, int index,
19004 			       const u8 *bssid, bool preauth, gfp_t gfp)
19005 {
19006 	struct sk_buff *msg;
19007 	struct nlattr *attr;
19008 	void *hdr;
19009 
19010 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19011 	if (!msg)
19012 		return;
19013 
19014 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19015 	if (!hdr) {
19016 		nlmsg_free(msg);
19017 		return;
19018 	}
19019 
19020 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19021 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19022 		goto nla_put_failure;
19023 
19024 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19025 	if (!attr)
19026 		goto nla_put_failure;
19027 
19028 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19029 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19030 	    (preauth &&
19031 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19032 		goto nla_put_failure;
19033 
19034 	nla_nest_end(msg, attr);
19035 
19036 	genlmsg_end(msg, hdr);
19037 
19038 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19039 				NL80211_MCGRP_MLME, gfp);
19040 	return;
19041 
19042  nla_put_failure:
19043 	nlmsg_free(msg);
19044 }
19045 
19046 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19047 				     const u8 *bssid, bool preauth, gfp_t gfp)
19048 {
19049 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19050 	struct wiphy *wiphy = wdev->wiphy;
19051 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19052 
19053 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19054 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19055 }
19056 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19057 
19058 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19059 				     struct net_device *netdev,
19060 				     unsigned int link_id,
19061 				     struct cfg80211_chan_def *chandef,
19062 				     gfp_t gfp,
19063 				     enum nl80211_commands notif,
19064 				     u8 count, bool quiet, u16 punct_bitmap)
19065 {
19066 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19067 	struct sk_buff *msg;
19068 	void *hdr;
19069 
19070 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19071 	if (!msg)
19072 		return;
19073 
19074 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19075 	if (!hdr) {
19076 		nlmsg_free(msg);
19077 		return;
19078 	}
19079 
19080 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19081 		goto nla_put_failure;
19082 
19083 	if (wdev->valid_links &&
19084 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19085 		goto nla_put_failure;
19086 
19087 	if (nl80211_send_chandef(msg, chandef))
19088 		goto nla_put_failure;
19089 
19090 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19091 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19092 			goto nla_put_failure;
19093 		if (quiet &&
19094 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19095 			goto nla_put_failure;
19096 	}
19097 
19098 	if (nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, punct_bitmap))
19099 		goto nla_put_failure;
19100 
19101 	genlmsg_end(msg, hdr);
19102 
19103 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19104 				NL80211_MCGRP_MLME, gfp);
19105 	return;
19106 
19107  nla_put_failure:
19108 	nlmsg_free(msg);
19109 }
19110 
19111 void cfg80211_ch_switch_notify(struct net_device *dev,
19112 			       struct cfg80211_chan_def *chandef,
19113 			       unsigned int link_id, u16 punct_bitmap)
19114 {
19115 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19116 	struct wiphy *wiphy = wdev->wiphy;
19117 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19118 
19119 	ASSERT_WDEV_LOCK(wdev);
19120 	WARN_INVALID_LINK_ID(wdev, link_id);
19121 
19122 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id, punct_bitmap);
19123 
19124 	switch (wdev->iftype) {
19125 	case NL80211_IFTYPE_STATION:
19126 	case NL80211_IFTYPE_P2P_CLIENT:
19127 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19128 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19129 							chandef->chan);
19130 		break;
19131 	case NL80211_IFTYPE_MESH_POINT:
19132 		wdev->u.mesh.chandef = *chandef;
19133 		wdev->u.mesh.preset_chandef = *chandef;
19134 		break;
19135 	case NL80211_IFTYPE_AP:
19136 	case NL80211_IFTYPE_P2P_GO:
19137 		wdev->links[link_id].ap.chandef = *chandef;
19138 		break;
19139 	case NL80211_IFTYPE_ADHOC:
19140 		wdev->u.ibss.chandef = *chandef;
19141 		break;
19142 	default:
19143 		WARN_ON(1);
19144 		break;
19145 	}
19146 
19147 	cfg80211_sched_dfs_chan_update(rdev);
19148 
19149 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19150 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false,
19151 				 punct_bitmap);
19152 }
19153 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19154 
19155 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19156 				       struct cfg80211_chan_def *chandef,
19157 				       unsigned int link_id, u8 count,
19158 				       bool quiet, u16 punct_bitmap)
19159 {
19160 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19161 	struct wiphy *wiphy = wdev->wiphy;
19162 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19163 
19164 	ASSERT_WDEV_LOCK(wdev);
19165 	WARN_INVALID_LINK_ID(wdev, link_id);
19166 
19167 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id,
19168 						punct_bitmap);
19169 
19170 
19171 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19172 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19173 				 count, quiet, punct_bitmap);
19174 }
19175 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19176 
19177 int cfg80211_bss_color_notify(struct net_device *dev,
19178 			      enum nl80211_commands cmd, u8 count,
19179 			      u64 color_bitmap)
19180 {
19181 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19182 	struct wiphy *wiphy = wdev->wiphy;
19183 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19184 	struct sk_buff *msg;
19185 	void *hdr;
19186 
19187 	ASSERT_WDEV_LOCK(wdev);
19188 
19189 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19190 
19191 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19192 	if (!msg)
19193 		return -ENOMEM;
19194 
19195 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19196 	if (!hdr)
19197 		goto nla_put_failure;
19198 
19199 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19200 		goto nla_put_failure;
19201 
19202 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19203 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19204 		goto nla_put_failure;
19205 
19206 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19207 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19208 			      color_bitmap, NL80211_ATTR_PAD))
19209 		goto nla_put_failure;
19210 
19211 	genlmsg_end(msg, hdr);
19212 
19213 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19214 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19215 
19216 nla_put_failure:
19217 	nlmsg_free(msg);
19218 	return -EINVAL;
19219 }
19220 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19221 
19222 void
19223 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19224 		     const struct cfg80211_chan_def *chandef,
19225 		     enum nl80211_radar_event event,
19226 		     struct net_device *netdev, gfp_t gfp)
19227 {
19228 	struct sk_buff *msg;
19229 	void *hdr;
19230 
19231 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19232 	if (!msg)
19233 		return;
19234 
19235 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19236 	if (!hdr) {
19237 		nlmsg_free(msg);
19238 		return;
19239 	}
19240 
19241 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19242 		goto nla_put_failure;
19243 
19244 	/* NOP and radar events don't need a netdev parameter */
19245 	if (netdev) {
19246 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19247 
19248 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19249 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19250 				      NL80211_ATTR_PAD))
19251 			goto nla_put_failure;
19252 	}
19253 
19254 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19255 		goto nla_put_failure;
19256 
19257 	if (nl80211_send_chandef(msg, chandef))
19258 		goto nla_put_failure;
19259 
19260 	genlmsg_end(msg, hdr);
19261 
19262 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19263 				NL80211_MCGRP_MLME, gfp);
19264 	return;
19265 
19266  nla_put_failure:
19267 	nlmsg_free(msg);
19268 }
19269 
19270 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19271 				       struct sta_opmode_info *sta_opmode,
19272 				       gfp_t gfp)
19273 {
19274 	struct sk_buff *msg;
19275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19276 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19277 	void *hdr;
19278 
19279 	if (WARN_ON(!mac))
19280 		return;
19281 
19282 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19283 	if (!msg)
19284 		return;
19285 
19286 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19287 	if (!hdr) {
19288 		nlmsg_free(msg);
19289 		return;
19290 	}
19291 
19292 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19293 		goto nla_put_failure;
19294 
19295 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19296 		goto nla_put_failure;
19297 
19298 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19299 		goto nla_put_failure;
19300 
19301 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19302 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19303 		goto nla_put_failure;
19304 
19305 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19306 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19307 		goto nla_put_failure;
19308 
19309 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19310 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19311 		goto nla_put_failure;
19312 
19313 	genlmsg_end(msg, hdr);
19314 
19315 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19316 				NL80211_MCGRP_MLME, gfp);
19317 
19318 	return;
19319 
19320 nla_put_failure:
19321 	nlmsg_free(msg);
19322 }
19323 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19324 
19325 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19326 			   u64 cookie, bool acked, s32 ack_signal,
19327 			   bool is_valid_ack_signal, gfp_t gfp)
19328 {
19329 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19330 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19331 	struct sk_buff *msg;
19332 	void *hdr;
19333 
19334 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19335 
19336 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19337 
19338 	if (!msg)
19339 		return;
19340 
19341 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19342 	if (!hdr) {
19343 		nlmsg_free(msg);
19344 		return;
19345 	}
19346 
19347 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19348 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19349 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19350 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19351 			      NL80211_ATTR_PAD) ||
19352 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19353 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19354 						ack_signal)))
19355 		goto nla_put_failure;
19356 
19357 	genlmsg_end(msg, hdr);
19358 
19359 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19360 				NL80211_MCGRP_MLME, gfp);
19361 	return;
19362 
19363  nla_put_failure:
19364 	nlmsg_free(msg);
19365 }
19366 EXPORT_SYMBOL(cfg80211_probe_status);
19367 
19368 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19369 				     size_t len, int freq, int sig_dbm)
19370 {
19371 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19372 	struct sk_buff *msg;
19373 	void *hdr;
19374 	struct cfg80211_beacon_registration *reg;
19375 
19376 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19377 
19378 	spin_lock_bh(&rdev->beacon_registrations_lock);
19379 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19380 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19381 		if (!msg) {
19382 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19383 			return;
19384 		}
19385 
19386 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19387 		if (!hdr)
19388 			goto nla_put_failure;
19389 
19390 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19391 		    (freq &&
19392 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19393 				  KHZ_TO_MHZ(freq)) ||
19394 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19395 				  freq % 1000))) ||
19396 		    (sig_dbm &&
19397 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19398 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19399 			goto nla_put_failure;
19400 
19401 		genlmsg_end(msg, hdr);
19402 
19403 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19404 	}
19405 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19406 	return;
19407 
19408  nla_put_failure:
19409 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19410 	nlmsg_free(msg);
19411 }
19412 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19413 
19414 #ifdef CONFIG_PM
19415 static int cfg80211_net_detect_results(struct sk_buff *msg,
19416 				       struct cfg80211_wowlan_wakeup *wakeup)
19417 {
19418 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19419 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19420 	int i, j;
19421 
19422 	nl_results = nla_nest_start_noflag(msg,
19423 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19424 	if (!nl_results)
19425 		return -EMSGSIZE;
19426 
19427 	for (i = 0; i < nd->n_matches; i++) {
19428 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19429 
19430 		nl_match = nla_nest_start_noflag(msg, i);
19431 		if (!nl_match)
19432 			break;
19433 
19434 		/* The SSID attribute is optional in nl80211, but for
19435 		 * simplicity reasons it's always present in the
19436 		 * cfg80211 structure.  If a driver can't pass the
19437 		 * SSID, that needs to be changed.  A zero length SSID
19438 		 * is still a valid SSID (wildcard), so it cannot be
19439 		 * used for this purpose.
19440 		 */
19441 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19442 			    match->ssid.ssid)) {
19443 			nla_nest_cancel(msg, nl_match);
19444 			goto out;
19445 		}
19446 
19447 		if (match->n_channels) {
19448 			nl_freqs = nla_nest_start_noflag(msg,
19449 							 NL80211_ATTR_SCAN_FREQUENCIES);
19450 			if (!nl_freqs) {
19451 				nla_nest_cancel(msg, nl_match);
19452 				goto out;
19453 			}
19454 
19455 			for (j = 0; j < match->n_channels; j++) {
19456 				if (nla_put_u32(msg, j, match->channels[j])) {
19457 					nla_nest_cancel(msg, nl_freqs);
19458 					nla_nest_cancel(msg, nl_match);
19459 					goto out;
19460 				}
19461 			}
19462 
19463 			nla_nest_end(msg, nl_freqs);
19464 		}
19465 
19466 		nla_nest_end(msg, nl_match);
19467 	}
19468 
19469 out:
19470 	nla_nest_end(msg, nl_results);
19471 	return 0;
19472 }
19473 
19474 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19475 				   struct cfg80211_wowlan_wakeup *wakeup,
19476 				   gfp_t gfp)
19477 {
19478 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19479 	struct sk_buff *msg;
19480 	void *hdr;
19481 	int size = 200;
19482 
19483 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19484 
19485 	if (wakeup)
19486 		size += wakeup->packet_present_len;
19487 
19488 	msg = nlmsg_new(size, gfp);
19489 	if (!msg)
19490 		return;
19491 
19492 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19493 	if (!hdr)
19494 		goto free_msg;
19495 
19496 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19497 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19498 			      NL80211_ATTR_PAD))
19499 		goto free_msg;
19500 
19501 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19502 					wdev->netdev->ifindex))
19503 		goto free_msg;
19504 
19505 	if (wakeup) {
19506 		struct nlattr *reasons;
19507 
19508 		reasons = nla_nest_start_noflag(msg,
19509 						NL80211_ATTR_WOWLAN_TRIGGERS);
19510 		if (!reasons)
19511 			goto free_msg;
19512 
19513 		if (wakeup->disconnect &&
19514 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19515 			goto free_msg;
19516 		if (wakeup->magic_pkt &&
19517 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19518 			goto free_msg;
19519 		if (wakeup->gtk_rekey_failure &&
19520 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19521 			goto free_msg;
19522 		if (wakeup->eap_identity_req &&
19523 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19524 			goto free_msg;
19525 		if (wakeup->four_way_handshake &&
19526 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19527 			goto free_msg;
19528 		if (wakeup->rfkill_release &&
19529 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19530 			goto free_msg;
19531 
19532 		if (wakeup->pattern_idx >= 0 &&
19533 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19534 				wakeup->pattern_idx))
19535 			goto free_msg;
19536 
19537 		if (wakeup->tcp_match &&
19538 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19539 			goto free_msg;
19540 
19541 		if (wakeup->tcp_connlost &&
19542 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19543 			goto free_msg;
19544 
19545 		if (wakeup->tcp_nomoretokens &&
19546 		    nla_put_flag(msg,
19547 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19548 			goto free_msg;
19549 
19550 		if (wakeup->packet) {
19551 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19552 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19553 
19554 			if (!wakeup->packet_80211) {
19555 				pkt_attr =
19556 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19557 				len_attr =
19558 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19559 			}
19560 
19561 			if (wakeup->packet_len &&
19562 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19563 				goto free_msg;
19564 
19565 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19566 				    wakeup->packet))
19567 				goto free_msg;
19568 		}
19569 
19570 		if (wakeup->net_detect &&
19571 		    cfg80211_net_detect_results(msg, wakeup))
19572 				goto free_msg;
19573 
19574 		nla_nest_end(msg, reasons);
19575 	}
19576 
19577 	genlmsg_end(msg, hdr);
19578 
19579 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19580 				NL80211_MCGRP_MLME, gfp);
19581 	return;
19582 
19583  free_msg:
19584 	nlmsg_free(msg);
19585 }
19586 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19587 #endif
19588 
19589 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19590 				enum nl80211_tdls_operation oper,
19591 				u16 reason_code, gfp_t gfp)
19592 {
19593 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19594 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19595 	struct sk_buff *msg;
19596 	void *hdr;
19597 
19598 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19599 					 reason_code);
19600 
19601 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19602 	if (!msg)
19603 		return;
19604 
19605 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19606 	if (!hdr) {
19607 		nlmsg_free(msg);
19608 		return;
19609 	}
19610 
19611 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19612 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19613 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19614 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19615 	    (reason_code > 0 &&
19616 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19617 		goto nla_put_failure;
19618 
19619 	genlmsg_end(msg, hdr);
19620 
19621 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19622 				NL80211_MCGRP_MLME, gfp);
19623 	return;
19624 
19625  nla_put_failure:
19626 	nlmsg_free(msg);
19627 }
19628 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19629 
19630 static int nl80211_netlink_notify(struct notifier_block * nb,
19631 				  unsigned long state,
19632 				  void *_notify)
19633 {
19634 	struct netlink_notify *notify = _notify;
19635 	struct cfg80211_registered_device *rdev;
19636 	struct wireless_dev *wdev;
19637 	struct cfg80211_beacon_registration *reg, *tmp;
19638 
19639 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19640 		return NOTIFY_DONE;
19641 
19642 	rcu_read_lock();
19643 
19644 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19645 		struct cfg80211_sched_scan_request *sched_scan_req;
19646 
19647 		list_for_each_entry_rcu(sched_scan_req,
19648 					&rdev->sched_scan_req_list,
19649 					list) {
19650 			if (sched_scan_req->owner_nlportid == notify->portid) {
19651 				sched_scan_req->nl_owner_dead = true;
19652 				schedule_work(&rdev->sched_scan_stop_wk);
19653 			}
19654 		}
19655 
19656 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19657 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19658 
19659 			if (wdev->owner_nlportid == notify->portid) {
19660 				wdev->nl_owner_dead = true;
19661 				schedule_work(&rdev->destroy_work);
19662 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19663 				schedule_work(&wdev->disconnect_wk);
19664 			}
19665 
19666 			cfg80211_release_pmsr(wdev, notify->portid);
19667 		}
19668 
19669 		spin_lock_bh(&rdev->beacon_registrations_lock);
19670 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19671 					 list) {
19672 			if (reg->nlportid == notify->portid) {
19673 				list_del(&reg->list);
19674 				kfree(reg);
19675 				break;
19676 			}
19677 		}
19678 		spin_unlock_bh(&rdev->beacon_registrations_lock);
19679 	}
19680 
19681 	rcu_read_unlock();
19682 
19683 	/*
19684 	 * It is possible that the user space process that is controlling the
19685 	 * indoor setting disappeared, so notify the regulatory core.
19686 	 */
19687 	regulatory_netlink_notify(notify->portid);
19688 	return NOTIFY_OK;
19689 }
19690 
19691 static struct notifier_block nl80211_netlink_notifier = {
19692 	.notifier_call = nl80211_netlink_notify,
19693 };
19694 
19695 void cfg80211_ft_event(struct net_device *netdev,
19696 		       struct cfg80211_ft_event_params *ft_event)
19697 {
19698 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19699 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19700 	struct sk_buff *msg;
19701 	void *hdr;
19702 
19703 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
19704 
19705 	if (!ft_event->target_ap)
19706 		return;
19707 
19708 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
19709 			GFP_KERNEL);
19710 	if (!msg)
19711 		return;
19712 
19713 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
19714 	if (!hdr)
19715 		goto out;
19716 
19717 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19718 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19719 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
19720 		goto out;
19721 
19722 	if (ft_event->ies &&
19723 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
19724 		goto out;
19725 	if (ft_event->ric_ies &&
19726 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
19727 		    ft_event->ric_ies))
19728 		goto out;
19729 
19730 	genlmsg_end(msg, hdr);
19731 
19732 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19733 				NL80211_MCGRP_MLME, GFP_KERNEL);
19734 	return;
19735  out:
19736 	nlmsg_free(msg);
19737 }
19738 EXPORT_SYMBOL(cfg80211_ft_event);
19739 
19740 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
19741 {
19742 	struct cfg80211_registered_device *rdev;
19743 	struct sk_buff *msg;
19744 	void *hdr;
19745 	u32 nlportid;
19746 
19747 	rdev = wiphy_to_rdev(wdev->wiphy);
19748 	if (!rdev->crit_proto_nlportid)
19749 		return;
19750 
19751 	nlportid = rdev->crit_proto_nlportid;
19752 	rdev->crit_proto_nlportid = 0;
19753 
19754 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19755 	if (!msg)
19756 		return;
19757 
19758 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
19759 	if (!hdr)
19760 		goto nla_put_failure;
19761 
19762 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19763 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19764 			      NL80211_ATTR_PAD))
19765 		goto nla_put_failure;
19766 
19767 	genlmsg_end(msg, hdr);
19768 
19769 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19770 	return;
19771 
19772  nla_put_failure:
19773 	nlmsg_free(msg);
19774 }
19775 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
19776 
19777 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
19778 {
19779 	struct wiphy *wiphy = wdev->wiphy;
19780 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19781 	struct sk_buff *msg;
19782 	void *hdr;
19783 
19784 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19785 	if (!msg)
19786 		return;
19787 
19788 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
19789 	if (!hdr)
19790 		goto out;
19791 
19792 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19793 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
19794 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19795 			      NL80211_ATTR_PAD) ||
19796 	    (wdev->valid_links &&
19797 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
19798 		goto out;
19799 
19800 	genlmsg_end(msg, hdr);
19801 
19802 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
19803 				NL80211_MCGRP_MLME, GFP_KERNEL);
19804 	return;
19805  out:
19806 	nlmsg_free(msg);
19807 }
19808 
19809 int cfg80211_external_auth_request(struct net_device *dev,
19810 				   struct cfg80211_external_auth_params *params,
19811 				   gfp_t gfp)
19812 {
19813 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19814 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19815 	struct sk_buff *msg;
19816 	void *hdr;
19817 
19818 	if (!wdev->conn_owner_nlportid)
19819 		return -EINVAL;
19820 
19821 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19822 	if (!msg)
19823 		return -ENOMEM;
19824 
19825 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
19826 	if (!hdr)
19827 		goto nla_put_failure;
19828 
19829 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19830 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19831 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
19832 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
19833 			params->action) ||
19834 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
19835 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
19836 		    params->ssid.ssid) ||
19837 	    (!is_zero_ether_addr(params->mld_addr) &&
19838 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
19839 		goto nla_put_failure;
19840 
19841 	genlmsg_end(msg, hdr);
19842 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
19843 			wdev->conn_owner_nlportid);
19844 	return 0;
19845 
19846  nla_put_failure:
19847 	nlmsg_free(msg);
19848 	return -ENOBUFS;
19849 }
19850 EXPORT_SYMBOL(cfg80211_external_auth_request);
19851 
19852 void cfg80211_update_owe_info_event(struct net_device *netdev,
19853 				    struct cfg80211_update_owe_info *owe_info,
19854 				    gfp_t gfp)
19855 {
19856 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19857 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19858 	struct sk_buff *msg;
19859 	void *hdr;
19860 
19861 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
19862 
19863 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19864 	if (!msg)
19865 		return;
19866 
19867 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
19868 	if (!hdr)
19869 		goto nla_put_failure;
19870 
19871 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19872 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19873 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
19874 		goto nla_put_failure;
19875 
19876 	if (!owe_info->ie_len ||
19877 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
19878 		goto nla_put_failure;
19879 
19880 	if (owe_info->assoc_link_id != -1) {
19881 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
19882 			       owe_info->assoc_link_id))
19883 			goto nla_put_failure;
19884 
19885 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
19886 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
19887 			    owe_info->peer_mld_addr))
19888 			goto nla_put_failure;
19889 	}
19890 
19891 	genlmsg_end(msg, hdr);
19892 
19893 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19894 				NL80211_MCGRP_MLME, gfp);
19895 	return;
19896 
19897 nla_put_failure:
19898 	genlmsg_cancel(msg, hdr);
19899 	nlmsg_free(msg);
19900 }
19901 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
19902 
19903 /* initialisation/exit functions */
19904 
19905 int __init nl80211_init(void)
19906 {
19907 	int err;
19908 
19909 	err = genl_register_family(&nl80211_fam);
19910 	if (err)
19911 		return err;
19912 
19913 	err = netlink_register_notifier(&nl80211_netlink_notifier);
19914 	if (err)
19915 		goto err_out;
19916 
19917 	return 0;
19918  err_out:
19919 	genl_unregister_family(&nl80211_fam);
19920 	return err;
19921 }
19922 
19923 void nl80211_exit(void)
19924 {
19925 	netlink_unregister_notifier(&nl80211_netlink_notifier);
19926 	genl_unregister_family(&nl80211_fam);
19927 }
19928