xref: /linux/net/wireless/nl80211.c (revision 661fb4e68cf62bf52eacfcd9b3b0d93fe4260c5b) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
319 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
320 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
466 	.min = 0,
467 	.max = 0xffff,
468 };
469 
470 static const struct netlink_range_validation q_range = {
471 	.max = INT_MAX,
472 };
473 
474 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
475 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
476 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
477 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
478 				      .len = 20-1 },
479 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
480 
481 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
482 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
484 						NL80211_EDMG_CHANNELS_MIN,
485 						NL80211_EDMG_CHANNELS_MAX),
486 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
487 						NL80211_EDMG_BW_CONFIG_MIN,
488 						NL80211_EDMG_BW_CONFIG_MAX),
489 
490 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
491 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
492 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
493 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
494 
495 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
496 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
497 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
498 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
499 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
500 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
501 
502 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
503 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
504 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
505 
506 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
507 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
508 
509 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
510 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
511 				    .len = WLAN_MAX_KEY_LEN },
512 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
513 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
514 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
515 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
516 	[NL80211_ATTR_KEY_TYPE] =
517 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
518 
519 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
520 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
521 	[NL80211_ATTR_BEACON_HEAD] =
522 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
523 				       IEEE80211_MAX_DATA_LEN),
524 	[NL80211_ATTR_BEACON_TAIL] =
525 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
526 				       IEEE80211_MAX_DATA_LEN),
527 	[NL80211_ATTR_STA_AID] =
528 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
529 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
530 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
531 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
532 					       .len = NL80211_MAX_SUPP_RATES },
533 	[NL80211_ATTR_STA_PLINK_ACTION] =
534 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
535 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
536 		NLA_POLICY_RANGE(NLA_U8,
537 				 NL80211_TX_POWER_AUTOMATIC,
538 				 NL80211_TX_POWER_FIXED),
539 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
540 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
541 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
542 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
543 				   .len = IEEE80211_MAX_MESH_ID_LEN },
544 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
545 
546 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
547 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
548 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
549 
550 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
551 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
552 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
553 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
554 					   .len = NL80211_MAX_SUPP_RATES },
555 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
556 
557 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
558 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
559 
560 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
561 
562 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
563 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
564 						   validate_ie_attr,
565 						   IEEE80211_MAX_DATA_LEN),
566 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
567 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
568 
569 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
570 				.len = IEEE80211_MAX_SSID_LEN },
571 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
572 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
573 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
575 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
576 						  NL80211_MFP_NO,
577 						  NL80211_MFP_OPTIONAL),
578 	[NL80211_ATTR_STA_FLAGS2] =
579 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
580 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
583 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
584 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
585 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
586 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
587 	[NL80211_ATTR_WPA_VERSIONS] =
588 		NLA_POLICY_RANGE(NLA_U32, 0,
589 				 NL80211_WPA_VERSION_1 |
590 				 NL80211_WPA_VERSION_2 |
591 				 NL80211_WPA_VERSION_3),
592 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
593 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
594 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
595 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
596 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
597 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
599 				 .len = IEEE80211_MAX_DATA_LEN },
600 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
601 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
602 						   NL80211_PS_DISABLED,
603 						   NL80211_PS_ENABLED),
604 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
605 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
606 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
607 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
608 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
609 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
610 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
611 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
612 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
613 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
615 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_STA_PLINK_STATE] =
617 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
618 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
619 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_MESH_PEER_AID] =
621 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
622 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
623 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
624 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
625 	[NL80211_ATTR_HIDDEN_SSID] =
626 		NLA_POLICY_RANGE(NLA_U32,
627 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
628 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
629 	[NL80211_ATTR_IE_PROBE_RESP] =
630 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
631 				       IEEE80211_MAX_DATA_LEN),
632 	[NL80211_ATTR_IE_ASSOC_RESP] =
633 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
634 				       IEEE80211_MAX_DATA_LEN),
635 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
637 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
638 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
640 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
641 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
642 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
643 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
644 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
645 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
646 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
647 				      .len = IEEE80211_MAX_DATA_LEN },
648 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
649 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
650 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
651 		.len = NL80211_HT_CAPABILITY_LEN
652 	},
653 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
654 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
655 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
656 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
657 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
658 
659 	/* need to include at least Auth Transaction and Status Code */
660 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
661 
662 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
663 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
664 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
665 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
666 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
667 		NLA_POLICY_RANGE(NLA_U32,
668 				 NL80211_MESH_POWER_UNKNOWN + 1,
669 				 NL80211_MESH_POWER_MAX),
670 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
671 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
672 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
673 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
674 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
675 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
677 		.len = NL80211_VHT_CAPABILITY_LEN,
678 	},
679 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
680 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
681 				  .len = IEEE80211_MAX_DATA_LEN },
682 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
683 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
684 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
685 	[NL80211_ATTR_PEER_AID] =
686 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
687 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
688 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
689 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
690 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
691 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
692 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
693 	/*
694 	 * The value of the Length field of the Supported Operating
695 	 * Classes element is between 2 and 253.
696 	 */
697 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
698 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
699 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
700 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
701 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
702 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
704 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
705 						  IEEE80211_QOS_MAP_LEN_MIN,
706 						  IEEE80211_QOS_MAP_LEN_MAX),
707 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
708 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
709 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
710 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
712 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
713 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
714 	[NL80211_ATTR_USER_PRIO] =
715 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
716 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
717 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
718 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
719 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
720 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
721 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
722 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
723 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
724 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
725 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
726 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
727 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
728 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
729 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
730 	},
731 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
732 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
733 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
734 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
735 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
736 				    .len = FILS_MAX_KEK_LEN },
737 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
738 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
739 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
740 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
741 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
742 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
743 	},
744 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
745 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
746 					     .len = FILS_ERP_MAX_USERNAME_LEN },
747 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
748 					  .len = FILS_ERP_MAX_REALM_LEN },
749 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
750 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
751 					.len = FILS_ERP_MAX_RRK_LEN },
752 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
753 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
754 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
755 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
756 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
757 
758 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
759 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
760 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
761 	[NL80211_ATTR_HE_CAPABILITY] =
762 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
763 				       NL80211_HE_MAX_CAPABILITY_LEN),
764 	[NL80211_ATTR_FTM_RESPONDER] =
765 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
766 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
767 	[NL80211_ATTR_PEER_MEASUREMENTS] =
768 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
769 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
770 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
771 					.len = SAE_PASSWORD_MAX_LEN },
772 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
773 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
774 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
775 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
776 	[NL80211_ATTR_TID_CONFIG] =
777 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
778 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
779 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
780 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
781 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
782 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
783 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
784 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
785 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
786 	[NL80211_ATTR_FILS_DISCOVERY] =
787 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
788 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
789 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
790 	[NL80211_ATTR_S1G_CAPABILITY] =
791 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
792 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
793 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
794 	[NL80211_ATTR_SAE_PWE] =
795 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
796 				 NL80211_SAE_PWE_BOTH),
797 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
798 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
799 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
800 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
801 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
802 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
803 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
804 	[NL80211_ATTR_MBSSID_CONFIG] =
805 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
806 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
807 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
808 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
809 	[NL80211_ATTR_EHT_CAPABILITY] =
810 		NLA_POLICY_RANGE(NLA_BINARY,
811 				 NL80211_EHT_MIN_CAPABILITY_LEN,
812 				 NL80211_EHT_MAX_CAPABILITY_LEN),
813 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
814 	[NL80211_ATTR_MLO_LINKS] =
815 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
816 	[NL80211_ATTR_MLO_LINK_ID] =
817 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
818 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
819 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
820 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
821 	[NL80211_ATTR_PUNCT_BITMAP] =
822 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
823 
824 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
825 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
826 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
827 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
828 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
829 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
830 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
831 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
832 };
833 
834 /* policy for the key attributes */
835 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
836 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
837 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
838 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
839 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
840 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
841 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
842 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
843 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
844 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
845 };
846 
847 /* policy for the key default flags */
848 static const struct nla_policy
849 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
850 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
851 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
852 };
853 
854 #ifdef CONFIG_PM
855 /* policy for WoWLAN attributes */
856 static const struct nla_policy
857 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
858 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
859 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
860 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
861 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
862 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
863 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
864 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
865 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
866 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
867 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
868 };
869 
870 static const struct nla_policy
871 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
872 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
873 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
874 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
875 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
876 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
877 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
878 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
879 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
880 	},
881 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
882 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
883 	},
884 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
885 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
886 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
887 };
888 #endif /* CONFIG_PM */
889 
890 /* policy for coalesce rule attributes */
891 static const struct nla_policy
892 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
893 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
894 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
895 		NLA_POLICY_RANGE(NLA_U32,
896 				 NL80211_COALESCE_CONDITION_MATCH,
897 				 NL80211_COALESCE_CONDITION_NO_MATCH),
898 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
899 };
900 
901 /* policy for GTK rekey offload attributes */
902 static const struct nla_policy
903 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
904 	[NL80211_REKEY_DATA_KEK] = {
905 		.type = NLA_BINARY,
906 		.len = NL80211_KEK_EXT_LEN
907 	},
908 	[NL80211_REKEY_DATA_KCK] = {
909 		.type = NLA_BINARY,
910 		.len = NL80211_KCK_EXT_LEN_32
911 	},
912 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
913 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
914 };
915 
916 static const struct nla_policy
917 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
918 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
919 						 .len = IEEE80211_MAX_SSID_LEN },
920 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
921 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
922 };
923 
924 static const struct nla_policy
925 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
926 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
927 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
928 };
929 
930 static const struct nla_policy
931 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
932 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
933 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
934 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
935 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
936 	},
937 };
938 
939 /* policy for NAN function attributes */
940 static const struct nla_policy
941 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
942 	[NL80211_NAN_FUNC_TYPE] =
943 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
944 	[NL80211_NAN_FUNC_SERVICE_ID] = {
945 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
946 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
948 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
949 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
950 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
951 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
952 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
953 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
954 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
955 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
956 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
957 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
958 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
959 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
960 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
961 };
962 
963 /* policy for Service Response Filter attributes */
964 static const struct nla_policy
965 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
966 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
967 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
968 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
969 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
970 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
971 };
972 
973 /* policy for packet pattern attributes */
974 static const struct nla_policy
975 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
976 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
977 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
978 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
979 };
980 
981 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
982 				     struct cfg80211_registered_device **rdev,
983 				     struct wireless_dev **wdev,
984 				     struct nlattr **attrbuf)
985 {
986 	int err;
987 
988 	if (!cb->args[0]) {
989 		struct nlattr **attrbuf_free = NULL;
990 
991 		if (!attrbuf) {
992 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
993 					  GFP_KERNEL);
994 			if (!attrbuf)
995 				return -ENOMEM;
996 			attrbuf_free = attrbuf;
997 		}
998 
999 		err = nlmsg_parse_deprecated(cb->nlh,
1000 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1001 					     attrbuf, nl80211_fam.maxattr,
1002 					     nl80211_policy, NULL);
1003 		if (err) {
1004 			kfree(attrbuf_free);
1005 			return err;
1006 		}
1007 
1008 		rtnl_lock();
1009 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1010 						   attrbuf);
1011 		kfree(attrbuf_free);
1012 		if (IS_ERR(*wdev)) {
1013 			rtnl_unlock();
1014 			return PTR_ERR(*wdev);
1015 		}
1016 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1017 		mutex_lock(&(*rdev)->wiphy.mtx);
1018 		rtnl_unlock();
1019 		/* 0 is the first index - add 1 to parse only once */
1020 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1021 		cb->args[1] = (*wdev)->identifier;
1022 	} else {
1023 		/* subtract the 1 again here */
1024 		struct wiphy *wiphy;
1025 		struct wireless_dev *tmp;
1026 
1027 		rtnl_lock();
1028 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1029 		if (!wiphy) {
1030 			rtnl_unlock();
1031 			return -ENODEV;
1032 		}
1033 		*rdev = wiphy_to_rdev(wiphy);
1034 		*wdev = NULL;
1035 
1036 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1037 			if (tmp->identifier == cb->args[1]) {
1038 				*wdev = tmp;
1039 				break;
1040 			}
1041 		}
1042 
1043 		if (!*wdev) {
1044 			rtnl_unlock();
1045 			return -ENODEV;
1046 		}
1047 		mutex_lock(&(*rdev)->wiphy.mtx);
1048 		rtnl_unlock();
1049 	}
1050 
1051 	return 0;
1052 }
1053 
1054 /* message building helper */
1055 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1056 		     int flags, u8 cmd)
1057 {
1058 	/* since there is no private header just add the generic one */
1059 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1060 }
1061 
1062 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1063 				     const struct ieee80211_reg_rule *rule)
1064 {
1065 	int j;
1066 	struct nlattr *nl_wmm_rules =
1067 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1068 
1069 	if (!nl_wmm_rules)
1070 		goto nla_put_failure;
1071 
1072 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1073 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1074 
1075 		if (!nl_wmm_rule)
1076 			goto nla_put_failure;
1077 
1078 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1079 				rule->wmm_rule.client[j].cw_min) ||
1080 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1081 				rule->wmm_rule.client[j].cw_max) ||
1082 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1083 			       rule->wmm_rule.client[j].aifsn) ||
1084 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1085 			        rule->wmm_rule.client[j].cot))
1086 			goto nla_put_failure;
1087 
1088 		nla_nest_end(msg, nl_wmm_rule);
1089 	}
1090 	nla_nest_end(msg, nl_wmm_rules);
1091 
1092 	return 0;
1093 
1094 nla_put_failure:
1095 	return -ENOBUFS;
1096 }
1097 
1098 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1099 				   struct ieee80211_channel *chan,
1100 				   bool large)
1101 {
1102 	/* Some channels must be completely excluded from the
1103 	 * list to protect old user-space tools from breaking
1104 	 */
1105 	if (!large && chan->flags &
1106 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1107 		return 0;
1108 	if (!large && chan->freq_offset)
1109 		return 0;
1110 
1111 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1112 			chan->center_freq))
1113 		goto nla_put_failure;
1114 
1115 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1116 		goto nla_put_failure;
1117 
1118 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1119 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1120 		goto nla_put_failure;
1121 
1122 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1123 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1124 		goto nla_put_failure;
1125 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1126 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1127 			goto nla_put_failure;
1128 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1129 			goto nla_put_failure;
1130 	}
1131 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1132 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1133 			goto nla_put_failure;
1134 		if (large) {
1135 			u32 time;
1136 
1137 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1138 
1139 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1140 					chan->dfs_state))
1141 				goto nla_put_failure;
1142 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1143 					time))
1144 				goto nla_put_failure;
1145 			if (nla_put_u32(msg,
1146 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1147 					chan->dfs_cac_ms))
1148 				goto nla_put_failure;
1149 		}
1150 	}
1151 
1152 	if (large) {
1153 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1154 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1155 			goto nla_put_failure;
1156 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1157 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1158 			goto nla_put_failure;
1159 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1160 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1161 			goto nla_put_failure;
1162 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1163 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1164 			goto nla_put_failure;
1165 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1166 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1167 			goto nla_put_failure;
1168 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1169 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1170 			goto nla_put_failure;
1171 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1172 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1173 			goto nla_put_failure;
1174 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1175 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1176 			goto nla_put_failure;
1177 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1178 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1179 			goto nla_put_failure;
1180 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1181 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1182 			goto nla_put_failure;
1183 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1184 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1185 			goto nla_put_failure;
1186 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1187 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1188 			goto nla_put_failure;
1189 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1190 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1191 			goto nla_put_failure;
1192 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1193 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1194 			goto nla_put_failure;
1195 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1196 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1197 			goto nla_put_failure;
1198 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1199 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1200 			goto nla_put_failure;
1201 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1202 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1203 			goto nla_put_failure;
1204 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1205 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1206 			goto nla_put_failure;
1207 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1208 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1209 			goto nla_put_failure;
1210 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1211 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1212 			goto nla_put_failure;
1213 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1214 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1215 			goto nla_put_failure;
1216 	}
1217 
1218 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1219 			DBM_TO_MBM(chan->max_power)))
1220 		goto nla_put_failure;
1221 
1222 	if (large) {
1223 		const struct ieee80211_reg_rule *rule =
1224 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1225 
1226 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1227 			if (nl80211_msg_put_wmm_rules(msg, rule))
1228 				goto nla_put_failure;
1229 		}
1230 	}
1231 
1232 	return 0;
1233 
1234  nla_put_failure:
1235 	return -ENOBUFS;
1236 }
1237 
1238 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1239 				  struct cfg80211_txq_stats *txqstats,
1240 				  int attrtype)
1241 {
1242 	struct nlattr *txqattr;
1243 
1244 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1245 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1246 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1247 		return false;						  \
1248 	} while (0)
1249 
1250 	txqattr = nla_nest_start_noflag(msg, attrtype);
1251 	if (!txqattr)
1252 		return false;
1253 
1254 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1255 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1256 	PUT_TXQVAL_U32(FLOWS, flows);
1257 	PUT_TXQVAL_U32(DROPS, drops);
1258 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1259 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1260 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1261 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1262 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1263 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1264 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1265 	nla_nest_end(msg, txqattr);
1266 
1267 #undef PUT_TXQVAL_U32
1268 	return true;
1269 }
1270 
1271 /* netlink command implementations */
1272 
1273 /**
1274  * nl80211_link_id - return link ID
1275  * @attrs: attributes to look at
1276  *
1277  * Returns: the link ID or 0 if not given
1278  *
1279  * Note this function doesn't do any validation of the link
1280  * ID validity wrt. links that were actually added, so it must
1281  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1282  * or if additional validation is done.
1283  */
1284 static unsigned int nl80211_link_id(struct nlattr **attrs)
1285 {
1286 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1287 
1288 	if (!linkid)
1289 		return 0;
1290 
1291 	return nla_get_u8(linkid);
1292 }
1293 
1294 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1295 {
1296 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1297 
1298 	if (!linkid)
1299 		return -1;
1300 
1301 	return nla_get_u8(linkid);
1302 }
1303 
1304 struct key_parse {
1305 	struct key_params p;
1306 	int idx;
1307 	int type;
1308 	bool def, defmgmt, defbeacon;
1309 	bool def_uni, def_multi;
1310 };
1311 
1312 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1313 				 struct key_parse *k)
1314 {
1315 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1316 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1317 					      nl80211_key_policy,
1318 					      info->extack);
1319 	if (err)
1320 		return err;
1321 
1322 	k->def = !!tb[NL80211_KEY_DEFAULT];
1323 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1324 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1325 
1326 	if (k->def) {
1327 		k->def_uni = true;
1328 		k->def_multi = true;
1329 	}
1330 	if (k->defmgmt || k->defbeacon)
1331 		k->def_multi = true;
1332 
1333 	if (tb[NL80211_KEY_IDX])
1334 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1335 
1336 	if (tb[NL80211_KEY_DATA]) {
1337 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1338 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1339 	}
1340 
1341 	if (tb[NL80211_KEY_SEQ]) {
1342 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1343 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1344 	}
1345 
1346 	if (tb[NL80211_KEY_CIPHER])
1347 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1348 
1349 	if (tb[NL80211_KEY_TYPE])
1350 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1351 
1352 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1353 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1354 
1355 		err = nla_parse_nested_deprecated(kdt,
1356 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1357 						  tb[NL80211_KEY_DEFAULT_TYPES],
1358 						  nl80211_key_default_policy,
1359 						  info->extack);
1360 		if (err)
1361 			return err;
1362 
1363 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1364 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1365 	}
1366 
1367 	if (tb[NL80211_KEY_MODE])
1368 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1369 
1370 	return 0;
1371 }
1372 
1373 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1374 {
1375 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1376 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1377 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1378 	}
1379 
1380 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1381 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1382 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1383 	}
1384 
1385 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1386 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1387 
1388 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1389 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1390 
1391 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1392 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1393 
1394 	if (k->def) {
1395 		k->def_uni = true;
1396 		k->def_multi = true;
1397 	}
1398 	if (k->defmgmt)
1399 		k->def_multi = true;
1400 
1401 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1402 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1403 
1404 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1405 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1406 		int err = nla_parse_nested_deprecated(kdt,
1407 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1408 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1409 						      nl80211_key_default_policy,
1410 						      info->extack);
1411 		if (err)
1412 			return err;
1413 
1414 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1415 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1416 	}
1417 
1418 	return 0;
1419 }
1420 
1421 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1422 {
1423 	int err;
1424 
1425 	memset(k, 0, sizeof(*k));
1426 	k->idx = -1;
1427 	k->type = -1;
1428 
1429 	if (info->attrs[NL80211_ATTR_KEY])
1430 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1431 	else
1432 		err = nl80211_parse_key_old(info, k);
1433 
1434 	if (err)
1435 		return err;
1436 
1437 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1438 	    (k->defbeacon ? 1 : 0) > 1) {
1439 		GENL_SET_ERR_MSG(info,
1440 				 "key with multiple default flags is invalid");
1441 		return -EINVAL;
1442 	}
1443 
1444 	if (k->defmgmt || k->defbeacon) {
1445 		if (k->def_uni || !k->def_multi) {
1446 			GENL_SET_ERR_MSG(info,
1447 					 "defmgmt/defbeacon key must be mcast");
1448 			return -EINVAL;
1449 		}
1450 	}
1451 
1452 	if (k->idx != -1) {
1453 		if (k->defmgmt) {
1454 			if (k->idx < 4 || k->idx > 5) {
1455 				GENL_SET_ERR_MSG(info,
1456 						 "defmgmt key idx not 4 or 5");
1457 				return -EINVAL;
1458 			}
1459 		} else if (k->defbeacon) {
1460 			if (k->idx < 6 || k->idx > 7) {
1461 				GENL_SET_ERR_MSG(info,
1462 						 "defbeacon key idx not 6 or 7");
1463 				return -EINVAL;
1464 			}
1465 		} else if (k->def) {
1466 			if (k->idx < 0 || k->idx > 3) {
1467 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1468 				return -EINVAL;
1469 			}
1470 		} else {
1471 			if (k->idx < 0 || k->idx > 7) {
1472 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1473 				return -EINVAL;
1474 			}
1475 		}
1476 	}
1477 
1478 	return 0;
1479 }
1480 
1481 static struct cfg80211_cached_keys *
1482 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1483 		       struct genl_info *info, bool *no_ht)
1484 {
1485 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1486 	struct key_parse parse;
1487 	struct nlattr *key;
1488 	struct cfg80211_cached_keys *result;
1489 	int rem, err, def = 0;
1490 	bool have_key = false;
1491 
1492 	nla_for_each_nested(key, keys, rem) {
1493 		have_key = true;
1494 		break;
1495 	}
1496 
1497 	if (!have_key)
1498 		return NULL;
1499 
1500 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1501 	if (!result)
1502 		return ERR_PTR(-ENOMEM);
1503 
1504 	result->def = -1;
1505 
1506 	nla_for_each_nested(key, keys, rem) {
1507 		memset(&parse, 0, sizeof(parse));
1508 		parse.idx = -1;
1509 
1510 		err = nl80211_parse_key_new(info, key, &parse);
1511 		if (err)
1512 			goto error;
1513 		err = -EINVAL;
1514 		if (!parse.p.key)
1515 			goto error;
1516 		if (parse.idx < 0 || parse.idx > 3) {
1517 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1518 			goto error;
1519 		}
1520 		if (parse.def) {
1521 			if (def) {
1522 				GENL_SET_ERR_MSG(info,
1523 						 "only one key can be default");
1524 				goto error;
1525 			}
1526 			def = 1;
1527 			result->def = parse.idx;
1528 			if (!parse.def_uni || !parse.def_multi)
1529 				goto error;
1530 		} else if (parse.defmgmt)
1531 			goto error;
1532 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1533 						     parse.idx, false, NULL);
1534 		if (err)
1535 			goto error;
1536 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1537 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1538 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1539 			err = -EINVAL;
1540 			goto error;
1541 		}
1542 		result->params[parse.idx].cipher = parse.p.cipher;
1543 		result->params[parse.idx].key_len = parse.p.key_len;
1544 		result->params[parse.idx].key = result->data[parse.idx];
1545 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1546 
1547 		/* must be WEP key if we got here */
1548 		if (no_ht)
1549 			*no_ht = true;
1550 	}
1551 
1552 	if (result->def < 0) {
1553 		err = -EINVAL;
1554 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1555 		goto error;
1556 	}
1557 
1558 	return result;
1559  error:
1560 	kfree(result);
1561 	return ERR_PTR(err);
1562 }
1563 
1564 static int nl80211_key_allowed(struct wireless_dev *wdev)
1565 {
1566 	lockdep_assert_wiphy(wdev->wiphy);
1567 
1568 	switch (wdev->iftype) {
1569 	case NL80211_IFTYPE_AP:
1570 	case NL80211_IFTYPE_AP_VLAN:
1571 	case NL80211_IFTYPE_P2P_GO:
1572 	case NL80211_IFTYPE_MESH_POINT:
1573 		break;
1574 	case NL80211_IFTYPE_ADHOC:
1575 		if (wdev->u.ibss.current_bss)
1576 			return 0;
1577 		return -ENOLINK;
1578 	case NL80211_IFTYPE_STATION:
1579 	case NL80211_IFTYPE_P2P_CLIENT:
1580 		if (wdev->connected)
1581 			return 0;
1582 		return -ENOLINK;
1583 	case NL80211_IFTYPE_NAN:
1584 		if (wiphy_ext_feature_isset(wdev->wiphy,
1585 					    NL80211_EXT_FEATURE_SECURE_NAN))
1586 			return 0;
1587 		return -EINVAL;
1588 	case NL80211_IFTYPE_UNSPECIFIED:
1589 	case NL80211_IFTYPE_OCB:
1590 	case NL80211_IFTYPE_MONITOR:
1591 	case NL80211_IFTYPE_P2P_DEVICE:
1592 	case NL80211_IFTYPE_WDS:
1593 	case NUM_NL80211_IFTYPES:
1594 		return -EINVAL;
1595 	}
1596 
1597 	return 0;
1598 }
1599 
1600 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1601 							u32 freq)
1602 {
1603 	struct ieee80211_channel *chan;
1604 
1605 	chan = ieee80211_get_channel_khz(wiphy, freq);
1606 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1607 		return NULL;
1608 	return chan;
1609 }
1610 
1611 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1612 {
1613 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1614 	int i;
1615 
1616 	if (!nl_modes)
1617 		goto nla_put_failure;
1618 
1619 	i = 0;
1620 	while (ifmodes) {
1621 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1622 			goto nla_put_failure;
1623 		ifmodes >>= 1;
1624 		i++;
1625 	}
1626 
1627 	nla_nest_end(msg, nl_modes);
1628 	return 0;
1629 
1630 nla_put_failure:
1631 	return -ENOBUFS;
1632 }
1633 
1634 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1635 				   const struct ieee80211_iface_combination *c,
1636 				   u16 nested)
1637 {
1638 	struct nlattr *nl_combi, *nl_limits;
1639 	int i;
1640 
1641 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1642 	if (!nl_combi)
1643 		goto nla_put_failure;
1644 
1645 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1646 					       nested);
1647 	if (!nl_limits)
1648 		goto nla_put_failure;
1649 
1650 	for (i = 0; i < c->n_limits; i++) {
1651 		struct nlattr *nl_limit;
1652 
1653 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1654 		if (!nl_limit)
1655 			goto nla_put_failure;
1656 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1657 			goto nla_put_failure;
1658 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1659 					c->limits[i].types))
1660 			goto nla_put_failure;
1661 		nla_nest_end(msg, nl_limit);
1662 	}
1663 
1664 	nla_nest_end(msg, nl_limits);
1665 
1666 	if (c->beacon_int_infra_match &&
1667 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1668 		goto nla_put_failure;
1669 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1670 			c->num_different_channels) ||
1671 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1672 			c->max_interfaces))
1673 		goto nla_put_failure;
1674 	if (large &&
1675 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1676 			c->radar_detect_widths) ||
1677 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1678 			c->radar_detect_regions)))
1679 		goto nla_put_failure;
1680 	if (c->beacon_int_min_gcd &&
1681 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1682 			c->beacon_int_min_gcd))
1683 		goto nla_put_failure;
1684 
1685 	nla_nest_end(msg, nl_combi);
1686 
1687 	return 0;
1688 nla_put_failure:
1689 	return -ENOBUFS;
1690 }
1691 
1692 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1693 					  struct sk_buff *msg,
1694 					  int attr, int radio,
1695 					  bool large, u16 nested)
1696 {
1697 	const struct ieee80211_iface_combination *c;
1698 	struct nlattr *nl_combis;
1699 	int i, n;
1700 
1701 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1702 	if (!nl_combis)
1703 		goto nla_put_failure;
1704 
1705 	if (radio >= 0) {
1706 		c = wiphy->radio[0].iface_combinations;
1707 		n = wiphy->radio[0].n_iface_combinations;
1708 	} else {
1709 		c = wiphy->iface_combinations;
1710 		n = wiphy->n_iface_combinations;
1711 	}
1712 	for (i = 0; i < n; i++)
1713 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1714 			goto nla_put_failure;
1715 
1716 	nla_nest_end(msg, nl_combis);
1717 
1718 	return 0;
1719 nla_put_failure:
1720 	return -ENOBUFS;
1721 }
1722 
1723 #ifdef CONFIG_PM
1724 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1725 					struct sk_buff *msg)
1726 {
1727 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1728 	struct nlattr *nl_tcp;
1729 
1730 	if (!tcp)
1731 		return 0;
1732 
1733 	nl_tcp = nla_nest_start_noflag(msg,
1734 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1735 	if (!nl_tcp)
1736 		return -ENOBUFS;
1737 
1738 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1739 			tcp->data_payload_max))
1740 		return -ENOBUFS;
1741 
1742 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1743 			tcp->data_payload_max))
1744 		return -ENOBUFS;
1745 
1746 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1747 		return -ENOBUFS;
1748 
1749 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1750 				sizeof(*tcp->tok), tcp->tok))
1751 		return -ENOBUFS;
1752 
1753 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1754 			tcp->data_interval_max))
1755 		return -ENOBUFS;
1756 
1757 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1758 			tcp->wake_payload_max))
1759 		return -ENOBUFS;
1760 
1761 	nla_nest_end(msg, nl_tcp);
1762 	return 0;
1763 }
1764 
1765 static int nl80211_send_wowlan(struct sk_buff *msg,
1766 			       struct cfg80211_registered_device *rdev,
1767 			       bool large)
1768 {
1769 	struct nlattr *nl_wowlan;
1770 
1771 	if (!rdev->wiphy.wowlan)
1772 		return 0;
1773 
1774 	nl_wowlan = nla_nest_start_noflag(msg,
1775 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1776 	if (!nl_wowlan)
1777 		return -ENOBUFS;
1778 
1779 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1780 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1781 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1782 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1783 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1784 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1785 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1786 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1787 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1788 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1789 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1790 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1791 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1792 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1793 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1794 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1795 		return -ENOBUFS;
1796 
1797 	if (rdev->wiphy.wowlan->n_patterns) {
1798 		struct nl80211_pattern_support pat = {
1799 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1800 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1801 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1802 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1803 		};
1804 
1805 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1806 			    sizeof(pat), &pat))
1807 			return -ENOBUFS;
1808 	}
1809 
1810 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1811 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1812 			rdev->wiphy.wowlan->max_nd_match_sets))
1813 		return -ENOBUFS;
1814 
1815 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1816 		return -ENOBUFS;
1817 
1818 	nla_nest_end(msg, nl_wowlan);
1819 
1820 	return 0;
1821 }
1822 #endif
1823 
1824 static int nl80211_send_coalesce(struct sk_buff *msg,
1825 				 struct cfg80211_registered_device *rdev)
1826 {
1827 	struct nl80211_coalesce_rule_support rule;
1828 
1829 	if (!rdev->wiphy.coalesce)
1830 		return 0;
1831 
1832 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1833 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1834 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1835 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1836 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1837 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1838 
1839 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1840 		return -ENOBUFS;
1841 
1842 	return 0;
1843 }
1844 
1845 static int
1846 nl80211_send_iftype_data(struct sk_buff *msg,
1847 			 const struct ieee80211_supported_band *sband,
1848 			 const struct ieee80211_sband_iftype_data *iftdata)
1849 {
1850 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1851 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1852 
1853 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1854 				iftdata->types_mask))
1855 		return -ENOBUFS;
1856 
1857 	if (he_cap->has_he) {
1858 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1859 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1860 			    he_cap->he_cap_elem.mac_cap_info) ||
1861 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1862 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1863 			    he_cap->he_cap_elem.phy_cap_info) ||
1864 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1865 			    sizeof(he_cap->he_mcs_nss_supp),
1866 			    &he_cap->he_mcs_nss_supp) ||
1867 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1868 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1869 			return -ENOBUFS;
1870 	}
1871 
1872 	if (eht_cap->has_eht && he_cap->has_he) {
1873 		u8 mcs_nss_size, ppe_thresh_size;
1874 		u16 ppe_thres_hdr;
1875 		bool is_ap;
1876 
1877 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1878 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1879 
1880 		mcs_nss_size =
1881 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1882 						   &eht_cap->eht_cap_elem,
1883 						   is_ap);
1884 
1885 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1886 		ppe_thresh_size =
1887 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1888 					       eht_cap->eht_cap_elem.phy_cap_info);
1889 
1890 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1891 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1892 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1893 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1894 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1895 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1896 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1897 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1898 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1899 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1900 			return -ENOBUFS;
1901 	}
1902 
1903 	if (sband->band == NL80211_BAND_6GHZ &&
1904 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1905 		    sizeof(iftdata->he_6ghz_capa),
1906 		    &iftdata->he_6ghz_capa))
1907 		return -ENOBUFS;
1908 
1909 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1910 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1911 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1912 		return -ENOBUFS;
1913 
1914 	return 0;
1915 }
1916 
1917 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1918 				      struct ieee80211_supported_band *sband,
1919 				      bool large)
1920 {
1921 	struct nlattr *nl_rates, *nl_rate;
1922 	struct ieee80211_rate *rate;
1923 	int i;
1924 
1925 	/* add HT info */
1926 	if (sband->ht_cap.ht_supported &&
1927 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1928 		     sizeof(sband->ht_cap.mcs),
1929 		     &sband->ht_cap.mcs) ||
1930 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1931 			 sband->ht_cap.cap) ||
1932 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1933 			sband->ht_cap.ampdu_factor) ||
1934 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1935 			sband->ht_cap.ampdu_density)))
1936 		return -ENOBUFS;
1937 
1938 	/* add VHT info */
1939 	if (sband->vht_cap.vht_supported &&
1940 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1941 		     sizeof(sband->vht_cap.vht_mcs),
1942 		     &sband->vht_cap.vht_mcs) ||
1943 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1944 			 sband->vht_cap.cap)))
1945 		return -ENOBUFS;
1946 
1947 	if (large && sband->n_iftype_data) {
1948 		struct nlattr *nl_iftype_data =
1949 			nla_nest_start_noflag(msg,
1950 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1951 		const struct ieee80211_sband_iftype_data *iftd;
1952 		int err;
1953 
1954 		if (!nl_iftype_data)
1955 			return -ENOBUFS;
1956 
1957 		for_each_sband_iftype_data(sband, i, iftd) {
1958 			struct nlattr *iftdata;
1959 
1960 			iftdata = nla_nest_start_noflag(msg, i + 1);
1961 			if (!iftdata)
1962 				return -ENOBUFS;
1963 
1964 			err = nl80211_send_iftype_data(msg, sband, iftd);
1965 			if (err)
1966 				return err;
1967 
1968 			nla_nest_end(msg, iftdata);
1969 		}
1970 
1971 		nla_nest_end(msg, nl_iftype_data);
1972 	}
1973 
1974 	/* add EDMG info */
1975 	if (large && sband->edmg_cap.channels &&
1976 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1977 		       sband->edmg_cap.channels) ||
1978 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1979 		       sband->edmg_cap.bw_config)))
1980 
1981 		return -ENOBUFS;
1982 
1983 	/* add bitrates */
1984 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1985 	if (!nl_rates)
1986 		return -ENOBUFS;
1987 
1988 	for (i = 0; i < sband->n_bitrates; i++) {
1989 		nl_rate = nla_nest_start_noflag(msg, i);
1990 		if (!nl_rate)
1991 			return -ENOBUFS;
1992 
1993 		rate = &sband->bitrates[i];
1994 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1995 				rate->bitrate))
1996 			return -ENOBUFS;
1997 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1998 		    nla_put_flag(msg,
1999 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2000 			return -ENOBUFS;
2001 
2002 		nla_nest_end(msg, nl_rate);
2003 	}
2004 
2005 	nla_nest_end(msg, nl_rates);
2006 
2007 	/* S1G capabilities */
2008 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2009 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2010 		     sizeof(sband->s1g_cap.cap),
2011 		     sband->s1g_cap.cap) ||
2012 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2013 		     sizeof(sband->s1g_cap.nss_mcs),
2014 		     sband->s1g_cap.nss_mcs)))
2015 		return -ENOBUFS;
2016 
2017 	return 0;
2018 }
2019 
2020 static int
2021 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2022 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2023 {
2024 	u16 stypes;
2025 	struct nlattr *nl_ftypes, *nl_ifs;
2026 	enum nl80211_iftype ift;
2027 	int i;
2028 
2029 	if (!mgmt_stypes)
2030 		return 0;
2031 
2032 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2033 	if (!nl_ifs)
2034 		return -ENOBUFS;
2035 
2036 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2037 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2038 		if (!nl_ftypes)
2039 			return -ENOBUFS;
2040 		i = 0;
2041 		stypes = mgmt_stypes[ift].tx;
2042 		while (stypes) {
2043 			if ((stypes & 1) &&
2044 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2045 					(i << 4) | IEEE80211_FTYPE_MGMT))
2046 				return -ENOBUFS;
2047 			stypes >>= 1;
2048 			i++;
2049 		}
2050 		nla_nest_end(msg, nl_ftypes);
2051 	}
2052 
2053 	nla_nest_end(msg, nl_ifs);
2054 
2055 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2056 	if (!nl_ifs)
2057 		return -ENOBUFS;
2058 
2059 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2060 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2061 		if (!nl_ftypes)
2062 			return -ENOBUFS;
2063 		i = 0;
2064 		stypes = mgmt_stypes[ift].rx;
2065 		while (stypes) {
2066 			if ((stypes & 1) &&
2067 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2068 					(i << 4) | IEEE80211_FTYPE_MGMT))
2069 				return -ENOBUFS;
2070 			stypes >>= 1;
2071 			i++;
2072 		}
2073 		nla_nest_end(msg, nl_ftypes);
2074 	}
2075 	nla_nest_end(msg, nl_ifs);
2076 
2077 	return 0;
2078 }
2079 
2080 #define CMD(op, n)							\
2081 	 do {								\
2082 		if (rdev->ops->op) {					\
2083 			i++;						\
2084 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2085 				goto nla_put_failure;			\
2086 		}							\
2087 	} while (0)
2088 
2089 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2090 					struct sk_buff *msg)
2091 {
2092 	int i = 0;
2093 
2094 	/*
2095 	 * do *NOT* add anything into this function, new things need to be
2096 	 * advertised only to new versions of userspace that can deal with
2097 	 * the split (and they can't possibly care about new features...
2098 	 */
2099 	CMD(add_virtual_intf, NEW_INTERFACE);
2100 	CMD(change_virtual_intf, SET_INTERFACE);
2101 	CMD(add_key, NEW_KEY);
2102 	CMD(start_ap, START_AP);
2103 	CMD(add_station, NEW_STATION);
2104 	CMD(add_mpath, NEW_MPATH);
2105 	CMD(update_mesh_config, SET_MESH_CONFIG);
2106 	CMD(change_bss, SET_BSS);
2107 	CMD(auth, AUTHENTICATE);
2108 	CMD(assoc, ASSOCIATE);
2109 	CMD(deauth, DEAUTHENTICATE);
2110 	CMD(disassoc, DISASSOCIATE);
2111 	CMD(join_ibss, JOIN_IBSS);
2112 	CMD(join_mesh, JOIN_MESH);
2113 	CMD(set_pmksa, SET_PMKSA);
2114 	CMD(del_pmksa, DEL_PMKSA);
2115 	CMD(flush_pmksa, FLUSH_PMKSA);
2116 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2117 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2118 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2119 	CMD(mgmt_tx, FRAME);
2120 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2121 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2122 		i++;
2123 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2124 			goto nla_put_failure;
2125 	}
2126 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2127 	    rdev->ops->join_mesh) {
2128 		i++;
2129 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2130 			goto nla_put_failure;
2131 	}
2132 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2133 		CMD(tdls_mgmt, TDLS_MGMT);
2134 		CMD(tdls_oper, TDLS_OPER);
2135 	}
2136 	if (rdev->wiphy.max_sched_scan_reqs)
2137 		CMD(sched_scan_start, START_SCHED_SCAN);
2138 	CMD(probe_client, PROBE_CLIENT);
2139 	CMD(set_noack_map, SET_NOACK_MAP);
2140 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2141 		i++;
2142 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2143 			goto nla_put_failure;
2144 	}
2145 	CMD(start_p2p_device, START_P2P_DEVICE);
2146 	CMD(set_mcast_rate, SET_MCAST_RATE);
2147 #ifdef CONFIG_NL80211_TESTMODE
2148 	CMD(testmode_cmd, TESTMODE);
2149 #endif
2150 
2151 	if (rdev->ops->connect || rdev->ops->auth) {
2152 		i++;
2153 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2154 			goto nla_put_failure;
2155 	}
2156 
2157 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2158 		i++;
2159 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2160 			goto nla_put_failure;
2161 	}
2162 
2163 	return i;
2164  nla_put_failure:
2165 	return -ENOBUFS;
2166 }
2167 
2168 static int
2169 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2170 			   struct sk_buff *msg)
2171 {
2172 	struct nlattr *ftm;
2173 
2174 	if (!cap->ftm.supported)
2175 		return 0;
2176 
2177 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2178 	if (!ftm)
2179 		return -ENOBUFS;
2180 
2181 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2182 		return -ENOBUFS;
2183 	if (cap->ftm.non_asap &&
2184 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2185 		return -ENOBUFS;
2186 	if (cap->ftm.request_lci &&
2187 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2188 		return -ENOBUFS;
2189 	if (cap->ftm.request_civicloc &&
2190 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2191 		return -ENOBUFS;
2192 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2193 			cap->ftm.preambles))
2194 		return -ENOBUFS;
2195 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2196 			cap->ftm.bandwidths))
2197 		return -ENOBUFS;
2198 	if (cap->ftm.max_bursts_exponent >= 0 &&
2199 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2200 			cap->ftm.max_bursts_exponent))
2201 		return -ENOBUFS;
2202 	if (cap->ftm.max_ftms_per_burst &&
2203 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2204 			cap->ftm.max_ftms_per_burst))
2205 		return -ENOBUFS;
2206 	if (cap->ftm.trigger_based &&
2207 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2208 		return -ENOBUFS;
2209 	if (cap->ftm.non_trigger_based &&
2210 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2211 		return -ENOBUFS;
2212 
2213 	nla_nest_end(msg, ftm);
2214 	return 0;
2215 }
2216 
2217 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2218 				  struct sk_buff *msg)
2219 {
2220 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2221 	struct nlattr *pmsr, *caps;
2222 
2223 	if (!cap)
2224 		return 0;
2225 
2226 	/*
2227 	 * we don't need to clean up anything here since the caller
2228 	 * will genlmsg_cancel() if we fail
2229 	 */
2230 
2231 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2232 	if (!pmsr)
2233 		return -ENOBUFS;
2234 
2235 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2236 		return -ENOBUFS;
2237 
2238 	if (cap->report_ap_tsf &&
2239 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2240 		return -ENOBUFS;
2241 
2242 	if (cap->randomize_mac_addr &&
2243 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2244 		return -ENOBUFS;
2245 
2246 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2247 	if (!caps)
2248 		return -ENOBUFS;
2249 
2250 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2251 		return -ENOBUFS;
2252 
2253 	nla_nest_end(msg, caps);
2254 	nla_nest_end(msg, pmsr);
2255 
2256 	return 0;
2257 }
2258 
2259 static int
2260 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2261 			      struct sk_buff *msg)
2262 {
2263 	int i;
2264 	struct nlattr *nested, *nested_akms;
2265 	const struct wiphy_iftype_akm_suites *iftype_akms;
2266 
2267 	if (!rdev->wiphy.num_iftype_akm_suites ||
2268 	    !rdev->wiphy.iftype_akm_suites)
2269 		return 0;
2270 
2271 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2272 	if (!nested)
2273 		return -ENOBUFS;
2274 
2275 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2276 		nested_akms = nla_nest_start(msg, i + 1);
2277 		if (!nested_akms)
2278 			return -ENOBUFS;
2279 
2280 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2281 
2282 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2283 					iftype_akms->iftypes_mask))
2284 			return -ENOBUFS;
2285 
2286 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2287 			    sizeof(u32) * iftype_akms->n_akm_suites,
2288 			    iftype_akms->akm_suites)) {
2289 			return -ENOBUFS;
2290 		}
2291 		nla_nest_end(msg, nested_akms);
2292 	}
2293 
2294 	nla_nest_end(msg, nested);
2295 
2296 	return 0;
2297 }
2298 
2299 static int
2300 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2301 			       struct sk_buff *msg)
2302 {
2303 	struct nlattr *supp;
2304 
2305 	if (!rdev->wiphy.tid_config_support.vif &&
2306 	    !rdev->wiphy.tid_config_support.peer)
2307 		return 0;
2308 
2309 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2310 	if (!supp)
2311 		return -ENOSPC;
2312 
2313 	if (rdev->wiphy.tid_config_support.vif &&
2314 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2315 			      rdev->wiphy.tid_config_support.vif,
2316 			      NL80211_TID_CONFIG_ATTR_PAD))
2317 		goto fail;
2318 
2319 	if (rdev->wiphy.tid_config_support.peer &&
2320 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2321 			      rdev->wiphy.tid_config_support.peer,
2322 			      NL80211_TID_CONFIG_ATTR_PAD))
2323 		goto fail;
2324 
2325 	/* for now we just use the same value ... makes more sense */
2326 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2327 		       rdev->wiphy.tid_config_support.max_retry))
2328 		goto fail;
2329 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2330 		       rdev->wiphy.tid_config_support.max_retry))
2331 		goto fail;
2332 
2333 	nla_nest_end(msg, supp);
2334 
2335 	return 0;
2336 fail:
2337 	nla_nest_cancel(msg, supp);
2338 	return -ENOBUFS;
2339 }
2340 
2341 static int
2342 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2343 		      struct sk_buff *msg)
2344 {
2345 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2346 	u8 num_freq_ranges;
2347 	int i;
2348 
2349 	if (!rdev->wiphy.sar_capa)
2350 		return 0;
2351 
2352 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2353 
2354 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2355 	if (!sar_capa)
2356 		return -ENOSPC;
2357 
2358 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2359 		goto fail;
2360 
2361 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2362 	if (!specs)
2363 		goto fail;
2364 
2365 	/* report supported freq_ranges */
2366 	for (i = 0; i < num_freq_ranges; i++) {
2367 		sub_freq_range = nla_nest_start(msg, i + 1);
2368 		if (!sub_freq_range)
2369 			goto fail;
2370 
2371 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2372 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2373 			goto fail;
2374 
2375 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2376 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2377 			goto fail;
2378 
2379 		nla_nest_end(msg, sub_freq_range);
2380 	}
2381 
2382 	nla_nest_end(msg, specs);
2383 	nla_nest_end(msg, sar_capa);
2384 
2385 	return 0;
2386 fail:
2387 	nla_nest_cancel(msg, sar_capa);
2388 	return -ENOBUFS;
2389 }
2390 
2391 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2392 {
2393 	struct nlattr *config;
2394 
2395 	if (!wiphy->mbssid_max_interfaces)
2396 		return 0;
2397 
2398 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2399 	if (!config)
2400 		return -ENOBUFS;
2401 
2402 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2403 		       wiphy->mbssid_max_interfaces))
2404 		goto fail;
2405 
2406 	if (wiphy->ema_max_profile_periodicity &&
2407 	    nla_put_u8(msg,
2408 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2409 		       wiphy->ema_max_profile_periodicity))
2410 		goto fail;
2411 
2412 	nla_nest_end(msg, config);
2413 	return 0;
2414 
2415 fail:
2416 	nla_nest_cancel(msg, config);
2417 	return -ENOBUFS;
2418 }
2419 
2420 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2421 {
2422 	const struct wiphy_radio *r = &wiphy->radio[idx];
2423 	struct nlattr *radio, *freq;
2424 	int i;
2425 
2426 	radio = nla_nest_start(msg, idx);
2427 	if (!radio)
2428 		return -ENOBUFS;
2429 
2430 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2431 		goto nla_put_failure;
2432 
2433 	for (i = 0; i < r->n_freq_range; i++) {
2434 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2435 
2436 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2437 		if (!freq)
2438 			goto nla_put_failure;
2439 
2440 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2441 				range->start_freq) ||
2442 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2443 				range->end_freq))
2444 			goto nla_put_failure;
2445 
2446 		nla_nest_end(msg, freq);
2447 	}
2448 
2449 	for (i = 0; i < r->n_iface_combinations; i++)
2450 		if (nl80211_put_ifcomb_data(msg, true,
2451 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2452 					    &r->iface_combinations[i],
2453 					    NLA_F_NESTED))
2454 			goto nla_put_failure;
2455 
2456 	nla_nest_end(msg, radio);
2457 
2458 	return 0;
2459 
2460 nla_put_failure:
2461 	return -ENOBUFS;
2462 }
2463 
2464 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2465 {
2466 	struct nlattr *radios;
2467 	int i;
2468 
2469 	if (!wiphy->n_radio)
2470 		return 0;
2471 
2472 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2473 	if (!radios)
2474 		return -ENOBUFS;
2475 
2476 	for (i = 0; i < wiphy->n_radio; i++)
2477 		if (nl80211_put_radio(wiphy, msg, i))
2478 			goto fail;
2479 
2480 	nla_nest_end(msg, radios);
2481 
2482 	if (nl80211_put_iface_combinations(wiphy, msg,
2483 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2484 					   -1, true, NLA_F_NESTED))
2485 		return -ENOBUFS;
2486 
2487 	return 0;
2488 
2489 fail:
2490 	nla_nest_cancel(msg, radios);
2491 	return -ENOBUFS;
2492 }
2493 
2494 struct nl80211_dump_wiphy_state {
2495 	s64 filter_wiphy;
2496 	long start;
2497 	long split_start, band_start, chan_start, capa_start;
2498 	bool split;
2499 };
2500 
2501 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2502 			      enum nl80211_commands cmd,
2503 			      struct sk_buff *msg, u32 portid, u32 seq,
2504 			      int flags, struct nl80211_dump_wiphy_state *state)
2505 {
2506 	void *hdr;
2507 	struct nlattr *nl_bands, *nl_band;
2508 	struct nlattr *nl_freqs, *nl_freq;
2509 	struct nlattr *nl_cmds;
2510 	enum nl80211_band band;
2511 	struct ieee80211_channel *chan;
2512 	int i;
2513 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2514 				rdev->wiphy.mgmt_stypes;
2515 	u32 features;
2516 
2517 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2518 	if (!hdr)
2519 		return -ENOBUFS;
2520 
2521 	if (WARN_ON(!state))
2522 		return -EINVAL;
2523 
2524 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2525 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2526 			   wiphy_name(&rdev->wiphy)) ||
2527 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2528 			cfg80211_rdev_list_generation))
2529 		goto nla_put_failure;
2530 
2531 	if (cmd != NL80211_CMD_NEW_WIPHY)
2532 		goto finish;
2533 
2534 	switch (state->split_start) {
2535 	case 0:
2536 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2537 			       rdev->wiphy.retry_short) ||
2538 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2539 			       rdev->wiphy.retry_long) ||
2540 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2541 				rdev->wiphy.frag_threshold) ||
2542 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2543 				rdev->wiphy.rts_threshold) ||
2544 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2545 			       rdev->wiphy.coverage_class) ||
2546 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2547 			       rdev->wiphy.max_scan_ssids) ||
2548 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2549 			       rdev->wiphy.max_sched_scan_ssids) ||
2550 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2551 				rdev->wiphy.max_scan_ie_len) ||
2552 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2553 				rdev->wiphy.max_sched_scan_ie_len) ||
2554 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2555 			       rdev->wiphy.max_match_sets))
2556 			goto nla_put_failure;
2557 
2558 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2559 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2560 			goto nla_put_failure;
2561 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2562 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2563 			goto nla_put_failure;
2564 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2565 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2566 			goto nla_put_failure;
2567 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2568 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2569 			goto nla_put_failure;
2570 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2571 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2572 			goto nla_put_failure;
2573 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2574 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2575 			goto nla_put_failure;
2576 		state->split_start++;
2577 		if (state->split)
2578 			break;
2579 		fallthrough;
2580 	case 1:
2581 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2582 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2583 			    rdev->wiphy.cipher_suites))
2584 			goto nla_put_failure;
2585 
2586 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2587 			       rdev->wiphy.max_num_pmkids))
2588 			goto nla_put_failure;
2589 
2590 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2591 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2592 			goto nla_put_failure;
2593 
2594 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2595 				rdev->wiphy.available_antennas_tx) ||
2596 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2597 				rdev->wiphy.available_antennas_rx))
2598 			goto nla_put_failure;
2599 
2600 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2601 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2602 				rdev->wiphy.probe_resp_offload))
2603 			goto nla_put_failure;
2604 
2605 		if ((rdev->wiphy.available_antennas_tx ||
2606 		     rdev->wiphy.available_antennas_rx) &&
2607 		    rdev->ops->get_antenna) {
2608 			u32 tx_ant = 0, rx_ant = 0;
2609 			int res;
2610 
2611 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2612 			if (!res) {
2613 				if (nla_put_u32(msg,
2614 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2615 						tx_ant) ||
2616 				    nla_put_u32(msg,
2617 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2618 						rx_ant))
2619 					goto nla_put_failure;
2620 			}
2621 		}
2622 
2623 		state->split_start++;
2624 		if (state->split)
2625 			break;
2626 		fallthrough;
2627 	case 2:
2628 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2629 					rdev->wiphy.interface_modes))
2630 				goto nla_put_failure;
2631 		state->split_start++;
2632 		if (state->split)
2633 			break;
2634 		fallthrough;
2635 	case 3:
2636 		nl_bands = nla_nest_start_noflag(msg,
2637 						 NL80211_ATTR_WIPHY_BANDS);
2638 		if (!nl_bands)
2639 			goto nla_put_failure;
2640 
2641 		for (band = state->band_start;
2642 		     band < (state->split ?
2643 				NUM_NL80211_BANDS :
2644 				NL80211_BAND_60GHZ + 1);
2645 		     band++) {
2646 			struct ieee80211_supported_band *sband;
2647 
2648 			/* omit higher bands for ancient software */
2649 			if (band > NL80211_BAND_5GHZ && !state->split)
2650 				break;
2651 
2652 			sband = rdev->wiphy.bands[band];
2653 
2654 			if (!sband)
2655 				continue;
2656 
2657 			nl_band = nla_nest_start_noflag(msg, band);
2658 			if (!nl_band)
2659 				goto nla_put_failure;
2660 
2661 			switch (state->chan_start) {
2662 			case 0:
2663 				if (nl80211_send_band_rateinfo(msg, sband,
2664 							       state->split))
2665 					goto nla_put_failure;
2666 				state->chan_start++;
2667 				if (state->split)
2668 					break;
2669 				fallthrough;
2670 			default:
2671 				/* add frequencies */
2672 				nl_freqs = nla_nest_start_noflag(msg,
2673 								 NL80211_BAND_ATTR_FREQS);
2674 				if (!nl_freqs)
2675 					goto nla_put_failure;
2676 
2677 				for (i = state->chan_start - 1;
2678 				     i < sband->n_channels;
2679 				     i++) {
2680 					nl_freq = nla_nest_start_noflag(msg,
2681 									i);
2682 					if (!nl_freq)
2683 						goto nla_put_failure;
2684 
2685 					chan = &sband->channels[i];
2686 
2687 					if (nl80211_msg_put_channel(
2688 							msg, &rdev->wiphy, chan,
2689 							state->split))
2690 						goto nla_put_failure;
2691 
2692 					nla_nest_end(msg, nl_freq);
2693 					if (state->split)
2694 						break;
2695 				}
2696 				if (i < sband->n_channels)
2697 					state->chan_start = i + 2;
2698 				else
2699 					state->chan_start = 0;
2700 				nla_nest_end(msg, nl_freqs);
2701 			}
2702 
2703 			nla_nest_end(msg, nl_band);
2704 
2705 			if (state->split) {
2706 				/* start again here */
2707 				if (state->chan_start)
2708 					band--;
2709 				break;
2710 			}
2711 		}
2712 		nla_nest_end(msg, nl_bands);
2713 
2714 		if (band < NUM_NL80211_BANDS)
2715 			state->band_start = band + 1;
2716 		else
2717 			state->band_start = 0;
2718 
2719 		/* if bands & channels are done, continue outside */
2720 		if (state->band_start == 0 && state->chan_start == 0)
2721 			state->split_start++;
2722 		if (state->split)
2723 			break;
2724 		fallthrough;
2725 	case 4:
2726 		nl_cmds = nla_nest_start_noflag(msg,
2727 						NL80211_ATTR_SUPPORTED_COMMANDS);
2728 		if (!nl_cmds)
2729 			goto nla_put_failure;
2730 
2731 		i = nl80211_add_commands_unsplit(rdev, msg);
2732 		if (i < 0)
2733 			goto nla_put_failure;
2734 		if (state->split) {
2735 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2736 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2737 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2738 				CMD(channel_switch, CHANNEL_SWITCH);
2739 			CMD(set_qos_map, SET_QOS_MAP);
2740 			if (rdev->wiphy.features &
2741 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2742 				CMD(add_tx_ts, ADD_TX_TS);
2743 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2744 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2745 			CMD(update_ft_ies, UPDATE_FT_IES);
2746 			if (rdev->wiphy.sar_capa)
2747 				CMD(set_sar_specs, SET_SAR_SPECS);
2748 		}
2749 #undef CMD
2750 
2751 		nla_nest_end(msg, nl_cmds);
2752 		state->split_start++;
2753 		if (state->split)
2754 			break;
2755 		fallthrough;
2756 	case 5:
2757 		if (rdev->ops->remain_on_channel &&
2758 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2759 		    nla_put_u32(msg,
2760 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2761 				rdev->wiphy.max_remain_on_channel_duration))
2762 			goto nla_put_failure;
2763 
2764 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2765 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2766 			goto nla_put_failure;
2767 
2768 		state->split_start++;
2769 		if (state->split)
2770 			break;
2771 		fallthrough;
2772 	case 6:
2773 #ifdef CONFIG_PM
2774 		if (nl80211_send_wowlan(msg, rdev, state->split))
2775 			goto nla_put_failure;
2776 		state->split_start++;
2777 		if (state->split)
2778 			break;
2779 #else
2780 		state->split_start++;
2781 #endif
2782 		fallthrough;
2783 	case 7:
2784 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2785 					rdev->wiphy.software_iftypes))
2786 			goto nla_put_failure;
2787 
2788 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2789 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2790 						   rdev->wiphy.n_radio ? 0 : -1,
2791 						   state->split, 0))
2792 			goto nla_put_failure;
2793 
2794 		state->split_start++;
2795 		if (state->split)
2796 			break;
2797 		fallthrough;
2798 	case 8:
2799 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2800 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2801 				rdev->wiphy.ap_sme_capa))
2802 			goto nla_put_failure;
2803 
2804 		features = rdev->wiphy.features;
2805 		/*
2806 		 * We can only add the per-channel limit information if the
2807 		 * dump is split, otherwise it makes it too big. Therefore
2808 		 * only advertise it in that case.
2809 		 */
2810 		if (state->split)
2811 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2812 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2813 			goto nla_put_failure;
2814 
2815 		if (rdev->wiphy.ht_capa_mod_mask &&
2816 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2817 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2818 			    rdev->wiphy.ht_capa_mod_mask))
2819 			goto nla_put_failure;
2820 
2821 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2822 		    rdev->wiphy.max_acl_mac_addrs &&
2823 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2824 				rdev->wiphy.max_acl_mac_addrs))
2825 			goto nla_put_failure;
2826 
2827 		/*
2828 		 * Any information below this point is only available to
2829 		 * applications that can deal with it being split. This
2830 		 * helps ensure that newly added capabilities don't break
2831 		 * older tools by overrunning their buffers.
2832 		 *
2833 		 * We still increment split_start so that in the split
2834 		 * case we'll continue with more data in the next round,
2835 		 * but break unconditionally so unsplit data stops here.
2836 		 */
2837 		if (state->split)
2838 			state->split_start++;
2839 		else
2840 			state->split_start = 0;
2841 		break;
2842 	case 9:
2843 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2844 			goto nla_put_failure;
2845 
2846 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2847 				rdev->wiphy.max_sched_scan_plans) ||
2848 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2849 				rdev->wiphy.max_sched_scan_plan_interval) ||
2850 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2851 				rdev->wiphy.max_sched_scan_plan_iterations))
2852 			goto nla_put_failure;
2853 
2854 		if (rdev->wiphy.extended_capabilities &&
2855 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2856 			     rdev->wiphy.extended_capabilities_len,
2857 			     rdev->wiphy.extended_capabilities) ||
2858 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2859 			     rdev->wiphy.extended_capabilities_len,
2860 			     rdev->wiphy.extended_capabilities_mask)))
2861 			goto nla_put_failure;
2862 
2863 		if (rdev->wiphy.vht_capa_mod_mask &&
2864 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2865 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2866 			    rdev->wiphy.vht_capa_mod_mask))
2867 			goto nla_put_failure;
2868 
2869 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2870 			    rdev->wiphy.perm_addr))
2871 			goto nla_put_failure;
2872 
2873 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2874 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2875 			    rdev->wiphy.addr_mask))
2876 			goto nla_put_failure;
2877 
2878 		if (rdev->wiphy.n_addresses > 1) {
2879 			void *attr;
2880 
2881 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2882 			if (!attr)
2883 				goto nla_put_failure;
2884 
2885 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2886 				if (nla_put(msg, i + 1, ETH_ALEN,
2887 					    rdev->wiphy.addresses[i].addr))
2888 					goto nla_put_failure;
2889 
2890 			nla_nest_end(msg, attr);
2891 		}
2892 
2893 		state->split_start++;
2894 		break;
2895 	case 10:
2896 		if (nl80211_send_coalesce(msg, rdev))
2897 			goto nla_put_failure;
2898 
2899 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2900 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2901 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2902 			goto nla_put_failure;
2903 
2904 		if (rdev->wiphy.max_ap_assoc_sta &&
2905 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2906 				rdev->wiphy.max_ap_assoc_sta))
2907 			goto nla_put_failure;
2908 
2909 		state->split_start++;
2910 		break;
2911 	case 11:
2912 		if (rdev->wiphy.n_vendor_commands) {
2913 			const struct nl80211_vendor_cmd_info *info;
2914 			struct nlattr *nested;
2915 
2916 			nested = nla_nest_start_noflag(msg,
2917 						       NL80211_ATTR_VENDOR_DATA);
2918 			if (!nested)
2919 				goto nla_put_failure;
2920 
2921 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2922 				info = &rdev->wiphy.vendor_commands[i].info;
2923 				if (nla_put(msg, i + 1, sizeof(*info), info))
2924 					goto nla_put_failure;
2925 			}
2926 			nla_nest_end(msg, nested);
2927 		}
2928 
2929 		if (rdev->wiphy.n_vendor_events) {
2930 			const struct nl80211_vendor_cmd_info *info;
2931 			struct nlattr *nested;
2932 
2933 			nested = nla_nest_start_noflag(msg,
2934 						       NL80211_ATTR_VENDOR_EVENTS);
2935 			if (!nested)
2936 				goto nla_put_failure;
2937 
2938 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2939 				info = &rdev->wiphy.vendor_events[i];
2940 				if (nla_put(msg, i + 1, sizeof(*info), info))
2941 					goto nla_put_failure;
2942 			}
2943 			nla_nest_end(msg, nested);
2944 		}
2945 		state->split_start++;
2946 		break;
2947 	case 12:
2948 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2949 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2950 			       rdev->wiphy.max_num_csa_counters))
2951 			goto nla_put_failure;
2952 
2953 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2954 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2955 			goto nla_put_failure;
2956 
2957 		if (rdev->wiphy.max_sched_scan_reqs &&
2958 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2959 				rdev->wiphy.max_sched_scan_reqs))
2960 			goto nla_put_failure;
2961 
2962 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2963 			    sizeof(rdev->wiphy.ext_features),
2964 			    rdev->wiphy.ext_features))
2965 			goto nla_put_failure;
2966 
2967 		if (rdev->wiphy.bss_select_support) {
2968 			struct nlattr *nested;
2969 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2970 
2971 			nested = nla_nest_start_noflag(msg,
2972 						       NL80211_ATTR_BSS_SELECT);
2973 			if (!nested)
2974 				goto nla_put_failure;
2975 
2976 			i = 0;
2977 			while (bss_select_support) {
2978 				if ((bss_select_support & 1) &&
2979 				    nla_put_flag(msg, i))
2980 					goto nla_put_failure;
2981 				i++;
2982 				bss_select_support >>= 1;
2983 			}
2984 			nla_nest_end(msg, nested);
2985 		}
2986 
2987 		state->split_start++;
2988 		break;
2989 	case 13:
2990 		if (rdev->wiphy.num_iftype_ext_capab &&
2991 		    rdev->wiphy.iftype_ext_capab) {
2992 			struct nlattr *nested_ext_capab, *nested;
2993 
2994 			nested = nla_nest_start_noflag(msg,
2995 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2996 			if (!nested)
2997 				goto nla_put_failure;
2998 
2999 			for (i = state->capa_start;
3000 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3001 				const struct wiphy_iftype_ext_capab *capab;
3002 
3003 				capab = &rdev->wiphy.iftype_ext_capab[i];
3004 
3005 				nested_ext_capab = nla_nest_start_noflag(msg,
3006 									 i);
3007 				if (!nested_ext_capab ||
3008 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3009 						capab->iftype) ||
3010 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3011 					    capab->extended_capabilities_len,
3012 					    capab->extended_capabilities) ||
3013 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3014 					    capab->extended_capabilities_len,
3015 					    capab->extended_capabilities_mask))
3016 					goto nla_put_failure;
3017 
3018 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3019 				    (nla_put_u16(msg,
3020 						 NL80211_ATTR_EML_CAPABILITY,
3021 						 capab->eml_capabilities) ||
3022 				     nla_put_u16(msg,
3023 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3024 						 capab->mld_capa_and_ops)))
3025 					goto nla_put_failure;
3026 
3027 				nla_nest_end(msg, nested_ext_capab);
3028 				if (state->split)
3029 					break;
3030 			}
3031 			nla_nest_end(msg, nested);
3032 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3033 				state->capa_start = i + 1;
3034 				break;
3035 			}
3036 		}
3037 
3038 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3039 				rdev->wiphy.nan_supported_bands))
3040 			goto nla_put_failure;
3041 
3042 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3043 					    NL80211_EXT_FEATURE_TXQS)) {
3044 			struct cfg80211_txq_stats txqstats = {};
3045 			int res;
3046 
3047 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3048 			if (!res &&
3049 			    !nl80211_put_txq_stats(msg, &txqstats,
3050 						   NL80211_ATTR_TXQ_STATS))
3051 				goto nla_put_failure;
3052 
3053 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3054 					rdev->wiphy.txq_limit))
3055 				goto nla_put_failure;
3056 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3057 					rdev->wiphy.txq_memory_limit))
3058 				goto nla_put_failure;
3059 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3060 					rdev->wiphy.txq_quantum))
3061 				goto nla_put_failure;
3062 		}
3063 
3064 		state->split_start++;
3065 		break;
3066 	case 14:
3067 		if (nl80211_send_pmsr_capa(rdev, msg))
3068 			goto nla_put_failure;
3069 
3070 		state->split_start++;
3071 		break;
3072 	case 15:
3073 		if (rdev->wiphy.akm_suites &&
3074 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3075 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3076 			    rdev->wiphy.akm_suites))
3077 			goto nla_put_failure;
3078 
3079 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3080 			goto nla_put_failure;
3081 
3082 		if (nl80211_put_tid_config_support(rdev, msg))
3083 			goto nla_put_failure;
3084 		state->split_start++;
3085 		break;
3086 	case 16:
3087 		if (nl80211_put_sar_specs(rdev, msg))
3088 			goto nla_put_failure;
3089 
3090 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3091 			goto nla_put_failure;
3092 
3093 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3094 				rdev->wiphy.max_num_akm_suites))
3095 			goto nla_put_failure;
3096 
3097 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3098 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3099 
3100 		if (rdev->wiphy.hw_timestamp_max_peers &&
3101 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3102 				rdev->wiphy.hw_timestamp_max_peers))
3103 			goto nla_put_failure;
3104 
3105 		state->split_start++;
3106 		break;
3107 	case 17:
3108 		if (nl80211_put_radios(&rdev->wiphy, msg))
3109 			goto nla_put_failure;
3110 
3111 		/* done */
3112 		state->split_start = 0;
3113 		break;
3114 	}
3115  finish:
3116 	genlmsg_end(msg, hdr);
3117 	return 0;
3118 
3119  nla_put_failure:
3120 	genlmsg_cancel(msg, hdr);
3121 	return -EMSGSIZE;
3122 }
3123 
3124 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3125 				    struct netlink_callback *cb,
3126 				    struct nl80211_dump_wiphy_state *state)
3127 {
3128 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3129 	int ret;
3130 
3131 	if (!tb)
3132 		return -ENOMEM;
3133 
3134 	ret = nlmsg_parse_deprecated(cb->nlh,
3135 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3136 				     tb, nl80211_fam.maxattr,
3137 				     nl80211_policy, NULL);
3138 	/* ignore parse errors for backward compatibility */
3139 	if (ret) {
3140 		ret = 0;
3141 		goto out;
3142 	}
3143 
3144 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3145 	if (tb[NL80211_ATTR_WIPHY])
3146 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3147 	if (tb[NL80211_ATTR_WDEV])
3148 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3149 	if (tb[NL80211_ATTR_IFINDEX]) {
3150 		struct net_device *netdev;
3151 		struct cfg80211_registered_device *rdev;
3152 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3153 
3154 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3155 		if (!netdev) {
3156 			ret = -ENODEV;
3157 			goto out;
3158 		}
3159 		if (netdev->ieee80211_ptr) {
3160 			rdev = wiphy_to_rdev(
3161 				netdev->ieee80211_ptr->wiphy);
3162 			state->filter_wiphy = rdev->wiphy_idx;
3163 		}
3164 	}
3165 
3166 	ret = 0;
3167 out:
3168 	kfree(tb);
3169 	return ret;
3170 }
3171 
3172 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3173 {
3174 	int idx = 0, ret;
3175 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3176 	struct cfg80211_registered_device *rdev;
3177 
3178 	rtnl_lock();
3179 	if (!state) {
3180 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3181 		if (!state) {
3182 			rtnl_unlock();
3183 			return -ENOMEM;
3184 		}
3185 		state->filter_wiphy = -1;
3186 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3187 		if (ret) {
3188 			kfree(state);
3189 			rtnl_unlock();
3190 			return ret;
3191 		}
3192 		cb->args[0] = (long)state;
3193 	}
3194 
3195 	for_each_rdev(rdev) {
3196 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3197 			continue;
3198 		if (++idx <= state->start)
3199 			continue;
3200 		if (state->filter_wiphy != -1 &&
3201 		    state->filter_wiphy != rdev->wiphy_idx)
3202 			continue;
3203 		wiphy_lock(&rdev->wiphy);
3204 		/* attempt to fit multiple wiphy data chunks into the skb */
3205 		do {
3206 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3207 						 skb,
3208 						 NETLINK_CB(cb->skb).portid,
3209 						 cb->nlh->nlmsg_seq,
3210 						 NLM_F_MULTI, state);
3211 			if (ret < 0) {
3212 				/*
3213 				 * If sending the wiphy data didn't fit (ENOBUFS
3214 				 * or EMSGSIZE returned), this SKB is still
3215 				 * empty (so it's not too big because another
3216 				 * wiphy dataset is already in the skb) and
3217 				 * we've not tried to adjust the dump allocation
3218 				 * yet ... then adjust the alloc size to be
3219 				 * bigger, and return 1 but with the empty skb.
3220 				 * This results in an empty message being RX'ed
3221 				 * in userspace, but that is ignored.
3222 				 *
3223 				 * We can then retry with the larger buffer.
3224 				 */
3225 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3226 				    !skb->len && !state->split &&
3227 				    cb->min_dump_alloc < 4096) {
3228 					cb->min_dump_alloc = 4096;
3229 					state->split_start = 0;
3230 					wiphy_unlock(&rdev->wiphy);
3231 					rtnl_unlock();
3232 					return 1;
3233 				}
3234 				idx--;
3235 				break;
3236 			}
3237 		} while (state->split_start > 0);
3238 		wiphy_unlock(&rdev->wiphy);
3239 		break;
3240 	}
3241 	rtnl_unlock();
3242 
3243 	state->start = idx;
3244 
3245 	return skb->len;
3246 }
3247 
3248 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3249 {
3250 	kfree((void *)cb->args[0]);
3251 	return 0;
3252 }
3253 
3254 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3255 {
3256 	struct sk_buff *msg;
3257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3258 	struct nl80211_dump_wiphy_state state = {};
3259 
3260 	msg = nlmsg_new(4096, GFP_KERNEL);
3261 	if (!msg)
3262 		return -ENOMEM;
3263 
3264 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3265 			       info->snd_portid, info->snd_seq, 0,
3266 			       &state) < 0) {
3267 		nlmsg_free(msg);
3268 		return -ENOBUFS;
3269 	}
3270 
3271 	return genlmsg_reply(msg, info);
3272 }
3273 
3274 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3275 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3276 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3277 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3278 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3279 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3280 };
3281 
3282 static int parse_txq_params(struct nlattr *tb[],
3283 			    struct ieee80211_txq_params *txq_params)
3284 {
3285 	u8 ac;
3286 
3287 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3288 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3289 	    !tb[NL80211_TXQ_ATTR_AIFS])
3290 		return -EINVAL;
3291 
3292 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3293 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3294 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3295 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3296 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3297 
3298 	if (ac >= NL80211_NUM_ACS)
3299 		return -EINVAL;
3300 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3301 	return 0;
3302 }
3303 
3304 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3305 {
3306 	/*
3307 	 * You can only set the channel explicitly for some interfaces,
3308 	 * most have their channel managed via their respective
3309 	 * "establish a connection" command (connect, join, ...)
3310 	 *
3311 	 * For AP/GO and mesh mode, the channel can be set with the
3312 	 * channel userspace API, but is only stored and passed to the
3313 	 * low-level driver when the AP starts or the mesh is joined.
3314 	 * This is for backward compatibility, userspace can also give
3315 	 * the channel in the start-ap or join-mesh commands instead.
3316 	 *
3317 	 * Monitors are special as they are normally slaved to
3318 	 * whatever else is going on, so they have their own special
3319 	 * operation to set the monitor channel if possible.
3320 	 */
3321 	return !wdev ||
3322 		wdev->iftype == NL80211_IFTYPE_AP ||
3323 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3324 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3325 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3326 }
3327 
3328 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3329 				  struct genl_info *info, bool monitor,
3330 				  struct cfg80211_chan_def *chandef)
3331 {
3332 	struct netlink_ext_ack *extack = info->extack;
3333 	struct nlattr **attrs = info->attrs;
3334 	u32 control_freq;
3335 
3336 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3337 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3338 				    "Frequency is missing");
3339 		return -EINVAL;
3340 	}
3341 
3342 	control_freq = MHZ_TO_KHZ(
3343 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3344 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3345 		control_freq +=
3346 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3347 
3348 	memset(chandef, 0, sizeof(*chandef));
3349 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3350 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3351 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3352 	chandef->freq1_offset = control_freq % 1000;
3353 	chandef->center_freq2 = 0;
3354 
3355 	if (!chandef->chan) {
3356 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3357 				    "Unknown channel");
3358 		return -EINVAL;
3359 	}
3360 
3361 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3362 		enum nl80211_channel_type chantype;
3363 
3364 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3365 
3366 		switch (chantype) {
3367 		case NL80211_CHAN_NO_HT:
3368 		case NL80211_CHAN_HT20:
3369 		case NL80211_CHAN_HT40PLUS:
3370 		case NL80211_CHAN_HT40MINUS:
3371 			cfg80211_chandef_create(chandef, chandef->chan,
3372 						chantype);
3373 			/* user input for center_freq is incorrect */
3374 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3375 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3376 				NL_SET_ERR_MSG_ATTR(extack,
3377 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3378 						    "bad center frequency 1");
3379 				return -EINVAL;
3380 			}
3381 			/* center_freq2 must be zero */
3382 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3383 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3384 				NL_SET_ERR_MSG_ATTR(extack,
3385 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3386 						    "center frequency 2 can't be used");
3387 				return -EINVAL;
3388 			}
3389 			break;
3390 		default:
3391 			NL_SET_ERR_MSG_ATTR(extack,
3392 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3393 					    "invalid channel type");
3394 			return -EINVAL;
3395 		}
3396 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3397 		chandef->width =
3398 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3399 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3400 			/* User input error for channel width doesn't match channel  */
3401 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3402 				NL_SET_ERR_MSG_ATTR(extack,
3403 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3404 						    "bad channel width");
3405 				return -EINVAL;
3406 			}
3407 		}
3408 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3409 			chandef->center_freq1 =
3410 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3411 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3412 				chandef->freq1_offset = nla_get_u32(
3413 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3414 			else
3415 				chandef->freq1_offset = 0;
3416 		}
3417 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3418 			chandef->center_freq2 =
3419 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3420 	}
3421 
3422 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3423 		chandef->edmg.channels =
3424 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3425 
3426 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3427 			chandef->edmg.bw_config =
3428 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3429 	} else {
3430 		chandef->edmg.bw_config = 0;
3431 		chandef->edmg.channels = 0;
3432 	}
3433 
3434 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3435 		chandef->punctured =
3436 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3437 
3438 		if (chandef->punctured &&
3439 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3440 					     NL80211_EXT_FEATURE_PUNCT)) {
3441 			NL_SET_ERR_MSG(extack,
3442 				       "driver doesn't support puncturing");
3443 			return -EINVAL;
3444 		}
3445 	}
3446 
3447 	if (!cfg80211_chandef_valid(chandef)) {
3448 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3449 		return -EINVAL;
3450 	}
3451 
3452 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3453 				      IEEE80211_CHAN_DISABLED,
3454 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3455 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3456 		return -EINVAL;
3457 	}
3458 
3459 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3460 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3461 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3462 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3463 		return -EINVAL;
3464 	}
3465 
3466 	return 0;
3467 }
3468 
3469 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3470 			  struct genl_info *info,
3471 			  struct cfg80211_chan_def *chandef)
3472 {
3473 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3474 }
3475 
3476 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3477 				 struct net_device *dev,
3478 				 struct genl_info *info,
3479 				 int _link_id)
3480 {
3481 	struct cfg80211_chan_def chandef;
3482 	int result;
3483 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3484 	struct wireless_dev *wdev = NULL;
3485 	int link_id = _link_id;
3486 
3487 	if (dev)
3488 		wdev = dev->ieee80211_ptr;
3489 	if (!nl80211_can_set_dev_channel(wdev))
3490 		return -EOPNOTSUPP;
3491 	if (wdev)
3492 		iftype = wdev->iftype;
3493 
3494 	if (link_id < 0) {
3495 		if (wdev && wdev->valid_links)
3496 			return -EINVAL;
3497 		link_id = 0;
3498 	}
3499 
3500 	result = _nl80211_parse_chandef(rdev, info,
3501 					iftype == NL80211_IFTYPE_MONITOR,
3502 					&chandef);
3503 	if (result)
3504 		return result;
3505 
3506 	switch (iftype) {
3507 	case NL80211_IFTYPE_AP:
3508 	case NL80211_IFTYPE_P2P_GO:
3509 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3510 						   iftype))
3511 			return -EINVAL;
3512 		if (wdev->links[link_id].ap.beacon_interval) {
3513 			struct ieee80211_channel *cur_chan;
3514 
3515 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3516 			    !(rdev->wiphy.features &
3517 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3518 				return -EBUSY;
3519 
3520 			/* Only allow dynamic channel width changes */
3521 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3522 			if (chandef.chan != cur_chan)
3523 				return -EBUSY;
3524 
3525 			/* only allow this for regular channel widths */
3526 			switch (wdev->links[link_id].ap.chandef.width) {
3527 			case NL80211_CHAN_WIDTH_20_NOHT:
3528 			case NL80211_CHAN_WIDTH_20:
3529 			case NL80211_CHAN_WIDTH_40:
3530 			case NL80211_CHAN_WIDTH_80:
3531 			case NL80211_CHAN_WIDTH_80P80:
3532 			case NL80211_CHAN_WIDTH_160:
3533 			case NL80211_CHAN_WIDTH_320:
3534 				break;
3535 			default:
3536 				return -EINVAL;
3537 			}
3538 
3539 			switch (chandef.width) {
3540 			case NL80211_CHAN_WIDTH_20_NOHT:
3541 			case NL80211_CHAN_WIDTH_20:
3542 			case NL80211_CHAN_WIDTH_40:
3543 			case NL80211_CHAN_WIDTH_80:
3544 			case NL80211_CHAN_WIDTH_80P80:
3545 			case NL80211_CHAN_WIDTH_160:
3546 			case NL80211_CHAN_WIDTH_320:
3547 				break;
3548 			default:
3549 				return -EINVAL;
3550 			}
3551 
3552 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3553 						       &chandef);
3554 			if (result)
3555 				return result;
3556 			wdev->links[link_id].ap.chandef = chandef;
3557 		} else {
3558 			wdev->u.ap.preset_chandef = chandef;
3559 		}
3560 		return 0;
3561 	case NL80211_IFTYPE_MESH_POINT:
3562 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3563 	case NL80211_IFTYPE_MONITOR:
3564 		return cfg80211_set_monitor_channel(rdev, &chandef);
3565 	default:
3566 		break;
3567 	}
3568 
3569 	return -EINVAL;
3570 }
3571 
3572 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3573 {
3574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3575 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3576 	struct net_device *netdev = info->user_ptr[1];
3577 
3578 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3579 }
3580 
3581 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3582 {
3583 	struct cfg80211_registered_device *rdev = NULL;
3584 	struct net_device *netdev = NULL;
3585 	struct wireless_dev *wdev;
3586 	int result = 0, rem_txq_params = 0;
3587 	struct nlattr *nl_txq_params;
3588 	u32 changed;
3589 	u8 retry_short = 0, retry_long = 0;
3590 	u32 frag_threshold = 0, rts_threshold = 0;
3591 	u8 coverage_class = 0;
3592 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3593 
3594 	rtnl_lock();
3595 	/*
3596 	 * Try to find the wiphy and netdev. Normally this
3597 	 * function shouldn't need the netdev, but this is
3598 	 * done for backward compatibility -- previously
3599 	 * setting the channel was done per wiphy, but now
3600 	 * it is per netdev. Previous userland like hostapd
3601 	 * also passed a netdev to set_wiphy, so that it is
3602 	 * possible to let that go to the right netdev!
3603 	 */
3604 
3605 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3606 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3607 
3608 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3609 		if (netdev && netdev->ieee80211_ptr)
3610 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3611 		else
3612 			netdev = NULL;
3613 	}
3614 
3615 	if (!netdev) {
3616 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3617 						  info->attrs);
3618 		if (IS_ERR(rdev)) {
3619 			rtnl_unlock();
3620 			return PTR_ERR(rdev);
3621 		}
3622 		wdev = NULL;
3623 		netdev = NULL;
3624 		result = 0;
3625 	} else
3626 		wdev = netdev->ieee80211_ptr;
3627 
3628 	wiphy_lock(&rdev->wiphy);
3629 
3630 	/*
3631 	 * end workaround code, by now the rdev is available
3632 	 * and locked, and wdev may or may not be NULL.
3633 	 */
3634 
3635 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3636 		result = cfg80211_dev_rename(
3637 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3638 	rtnl_unlock();
3639 
3640 	if (result)
3641 		goto out;
3642 
3643 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3644 		struct ieee80211_txq_params txq_params;
3645 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3646 
3647 		if (!rdev->ops->set_txq_params) {
3648 			result = -EOPNOTSUPP;
3649 			goto out;
3650 		}
3651 
3652 		if (!netdev) {
3653 			result = -EINVAL;
3654 			goto out;
3655 		}
3656 
3657 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3658 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3659 			result = -EINVAL;
3660 			goto out;
3661 		}
3662 
3663 		if (!netif_running(netdev)) {
3664 			result = -ENETDOWN;
3665 			goto out;
3666 		}
3667 
3668 		nla_for_each_nested(nl_txq_params,
3669 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3670 				    rem_txq_params) {
3671 			result = nla_parse_nested_deprecated(tb,
3672 							     NL80211_TXQ_ATTR_MAX,
3673 							     nl_txq_params,
3674 							     txq_params_policy,
3675 							     info->extack);
3676 			if (result)
3677 				goto out;
3678 			result = parse_txq_params(tb, &txq_params);
3679 			if (result)
3680 				goto out;
3681 
3682 			txq_params.link_id =
3683 				nl80211_link_id_or_invalid(info->attrs);
3684 
3685 			if (txq_params.link_id >= 0 &&
3686 			    !(netdev->ieee80211_ptr->valid_links &
3687 			      BIT(txq_params.link_id)))
3688 				result = -ENOLINK;
3689 			else if (txq_params.link_id >= 0 &&
3690 				 !netdev->ieee80211_ptr->valid_links)
3691 				result = -EINVAL;
3692 			else
3693 				result = rdev_set_txq_params(rdev, netdev,
3694 							     &txq_params);
3695 			if (result)
3696 				goto out;
3697 		}
3698 	}
3699 
3700 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3701 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3702 
3703 		if (wdev) {
3704 			result = __nl80211_set_channel(
3705 				rdev,
3706 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3707 				info, link_id);
3708 		} else {
3709 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3710 		}
3711 
3712 		if (result)
3713 			goto out;
3714 	}
3715 
3716 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3717 		struct wireless_dev *txp_wdev = wdev;
3718 		enum nl80211_tx_power_setting type;
3719 		int idx, mbm = 0;
3720 
3721 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3722 			txp_wdev = NULL;
3723 
3724 		if (!rdev->ops->set_tx_power) {
3725 			result = -EOPNOTSUPP;
3726 			goto out;
3727 		}
3728 
3729 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3730 		type = nla_get_u32(info->attrs[idx]);
3731 
3732 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3733 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3734 			result = -EINVAL;
3735 			goto out;
3736 		}
3737 
3738 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3739 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3740 			mbm = nla_get_u32(info->attrs[idx]);
3741 		}
3742 
3743 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3744 		if (result)
3745 			goto out;
3746 	}
3747 
3748 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3749 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3750 		u32 tx_ant, rx_ant;
3751 
3752 		if ((!rdev->wiphy.available_antennas_tx &&
3753 		     !rdev->wiphy.available_antennas_rx) ||
3754 		    !rdev->ops->set_antenna) {
3755 			result = -EOPNOTSUPP;
3756 			goto out;
3757 		}
3758 
3759 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3760 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3761 
3762 		/* reject antenna configurations which don't match the
3763 		 * available antenna masks, except for the "all" mask */
3764 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3765 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3766 			result = -EINVAL;
3767 			goto out;
3768 		}
3769 
3770 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3771 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3772 
3773 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3774 		if (result)
3775 			goto out;
3776 	}
3777 
3778 	changed = 0;
3779 
3780 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3781 		retry_short = nla_get_u8(
3782 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3783 
3784 		changed |= WIPHY_PARAM_RETRY_SHORT;
3785 	}
3786 
3787 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3788 		retry_long = nla_get_u8(
3789 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3790 
3791 		changed |= WIPHY_PARAM_RETRY_LONG;
3792 	}
3793 
3794 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3795 		frag_threshold = nla_get_u32(
3796 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3797 		if (frag_threshold < 256) {
3798 			result = -EINVAL;
3799 			goto out;
3800 		}
3801 
3802 		if (frag_threshold != (u32) -1) {
3803 			/*
3804 			 * Fragments (apart from the last one) are required to
3805 			 * have even length. Make the fragmentation code
3806 			 * simpler by stripping LSB should someone try to use
3807 			 * odd threshold value.
3808 			 */
3809 			frag_threshold &= ~0x1;
3810 		}
3811 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3812 	}
3813 
3814 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3815 		rts_threshold = nla_get_u32(
3816 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3817 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3818 	}
3819 
3820 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3821 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3822 			result = -EINVAL;
3823 			goto out;
3824 		}
3825 
3826 		coverage_class = nla_get_u8(
3827 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3828 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3829 	}
3830 
3831 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3832 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3833 			result = -EOPNOTSUPP;
3834 			goto out;
3835 		}
3836 
3837 		changed |= WIPHY_PARAM_DYN_ACK;
3838 	}
3839 
3840 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3841 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3842 					     NL80211_EXT_FEATURE_TXQS)) {
3843 			result = -EOPNOTSUPP;
3844 			goto out;
3845 		}
3846 		txq_limit = nla_get_u32(
3847 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3848 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3849 	}
3850 
3851 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3852 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3853 					     NL80211_EXT_FEATURE_TXQS)) {
3854 			result = -EOPNOTSUPP;
3855 			goto out;
3856 		}
3857 		txq_memory_limit = nla_get_u32(
3858 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3859 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3860 	}
3861 
3862 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3863 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3864 					     NL80211_EXT_FEATURE_TXQS)) {
3865 			result = -EOPNOTSUPP;
3866 			goto out;
3867 		}
3868 		txq_quantum = nla_get_u32(
3869 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3870 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3871 	}
3872 
3873 	if (changed) {
3874 		u8 old_retry_short, old_retry_long;
3875 		u32 old_frag_threshold, old_rts_threshold;
3876 		u8 old_coverage_class;
3877 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3878 
3879 		if (!rdev->ops->set_wiphy_params) {
3880 			result = -EOPNOTSUPP;
3881 			goto out;
3882 		}
3883 
3884 		old_retry_short = rdev->wiphy.retry_short;
3885 		old_retry_long = rdev->wiphy.retry_long;
3886 		old_frag_threshold = rdev->wiphy.frag_threshold;
3887 		old_rts_threshold = rdev->wiphy.rts_threshold;
3888 		old_coverage_class = rdev->wiphy.coverage_class;
3889 		old_txq_limit = rdev->wiphy.txq_limit;
3890 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3891 		old_txq_quantum = rdev->wiphy.txq_quantum;
3892 
3893 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3894 			rdev->wiphy.retry_short = retry_short;
3895 		if (changed & WIPHY_PARAM_RETRY_LONG)
3896 			rdev->wiphy.retry_long = retry_long;
3897 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3898 			rdev->wiphy.frag_threshold = frag_threshold;
3899 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3900 			rdev->wiphy.rts_threshold = rts_threshold;
3901 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3902 			rdev->wiphy.coverage_class = coverage_class;
3903 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3904 			rdev->wiphy.txq_limit = txq_limit;
3905 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3906 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3907 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3908 			rdev->wiphy.txq_quantum = txq_quantum;
3909 
3910 		result = rdev_set_wiphy_params(rdev, changed);
3911 		if (result) {
3912 			rdev->wiphy.retry_short = old_retry_short;
3913 			rdev->wiphy.retry_long = old_retry_long;
3914 			rdev->wiphy.frag_threshold = old_frag_threshold;
3915 			rdev->wiphy.rts_threshold = old_rts_threshold;
3916 			rdev->wiphy.coverage_class = old_coverage_class;
3917 			rdev->wiphy.txq_limit = old_txq_limit;
3918 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3919 			rdev->wiphy.txq_quantum = old_txq_quantum;
3920 			goto out;
3921 		}
3922 	}
3923 
3924 	result = 0;
3925 
3926 out:
3927 	wiphy_unlock(&rdev->wiphy);
3928 	return result;
3929 }
3930 
3931 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3932 {
3933 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3934 		return -EINVAL;
3935 
3936 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3937 			chandef->chan->center_freq))
3938 		return -ENOBUFS;
3939 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3940 			chandef->chan->freq_offset))
3941 		return -ENOBUFS;
3942 	switch (chandef->width) {
3943 	case NL80211_CHAN_WIDTH_20_NOHT:
3944 	case NL80211_CHAN_WIDTH_20:
3945 	case NL80211_CHAN_WIDTH_40:
3946 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3947 				cfg80211_get_chandef_type(chandef)))
3948 			return -ENOBUFS;
3949 		break;
3950 	default:
3951 		break;
3952 	}
3953 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3954 		return -ENOBUFS;
3955 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3956 		return -ENOBUFS;
3957 	if (chandef->center_freq2 &&
3958 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3959 		return -ENOBUFS;
3960 	if (chandef->punctured &&
3961 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3962 		return -ENOBUFS;
3963 
3964 	return 0;
3965 }
3966 EXPORT_SYMBOL(nl80211_send_chandef);
3967 
3968 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3969 			      struct cfg80211_registered_device *rdev,
3970 			      struct wireless_dev *wdev,
3971 			      enum nl80211_commands cmd)
3972 {
3973 	struct net_device *dev = wdev->netdev;
3974 	void *hdr;
3975 
3976 	lockdep_assert_wiphy(&rdev->wiphy);
3977 
3978 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3979 		cmd != NL80211_CMD_DEL_INTERFACE &&
3980 		cmd != NL80211_CMD_SET_INTERFACE);
3981 
3982 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3983 	if (!hdr)
3984 		return -1;
3985 
3986 	if (dev &&
3987 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3988 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3989 		goto nla_put_failure;
3990 
3991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3992 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3993 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3994 			      NL80211_ATTR_PAD) ||
3995 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3996 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3997 			rdev->devlist_generation ^
3998 			(cfg80211_rdev_list_generation << 2)) ||
3999 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
4000 		goto nla_put_failure;
4001 
4002 	if (rdev->ops->get_channel && !wdev->valid_links) {
4003 		struct cfg80211_chan_def chandef = {};
4004 		int ret;
4005 
4006 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4007 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4008 			goto nla_put_failure;
4009 	}
4010 
4011 	if (rdev->ops->get_tx_power) {
4012 		int dbm, ret;
4013 
4014 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
4015 		if (ret == 0 &&
4016 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4017 				DBM_TO_MBM(dbm)))
4018 			goto nla_put_failure;
4019 	}
4020 
4021 	switch (wdev->iftype) {
4022 	case NL80211_IFTYPE_AP:
4023 	case NL80211_IFTYPE_P2P_GO:
4024 		if (wdev->u.ap.ssid_len &&
4025 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4026 			    wdev->u.ap.ssid))
4027 			goto nla_put_failure;
4028 		break;
4029 	case NL80211_IFTYPE_STATION:
4030 	case NL80211_IFTYPE_P2P_CLIENT:
4031 		if (wdev->u.client.ssid_len &&
4032 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4033 			    wdev->u.client.ssid))
4034 			goto nla_put_failure;
4035 		break;
4036 	case NL80211_IFTYPE_ADHOC:
4037 		if (wdev->u.ibss.ssid_len &&
4038 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4039 			    wdev->u.ibss.ssid))
4040 			goto nla_put_failure;
4041 		break;
4042 	default:
4043 		/* nothing */
4044 		break;
4045 	}
4046 
4047 	if (rdev->ops->get_txq_stats) {
4048 		struct cfg80211_txq_stats txqstats = {};
4049 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4050 
4051 		if (ret == 0 &&
4052 		    !nl80211_put_txq_stats(msg, &txqstats,
4053 					   NL80211_ATTR_TXQ_STATS))
4054 			goto nla_put_failure;
4055 	}
4056 
4057 	if (wdev->valid_links) {
4058 		unsigned int link_id;
4059 		struct nlattr *links = nla_nest_start(msg,
4060 						      NL80211_ATTR_MLO_LINKS);
4061 
4062 		if (!links)
4063 			goto nla_put_failure;
4064 
4065 		for_each_valid_link(wdev, link_id) {
4066 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4067 			struct cfg80211_chan_def chandef = {};
4068 			int ret;
4069 
4070 			if (!link)
4071 				goto nla_put_failure;
4072 
4073 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4074 				goto nla_put_failure;
4075 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4076 				    wdev->links[link_id].addr))
4077 				goto nla_put_failure;
4078 
4079 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4080 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4081 				goto nla_put_failure;
4082 
4083 			nla_nest_end(msg, link);
4084 		}
4085 
4086 		nla_nest_end(msg, links);
4087 	}
4088 
4089 	genlmsg_end(msg, hdr);
4090 	return 0;
4091 
4092  nla_put_failure:
4093 	genlmsg_cancel(msg, hdr);
4094 	return -EMSGSIZE;
4095 }
4096 
4097 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4098 {
4099 	int wp_idx = 0;
4100 	int if_idx = 0;
4101 	int wp_start = cb->args[0];
4102 	int if_start = cb->args[1];
4103 	int filter_wiphy = -1;
4104 	struct cfg80211_registered_device *rdev;
4105 	struct wireless_dev *wdev;
4106 	int ret;
4107 
4108 	rtnl_lock();
4109 	if (!cb->args[2]) {
4110 		struct nl80211_dump_wiphy_state state = {
4111 			.filter_wiphy = -1,
4112 		};
4113 
4114 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4115 		if (ret)
4116 			goto out_unlock;
4117 
4118 		filter_wiphy = state.filter_wiphy;
4119 
4120 		/*
4121 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4122 		 * value needed to determine that parsing is necessary.
4123 		 */
4124 		if (filter_wiphy >= 0)
4125 			cb->args[2] = filter_wiphy + 1;
4126 		else
4127 			cb->args[2] = -1;
4128 	} else if (cb->args[2] > 0) {
4129 		filter_wiphy = cb->args[2] - 1;
4130 	}
4131 
4132 	for_each_rdev(rdev) {
4133 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4134 			continue;
4135 		if (wp_idx < wp_start) {
4136 			wp_idx++;
4137 			continue;
4138 		}
4139 
4140 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4141 			continue;
4142 
4143 		if_idx = 0;
4144 
4145 		wiphy_lock(&rdev->wiphy);
4146 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4147 			if (if_idx < if_start) {
4148 				if_idx++;
4149 				continue;
4150 			}
4151 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4152 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4153 					       rdev, wdev,
4154 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4155 				wiphy_unlock(&rdev->wiphy);
4156 				goto out;
4157 			}
4158 			if_idx++;
4159 		}
4160 		wiphy_unlock(&rdev->wiphy);
4161 
4162 		if_start = 0;
4163 		wp_idx++;
4164 	}
4165  out:
4166 	cb->args[0] = wp_idx;
4167 	cb->args[1] = if_idx;
4168 
4169 	ret = skb->len;
4170  out_unlock:
4171 	rtnl_unlock();
4172 
4173 	return ret;
4174 }
4175 
4176 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4177 {
4178 	struct sk_buff *msg;
4179 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4180 	struct wireless_dev *wdev = info->user_ptr[1];
4181 
4182 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4183 	if (!msg)
4184 		return -ENOMEM;
4185 
4186 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4187 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4188 		nlmsg_free(msg);
4189 		return -ENOBUFS;
4190 	}
4191 
4192 	return genlmsg_reply(msg, info);
4193 }
4194 
4195 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4196 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4197 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4198 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4199 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4200 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4201 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4202 };
4203 
4204 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4205 {
4206 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4207 	int flag;
4208 
4209 	*mntrflags = 0;
4210 
4211 	if (!nla)
4212 		return -EINVAL;
4213 
4214 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4215 		return -EINVAL;
4216 
4217 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4218 		if (flags[flag])
4219 			*mntrflags |= (1<<flag);
4220 
4221 	*mntrflags |= MONITOR_FLAG_CHANGED;
4222 
4223 	return 0;
4224 }
4225 
4226 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4227 				     enum nl80211_iftype type,
4228 				     struct genl_info *info,
4229 				     struct vif_params *params)
4230 {
4231 	bool change = false;
4232 	int err;
4233 
4234 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4235 		if (type != NL80211_IFTYPE_MONITOR)
4236 			return -EINVAL;
4237 
4238 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4239 					  &params->flags);
4240 		if (err)
4241 			return err;
4242 
4243 		change = true;
4244 	}
4245 
4246 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4247 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4248 		return -EOPNOTSUPP;
4249 
4250 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4251 		const u8 *mumimo_groups;
4252 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4253 
4254 		if (type != NL80211_IFTYPE_MONITOR)
4255 			return -EINVAL;
4256 
4257 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4258 			return -EOPNOTSUPP;
4259 
4260 		mumimo_groups =
4261 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4262 
4263 		/* bits 0 and 63 are reserved and must be zero */
4264 		if ((mumimo_groups[0] & BIT(0)) ||
4265 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4266 			return -EINVAL;
4267 
4268 		params->vht_mumimo_groups = mumimo_groups;
4269 		change = true;
4270 	}
4271 
4272 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4273 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4274 
4275 		if (type != NL80211_IFTYPE_MONITOR)
4276 			return -EINVAL;
4277 
4278 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4279 			return -EOPNOTSUPP;
4280 
4281 		params->vht_mumimo_follow_addr =
4282 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4283 		change = true;
4284 	}
4285 
4286 	return change ? 1 : 0;
4287 }
4288 
4289 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4290 			       struct net_device *netdev, u8 use_4addr,
4291 			       enum nl80211_iftype iftype)
4292 {
4293 	if (!use_4addr) {
4294 		if (netdev && netif_is_bridge_port(netdev))
4295 			return -EBUSY;
4296 		return 0;
4297 	}
4298 
4299 	switch (iftype) {
4300 	case NL80211_IFTYPE_AP_VLAN:
4301 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4302 			return 0;
4303 		break;
4304 	case NL80211_IFTYPE_STATION:
4305 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4306 			return 0;
4307 		break;
4308 	default:
4309 		break;
4310 	}
4311 
4312 	return -EOPNOTSUPP;
4313 }
4314 
4315 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4316 {
4317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4318 	struct vif_params params;
4319 	int err;
4320 	enum nl80211_iftype otype, ntype;
4321 	struct net_device *dev = info->user_ptr[1];
4322 	bool change = false;
4323 
4324 	memset(&params, 0, sizeof(params));
4325 
4326 	otype = ntype = dev->ieee80211_ptr->iftype;
4327 
4328 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4329 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4330 		if (otype != ntype)
4331 			change = true;
4332 	}
4333 
4334 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4335 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4336 
4337 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4338 			return -EINVAL;
4339 		if (otype != NL80211_IFTYPE_MESH_POINT)
4340 			return -EINVAL;
4341 		if (netif_running(dev))
4342 			return -EBUSY;
4343 
4344 		wdev->u.mesh.id_up_len =
4345 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4346 		memcpy(wdev->u.mesh.id,
4347 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4348 		       wdev->u.mesh.id_up_len);
4349 	}
4350 
4351 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4352 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4353 		change = true;
4354 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4355 		if (err)
4356 			return err;
4357 	} else {
4358 		params.use_4addr = -1;
4359 	}
4360 
4361 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4362 	if (err < 0)
4363 		return err;
4364 	if (err > 0)
4365 		change = true;
4366 
4367 	if (change)
4368 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4369 	else
4370 		err = 0;
4371 
4372 	if (!err && params.use_4addr != -1)
4373 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4374 
4375 	if (change && !err) {
4376 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4377 
4378 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4379 	}
4380 
4381 	return err;
4382 }
4383 
4384 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4385 {
4386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4387 	struct vif_params params;
4388 	struct wireless_dev *wdev;
4389 	struct sk_buff *msg;
4390 	int err;
4391 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4392 
4393 	memset(&params, 0, sizeof(params));
4394 
4395 	if (!info->attrs[NL80211_ATTR_IFNAME])
4396 		return -EINVAL;
4397 
4398 	if (info->attrs[NL80211_ATTR_IFTYPE])
4399 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4400 
4401 	if (!rdev->ops->add_virtual_intf)
4402 		return -EOPNOTSUPP;
4403 
4404 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4405 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4406 	    info->attrs[NL80211_ATTR_MAC]) {
4407 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4408 			   ETH_ALEN);
4409 		if (!is_valid_ether_addr(params.macaddr))
4410 			return -EADDRNOTAVAIL;
4411 	}
4412 
4413 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4414 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4415 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4416 		if (err)
4417 			return err;
4418 	}
4419 
4420 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4421 		return -EOPNOTSUPP;
4422 
4423 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4424 	if (err < 0)
4425 		return err;
4426 
4427 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4428 	if (!msg)
4429 		return -ENOMEM;
4430 
4431 	wdev = rdev_add_virtual_intf(rdev,
4432 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4433 				NET_NAME_USER, type, &params);
4434 	if (WARN_ON(!wdev)) {
4435 		nlmsg_free(msg);
4436 		return -EPROTO;
4437 	} else if (IS_ERR(wdev)) {
4438 		nlmsg_free(msg);
4439 		return PTR_ERR(wdev);
4440 	}
4441 
4442 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4443 		wdev->owner_nlportid = info->snd_portid;
4444 
4445 	switch (type) {
4446 	case NL80211_IFTYPE_MESH_POINT:
4447 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4448 			break;
4449 		wdev->u.mesh.id_up_len =
4450 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4451 		memcpy(wdev->u.mesh.id,
4452 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4453 		       wdev->u.mesh.id_up_len);
4454 		break;
4455 	case NL80211_IFTYPE_NAN:
4456 	case NL80211_IFTYPE_P2P_DEVICE:
4457 		/*
4458 		 * P2P Device and NAN do not have a netdev, so don't go
4459 		 * through the netdev notifier and must be added here
4460 		 */
4461 		cfg80211_init_wdev(wdev);
4462 		cfg80211_register_wdev(rdev, wdev);
4463 		break;
4464 	default:
4465 		break;
4466 	}
4467 
4468 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4469 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4470 		nlmsg_free(msg);
4471 		return -ENOBUFS;
4472 	}
4473 
4474 	return genlmsg_reply(msg, info);
4475 }
4476 
4477 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4478 {
4479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4480 	int ret;
4481 
4482 	/* to avoid failing a new interface creation due to pending removal */
4483 	cfg80211_destroy_ifaces(rdev);
4484 
4485 	wiphy_lock(&rdev->wiphy);
4486 	ret = _nl80211_new_interface(skb, info);
4487 	wiphy_unlock(&rdev->wiphy);
4488 
4489 	return ret;
4490 }
4491 
4492 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4493 {
4494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4495 	struct wireless_dev *wdev = info->user_ptr[1];
4496 
4497 	if (!rdev->ops->del_virtual_intf)
4498 		return -EOPNOTSUPP;
4499 
4500 	/*
4501 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4502 	 * reach 0, and thus the rdev cannot be deleted.
4503 	 *
4504 	 * We need to do it for the dev_close(), since that will call
4505 	 * the netdev notifiers, and we need to acquire the mutex there
4506 	 * but don't know if we get there from here or from some other
4507 	 * place (e.g. "ip link set ... down").
4508 	 */
4509 	mutex_unlock(&rdev->wiphy.mtx);
4510 
4511 	/*
4512 	 * If we remove a wireless device without a netdev then clear
4513 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4514 	 * to check if it needs to do dev_put(). Otherwise it crashes
4515 	 * since the wdev has been freed, unlike with a netdev where
4516 	 * we need the dev_put() for the netdev to really be freed.
4517 	 */
4518 	if (!wdev->netdev)
4519 		info->user_ptr[1] = NULL;
4520 	else
4521 		dev_close(wdev->netdev);
4522 
4523 	mutex_lock(&rdev->wiphy.mtx);
4524 
4525 	return cfg80211_remove_virtual_intf(rdev, wdev);
4526 }
4527 
4528 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4529 {
4530 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4531 	struct net_device *dev = info->user_ptr[1];
4532 	u16 noack_map;
4533 
4534 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4535 		return -EINVAL;
4536 
4537 	if (!rdev->ops->set_noack_map)
4538 		return -EOPNOTSUPP;
4539 
4540 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4541 
4542 	return rdev_set_noack_map(rdev, dev, noack_map);
4543 }
4544 
4545 static int nl80211_validate_key_link_id(struct genl_info *info,
4546 					struct wireless_dev *wdev,
4547 					int link_id, bool pairwise)
4548 {
4549 	if (pairwise) {
4550 		if (link_id != -1) {
4551 			GENL_SET_ERR_MSG(info,
4552 					 "link ID not allowed for pairwise key");
4553 			return -EINVAL;
4554 		}
4555 
4556 		return 0;
4557 	}
4558 
4559 	if (wdev->valid_links) {
4560 		if (link_id == -1) {
4561 			GENL_SET_ERR_MSG(info,
4562 					 "link ID must for MLO group key");
4563 			return -EINVAL;
4564 		}
4565 		if (!(wdev->valid_links & BIT(link_id))) {
4566 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4567 			return -EINVAL;
4568 		}
4569 	} else if (link_id != -1) {
4570 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4571 		return -EINVAL;
4572 	}
4573 
4574 	return 0;
4575 }
4576 
4577 struct get_key_cookie {
4578 	struct sk_buff *msg;
4579 	int error;
4580 	int idx;
4581 };
4582 
4583 static void get_key_callback(void *c, struct key_params *params)
4584 {
4585 	struct nlattr *key;
4586 	struct get_key_cookie *cookie = c;
4587 
4588 	if ((params->seq &&
4589 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4590 		     params->seq_len, params->seq)) ||
4591 	    (params->cipher &&
4592 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4593 			 params->cipher)))
4594 		goto nla_put_failure;
4595 
4596 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4597 	if (!key)
4598 		goto nla_put_failure;
4599 
4600 	if ((params->seq &&
4601 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4602 		     params->seq_len, params->seq)) ||
4603 	    (params->cipher &&
4604 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4605 			 params->cipher)))
4606 		goto nla_put_failure;
4607 
4608 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4609 		goto nla_put_failure;
4610 
4611 	nla_nest_end(cookie->msg, key);
4612 
4613 	return;
4614  nla_put_failure:
4615 	cookie->error = 1;
4616 }
4617 
4618 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4619 {
4620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4621 	int err;
4622 	struct net_device *dev = info->user_ptr[1];
4623 	u8 key_idx = 0;
4624 	const u8 *mac_addr = NULL;
4625 	bool pairwise;
4626 	struct get_key_cookie cookie = {
4627 		.error = 0,
4628 	};
4629 	void *hdr;
4630 	struct sk_buff *msg;
4631 	bool bigtk_support = false;
4632 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4633 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4634 
4635 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4636 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4637 		bigtk_support = true;
4638 
4639 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4640 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4641 	    wiphy_ext_feature_isset(&rdev->wiphy,
4642 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4643 		bigtk_support = true;
4644 
4645 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4646 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4647 
4648 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4649 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4650 			return -EINVAL;
4651 		}
4652 	}
4653 
4654 	if (info->attrs[NL80211_ATTR_MAC])
4655 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4656 
4657 	pairwise = !!mac_addr;
4658 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4659 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4660 
4661 		if (kt != NL80211_KEYTYPE_GROUP &&
4662 		    kt != NL80211_KEYTYPE_PAIRWISE)
4663 			return -EINVAL;
4664 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4665 	}
4666 
4667 	if (!rdev->ops->get_key)
4668 		return -EOPNOTSUPP;
4669 
4670 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4671 		return -ENOENT;
4672 
4673 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4674 	if (!msg)
4675 		return -ENOMEM;
4676 
4677 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4678 			     NL80211_CMD_NEW_KEY);
4679 	if (!hdr)
4680 		goto nla_put_failure;
4681 
4682 	cookie.msg = msg;
4683 	cookie.idx = key_idx;
4684 
4685 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4686 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4687 		goto nla_put_failure;
4688 	if (mac_addr &&
4689 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4690 		goto nla_put_failure;
4691 
4692 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4693 	if (err)
4694 		goto free_msg;
4695 
4696 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4697 			   &cookie, get_key_callback);
4698 
4699 	if (err)
4700 		goto free_msg;
4701 
4702 	if (cookie.error)
4703 		goto nla_put_failure;
4704 
4705 	genlmsg_end(msg, hdr);
4706 	return genlmsg_reply(msg, info);
4707 
4708  nla_put_failure:
4709 	err = -ENOBUFS;
4710  free_msg:
4711 	nlmsg_free(msg);
4712 	return err;
4713 }
4714 
4715 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4716 {
4717 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4718 	struct key_parse key;
4719 	int err;
4720 	struct net_device *dev = info->user_ptr[1];
4721 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4723 
4724 	err = nl80211_parse_key(info, &key);
4725 	if (err)
4726 		return err;
4727 
4728 	if (key.idx < 0)
4729 		return -EINVAL;
4730 
4731 	/* Only support setting default key and
4732 	 * Extended Key ID action NL80211_KEY_SET_TX.
4733 	 */
4734 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4735 	    !(key.p.mode == NL80211_KEY_SET_TX))
4736 		return -EINVAL;
4737 
4738 	if (key.def) {
4739 		if (!rdev->ops->set_default_key)
4740 			return -EOPNOTSUPP;
4741 
4742 		err = nl80211_key_allowed(wdev);
4743 		if (err)
4744 			return err;
4745 
4746 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4747 		if (err)
4748 			return err;
4749 
4750 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4751 					   key.def_uni, key.def_multi);
4752 
4753 		if (err)
4754 			return err;
4755 
4756 #ifdef CONFIG_CFG80211_WEXT
4757 		wdev->wext.default_key = key.idx;
4758 #endif
4759 		return 0;
4760 	} else if (key.defmgmt) {
4761 		if (key.def_uni || !key.def_multi)
4762 			return -EINVAL;
4763 
4764 		if (!rdev->ops->set_default_mgmt_key)
4765 			return -EOPNOTSUPP;
4766 
4767 		err = nl80211_key_allowed(wdev);
4768 		if (err)
4769 			return err;
4770 
4771 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4772 		if (err)
4773 			return err;
4774 
4775 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4776 		if (err)
4777 			return err;
4778 
4779 #ifdef CONFIG_CFG80211_WEXT
4780 		wdev->wext.default_mgmt_key = key.idx;
4781 #endif
4782 		return 0;
4783 	} else if (key.defbeacon) {
4784 		if (key.def_uni || !key.def_multi)
4785 			return -EINVAL;
4786 
4787 		if (!rdev->ops->set_default_beacon_key)
4788 			return -EOPNOTSUPP;
4789 
4790 		err = nl80211_key_allowed(wdev);
4791 		if (err)
4792 			return err;
4793 
4794 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4795 		if (err)
4796 			return err;
4797 
4798 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4799 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4800 		   wiphy_ext_feature_isset(&rdev->wiphy,
4801 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4802 		u8 *mac_addr = NULL;
4803 
4804 		if (info->attrs[NL80211_ATTR_MAC])
4805 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4806 
4807 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4808 			return -EINVAL;
4809 
4810 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4811 		if (err)
4812 			return err;
4813 
4814 		return rdev_add_key(rdev, dev, link_id, key.idx,
4815 				    NL80211_KEYTYPE_PAIRWISE,
4816 				    mac_addr, &key.p);
4817 	}
4818 
4819 	return -EINVAL;
4820 }
4821 
4822 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4823 {
4824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4825 	int err;
4826 	struct net_device *dev = info->user_ptr[1];
4827 	struct key_parse key;
4828 	const u8 *mac_addr = NULL;
4829 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4830 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4831 
4832 	err = nl80211_parse_key(info, &key);
4833 	if (err)
4834 		return err;
4835 
4836 	if (!key.p.key) {
4837 		GENL_SET_ERR_MSG(info, "no key");
4838 		return -EINVAL;
4839 	}
4840 
4841 	if (info->attrs[NL80211_ATTR_MAC])
4842 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4843 
4844 	if (key.type == -1) {
4845 		if (mac_addr)
4846 			key.type = NL80211_KEYTYPE_PAIRWISE;
4847 		else
4848 			key.type = NL80211_KEYTYPE_GROUP;
4849 	}
4850 
4851 	/* for now */
4852 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4853 	    key.type != NL80211_KEYTYPE_GROUP) {
4854 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4855 		return -EINVAL;
4856 	}
4857 
4858 	if (key.type == NL80211_KEYTYPE_GROUP &&
4859 	    info->attrs[NL80211_ATTR_VLAN_ID])
4860 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4861 
4862 	if (!rdev->ops->add_key)
4863 		return -EOPNOTSUPP;
4864 
4865 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4866 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4867 					   mac_addr)) {
4868 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4869 		return -EINVAL;
4870 	}
4871 
4872 	err = nl80211_key_allowed(wdev);
4873 	if (err)
4874 		GENL_SET_ERR_MSG(info, "key not allowed");
4875 
4876 	if (!err)
4877 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4878 				key.type == NL80211_KEYTYPE_PAIRWISE);
4879 
4880 	if (!err) {
4881 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4882 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4883 				    mac_addr, &key.p);
4884 		if (err)
4885 			GENL_SET_ERR_MSG(info, "key addition failed");
4886 	}
4887 
4888 	return err;
4889 }
4890 
4891 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4892 {
4893 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4894 	int err;
4895 	struct net_device *dev = info->user_ptr[1];
4896 	u8 *mac_addr = NULL;
4897 	struct key_parse key;
4898 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4899 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4900 
4901 	err = nl80211_parse_key(info, &key);
4902 	if (err)
4903 		return err;
4904 
4905 	if (info->attrs[NL80211_ATTR_MAC])
4906 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4907 
4908 	if (key.type == -1) {
4909 		if (mac_addr)
4910 			key.type = NL80211_KEYTYPE_PAIRWISE;
4911 		else
4912 			key.type = NL80211_KEYTYPE_GROUP;
4913 	}
4914 
4915 	/* for now */
4916 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4917 	    key.type != NL80211_KEYTYPE_GROUP)
4918 		return -EINVAL;
4919 
4920 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4921 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4922 		return -EINVAL;
4923 
4924 	if (!rdev->ops->del_key)
4925 		return -EOPNOTSUPP;
4926 
4927 	err = nl80211_key_allowed(wdev);
4928 
4929 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4930 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4931 		err = -ENOENT;
4932 
4933 	if (!err)
4934 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4935 				key.type == NL80211_KEYTYPE_PAIRWISE);
4936 
4937 	if (!err)
4938 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4939 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4940 				   mac_addr);
4941 
4942 #ifdef CONFIG_CFG80211_WEXT
4943 	if (!err) {
4944 		if (key.idx == wdev->wext.default_key)
4945 			wdev->wext.default_key = -1;
4946 		else if (key.idx == wdev->wext.default_mgmt_key)
4947 			wdev->wext.default_mgmt_key = -1;
4948 	}
4949 #endif
4950 
4951 	return err;
4952 }
4953 
4954 /* This function returns an error or the number of nested attributes */
4955 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4956 {
4957 	struct nlattr *attr;
4958 	int n_entries = 0, tmp;
4959 
4960 	nla_for_each_nested(attr, nl_attr, tmp) {
4961 		if (nla_len(attr) != ETH_ALEN)
4962 			return -EINVAL;
4963 
4964 		n_entries++;
4965 	}
4966 
4967 	return n_entries;
4968 }
4969 
4970 /*
4971  * This function parses ACL information and allocates memory for ACL data.
4972  * On successful return, the calling function is responsible to free the
4973  * ACL buffer returned by this function.
4974  */
4975 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4976 						struct genl_info *info)
4977 {
4978 	enum nl80211_acl_policy acl_policy;
4979 	struct nlattr *attr;
4980 	struct cfg80211_acl_data *acl;
4981 	int i = 0, n_entries, tmp;
4982 
4983 	if (!wiphy->max_acl_mac_addrs)
4984 		return ERR_PTR(-EOPNOTSUPP);
4985 
4986 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4987 		return ERR_PTR(-EINVAL);
4988 
4989 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4990 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4991 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4992 		return ERR_PTR(-EINVAL);
4993 
4994 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4995 		return ERR_PTR(-EINVAL);
4996 
4997 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4998 	if (n_entries < 0)
4999 		return ERR_PTR(n_entries);
5000 
5001 	if (n_entries > wiphy->max_acl_mac_addrs)
5002 		return ERR_PTR(-EOPNOTSUPP);
5003 
5004 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5005 	if (!acl)
5006 		return ERR_PTR(-ENOMEM);
5007 	acl->n_acl_entries = n_entries;
5008 
5009 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5010 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5011 		i++;
5012 	}
5013 	acl->acl_policy = acl_policy;
5014 
5015 	return acl;
5016 }
5017 
5018 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5019 {
5020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5021 	struct net_device *dev = info->user_ptr[1];
5022 	struct cfg80211_acl_data *acl;
5023 	int err;
5024 
5025 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5026 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5027 		return -EOPNOTSUPP;
5028 
5029 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5030 		return -EINVAL;
5031 
5032 	acl = parse_acl_data(&rdev->wiphy, info);
5033 	if (IS_ERR(acl))
5034 		return PTR_ERR(acl);
5035 
5036 	err = rdev_set_mac_acl(rdev, dev, acl);
5037 
5038 	kfree(acl);
5039 
5040 	return err;
5041 }
5042 
5043 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5044 			   u8 *rates, u8 rates_len)
5045 {
5046 	u8 i;
5047 	u32 mask = 0;
5048 
5049 	for (i = 0; i < rates_len; i++) {
5050 		int rate = (rates[i] & 0x7f) * 5;
5051 		int ridx;
5052 
5053 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5054 			struct ieee80211_rate *srate =
5055 				&sband->bitrates[ridx];
5056 			if (rate == srate->bitrate) {
5057 				mask |= 1 << ridx;
5058 				break;
5059 			}
5060 		}
5061 		if (ridx == sband->n_bitrates)
5062 			return 0; /* rate not found */
5063 	}
5064 
5065 	return mask;
5066 }
5067 
5068 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5069 			       u8 *rates, u8 rates_len,
5070 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5071 {
5072 	u8 i;
5073 
5074 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5075 
5076 	for (i = 0; i < rates_len; i++) {
5077 		int ridx, rbit;
5078 
5079 		ridx = rates[i] / 8;
5080 		rbit = BIT(rates[i] % 8);
5081 
5082 		/* check validity */
5083 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5084 			return false;
5085 
5086 		/* check availability */
5087 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5088 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5089 			mcs[ridx] |= rbit;
5090 		else
5091 			return false;
5092 	}
5093 
5094 	return true;
5095 }
5096 
5097 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5098 {
5099 	u16 mcs_mask = 0;
5100 
5101 	switch (vht_mcs_map) {
5102 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5103 		break;
5104 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5105 		mcs_mask = 0x00FF;
5106 		break;
5107 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5108 		mcs_mask = 0x01FF;
5109 		break;
5110 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5111 		mcs_mask = 0x03FF;
5112 		break;
5113 	default:
5114 		break;
5115 	}
5116 
5117 	return mcs_mask;
5118 }
5119 
5120 static void vht_build_mcs_mask(u16 vht_mcs_map,
5121 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5122 {
5123 	u8 nss;
5124 
5125 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5126 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5127 		vht_mcs_map >>= 2;
5128 	}
5129 }
5130 
5131 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5132 			     struct nl80211_txrate_vht *txrate,
5133 			     u16 mcs[NL80211_VHT_NSS_MAX])
5134 {
5135 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5136 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5137 	u8 i;
5138 
5139 	if (!sband->vht_cap.vht_supported)
5140 		return false;
5141 
5142 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5143 
5144 	/* Build vht_mcs_mask from VHT capabilities */
5145 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5146 
5147 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5148 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5149 			mcs[i] = txrate->mcs[i];
5150 		else
5151 			return false;
5152 	}
5153 
5154 	return true;
5155 }
5156 
5157 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5158 {
5159 	switch (he_mcs_map) {
5160 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5161 		return 0;
5162 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5163 		return 0x00FF;
5164 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5165 		return 0x03FF;
5166 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5167 		return 0xFFF;
5168 	default:
5169 		break;
5170 	}
5171 	return 0;
5172 }
5173 
5174 static void he_build_mcs_mask(u16 he_mcs_map,
5175 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5176 {
5177 	u8 nss;
5178 
5179 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5180 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5181 		he_mcs_map >>= 2;
5182 	}
5183 }
5184 
5185 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5186 			   const struct ieee80211_sta_he_cap *he_cap)
5187 {
5188 	struct net_device *dev = info->user_ptr[1];
5189 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5190 	struct cfg80211_chan_def *chandef;
5191 	__le16 tx_mcs;
5192 
5193 	chandef = wdev_chandef(wdev, link_id);
5194 	if (!chandef) {
5195 		/*
5196 		 * This is probably broken, but we never maintained
5197 		 * a chandef in these cases, so it always was.
5198 		 */
5199 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5200 	}
5201 
5202 	switch (chandef->width) {
5203 	case NL80211_CHAN_WIDTH_80P80:
5204 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5205 		break;
5206 	case NL80211_CHAN_WIDTH_160:
5207 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5208 		break;
5209 	default:
5210 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5211 		break;
5212 	}
5213 
5214 	return le16_to_cpu(tx_mcs);
5215 }
5216 
5217 static bool he_set_mcs_mask(struct genl_info *info,
5218 			    struct wireless_dev *wdev,
5219 			    struct ieee80211_supported_band *sband,
5220 			    struct nl80211_txrate_he *txrate,
5221 			    u16 mcs[NL80211_HE_NSS_MAX],
5222 			    unsigned int link_id)
5223 {
5224 	const struct ieee80211_sta_he_cap *he_cap;
5225 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5226 	u16 tx_mcs_map = 0;
5227 	u8 i;
5228 
5229 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5230 	if (!he_cap)
5231 		return false;
5232 
5233 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5234 
5235 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5236 
5237 	/* Build he_mcs_mask from HE capabilities */
5238 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5239 
5240 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5241 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5242 			mcs[i] = txrate->mcs[i];
5243 		else
5244 			return false;
5245 	}
5246 
5247 	return true;
5248 }
5249 
5250 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5251 					 struct nlattr *attrs[],
5252 					 enum nl80211_attrs attr,
5253 					 struct cfg80211_bitrate_mask *mask,
5254 					 struct net_device *dev,
5255 					 bool default_all_enabled,
5256 					 unsigned int link_id)
5257 {
5258 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5260 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5261 	int rem, i;
5262 	struct nlattr *tx_rates;
5263 	struct ieee80211_supported_band *sband;
5264 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5265 
5266 	memset(mask, 0, sizeof(*mask));
5267 	/* Default to all rates enabled */
5268 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5269 		const struct ieee80211_sta_he_cap *he_cap;
5270 
5271 		if (!default_all_enabled)
5272 			break;
5273 
5274 		sband = rdev->wiphy.bands[i];
5275 
5276 		if (!sband)
5277 			continue;
5278 
5279 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5280 		memcpy(mask->control[i].ht_mcs,
5281 		       sband->ht_cap.mcs.rx_mask,
5282 		       sizeof(mask->control[i].ht_mcs));
5283 
5284 		if (sband->vht_cap.vht_supported) {
5285 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5286 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5287 		}
5288 
5289 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5290 		if (!he_cap)
5291 			continue;
5292 
5293 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5294 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5295 
5296 		mask->control[i].he_gi = 0xFF;
5297 		mask->control[i].he_ltf = 0xFF;
5298 	}
5299 
5300 	/* if no rates are given set it back to the defaults */
5301 	if (!attrs[attr])
5302 		goto out;
5303 
5304 	/* The nested attribute uses enum nl80211_band as the index. This maps
5305 	 * directly to the enum nl80211_band values used in cfg80211.
5306 	 */
5307 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5308 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5309 		enum nl80211_band band = nla_type(tx_rates);
5310 		int err;
5311 
5312 		if (band < 0 || band >= NUM_NL80211_BANDS)
5313 			return -EINVAL;
5314 		sband = rdev->wiphy.bands[band];
5315 		if (sband == NULL)
5316 			return -EINVAL;
5317 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5318 						  tx_rates,
5319 						  nl80211_txattr_policy,
5320 						  info->extack);
5321 		if (err)
5322 			return err;
5323 		if (tb[NL80211_TXRATE_LEGACY]) {
5324 			mask->control[band].legacy = rateset_to_mask(
5325 				sband,
5326 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5327 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5328 			if ((mask->control[band].legacy == 0) &&
5329 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5330 				return -EINVAL;
5331 		}
5332 		if (tb[NL80211_TXRATE_HT]) {
5333 			if (!ht_rateset_to_mask(
5334 					sband,
5335 					nla_data(tb[NL80211_TXRATE_HT]),
5336 					nla_len(tb[NL80211_TXRATE_HT]),
5337 					mask->control[band].ht_mcs))
5338 				return -EINVAL;
5339 		}
5340 
5341 		if (tb[NL80211_TXRATE_VHT]) {
5342 			if (!vht_set_mcs_mask(
5343 					sband,
5344 					nla_data(tb[NL80211_TXRATE_VHT]),
5345 					mask->control[band].vht_mcs))
5346 				return -EINVAL;
5347 		}
5348 
5349 		if (tb[NL80211_TXRATE_GI]) {
5350 			mask->control[band].gi =
5351 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5352 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5353 				return -EINVAL;
5354 		}
5355 		if (tb[NL80211_TXRATE_HE] &&
5356 		    !he_set_mcs_mask(info, wdev, sband,
5357 				     nla_data(tb[NL80211_TXRATE_HE]),
5358 				     mask->control[band].he_mcs,
5359 				     link_id))
5360 			return -EINVAL;
5361 
5362 		if (tb[NL80211_TXRATE_HE_GI])
5363 			mask->control[band].he_gi =
5364 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5365 		if (tb[NL80211_TXRATE_HE_LTF])
5366 			mask->control[band].he_ltf =
5367 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5368 
5369 		if (mask->control[band].legacy == 0) {
5370 			/* don't allow empty legacy rates if HT, VHT or HE
5371 			 * are not even supported.
5372 			 */
5373 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5374 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5375 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5376 				return -EINVAL;
5377 
5378 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5379 				if (mask->control[band].ht_mcs[i])
5380 					goto out;
5381 
5382 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5383 				if (mask->control[band].vht_mcs[i])
5384 					goto out;
5385 
5386 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5387 				if (mask->control[band].he_mcs[i])
5388 					goto out;
5389 
5390 			/* legacy and mcs rates may not be both empty */
5391 			return -EINVAL;
5392 		}
5393 	}
5394 
5395 out:
5396 	return 0;
5397 }
5398 
5399 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5400 				   enum nl80211_band band,
5401 				   struct cfg80211_bitrate_mask *beacon_rate)
5402 {
5403 	u32 count_ht, count_vht, count_he, i;
5404 	u32 rate = beacon_rate->control[band].legacy;
5405 
5406 	/* Allow only one rate */
5407 	if (hweight32(rate) > 1)
5408 		return -EINVAL;
5409 
5410 	count_ht = 0;
5411 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5412 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5413 			return -EINVAL;
5414 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5415 			count_ht++;
5416 			if (count_ht > 1)
5417 				return -EINVAL;
5418 		}
5419 		if (count_ht && rate)
5420 			return -EINVAL;
5421 	}
5422 
5423 	count_vht = 0;
5424 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5425 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5426 			return -EINVAL;
5427 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5428 			count_vht++;
5429 			if (count_vht > 1)
5430 				return -EINVAL;
5431 		}
5432 		if (count_vht && rate)
5433 			return -EINVAL;
5434 	}
5435 
5436 	count_he = 0;
5437 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5438 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5439 			return -EINVAL;
5440 		} else if (beacon_rate->control[band].he_mcs[i]) {
5441 			count_he++;
5442 			if (count_he > 1)
5443 				return -EINVAL;
5444 		}
5445 		if (count_he && rate)
5446 			return -EINVAL;
5447 	}
5448 
5449 	if ((count_ht && count_vht && count_he) ||
5450 	    (!rate && !count_ht && !count_vht && !count_he))
5451 		return -EINVAL;
5452 
5453 	if (rate &&
5454 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5455 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5456 		return -EINVAL;
5457 	if (count_ht &&
5458 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5459 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5460 		return -EINVAL;
5461 	if (count_vht &&
5462 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5463 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5464 		return -EINVAL;
5465 	if (count_he &&
5466 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5467 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5468 		return -EINVAL;
5469 
5470 	return 0;
5471 }
5472 
5473 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5474 				       struct net_device *dev,
5475 				       struct nlattr *attrs,
5476 				       struct cfg80211_mbssid_config *config,
5477 				       u8 num_elems)
5478 {
5479 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5480 
5481 	if (!wiphy->mbssid_max_interfaces)
5482 		return -EOPNOTSUPP;
5483 
5484 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5485 			     NULL) ||
5486 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5487 		return -EINVAL;
5488 
5489 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5490 	if (config->ema) {
5491 		if (!wiphy->ema_max_profile_periodicity)
5492 			return -EOPNOTSUPP;
5493 
5494 		if (num_elems > wiphy->ema_max_profile_periodicity)
5495 			return -EINVAL;
5496 	}
5497 
5498 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5499 	if (config->index >= wiphy->mbssid_max_interfaces ||
5500 	    (!config->index && !num_elems))
5501 		return -EINVAL;
5502 
5503 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5504 		u32 tx_ifindex =
5505 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5506 
5507 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5508 		    (config->index && tx_ifindex == dev->ifindex))
5509 			return -EINVAL;
5510 
5511 		if (tx_ifindex != dev->ifindex) {
5512 			struct net_device *tx_netdev =
5513 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5514 
5515 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5516 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5517 			    tx_netdev->ieee80211_ptr->iftype !=
5518 							NL80211_IFTYPE_AP) {
5519 				dev_put(tx_netdev);
5520 				return -EINVAL;
5521 			}
5522 
5523 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5524 		} else {
5525 			config->tx_wdev = dev->ieee80211_ptr;
5526 		}
5527 	} else if (!config->index) {
5528 		config->tx_wdev = dev->ieee80211_ptr;
5529 	} else {
5530 		return -EINVAL;
5531 	}
5532 
5533 	return 0;
5534 }
5535 
5536 static struct cfg80211_mbssid_elems *
5537 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5538 {
5539 	struct nlattr *nl_elems;
5540 	struct cfg80211_mbssid_elems *elems;
5541 	int rem_elems;
5542 	u8 i = 0, num_elems = 0;
5543 
5544 	if (!wiphy->mbssid_max_interfaces)
5545 		return ERR_PTR(-EINVAL);
5546 
5547 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5548 		if (num_elems >= 255)
5549 			return ERR_PTR(-EINVAL);
5550 		num_elems++;
5551 	}
5552 
5553 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5554 	if (!elems)
5555 		return ERR_PTR(-ENOMEM);
5556 	elems->cnt = num_elems;
5557 
5558 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5559 		elems->elem[i].data = nla_data(nl_elems);
5560 		elems->elem[i].len = nla_len(nl_elems);
5561 		i++;
5562 	}
5563 	return elems;
5564 }
5565 
5566 static struct cfg80211_rnr_elems *
5567 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5568 			struct netlink_ext_ack *extack)
5569 {
5570 	struct nlattr *nl_elems;
5571 	struct cfg80211_rnr_elems *elems;
5572 	int rem_elems;
5573 	u8 i = 0, num_elems = 0;
5574 
5575 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5576 		int ret;
5577 
5578 		ret = validate_ie_attr(nl_elems, extack);
5579 		if (ret)
5580 			return ERR_PTR(ret);
5581 
5582 		num_elems++;
5583 	}
5584 
5585 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5586 	if (!elems)
5587 		return ERR_PTR(-ENOMEM);
5588 	elems->cnt = num_elems;
5589 
5590 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5591 		elems->elem[i].data = nla_data(nl_elems);
5592 		elems->elem[i].len = nla_len(nl_elems);
5593 		i++;
5594 	}
5595 	return elems;
5596 }
5597 
5598 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5599 				      struct cfg80211_he_bss_color *he_bss_color)
5600 {
5601 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5602 	int err;
5603 
5604 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5605 			       he_bss_color_policy, NULL);
5606 	if (err)
5607 		return err;
5608 
5609 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5610 		return -EINVAL;
5611 
5612 	he_bss_color->color =
5613 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5614 	he_bss_color->enabled =
5615 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5616 	he_bss_color->partial =
5617 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5618 
5619 	return 0;
5620 }
5621 
5622 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5623 				struct nlattr *attrs[],
5624 				struct cfg80211_beacon_data *bcn,
5625 				struct netlink_ext_ack *extack)
5626 {
5627 	bool haveinfo = false;
5628 	int err;
5629 
5630 	memset(bcn, 0, sizeof(*bcn));
5631 
5632 	bcn->link_id = nl80211_link_id(attrs);
5633 
5634 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5635 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5636 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5637 		if (!bcn->head_len)
5638 			return -EINVAL;
5639 		haveinfo = true;
5640 	}
5641 
5642 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5643 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5644 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5645 		haveinfo = true;
5646 	}
5647 
5648 	if (!haveinfo)
5649 		return -EINVAL;
5650 
5651 	if (attrs[NL80211_ATTR_IE]) {
5652 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5653 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5654 	}
5655 
5656 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5657 		bcn->proberesp_ies =
5658 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5659 		bcn->proberesp_ies_len =
5660 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5661 	}
5662 
5663 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5664 		bcn->assocresp_ies =
5665 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5666 		bcn->assocresp_ies_len =
5667 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5668 	}
5669 
5670 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5671 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5672 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5673 	}
5674 
5675 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5676 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5677 
5678 		err = nla_parse_nested_deprecated(tb,
5679 						  NL80211_FTM_RESP_ATTR_MAX,
5680 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5681 						  NULL, NULL);
5682 		if (err)
5683 			return err;
5684 
5685 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5686 		    wiphy_ext_feature_isset(&rdev->wiphy,
5687 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5688 			bcn->ftm_responder = 1;
5689 		else
5690 			return -EOPNOTSUPP;
5691 
5692 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5693 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5694 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5695 		}
5696 
5697 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5698 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5699 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5700 		}
5701 	} else {
5702 		bcn->ftm_responder = -1;
5703 	}
5704 
5705 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5706 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5707 						 &bcn->he_bss_color);
5708 		if (err)
5709 			return err;
5710 		bcn->he_bss_color_valid = true;
5711 	}
5712 
5713 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5714 		struct cfg80211_mbssid_elems *mbssid =
5715 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5716 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5717 
5718 		if (IS_ERR(mbssid))
5719 			return PTR_ERR(mbssid);
5720 
5721 		bcn->mbssid_ies = mbssid;
5722 
5723 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5724 			struct cfg80211_rnr_elems *rnr =
5725 				nl80211_parse_rnr_elems(&rdev->wiphy,
5726 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5727 							extack);
5728 
5729 			if (IS_ERR(rnr))
5730 				return PTR_ERR(rnr);
5731 
5732 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5733 				return -EINVAL;
5734 
5735 			bcn->rnr_ies = rnr;
5736 		}
5737 	}
5738 
5739 	return 0;
5740 }
5741 
5742 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5743 				    struct ieee80211_he_obss_pd *he_obss_pd)
5744 {
5745 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5746 	int err;
5747 
5748 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5749 			       he_obss_pd_policy, NULL);
5750 	if (err)
5751 		return err;
5752 
5753 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5754 		return -EINVAL;
5755 
5756 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5757 
5758 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5759 		he_obss_pd->min_offset =
5760 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5761 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5762 		he_obss_pd->max_offset =
5763 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5764 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5765 		he_obss_pd->non_srg_max_offset =
5766 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5767 
5768 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5769 		return -EINVAL;
5770 
5771 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5772 		memcpy(he_obss_pd->bss_color_bitmap,
5773 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5774 		       sizeof(he_obss_pd->bss_color_bitmap));
5775 
5776 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5777 		memcpy(he_obss_pd->partial_bssid_bitmap,
5778 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5779 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5780 
5781 	he_obss_pd->enable = true;
5782 
5783 	return 0;
5784 }
5785 
5786 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5787 					struct nlattr *attrs,
5788 					struct cfg80211_fils_discovery *fd)
5789 {
5790 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5791 	int ret;
5792 
5793 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5794 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5795 		return -EINVAL;
5796 
5797 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5798 			       NULL, NULL);
5799 	if (ret)
5800 		return ret;
5801 
5802 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5803 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5804 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5805 		fd->update = true;
5806 		return 0;
5807 	}
5808 
5809 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5810 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5811 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5812 		return -EINVAL;
5813 
5814 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5815 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5816 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5817 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5818 	fd->update = true;
5819 	return 0;
5820 }
5821 
5822 static int
5823 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5824 				     struct nlattr *attrs,
5825 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5826 {
5827 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5828 	int ret;
5829 
5830 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5831 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5832 		return -EINVAL;
5833 
5834 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5835 			       attrs, NULL, NULL);
5836 	if (ret)
5837 		return ret;
5838 
5839 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5840 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5841 		presp->update = true;
5842 		return 0;
5843 	}
5844 
5845 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5846 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5847 		return -EINVAL;
5848 
5849 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5850 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5851 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5852 	presp->update = true;
5853 	return 0;
5854 }
5855 
5856 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5857 					    const struct element *rates)
5858 {
5859 	int i;
5860 
5861 	if (!rates)
5862 		return;
5863 
5864 	for (i = 0; i < rates->datalen; i++) {
5865 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5866 			params->ht_required = true;
5867 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5868 			params->vht_required = true;
5869 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5870 			params->he_required = true;
5871 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5872 			params->sae_h2e_required = true;
5873 	}
5874 }
5875 
5876 /*
5877  * Since the nl80211 API didn't include, from the beginning, attributes about
5878  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5879  * benefit of drivers that rebuild IEs in the firmware.
5880  */
5881 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5882 {
5883 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5884 	size_t ies_len = bcn->tail_len;
5885 	const u8 *ies = bcn->tail;
5886 	const struct element *rates;
5887 	const struct element *cap;
5888 
5889 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5890 	nl80211_check_ap_rate_selectors(params, rates);
5891 
5892 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5893 	nl80211_check_ap_rate_selectors(params, rates);
5894 
5895 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5896 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5897 		params->ht_cap = (void *)cap->data;
5898 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5899 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5900 		params->vht_cap = (void *)cap->data;
5901 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5902 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5903 		params->he_cap = (void *)(cap->data + 1);
5904 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5905 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5906 		params->he_oper = (void *)(cap->data + 1);
5907 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5908 	if (cap) {
5909 		if (!cap->datalen)
5910 			return -EINVAL;
5911 		params->eht_cap = (void *)(cap->data + 1);
5912 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5913 						(const u8 *)params->eht_cap,
5914 						cap->datalen - 1, true))
5915 			return -EINVAL;
5916 	}
5917 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5918 	if (cap) {
5919 		if (!cap->datalen)
5920 			return -EINVAL;
5921 		params->eht_oper = (void *)(cap->data + 1);
5922 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5923 						cap->datalen - 1))
5924 			return -EINVAL;
5925 	}
5926 	return 0;
5927 }
5928 
5929 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5930 				   struct cfg80211_ap_settings *params)
5931 {
5932 	struct wireless_dev *wdev;
5933 
5934 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5935 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5936 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5937 			continue;
5938 
5939 		if (!wdev->u.ap.preset_chandef.chan)
5940 			continue;
5941 
5942 		params->chandef = wdev->u.ap.preset_chandef;
5943 		return true;
5944 	}
5945 
5946 	return false;
5947 }
5948 
5949 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5950 				    enum nl80211_auth_type auth_type,
5951 				    enum nl80211_commands cmd)
5952 {
5953 	if (auth_type > NL80211_AUTHTYPE_MAX)
5954 		return false;
5955 
5956 	switch (cmd) {
5957 	case NL80211_CMD_AUTHENTICATE:
5958 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5959 		    auth_type == NL80211_AUTHTYPE_SAE)
5960 			return false;
5961 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5962 					     NL80211_EXT_FEATURE_FILS_STA) &&
5963 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5964 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5965 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5966 			return false;
5967 		return true;
5968 	case NL80211_CMD_CONNECT:
5969 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5970 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5971 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5972 		    auth_type == NL80211_AUTHTYPE_SAE)
5973 			return false;
5974 
5975 		/* FILS with SK PFS or PK not supported yet */
5976 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5977 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5978 			return false;
5979 		if (!wiphy_ext_feature_isset(
5980 			    &rdev->wiphy,
5981 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5982 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5983 			return false;
5984 		return true;
5985 	case NL80211_CMD_START_AP:
5986 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5987 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5988 		    auth_type == NL80211_AUTHTYPE_SAE)
5989 			return false;
5990 		/* FILS not supported yet */
5991 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5992 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5993 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5994 			return false;
5995 		return true;
5996 	default:
5997 		return false;
5998 	}
5999 }
6000 
6001 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6002 				    unsigned int link_id)
6003 {
6004 	struct wiphy *wiphy = wdev->wiphy;
6005 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6006 	struct sk_buff *msg;
6007 	void *hdr;
6008 
6009 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6010 	if (!msg)
6011 		return;
6012 
6013 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6014 	if (!hdr)
6015 		goto out;
6016 
6017 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6018 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6019 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6020 			      NL80211_ATTR_PAD) ||
6021 	    (wdev->u.ap.ssid_len &&
6022 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6023 		     wdev->u.ap.ssid)) ||
6024 	    (wdev->valid_links &&
6025 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6026 		goto out;
6027 
6028 	genlmsg_end(msg, hdr);
6029 
6030 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6031 				NL80211_MCGRP_MLME, GFP_KERNEL);
6032 	return;
6033 out:
6034 	nlmsg_free(msg);
6035 }
6036 
6037 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6038 {
6039 	struct ieee80211_channel *channel = params->chandef.chan;
6040 
6041 	if ((params->he_cap ||  params->he_oper) &&
6042 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6043 		return -EOPNOTSUPP;
6044 
6045 	if ((params->eht_cap || params->eht_oper) &&
6046 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6047 		return -EOPNOTSUPP;
6048 
6049 	return 0;
6050 }
6051 
6052 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6053 {
6054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6055 	struct cfg80211_beaconing_check_config beacon_check = {};
6056 	unsigned int link_id = nl80211_link_id(info->attrs);
6057 	struct net_device *dev = info->user_ptr[1];
6058 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6059 	struct cfg80211_ap_settings *params;
6060 	int err;
6061 
6062 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6063 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6064 		return -EOPNOTSUPP;
6065 
6066 	if (!rdev->ops->start_ap)
6067 		return -EOPNOTSUPP;
6068 
6069 	if (wdev->cac_started)
6070 		return -EBUSY;
6071 
6072 	if (wdev->links[link_id].ap.beacon_interval)
6073 		return -EALREADY;
6074 
6075 	/* these are required for START_AP */
6076 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6077 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6078 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6079 		return -EINVAL;
6080 
6081 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6082 	if (!params)
6083 		return -ENOMEM;
6084 
6085 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6086 				   info->extack);
6087 	if (err)
6088 		goto out;
6089 
6090 	params->beacon_interval =
6091 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6092 	params->dtim_period =
6093 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6094 
6095 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6096 					   params->beacon_interval);
6097 	if (err)
6098 		goto out;
6099 
6100 	/*
6101 	 * In theory, some of these attributes should be required here
6102 	 * but since they were not used when the command was originally
6103 	 * added, keep them optional for old user space programs to let
6104 	 * them continue to work with drivers that do not need the
6105 	 * additional information -- drivers must check!
6106 	 */
6107 	if (info->attrs[NL80211_ATTR_SSID]) {
6108 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6109 		params->ssid_len =
6110 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6111 		if (params->ssid_len == 0) {
6112 			err = -EINVAL;
6113 			goto out;
6114 		}
6115 
6116 		if (wdev->u.ap.ssid_len &&
6117 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6118 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6119 			/* require identical SSID for MLO */
6120 			err = -EINVAL;
6121 			goto out;
6122 		}
6123 	} else if (wdev->valid_links) {
6124 		/* require SSID for MLO */
6125 		err = -EINVAL;
6126 		goto out;
6127 	}
6128 
6129 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6130 		params->hidden_ssid = nla_get_u32(
6131 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6132 
6133 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6134 
6135 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6136 		params->auth_type = nla_get_u32(
6137 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6138 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6139 					     NL80211_CMD_START_AP)) {
6140 			err = -EINVAL;
6141 			goto out;
6142 		}
6143 	} else
6144 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6145 
6146 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6147 				      NL80211_MAX_NR_CIPHER_SUITES);
6148 	if (err)
6149 		goto out;
6150 
6151 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6152 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6153 			err = -EOPNOTSUPP;
6154 			goto out;
6155 		}
6156 		params->inactivity_timeout = nla_get_u16(
6157 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6158 	}
6159 
6160 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6161 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6162 			err = -EINVAL;
6163 			goto out;
6164 		}
6165 		params->p2p_ctwindow =
6166 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6167 		if (params->p2p_ctwindow != 0 &&
6168 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6169 			err = -EINVAL;
6170 			goto out;
6171 		}
6172 	}
6173 
6174 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6175 		u8 tmp;
6176 
6177 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6178 			err = -EINVAL;
6179 			goto out;
6180 		}
6181 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6182 		params->p2p_opp_ps = tmp;
6183 		if (params->p2p_opp_ps != 0 &&
6184 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6185 			err = -EINVAL;
6186 			goto out;
6187 		}
6188 	}
6189 
6190 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6191 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6192 		if (err)
6193 			goto out;
6194 	} else if (wdev->valid_links) {
6195 		/* with MLD need to specify the channel configuration */
6196 		err = -EINVAL;
6197 		goto out;
6198 	} else if (wdev->u.ap.preset_chandef.chan) {
6199 		params->chandef = wdev->u.ap.preset_chandef;
6200 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6201 		err = -EINVAL;
6202 		goto out;
6203 	}
6204 
6205 	beacon_check.iftype = wdev->iftype;
6206 	beacon_check.relax = true;
6207 	beacon_check.reg_power =
6208 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6209 					     params->beacon.tail_len);
6210 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6211 					  &beacon_check)) {
6212 		err = -EINVAL;
6213 		goto out;
6214 	}
6215 
6216 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6217 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6218 						    NL80211_ATTR_TX_RATES,
6219 						    &params->beacon_rate,
6220 						    dev, false, link_id);
6221 		if (err)
6222 			goto out;
6223 
6224 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6225 					      &params->beacon_rate);
6226 		if (err)
6227 			goto out;
6228 	}
6229 
6230 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6231 		params->smps_mode =
6232 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6233 		switch (params->smps_mode) {
6234 		case NL80211_SMPS_OFF:
6235 			break;
6236 		case NL80211_SMPS_STATIC:
6237 			if (!(rdev->wiphy.features &
6238 			      NL80211_FEATURE_STATIC_SMPS)) {
6239 				err = -EINVAL;
6240 				goto out;
6241 			}
6242 			break;
6243 		case NL80211_SMPS_DYNAMIC:
6244 			if (!(rdev->wiphy.features &
6245 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6246 				err = -EINVAL;
6247 				goto out;
6248 			}
6249 			break;
6250 		default:
6251 			err = -EINVAL;
6252 			goto out;
6253 		}
6254 	} else {
6255 		params->smps_mode = NL80211_SMPS_OFF;
6256 	}
6257 
6258 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6259 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6260 		err = -EOPNOTSUPP;
6261 		goto out;
6262 	}
6263 
6264 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6265 		params->acl = parse_acl_data(&rdev->wiphy, info);
6266 		if (IS_ERR(params->acl)) {
6267 			err = PTR_ERR(params->acl);
6268 			params->acl = NULL;
6269 			goto out;
6270 		}
6271 	}
6272 
6273 	params->twt_responder =
6274 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6275 
6276 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6277 		err = nl80211_parse_he_obss_pd(
6278 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6279 					&params->he_obss_pd);
6280 		if (err)
6281 			goto out;
6282 	}
6283 
6284 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6285 		err = nl80211_parse_fils_discovery(rdev,
6286 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6287 						   &params->fils_discovery);
6288 		if (err)
6289 			goto out;
6290 	}
6291 
6292 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6293 		err = nl80211_parse_unsol_bcast_probe_resp(
6294 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6295 			&params->unsol_bcast_probe_resp);
6296 		if (err)
6297 			goto out;
6298 	}
6299 
6300 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6301 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6302 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6303 						  &params->mbssid_config,
6304 						  params->beacon.mbssid_ies ?
6305 							params->beacon.mbssid_ies->cnt :
6306 							0);
6307 		if (err)
6308 			goto out;
6309 	}
6310 
6311 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6312 		err = -EINVAL;
6313 		goto out;
6314 	}
6315 
6316 	err = nl80211_calculate_ap_params(params);
6317 	if (err)
6318 		goto out;
6319 
6320 	err = nl80211_validate_ap_phy_operation(params);
6321 	if (err)
6322 		goto out;
6323 
6324 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6325 		params->flags = nla_get_u32(
6326 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6327 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6328 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6329 
6330 	if (wdev->conn_owner_nlportid &&
6331 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6332 	    wdev->conn_owner_nlportid != info->snd_portid) {
6333 		err = -EINVAL;
6334 		goto out;
6335 	}
6336 
6337 	/* FIXME: validate MLO/link-id against driver capabilities */
6338 
6339 	err = rdev_start_ap(rdev, dev, params);
6340 	if (!err) {
6341 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6342 		wdev->links[link_id].ap.chandef = params->chandef;
6343 		wdev->u.ap.ssid_len = params->ssid_len;
6344 		memcpy(wdev->u.ap.ssid, params->ssid,
6345 		       params->ssid_len);
6346 
6347 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6348 			wdev->conn_owner_nlportid = info->snd_portid;
6349 
6350 		nl80211_send_ap_started(wdev, link_id);
6351 	}
6352 out:
6353 	kfree(params->acl);
6354 	kfree(params->beacon.mbssid_ies);
6355 	if (params->mbssid_config.tx_wdev &&
6356 	    params->mbssid_config.tx_wdev->netdev &&
6357 	    params->mbssid_config.tx_wdev->netdev != dev)
6358 		dev_put(params->mbssid_config.tx_wdev->netdev);
6359 	kfree(params->beacon.rnr_ies);
6360 	kfree(params);
6361 
6362 	return err;
6363 }
6364 
6365 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6366 {
6367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6368 	struct cfg80211_beaconing_check_config beacon_check = {};
6369 	unsigned int link_id = nl80211_link_id(info->attrs);
6370 	struct net_device *dev = info->user_ptr[1];
6371 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6372 	struct cfg80211_ap_update *params;
6373 	struct nlattr *attr;
6374 	int err;
6375 
6376 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6377 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6378 		return -EOPNOTSUPP;
6379 
6380 	if (!rdev->ops->change_beacon)
6381 		return -EOPNOTSUPP;
6382 
6383 	if (!wdev->links[link_id].ap.beacon_interval)
6384 		return -EINVAL;
6385 
6386 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6387 	if (!params)
6388 		return -ENOMEM;
6389 
6390 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6391 				   info->extack);
6392 	if (err)
6393 		goto out;
6394 
6395 	/* recheck beaconing is permitted with possibly changed power type */
6396 	beacon_check.iftype = wdev->iftype;
6397 	beacon_check.relax = true;
6398 	beacon_check.reg_power =
6399 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6400 					     params->beacon.tail_len);
6401 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6402 					  &wdev->links[link_id].ap.chandef,
6403 					  &beacon_check)) {
6404 		err = -EINVAL;
6405 		goto out;
6406 	}
6407 
6408 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6409 	if (attr) {
6410 		err = nl80211_parse_fils_discovery(rdev, attr,
6411 						   &params->fils_discovery);
6412 		if (err)
6413 			goto out;
6414 	}
6415 
6416 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6417 	if (attr) {
6418 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6419 							   &params->unsol_bcast_probe_resp);
6420 		if (err)
6421 			goto out;
6422 	}
6423 
6424 	err = rdev_change_beacon(rdev, dev, params);
6425 
6426 out:
6427 	kfree(params->beacon.mbssid_ies);
6428 	kfree(params->beacon.rnr_ies);
6429 	kfree(params);
6430 	return err;
6431 }
6432 
6433 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6434 {
6435 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6436 	unsigned int link_id = nl80211_link_id(info->attrs);
6437 	struct net_device *dev = info->user_ptr[1];
6438 
6439 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6440 }
6441 
6442 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6443 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6444 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6445 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6446 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6447 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6448 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6449 };
6450 
6451 static int parse_station_flags(struct genl_info *info,
6452 			       enum nl80211_iftype iftype,
6453 			       struct station_parameters *params)
6454 {
6455 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6456 	struct nlattr *nla;
6457 	int flag;
6458 
6459 	/*
6460 	 * Try parsing the new attribute first so userspace
6461 	 * can specify both for older kernels.
6462 	 */
6463 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6464 	if (nla) {
6465 		struct nl80211_sta_flag_update *sta_flags;
6466 
6467 		sta_flags = nla_data(nla);
6468 		params->sta_flags_mask = sta_flags->mask;
6469 		params->sta_flags_set = sta_flags->set;
6470 		params->sta_flags_set &= params->sta_flags_mask;
6471 		if ((params->sta_flags_mask |
6472 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6473 			return -EINVAL;
6474 		return 0;
6475 	}
6476 
6477 	/* if present, parse the old attribute */
6478 
6479 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6480 	if (!nla)
6481 		return 0;
6482 
6483 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6484 		return -EINVAL;
6485 
6486 	/*
6487 	 * Only allow certain flags for interface types so that
6488 	 * other attributes are silently ignored. Remember that
6489 	 * this is backward compatibility code with old userspace
6490 	 * and shouldn't be hit in other cases anyway.
6491 	 */
6492 	switch (iftype) {
6493 	case NL80211_IFTYPE_AP:
6494 	case NL80211_IFTYPE_AP_VLAN:
6495 	case NL80211_IFTYPE_P2P_GO:
6496 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6497 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6498 					 BIT(NL80211_STA_FLAG_WME) |
6499 					 BIT(NL80211_STA_FLAG_MFP);
6500 		break;
6501 	case NL80211_IFTYPE_P2P_CLIENT:
6502 	case NL80211_IFTYPE_STATION:
6503 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6504 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6505 		break;
6506 	case NL80211_IFTYPE_MESH_POINT:
6507 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6508 					 BIT(NL80211_STA_FLAG_MFP) |
6509 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6510 		break;
6511 	default:
6512 		return -EINVAL;
6513 	}
6514 
6515 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6516 		if (flags[flag]) {
6517 			params->sta_flags_set |= (1<<flag);
6518 
6519 			/* no longer support new API additions in old API */
6520 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6521 				return -EINVAL;
6522 		}
6523 	}
6524 
6525 	return 0;
6526 }
6527 
6528 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6529 {
6530 	struct nlattr *rate;
6531 	u32 bitrate;
6532 	u16 bitrate_compat;
6533 	enum nl80211_rate_info rate_flg;
6534 
6535 	rate = nla_nest_start_noflag(msg, attr);
6536 	if (!rate)
6537 		return false;
6538 
6539 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6540 	bitrate = cfg80211_calculate_bitrate(info);
6541 	/* report 16-bit bitrate only if we can */
6542 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6543 	if (bitrate > 0 &&
6544 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6545 		return false;
6546 	if (bitrate_compat > 0 &&
6547 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6548 		return false;
6549 
6550 	switch (info->bw) {
6551 	case RATE_INFO_BW_1:
6552 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6553 		break;
6554 	case RATE_INFO_BW_2:
6555 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6556 		break;
6557 	case RATE_INFO_BW_4:
6558 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6559 		break;
6560 	case RATE_INFO_BW_5:
6561 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6562 		break;
6563 	case RATE_INFO_BW_8:
6564 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6565 		break;
6566 	case RATE_INFO_BW_10:
6567 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6568 		break;
6569 	case RATE_INFO_BW_16:
6570 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6571 		break;
6572 	default:
6573 		WARN_ON(1);
6574 		fallthrough;
6575 	case RATE_INFO_BW_20:
6576 		rate_flg = 0;
6577 		break;
6578 	case RATE_INFO_BW_40:
6579 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6580 		break;
6581 	case RATE_INFO_BW_80:
6582 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6583 		break;
6584 	case RATE_INFO_BW_160:
6585 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6586 		break;
6587 	case RATE_INFO_BW_HE_RU:
6588 		rate_flg = 0;
6589 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6590 		break;
6591 	case RATE_INFO_BW_320:
6592 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6593 		break;
6594 	case RATE_INFO_BW_EHT_RU:
6595 		rate_flg = 0;
6596 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6597 		break;
6598 	}
6599 
6600 	if (rate_flg && nla_put_flag(msg, rate_flg))
6601 		return false;
6602 
6603 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6604 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6605 			return false;
6606 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6607 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6608 			return false;
6609 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6610 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6611 			return false;
6612 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6613 			return false;
6614 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6615 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6616 			return false;
6617 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6618 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6619 			return false;
6620 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6621 			return false;
6622 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6623 			return false;
6624 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6625 			return false;
6626 		if (info->bw == RATE_INFO_BW_HE_RU &&
6627 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6628 			       info->he_ru_alloc))
6629 			return false;
6630 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6631 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6632 			return false;
6633 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6634 			return false;
6635 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6636 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6637 			return false;
6638 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6639 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6640 			return false;
6641 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6642 			return false;
6643 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6644 			return false;
6645 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6646 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6647 			       info->eht_ru_alloc))
6648 			return false;
6649 	}
6650 
6651 	nla_nest_end(msg, rate);
6652 	return true;
6653 }
6654 
6655 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6656 			       int id)
6657 {
6658 	void *attr;
6659 	int i = 0;
6660 
6661 	if (!mask)
6662 		return true;
6663 
6664 	attr = nla_nest_start_noflag(msg, id);
6665 	if (!attr)
6666 		return false;
6667 
6668 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6669 		if (!(mask & BIT(i)))
6670 			continue;
6671 
6672 		if (nla_put_u8(msg, i, signal[i]))
6673 			return false;
6674 	}
6675 
6676 	nla_nest_end(msg, attr);
6677 
6678 	return true;
6679 }
6680 
6681 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6682 				u32 seq, int flags,
6683 				struct cfg80211_registered_device *rdev,
6684 				struct net_device *dev,
6685 				const u8 *mac_addr, struct station_info *sinfo)
6686 {
6687 	void *hdr;
6688 	struct nlattr *sinfoattr, *bss_param;
6689 
6690 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6691 	if (!hdr) {
6692 		cfg80211_sinfo_release_content(sinfo);
6693 		return -1;
6694 	}
6695 
6696 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6697 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6698 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6699 		goto nla_put_failure;
6700 
6701 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6702 	if (!sinfoattr)
6703 		goto nla_put_failure;
6704 
6705 #define PUT_SINFO(attr, memb, type) do {				\
6706 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6707 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6708 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6709 			     sinfo->memb))				\
6710 		goto nla_put_failure;					\
6711 	} while (0)
6712 #define PUT_SINFO_U64(attr, memb) do {					\
6713 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6714 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6715 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6716 		goto nla_put_failure;					\
6717 	} while (0)
6718 
6719 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6720 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6721 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6722 
6723 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6724 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6725 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6726 			(u32)sinfo->rx_bytes))
6727 		goto nla_put_failure;
6728 
6729 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6730 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6731 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6732 			(u32)sinfo->tx_bytes))
6733 		goto nla_put_failure;
6734 
6735 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6736 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6737 	PUT_SINFO(LLID, llid, u16);
6738 	PUT_SINFO(PLID, plid, u16);
6739 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6740 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6741 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6742 
6743 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6744 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6745 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6746 
6747 	switch (rdev->wiphy.signal_type) {
6748 	case CFG80211_SIGNAL_TYPE_MBM:
6749 		PUT_SINFO(SIGNAL, signal, u8);
6750 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6751 		break;
6752 	default:
6753 		break;
6754 	}
6755 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6756 		if (!nl80211_put_signal(msg, sinfo->chains,
6757 					sinfo->chain_signal,
6758 					NL80211_STA_INFO_CHAIN_SIGNAL))
6759 			goto nla_put_failure;
6760 	}
6761 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6762 		if (!nl80211_put_signal(msg, sinfo->chains,
6763 					sinfo->chain_signal_avg,
6764 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6765 			goto nla_put_failure;
6766 	}
6767 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6768 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6769 					  NL80211_STA_INFO_TX_BITRATE))
6770 			goto nla_put_failure;
6771 	}
6772 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6773 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6774 					  NL80211_STA_INFO_RX_BITRATE))
6775 			goto nla_put_failure;
6776 	}
6777 
6778 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6779 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6780 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6781 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6782 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6783 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6784 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6785 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6786 	PUT_SINFO(PEER_PM, peer_pm, u32);
6787 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6788 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6789 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6790 
6791 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6792 		bss_param = nla_nest_start_noflag(msg,
6793 						  NL80211_STA_INFO_BSS_PARAM);
6794 		if (!bss_param)
6795 			goto nla_put_failure;
6796 
6797 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6798 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6799 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6800 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6801 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6802 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6803 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6804 			       sinfo->bss_param.dtim_period) ||
6805 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6806 				sinfo->bss_param.beacon_interval))
6807 			goto nla_put_failure;
6808 
6809 		nla_nest_end(msg, bss_param);
6810 	}
6811 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6812 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6813 		    sizeof(struct nl80211_sta_flag_update),
6814 		    &sinfo->sta_flags))
6815 		goto nla_put_failure;
6816 
6817 	PUT_SINFO_U64(T_OFFSET, t_offset);
6818 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6819 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6820 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6821 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6822 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6823 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6824 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6825 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6826 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6827 	}
6828 
6829 #undef PUT_SINFO
6830 #undef PUT_SINFO_U64
6831 
6832 	if (sinfo->pertid) {
6833 		struct nlattr *tidsattr;
6834 		int tid;
6835 
6836 		tidsattr = nla_nest_start_noflag(msg,
6837 						 NL80211_STA_INFO_TID_STATS);
6838 		if (!tidsattr)
6839 			goto nla_put_failure;
6840 
6841 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6842 			struct cfg80211_tid_stats *tidstats;
6843 			struct nlattr *tidattr;
6844 
6845 			tidstats = &sinfo->pertid[tid];
6846 
6847 			if (!tidstats->filled)
6848 				continue;
6849 
6850 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6851 			if (!tidattr)
6852 				goto nla_put_failure;
6853 
6854 #define PUT_TIDVAL_U64(attr, memb) do {					\
6855 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6856 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6857 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6858 		goto nla_put_failure;					\
6859 	} while (0)
6860 
6861 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6862 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6863 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6864 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6865 
6866 #undef PUT_TIDVAL_U64
6867 			if ((tidstats->filled &
6868 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6869 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6870 						   NL80211_TID_STATS_TXQ_STATS))
6871 				goto nla_put_failure;
6872 
6873 			nla_nest_end(msg, tidattr);
6874 		}
6875 
6876 		nla_nest_end(msg, tidsattr);
6877 	}
6878 
6879 	nla_nest_end(msg, sinfoattr);
6880 
6881 	if (sinfo->assoc_req_ies_len &&
6882 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6883 		    sinfo->assoc_req_ies))
6884 		goto nla_put_failure;
6885 
6886 	if (sinfo->assoc_resp_ies_len &&
6887 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6888 		    sinfo->assoc_resp_ies))
6889 		goto nla_put_failure;
6890 
6891 	if (sinfo->mlo_params_valid) {
6892 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6893 			       sinfo->assoc_link_id))
6894 			goto nla_put_failure;
6895 
6896 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6897 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6898 			    sinfo->mld_addr))
6899 			goto nla_put_failure;
6900 	}
6901 
6902 	cfg80211_sinfo_release_content(sinfo);
6903 	genlmsg_end(msg, hdr);
6904 	return 0;
6905 
6906  nla_put_failure:
6907 	cfg80211_sinfo_release_content(sinfo);
6908 	genlmsg_cancel(msg, hdr);
6909 	return -EMSGSIZE;
6910 }
6911 
6912 static int nl80211_dump_station(struct sk_buff *skb,
6913 				struct netlink_callback *cb)
6914 {
6915 	struct station_info sinfo;
6916 	struct cfg80211_registered_device *rdev;
6917 	struct wireless_dev *wdev;
6918 	u8 mac_addr[ETH_ALEN];
6919 	int sta_idx = cb->args[2];
6920 	int err;
6921 
6922 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6923 	if (err)
6924 		return err;
6925 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6926 	__acquire(&rdev->wiphy.mtx);
6927 
6928 	if (!wdev->netdev) {
6929 		err = -EINVAL;
6930 		goto out_err;
6931 	}
6932 
6933 	if (!rdev->ops->dump_station) {
6934 		err = -EOPNOTSUPP;
6935 		goto out_err;
6936 	}
6937 
6938 	while (1) {
6939 		memset(&sinfo, 0, sizeof(sinfo));
6940 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6941 					mac_addr, &sinfo);
6942 		if (err == -ENOENT)
6943 			break;
6944 		if (err)
6945 			goto out_err;
6946 
6947 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6948 				NETLINK_CB(cb->skb).portid,
6949 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6950 				rdev, wdev->netdev, mac_addr,
6951 				&sinfo) < 0)
6952 			goto out;
6953 
6954 		sta_idx++;
6955 	}
6956 
6957  out:
6958 	cb->args[2] = sta_idx;
6959 	err = skb->len;
6960  out_err:
6961 	wiphy_unlock(&rdev->wiphy);
6962 
6963 	return err;
6964 }
6965 
6966 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6967 {
6968 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6969 	struct net_device *dev = info->user_ptr[1];
6970 	struct station_info sinfo;
6971 	struct sk_buff *msg;
6972 	u8 *mac_addr = NULL;
6973 	int err;
6974 
6975 	memset(&sinfo, 0, sizeof(sinfo));
6976 
6977 	if (!info->attrs[NL80211_ATTR_MAC])
6978 		return -EINVAL;
6979 
6980 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6981 
6982 	if (!rdev->ops->get_station)
6983 		return -EOPNOTSUPP;
6984 
6985 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6986 	if (err)
6987 		return err;
6988 
6989 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6990 	if (!msg) {
6991 		cfg80211_sinfo_release_content(&sinfo);
6992 		return -ENOMEM;
6993 	}
6994 
6995 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6996 				 info->snd_portid, info->snd_seq, 0,
6997 				 rdev, dev, mac_addr, &sinfo) < 0) {
6998 		nlmsg_free(msg);
6999 		return -ENOBUFS;
7000 	}
7001 
7002 	return genlmsg_reply(msg, info);
7003 }
7004 
7005 int cfg80211_check_station_change(struct wiphy *wiphy,
7006 				  struct station_parameters *params,
7007 				  enum cfg80211_station_type statype)
7008 {
7009 	if (params->listen_interval != -1 &&
7010 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7011 		return -EINVAL;
7012 
7013 	if (params->support_p2p_ps != -1 &&
7014 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7015 		return -EINVAL;
7016 
7017 	if (params->aid &&
7018 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7019 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7020 		return -EINVAL;
7021 
7022 	/* When you run into this, adjust the code below for the new flag */
7023 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7024 
7025 	switch (statype) {
7026 	case CFG80211_STA_MESH_PEER_KERNEL:
7027 	case CFG80211_STA_MESH_PEER_USER:
7028 		/*
7029 		 * No ignoring the TDLS flag here -- the userspace mesh
7030 		 * code doesn't have the bug of including TDLS in the
7031 		 * mask everywhere.
7032 		 */
7033 		if (params->sta_flags_mask &
7034 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7035 				  BIT(NL80211_STA_FLAG_MFP) |
7036 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7037 			return -EINVAL;
7038 		break;
7039 	case CFG80211_STA_TDLS_PEER_SETUP:
7040 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7041 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7042 			return -EINVAL;
7043 		/* ignore since it can't change */
7044 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7045 		break;
7046 	default:
7047 		/* disallow mesh-specific things */
7048 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7049 			return -EINVAL;
7050 		if (params->local_pm)
7051 			return -EINVAL;
7052 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7053 			return -EINVAL;
7054 	}
7055 
7056 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7057 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7058 		/* TDLS can't be set, ... */
7059 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7060 			return -EINVAL;
7061 		/*
7062 		 * ... but don't bother the driver with it. This works around
7063 		 * a hostapd/wpa_supplicant issue -- it always includes the
7064 		 * TLDS_PEER flag in the mask even for AP mode.
7065 		 */
7066 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7067 	}
7068 
7069 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7070 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7071 		/* reject other things that can't change */
7072 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7073 			return -EINVAL;
7074 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7075 			return -EINVAL;
7076 		if (params->link_sta_params.supported_rates)
7077 			return -EINVAL;
7078 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7079 		    params->link_sta_params.vht_capa ||
7080 		    params->link_sta_params.he_capa ||
7081 		    params->link_sta_params.eht_capa)
7082 			return -EINVAL;
7083 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7084 			return -EINVAL;
7085 	}
7086 
7087 	if (statype != CFG80211_STA_AP_CLIENT &&
7088 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7089 		if (params->vlan)
7090 			return -EINVAL;
7091 	}
7092 
7093 	switch (statype) {
7094 	case CFG80211_STA_AP_MLME_CLIENT:
7095 		/* Use this only for authorizing/unauthorizing a station */
7096 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7097 			return -EOPNOTSUPP;
7098 		break;
7099 	case CFG80211_STA_AP_CLIENT:
7100 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7101 		/* accept only the listed bits */
7102 		if (params->sta_flags_mask &
7103 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7104 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7105 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7106 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7107 				  BIT(NL80211_STA_FLAG_WME) |
7108 				  BIT(NL80211_STA_FLAG_MFP) |
7109 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7110 			return -EINVAL;
7111 
7112 		/* but authenticated/associated only if driver handles it */
7113 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7114 		    params->sta_flags_mask &
7115 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7116 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7117 			return -EINVAL;
7118 		break;
7119 	case CFG80211_STA_IBSS:
7120 	case CFG80211_STA_AP_STA:
7121 		/* reject any changes other than AUTHORIZED */
7122 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7123 			return -EINVAL;
7124 		break;
7125 	case CFG80211_STA_TDLS_PEER_SETUP:
7126 		/* reject any changes other than AUTHORIZED or WME */
7127 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7128 					       BIT(NL80211_STA_FLAG_WME)))
7129 			return -EINVAL;
7130 		/* force (at least) rates when authorizing */
7131 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7132 		    !params->link_sta_params.supported_rates)
7133 			return -EINVAL;
7134 		break;
7135 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7136 		/* reject any changes */
7137 		return -EINVAL;
7138 	case CFG80211_STA_MESH_PEER_KERNEL:
7139 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7140 			return -EINVAL;
7141 		break;
7142 	case CFG80211_STA_MESH_PEER_USER:
7143 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7144 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7145 			return -EINVAL;
7146 		break;
7147 	}
7148 
7149 	/*
7150 	 * Older kernel versions ignored this attribute entirely, so don't
7151 	 * reject attempts to update it but mark it as unused instead so the
7152 	 * driver won't look at the data.
7153 	 */
7154 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7155 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7156 		params->link_sta_params.opmode_notif_used = false;
7157 
7158 	return 0;
7159 }
7160 EXPORT_SYMBOL(cfg80211_check_station_change);
7161 
7162 /*
7163  * Get vlan interface making sure it is running and on the right wiphy.
7164  */
7165 static struct net_device *get_vlan(struct genl_info *info,
7166 				   struct cfg80211_registered_device *rdev)
7167 {
7168 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7169 	struct net_device *v;
7170 	int ret;
7171 
7172 	if (!vlanattr)
7173 		return NULL;
7174 
7175 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7176 	if (!v)
7177 		return ERR_PTR(-ENODEV);
7178 
7179 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7180 		ret = -EINVAL;
7181 		goto error;
7182 	}
7183 
7184 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7185 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7186 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7187 		ret = -EINVAL;
7188 		goto error;
7189 	}
7190 
7191 	if (!netif_running(v)) {
7192 		ret = -ENETDOWN;
7193 		goto error;
7194 	}
7195 
7196 	return v;
7197  error:
7198 	dev_put(v);
7199 	return ERR_PTR(ret);
7200 }
7201 
7202 static int nl80211_parse_sta_wme(struct genl_info *info,
7203 				 struct station_parameters *params)
7204 {
7205 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7206 	struct nlattr *nla;
7207 	int err;
7208 
7209 	/* parse WME attributes if present */
7210 	if (!info->attrs[NL80211_ATTR_STA_WME])
7211 		return 0;
7212 
7213 	nla = info->attrs[NL80211_ATTR_STA_WME];
7214 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7215 					  nl80211_sta_wme_policy,
7216 					  info->extack);
7217 	if (err)
7218 		return err;
7219 
7220 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7221 		params->uapsd_queues = nla_get_u8(
7222 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7223 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7224 		return -EINVAL;
7225 
7226 	if (tb[NL80211_STA_WME_MAX_SP])
7227 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7228 
7229 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7230 		return -EINVAL;
7231 
7232 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7233 
7234 	return 0;
7235 }
7236 
7237 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7238 				      struct station_parameters *params)
7239 {
7240 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7241 		params->supported_channels =
7242 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7243 		params->supported_channels_len =
7244 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7245 		/*
7246 		 * Need to include at least one (first channel, number of
7247 		 * channels) tuple for each subband (checked in policy),
7248 		 * and must have proper tuples for the rest of the data as well.
7249 		 */
7250 		if (params->supported_channels_len % 2)
7251 			return -EINVAL;
7252 	}
7253 
7254 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7255 		params->supported_oper_classes =
7256 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7257 		params->supported_oper_classes_len =
7258 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7259 	}
7260 	return 0;
7261 }
7262 
7263 static int nl80211_set_station_tdls(struct genl_info *info,
7264 				    struct station_parameters *params)
7265 {
7266 	int err;
7267 	/* Dummy STA entry gets updated once the peer capabilities are known */
7268 	if (info->attrs[NL80211_ATTR_PEER_AID])
7269 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7270 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7271 		params->link_sta_params.ht_capa =
7272 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7273 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7274 		params->link_sta_params.vht_capa =
7275 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7276 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7277 		params->link_sta_params.he_capa =
7278 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7279 		params->link_sta_params.he_capa_len =
7280 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7281 
7282 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7283 			params->link_sta_params.eht_capa =
7284 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7285 			params->link_sta_params.eht_capa_len =
7286 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7287 
7288 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7289 							(const u8 *)params->link_sta_params.eht_capa,
7290 							params->link_sta_params.eht_capa_len,
7291 							false))
7292 				return -EINVAL;
7293 		}
7294 	}
7295 
7296 	err = nl80211_parse_sta_channel_info(info, params);
7297 	if (err)
7298 		return err;
7299 
7300 	return nl80211_parse_sta_wme(info, params);
7301 }
7302 
7303 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7304 					     struct sta_txpwr *txpwr,
7305 					     bool *txpwr_set)
7306 {
7307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7308 	int idx;
7309 
7310 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7311 		if (!rdev->ops->set_tx_power ||
7312 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7313 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7314 			return -EOPNOTSUPP;
7315 
7316 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7317 		txpwr->type = nla_get_u8(info->attrs[idx]);
7318 
7319 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7320 			idx = NL80211_ATTR_STA_TX_POWER;
7321 
7322 			if (info->attrs[idx])
7323 				txpwr->power = nla_get_s16(info->attrs[idx]);
7324 			else
7325 				return -EINVAL;
7326 		}
7327 
7328 		*txpwr_set = true;
7329 	} else {
7330 		*txpwr_set = false;
7331 	}
7332 
7333 	return 0;
7334 }
7335 
7336 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7337 {
7338 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7339 	struct net_device *dev = info->user_ptr[1];
7340 	struct station_parameters params;
7341 	u8 *mac_addr;
7342 	int err;
7343 
7344 	memset(&params, 0, sizeof(params));
7345 
7346 	if (!rdev->ops->change_station)
7347 		return -EOPNOTSUPP;
7348 
7349 	/*
7350 	 * AID and listen_interval properties can be set only for unassociated
7351 	 * station. Include these parameters here and will check them in
7352 	 * cfg80211_check_station_change().
7353 	 */
7354 	if (info->attrs[NL80211_ATTR_STA_AID])
7355 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7356 
7357 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7358 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7359 
7360 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7361 		params.listen_interval =
7362 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7363 	else
7364 		params.listen_interval = -1;
7365 
7366 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7367 		params.support_p2p_ps =
7368 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7369 	else
7370 		params.support_p2p_ps = -1;
7371 
7372 	if (!info->attrs[NL80211_ATTR_MAC])
7373 		return -EINVAL;
7374 
7375 	params.link_sta_params.link_id =
7376 		nl80211_link_id_or_invalid(info->attrs);
7377 
7378 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7379 		/* If MLD_ADDR attribute is set then this is an MLD station
7380 		 * and the MLD_ADDR attribute holds the MLD address and the
7381 		 * MAC attribute holds for the LINK address.
7382 		 * In that case, the link_id is also expected to be valid.
7383 		 */
7384 		if (params.link_sta_params.link_id < 0)
7385 			return -EINVAL;
7386 
7387 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7388 		params.link_sta_params.mld_mac = mac_addr;
7389 		params.link_sta_params.link_mac =
7390 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7391 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7392 			return -EINVAL;
7393 	} else {
7394 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7395 	}
7396 
7397 
7398 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7399 		params.link_sta_params.supported_rates =
7400 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7401 		params.link_sta_params.supported_rates_len =
7402 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7403 	}
7404 
7405 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7406 		params.capability =
7407 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7408 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7409 	}
7410 
7411 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7412 		params.ext_capab =
7413 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7414 		params.ext_capab_len =
7415 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7416 	}
7417 
7418 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7419 		return -EINVAL;
7420 
7421 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7422 		params.plink_action =
7423 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7424 
7425 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7426 		params.plink_state =
7427 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7428 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7429 			params.peer_aid = nla_get_u16(
7430 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7431 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7432 	}
7433 
7434 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7435 		params.local_pm = nla_get_u32(
7436 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7437 
7438 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7439 		params.link_sta_params.opmode_notif_used = true;
7440 		params.link_sta_params.opmode_notif =
7441 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7442 	}
7443 
7444 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7445 		params.link_sta_params.he_6ghz_capa =
7446 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7447 
7448 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7449 		params.airtime_weight =
7450 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7451 
7452 	if (params.airtime_weight &&
7453 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7454 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7455 		return -EOPNOTSUPP;
7456 
7457 	err = nl80211_parse_sta_txpower_setting(info,
7458 						&params.link_sta_params.txpwr,
7459 						&params.link_sta_params.txpwr_set);
7460 	if (err)
7461 		return err;
7462 
7463 	/* Include parameters for TDLS peer (will check later) */
7464 	err = nl80211_set_station_tdls(info, &params);
7465 	if (err)
7466 		return err;
7467 
7468 	params.vlan = get_vlan(info, rdev);
7469 	if (IS_ERR(params.vlan))
7470 		return PTR_ERR(params.vlan);
7471 
7472 	switch (dev->ieee80211_ptr->iftype) {
7473 	case NL80211_IFTYPE_AP:
7474 	case NL80211_IFTYPE_AP_VLAN:
7475 	case NL80211_IFTYPE_P2P_GO:
7476 	case NL80211_IFTYPE_P2P_CLIENT:
7477 	case NL80211_IFTYPE_STATION:
7478 	case NL80211_IFTYPE_ADHOC:
7479 	case NL80211_IFTYPE_MESH_POINT:
7480 		break;
7481 	default:
7482 		err = -EOPNOTSUPP;
7483 		goto out_put_vlan;
7484 	}
7485 
7486 	/* driver will call cfg80211_check_station_change() */
7487 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7488 
7489  out_put_vlan:
7490 	dev_put(params.vlan);
7491 
7492 	return err;
7493 }
7494 
7495 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7496 {
7497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7498 	int err;
7499 	struct net_device *dev = info->user_ptr[1];
7500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7501 	struct station_parameters params;
7502 	u8 *mac_addr = NULL;
7503 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7504 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7505 
7506 	memset(&params, 0, sizeof(params));
7507 
7508 	if (!rdev->ops->add_station)
7509 		return -EOPNOTSUPP;
7510 
7511 	if (!info->attrs[NL80211_ATTR_MAC])
7512 		return -EINVAL;
7513 
7514 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7515 		return -EINVAL;
7516 
7517 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7518 		return -EINVAL;
7519 
7520 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7521 	    !info->attrs[NL80211_ATTR_PEER_AID])
7522 		return -EINVAL;
7523 
7524 	params.link_sta_params.link_id =
7525 		nl80211_link_id_or_invalid(info->attrs);
7526 
7527 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7528 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7529 		params.link_sta_params.mld_mac = mac_addr;
7530 		params.link_sta_params.link_mac =
7531 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7532 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7533 			return -EINVAL;
7534 	} else {
7535 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7536 	}
7537 
7538 	params.link_sta_params.supported_rates =
7539 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7540 	params.link_sta_params.supported_rates_len =
7541 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7542 	params.listen_interval =
7543 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7544 
7545 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7546 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7547 
7548 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7549 		params.support_p2p_ps =
7550 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7551 	} else {
7552 		/*
7553 		 * if not specified, assume it's supported for P2P GO interface,
7554 		 * and is NOT supported for AP interface
7555 		 */
7556 		params.support_p2p_ps =
7557 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7558 	}
7559 
7560 	if (info->attrs[NL80211_ATTR_PEER_AID])
7561 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7562 	else
7563 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7564 
7565 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7566 		params.capability =
7567 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7568 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7569 	}
7570 
7571 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7572 		params.ext_capab =
7573 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7574 		params.ext_capab_len =
7575 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7576 	}
7577 
7578 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7579 		params.link_sta_params.ht_capa =
7580 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7581 
7582 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7583 		params.link_sta_params.vht_capa =
7584 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7585 
7586 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7587 		params.link_sta_params.he_capa =
7588 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7589 		params.link_sta_params.he_capa_len =
7590 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7591 
7592 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7593 			params.link_sta_params.eht_capa =
7594 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7595 			params.link_sta_params.eht_capa_len =
7596 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7597 
7598 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7599 							(const u8 *)params.link_sta_params.eht_capa,
7600 							params.link_sta_params.eht_capa_len,
7601 							false))
7602 				return -EINVAL;
7603 		}
7604 	}
7605 
7606 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7607 		params.link_sta_params.he_6ghz_capa =
7608 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7609 
7610 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7611 		params.link_sta_params.opmode_notif_used = true;
7612 		params.link_sta_params.opmode_notif =
7613 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7614 	}
7615 
7616 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7617 		params.plink_action =
7618 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7619 
7620 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7621 		params.airtime_weight =
7622 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7623 
7624 	if (params.airtime_weight &&
7625 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7626 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7627 		return -EOPNOTSUPP;
7628 
7629 	err = nl80211_parse_sta_txpower_setting(info,
7630 						&params.link_sta_params.txpwr,
7631 						&params.link_sta_params.txpwr_set);
7632 	if (err)
7633 		return err;
7634 
7635 	err = nl80211_parse_sta_channel_info(info, &params);
7636 	if (err)
7637 		return err;
7638 
7639 	err = nl80211_parse_sta_wme(info, &params);
7640 	if (err)
7641 		return err;
7642 
7643 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7644 		return -EINVAL;
7645 
7646 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7647 	 * as userspace might just pass through the capabilities from the IEs
7648 	 * directly, rather than enforcing this restriction and returning an
7649 	 * error in this case.
7650 	 */
7651 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7652 		params.link_sta_params.ht_capa = NULL;
7653 		params.link_sta_params.vht_capa = NULL;
7654 
7655 		/* HE and EHT require WME */
7656 		if (params.link_sta_params.he_capa_len ||
7657 		    params.link_sta_params.he_6ghz_capa ||
7658 		    params.link_sta_params.eht_capa_len)
7659 			return -EINVAL;
7660 	}
7661 
7662 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7663 	if (params.link_sta_params.he_6ghz_capa &&
7664 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7665 		return -EINVAL;
7666 
7667 	/* When you run into this, adjust the code below for the new flag */
7668 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7669 
7670 	switch (dev->ieee80211_ptr->iftype) {
7671 	case NL80211_IFTYPE_AP:
7672 	case NL80211_IFTYPE_AP_VLAN:
7673 	case NL80211_IFTYPE_P2P_GO:
7674 		/* ignore WME attributes if iface/sta is not capable */
7675 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7676 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7677 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7678 
7679 		/* TDLS peers cannot be added */
7680 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7681 		    info->attrs[NL80211_ATTR_PEER_AID])
7682 			return -EINVAL;
7683 		/* but don't bother the driver with it */
7684 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7685 
7686 		/* allow authenticated/associated only if driver handles it */
7687 		if (!(rdev->wiphy.features &
7688 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7689 		    params.sta_flags_mask & auth_assoc)
7690 			return -EINVAL;
7691 
7692 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7693 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7694 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7695 			return -EINVAL;
7696 
7697 		/* Older userspace, or userspace wanting to be compatible with
7698 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7699 		 * and assoc flags in the mask, but assumes the station will be
7700 		 * added as associated anyway since this was the required driver
7701 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7702 		 * introduced.
7703 		 * In order to not bother drivers with this quirk in the API
7704 		 * set the flags in both the mask and set for new stations in
7705 		 * this case.
7706 		 */
7707 		if (!(params.sta_flags_mask & auth_assoc)) {
7708 			params.sta_flags_mask |= auth_assoc;
7709 			params.sta_flags_set |= auth_assoc;
7710 		}
7711 
7712 		/* must be last in here for error handling */
7713 		params.vlan = get_vlan(info, rdev);
7714 		if (IS_ERR(params.vlan))
7715 			return PTR_ERR(params.vlan);
7716 		break;
7717 	case NL80211_IFTYPE_MESH_POINT:
7718 		/* ignore uAPSD data */
7719 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7720 
7721 		/* associated is disallowed */
7722 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7723 			return -EINVAL;
7724 		/* TDLS peers cannot be added */
7725 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7726 		    info->attrs[NL80211_ATTR_PEER_AID])
7727 			return -EINVAL;
7728 		break;
7729 	case NL80211_IFTYPE_STATION:
7730 	case NL80211_IFTYPE_P2P_CLIENT:
7731 		/* ignore uAPSD data */
7732 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7733 
7734 		/* these are disallowed */
7735 		if (params.sta_flags_mask &
7736 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7737 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7738 			return -EINVAL;
7739 		/* Only TDLS peers can be added */
7740 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7741 			return -EINVAL;
7742 		/* Can only add if TDLS ... */
7743 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7744 			return -EOPNOTSUPP;
7745 		/* ... with external setup is supported */
7746 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7747 			return -EOPNOTSUPP;
7748 		/*
7749 		 * Older wpa_supplicant versions always mark the TDLS peer
7750 		 * as authorized, but it shouldn't yet be.
7751 		 */
7752 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7753 		break;
7754 	default:
7755 		return -EOPNOTSUPP;
7756 	}
7757 
7758 	/* be aware of params.vlan when changing code here */
7759 
7760 	if (wdev->valid_links) {
7761 		if (params.link_sta_params.link_id < 0) {
7762 			err = -EINVAL;
7763 			goto out;
7764 		}
7765 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7766 			err = -ENOLINK;
7767 			goto out;
7768 		}
7769 	} else {
7770 		if (params.link_sta_params.link_id >= 0) {
7771 			err = -EINVAL;
7772 			goto out;
7773 		}
7774 	}
7775 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7776 out:
7777 	dev_put(params.vlan);
7778 	return err;
7779 }
7780 
7781 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7782 {
7783 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7784 	struct net_device *dev = info->user_ptr[1];
7785 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7786 	struct station_del_parameters params;
7787 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7788 
7789 	memset(&params, 0, sizeof(params));
7790 
7791 	if (info->attrs[NL80211_ATTR_MAC])
7792 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7793 
7794 	switch (wdev->iftype) {
7795 	case NL80211_IFTYPE_AP:
7796 	case NL80211_IFTYPE_AP_VLAN:
7797 	case NL80211_IFTYPE_MESH_POINT:
7798 	case NL80211_IFTYPE_P2P_GO:
7799 		/* always accept these */
7800 		break;
7801 	case NL80211_IFTYPE_ADHOC:
7802 		/* conditionally accept */
7803 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7804 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7805 			break;
7806 		return -EINVAL;
7807 	default:
7808 		return -EINVAL;
7809 	}
7810 
7811 	if (!rdev->ops->del_station)
7812 		return -EOPNOTSUPP;
7813 
7814 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7815 		params.subtype =
7816 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7817 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7818 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7819 			return -EINVAL;
7820 	} else {
7821 		/* Default to Deauthentication frame */
7822 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7823 	}
7824 
7825 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7826 		params.reason_code =
7827 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7828 		if (params.reason_code == 0)
7829 			return -EINVAL; /* 0 is reserved */
7830 	} else {
7831 		/* Default to reason code 2 */
7832 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7833 	}
7834 
7835 	/* Link ID not expected in case of non-ML operation */
7836 	if (!wdev->valid_links && link_id != -1)
7837 		return -EINVAL;
7838 
7839 	/* If given, a valid link ID should be passed during MLO */
7840 	if (wdev->valid_links && link_id >= 0 &&
7841 	    !(wdev->valid_links & BIT(link_id)))
7842 		return -EINVAL;
7843 
7844 	params.link_id = link_id;
7845 
7846 	return rdev_del_station(rdev, dev, &params);
7847 }
7848 
7849 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7850 				int flags, struct net_device *dev,
7851 				u8 *dst, u8 *next_hop,
7852 				struct mpath_info *pinfo)
7853 {
7854 	void *hdr;
7855 	struct nlattr *pinfoattr;
7856 
7857 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7858 	if (!hdr)
7859 		return -1;
7860 
7861 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7862 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7863 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7864 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7865 		goto nla_put_failure;
7866 
7867 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7868 	if (!pinfoattr)
7869 		goto nla_put_failure;
7870 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7871 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7872 			pinfo->frame_qlen))
7873 		goto nla_put_failure;
7874 	if (((pinfo->filled & MPATH_INFO_SN) &&
7875 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7876 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7877 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7878 			 pinfo->metric)) ||
7879 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7880 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7881 			 pinfo->exptime)) ||
7882 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7883 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7884 			pinfo->flags)) ||
7885 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7886 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7887 			 pinfo->discovery_timeout)) ||
7888 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7889 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7890 			pinfo->discovery_retries)) ||
7891 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7892 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7893 			pinfo->hop_count)) ||
7894 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7895 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7896 			 pinfo->path_change_count)))
7897 		goto nla_put_failure;
7898 
7899 	nla_nest_end(msg, pinfoattr);
7900 
7901 	genlmsg_end(msg, hdr);
7902 	return 0;
7903 
7904  nla_put_failure:
7905 	genlmsg_cancel(msg, hdr);
7906 	return -EMSGSIZE;
7907 }
7908 
7909 static int nl80211_dump_mpath(struct sk_buff *skb,
7910 			      struct netlink_callback *cb)
7911 {
7912 	struct mpath_info pinfo;
7913 	struct cfg80211_registered_device *rdev;
7914 	struct wireless_dev *wdev;
7915 	u8 dst[ETH_ALEN];
7916 	u8 next_hop[ETH_ALEN];
7917 	int path_idx = cb->args[2];
7918 	int err;
7919 
7920 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7921 	if (err)
7922 		return err;
7923 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7924 	__acquire(&rdev->wiphy.mtx);
7925 
7926 	if (!rdev->ops->dump_mpath) {
7927 		err = -EOPNOTSUPP;
7928 		goto out_err;
7929 	}
7930 
7931 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7932 		err = -EOPNOTSUPP;
7933 		goto out_err;
7934 	}
7935 
7936 	while (1) {
7937 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7938 				      next_hop, &pinfo);
7939 		if (err == -ENOENT)
7940 			break;
7941 		if (err)
7942 			goto out_err;
7943 
7944 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7945 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7946 				       wdev->netdev, dst, next_hop,
7947 				       &pinfo) < 0)
7948 			goto out;
7949 
7950 		path_idx++;
7951 	}
7952 
7953  out:
7954 	cb->args[2] = path_idx;
7955 	err = skb->len;
7956  out_err:
7957 	wiphy_unlock(&rdev->wiphy);
7958 	return err;
7959 }
7960 
7961 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7962 {
7963 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7964 	int err;
7965 	struct net_device *dev = info->user_ptr[1];
7966 	struct mpath_info pinfo;
7967 	struct sk_buff *msg;
7968 	u8 *dst = NULL;
7969 	u8 next_hop[ETH_ALEN];
7970 
7971 	memset(&pinfo, 0, sizeof(pinfo));
7972 
7973 	if (!info->attrs[NL80211_ATTR_MAC])
7974 		return -EINVAL;
7975 
7976 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7977 
7978 	if (!rdev->ops->get_mpath)
7979 		return -EOPNOTSUPP;
7980 
7981 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7982 		return -EOPNOTSUPP;
7983 
7984 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7985 	if (err)
7986 		return err;
7987 
7988 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7989 	if (!msg)
7990 		return -ENOMEM;
7991 
7992 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7993 				 dev, dst, next_hop, &pinfo) < 0) {
7994 		nlmsg_free(msg);
7995 		return -ENOBUFS;
7996 	}
7997 
7998 	return genlmsg_reply(msg, info);
7999 }
8000 
8001 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8002 {
8003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8004 	struct net_device *dev = info->user_ptr[1];
8005 	u8 *dst = NULL;
8006 	u8 *next_hop = NULL;
8007 
8008 	if (!info->attrs[NL80211_ATTR_MAC])
8009 		return -EINVAL;
8010 
8011 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8012 		return -EINVAL;
8013 
8014 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8015 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8016 
8017 	if (!rdev->ops->change_mpath)
8018 		return -EOPNOTSUPP;
8019 
8020 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8021 		return -EOPNOTSUPP;
8022 
8023 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8024 }
8025 
8026 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8027 {
8028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8029 	struct net_device *dev = info->user_ptr[1];
8030 	u8 *dst = NULL;
8031 	u8 *next_hop = NULL;
8032 
8033 	if (!info->attrs[NL80211_ATTR_MAC])
8034 		return -EINVAL;
8035 
8036 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8037 		return -EINVAL;
8038 
8039 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8040 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8041 
8042 	if (!rdev->ops->add_mpath)
8043 		return -EOPNOTSUPP;
8044 
8045 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8046 		return -EOPNOTSUPP;
8047 
8048 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8049 }
8050 
8051 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8052 {
8053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8054 	struct net_device *dev = info->user_ptr[1];
8055 	u8 *dst = NULL;
8056 
8057 	if (info->attrs[NL80211_ATTR_MAC])
8058 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8059 
8060 	if (!rdev->ops->del_mpath)
8061 		return -EOPNOTSUPP;
8062 
8063 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8064 		return -EOPNOTSUPP;
8065 
8066 	return rdev_del_mpath(rdev, dev, dst);
8067 }
8068 
8069 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8070 {
8071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8072 	int err;
8073 	struct net_device *dev = info->user_ptr[1];
8074 	struct mpath_info pinfo;
8075 	struct sk_buff *msg;
8076 	u8 *dst = NULL;
8077 	u8 mpp[ETH_ALEN];
8078 
8079 	memset(&pinfo, 0, sizeof(pinfo));
8080 
8081 	if (!info->attrs[NL80211_ATTR_MAC])
8082 		return -EINVAL;
8083 
8084 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8085 
8086 	if (!rdev->ops->get_mpp)
8087 		return -EOPNOTSUPP;
8088 
8089 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8090 		return -EOPNOTSUPP;
8091 
8092 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8093 	if (err)
8094 		return err;
8095 
8096 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8097 	if (!msg)
8098 		return -ENOMEM;
8099 
8100 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8101 			       dev, dst, mpp, &pinfo) < 0) {
8102 		nlmsg_free(msg);
8103 		return -ENOBUFS;
8104 	}
8105 
8106 	return genlmsg_reply(msg, info);
8107 }
8108 
8109 static int nl80211_dump_mpp(struct sk_buff *skb,
8110 			    struct netlink_callback *cb)
8111 {
8112 	struct mpath_info pinfo;
8113 	struct cfg80211_registered_device *rdev;
8114 	struct wireless_dev *wdev;
8115 	u8 dst[ETH_ALEN];
8116 	u8 mpp[ETH_ALEN];
8117 	int path_idx = cb->args[2];
8118 	int err;
8119 
8120 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8121 	if (err)
8122 		return err;
8123 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8124 	__acquire(&rdev->wiphy.mtx);
8125 
8126 	if (!rdev->ops->dump_mpp) {
8127 		err = -EOPNOTSUPP;
8128 		goto out_err;
8129 	}
8130 
8131 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8132 		err = -EOPNOTSUPP;
8133 		goto out_err;
8134 	}
8135 
8136 	while (1) {
8137 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8138 				    mpp, &pinfo);
8139 		if (err == -ENOENT)
8140 			break;
8141 		if (err)
8142 			goto out_err;
8143 
8144 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8145 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8146 				       wdev->netdev, dst, mpp,
8147 				       &pinfo) < 0)
8148 			goto out;
8149 
8150 		path_idx++;
8151 	}
8152 
8153  out:
8154 	cb->args[2] = path_idx;
8155 	err = skb->len;
8156  out_err:
8157 	wiphy_unlock(&rdev->wiphy);
8158 	return err;
8159 }
8160 
8161 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8162 {
8163 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8164 	struct net_device *dev = info->user_ptr[1];
8165 	struct bss_parameters params;
8166 
8167 	memset(&params, 0, sizeof(params));
8168 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8169 	/* default to not changing parameters */
8170 	params.use_cts_prot = -1;
8171 	params.use_short_preamble = -1;
8172 	params.use_short_slot_time = -1;
8173 	params.ap_isolate = -1;
8174 	params.ht_opmode = -1;
8175 	params.p2p_ctwindow = -1;
8176 	params.p2p_opp_ps = -1;
8177 
8178 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8179 		params.use_cts_prot =
8180 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8181 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8182 		params.use_short_preamble =
8183 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8184 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8185 		params.use_short_slot_time =
8186 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8187 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8188 		params.basic_rates =
8189 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8190 		params.basic_rates_len =
8191 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8192 	}
8193 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8194 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8195 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8196 		params.ht_opmode =
8197 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8198 
8199 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8200 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8201 			return -EINVAL;
8202 		params.p2p_ctwindow =
8203 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8204 		if (params.p2p_ctwindow != 0 &&
8205 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8206 			return -EINVAL;
8207 	}
8208 
8209 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8210 		u8 tmp;
8211 
8212 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8213 			return -EINVAL;
8214 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8215 		params.p2p_opp_ps = tmp;
8216 		if (params.p2p_opp_ps &&
8217 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8218 			return -EINVAL;
8219 	}
8220 
8221 	if (!rdev->ops->change_bss)
8222 		return -EOPNOTSUPP;
8223 
8224 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8225 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8226 		return -EOPNOTSUPP;
8227 
8228 	return rdev_change_bss(rdev, dev, &params);
8229 }
8230 
8231 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8232 {
8233 	char *data = NULL;
8234 	bool is_indoor;
8235 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8236 	u32 owner_nlportid;
8237 
8238 	/*
8239 	 * You should only get this when cfg80211 hasn't yet initialized
8240 	 * completely when built-in to the kernel right between the time
8241 	 * window between nl80211_init() and regulatory_init(), if that is
8242 	 * even possible.
8243 	 */
8244 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8245 		return -EINPROGRESS;
8246 
8247 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8248 		user_reg_hint_type =
8249 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8250 	else
8251 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8252 
8253 	switch (user_reg_hint_type) {
8254 	case NL80211_USER_REG_HINT_USER:
8255 	case NL80211_USER_REG_HINT_CELL_BASE:
8256 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8257 			return -EINVAL;
8258 
8259 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8260 		return regulatory_hint_user(data, user_reg_hint_type);
8261 	case NL80211_USER_REG_HINT_INDOOR:
8262 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8263 			owner_nlportid = info->snd_portid;
8264 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8265 		} else {
8266 			owner_nlportid = 0;
8267 			is_indoor = true;
8268 		}
8269 
8270 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8271 		return 0;
8272 	default:
8273 		return -EINVAL;
8274 	}
8275 }
8276 
8277 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8278 {
8279 	return reg_reload_regdb();
8280 }
8281 
8282 static int nl80211_get_mesh_config(struct sk_buff *skb,
8283 				   struct genl_info *info)
8284 {
8285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8286 	struct net_device *dev = info->user_ptr[1];
8287 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8288 	struct mesh_config cur_params;
8289 	int err = 0;
8290 	void *hdr;
8291 	struct nlattr *pinfoattr;
8292 	struct sk_buff *msg;
8293 
8294 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8295 		return -EOPNOTSUPP;
8296 
8297 	if (!rdev->ops->get_mesh_config)
8298 		return -EOPNOTSUPP;
8299 
8300 	/* If not connected, get default parameters */
8301 	if (!wdev->u.mesh.id_len)
8302 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8303 	else
8304 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8305 
8306 	if (err)
8307 		return err;
8308 
8309 	/* Draw up a netlink message to send back */
8310 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8311 	if (!msg)
8312 		return -ENOMEM;
8313 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8314 			     NL80211_CMD_GET_MESH_CONFIG);
8315 	if (!hdr)
8316 		goto out;
8317 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8318 	if (!pinfoattr)
8319 		goto nla_put_failure;
8320 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8321 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8322 			cur_params.dot11MeshRetryTimeout) ||
8323 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8324 			cur_params.dot11MeshConfirmTimeout) ||
8325 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8326 			cur_params.dot11MeshHoldingTimeout) ||
8327 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8328 			cur_params.dot11MeshMaxPeerLinks) ||
8329 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8330 		       cur_params.dot11MeshMaxRetries) ||
8331 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8332 		       cur_params.dot11MeshTTL) ||
8333 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8334 		       cur_params.element_ttl) ||
8335 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8336 		       cur_params.auto_open_plinks) ||
8337 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8338 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8339 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8340 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8341 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8342 			cur_params.path_refresh_time) ||
8343 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8344 			cur_params.min_discovery_timeout) ||
8345 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8346 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8347 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8348 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8349 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8350 			cur_params.dot11MeshHWMPperrMinInterval) ||
8351 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8352 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8353 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8354 		       cur_params.dot11MeshHWMPRootMode) ||
8355 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8356 			cur_params.dot11MeshHWMPRannInterval) ||
8357 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8358 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8359 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8360 		       cur_params.dot11MeshForwarding) ||
8361 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8362 			cur_params.rssi_threshold) ||
8363 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8364 			cur_params.ht_opmode) ||
8365 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8366 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8367 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8368 			cur_params.dot11MeshHWMProotInterval) ||
8369 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8370 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8371 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8372 			cur_params.power_mode) ||
8373 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8374 			cur_params.dot11MeshAwakeWindowDuration) ||
8375 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8376 			cur_params.plink_timeout) ||
8377 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8378 		       cur_params.dot11MeshConnectedToMeshGate) ||
8379 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8380 		       cur_params.dot11MeshNolearn) ||
8381 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8382 		       cur_params.dot11MeshConnectedToAuthServer))
8383 		goto nla_put_failure;
8384 	nla_nest_end(msg, pinfoattr);
8385 	genlmsg_end(msg, hdr);
8386 	return genlmsg_reply(msg, info);
8387 
8388  nla_put_failure:
8389  out:
8390 	nlmsg_free(msg);
8391 	return -ENOBUFS;
8392 }
8393 
8394 static const struct nla_policy
8395 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8396 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8397 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8398 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8399 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8400 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8401 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8402 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8403 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8404 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8405 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8406 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8407 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8408 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8409 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8410 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8411 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8412 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8413 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8414 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8415 		NLA_POLICY_MIN(NLA_U16, 1),
8416 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8417 		NLA_POLICY_MIN(NLA_U16, 1),
8418 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8419 		NLA_POLICY_MIN(NLA_U16, 1),
8420 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8421 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8422 		NLA_POLICY_MIN(NLA_U16, 1),
8423 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8424 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8425 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8426 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8427 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8428 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8429 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8430 		NLA_POLICY_MIN(NLA_U16, 1),
8431 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8432 		NLA_POLICY_MIN(NLA_U16, 1),
8433 	[NL80211_MESHCONF_POWER_MODE] =
8434 		NLA_POLICY_RANGE(NLA_U32,
8435 				 NL80211_MESH_POWER_ACTIVE,
8436 				 NL80211_MESH_POWER_MAX),
8437 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8438 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8439 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8440 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8441 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8442 };
8443 
8444 static const struct nla_policy
8445 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8446 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8447 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8448 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8449 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8450 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8451 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8452 	[NL80211_MESH_SETUP_IE] =
8453 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8454 				       IEEE80211_MAX_DATA_LEN),
8455 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8456 };
8457 
8458 static int nl80211_parse_mesh_config(struct genl_info *info,
8459 				     struct mesh_config *cfg,
8460 				     u32 *mask_out)
8461 {
8462 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8463 	u32 mask = 0;
8464 	u16 ht_opmode;
8465 
8466 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8467 do {									\
8468 	if (tb[attr]) {							\
8469 		cfg->param = fn(tb[attr]);				\
8470 		mask |= BIT((attr) - 1);				\
8471 	}								\
8472 } while (0)
8473 
8474 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8475 		return -EINVAL;
8476 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8477 		return -EINVAL;
8478 
8479 	/* This makes sure that there aren't more than 32 mesh config
8480 	 * parameters (otherwise our bitfield scheme would not work.) */
8481 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8482 
8483 	/* Fill in the params struct */
8484 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8485 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8486 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8487 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8488 				  nla_get_u16);
8489 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8490 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8491 				  nla_get_u16);
8492 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8493 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8494 				  nla_get_u16);
8495 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8496 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8497 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8498 				  NL80211_MESHCONF_TTL, nla_get_u8);
8499 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8500 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8501 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8502 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8503 				  nla_get_u8);
8504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8505 				  mask,
8506 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8507 				  nla_get_u32);
8508 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8509 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8510 				  nla_get_u8);
8511 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8512 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8513 				  nla_get_u32);
8514 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8515 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8516 		return -EINVAL;
8517 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8518 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8519 				  nla_get_u16);
8520 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8521 				  mask,
8522 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8523 				  nla_get_u32);
8524 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8525 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8526 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8527 		return -EINVAL;
8528 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8529 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8530 				  nla_get_u16);
8531 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8532 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8533 				  nla_get_u16);
8534 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8535 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8536 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8537 				  nla_get_u16);
8538 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8539 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8540 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8541 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8542 				  nla_get_u16);
8543 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8544 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8545 				  nla_get_u8);
8546 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8547 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8549 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8550 				  nla_get_s32);
8551 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8552 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8553 				  nla_get_u8);
8554 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8555 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8556 				  nla_get_u8);
8557 	/*
8558 	 * Check HT operation mode based on
8559 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8560 	 */
8561 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8562 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8563 
8564 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8565 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8566 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8567 			return -EINVAL;
8568 
8569 		/* NON_HT_STA bit is reserved, but some programs set it */
8570 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8571 
8572 		cfg->ht_opmode = ht_opmode;
8573 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8574 	}
8575 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8576 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8577 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8578 				  nla_get_u32);
8579 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8580 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8581 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8582 		return -EINVAL;
8583 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8584 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8585 				  nla_get_u16);
8586 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8587 				  mask,
8588 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8589 				  nla_get_u16);
8590 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8591 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8592 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8593 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8594 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8595 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8596 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8597 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8598 	if (mask_out)
8599 		*mask_out = mask;
8600 
8601 	return 0;
8602 
8603 #undef FILL_IN_MESH_PARAM_IF_SET
8604 }
8605 
8606 static int nl80211_parse_mesh_setup(struct genl_info *info,
8607 				     struct mesh_setup *setup)
8608 {
8609 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8610 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8611 
8612 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8613 		return -EINVAL;
8614 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8615 		return -EINVAL;
8616 
8617 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8618 		setup->sync_method =
8619 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8620 		 IEEE80211_SYNC_METHOD_VENDOR :
8621 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8622 
8623 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8624 		setup->path_sel_proto =
8625 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8626 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8627 		 IEEE80211_PATH_PROTOCOL_HWMP;
8628 
8629 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8630 		setup->path_metric =
8631 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8632 		 IEEE80211_PATH_METRIC_VENDOR :
8633 		 IEEE80211_PATH_METRIC_AIRTIME;
8634 
8635 	if (tb[NL80211_MESH_SETUP_IE]) {
8636 		struct nlattr *ieattr =
8637 			tb[NL80211_MESH_SETUP_IE];
8638 		setup->ie = nla_data(ieattr);
8639 		setup->ie_len = nla_len(ieattr);
8640 	}
8641 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8642 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8643 		return -EINVAL;
8644 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8645 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8646 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8647 	if (setup->is_secure)
8648 		setup->user_mpm = true;
8649 
8650 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8651 		if (!setup->user_mpm)
8652 			return -EINVAL;
8653 		setup->auth_id =
8654 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8655 	}
8656 
8657 	return 0;
8658 }
8659 
8660 static int nl80211_update_mesh_config(struct sk_buff *skb,
8661 				      struct genl_info *info)
8662 {
8663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8664 	struct net_device *dev = info->user_ptr[1];
8665 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8666 	struct mesh_config cfg = {};
8667 	u32 mask;
8668 	int err;
8669 
8670 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8671 		return -EOPNOTSUPP;
8672 
8673 	if (!rdev->ops->update_mesh_config)
8674 		return -EOPNOTSUPP;
8675 
8676 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8677 	if (err)
8678 		return err;
8679 
8680 	if (!wdev->u.mesh.id_len)
8681 		err = -ENOLINK;
8682 
8683 	if (!err)
8684 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8685 
8686 	return err;
8687 }
8688 
8689 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8690 			      struct sk_buff *msg)
8691 {
8692 	struct nlattr *nl_reg_rules;
8693 	unsigned int i;
8694 
8695 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8696 	    (regdom->dfs_region &&
8697 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8698 		goto nla_put_failure;
8699 
8700 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8701 	if (!nl_reg_rules)
8702 		goto nla_put_failure;
8703 
8704 	for (i = 0; i < regdom->n_reg_rules; i++) {
8705 		struct nlattr *nl_reg_rule;
8706 		const struct ieee80211_reg_rule *reg_rule;
8707 		const struct ieee80211_freq_range *freq_range;
8708 		const struct ieee80211_power_rule *power_rule;
8709 		unsigned int max_bandwidth_khz;
8710 
8711 		reg_rule = &regdom->reg_rules[i];
8712 		freq_range = &reg_rule->freq_range;
8713 		power_rule = &reg_rule->power_rule;
8714 
8715 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8716 		if (!nl_reg_rule)
8717 			goto nla_put_failure;
8718 
8719 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8720 		if (!max_bandwidth_khz)
8721 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8722 								  reg_rule);
8723 
8724 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8725 				reg_rule->flags) ||
8726 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8727 				freq_range->start_freq_khz) ||
8728 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8729 				freq_range->end_freq_khz) ||
8730 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8731 				max_bandwidth_khz) ||
8732 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8733 				power_rule->max_antenna_gain) ||
8734 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8735 				power_rule->max_eirp) ||
8736 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8737 				reg_rule->dfs_cac_ms))
8738 			goto nla_put_failure;
8739 
8740 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8741 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8742 			       reg_rule->psd))
8743 			goto nla_put_failure;
8744 
8745 		nla_nest_end(msg, nl_reg_rule);
8746 	}
8747 
8748 	nla_nest_end(msg, nl_reg_rules);
8749 	return 0;
8750 
8751 nla_put_failure:
8752 	return -EMSGSIZE;
8753 }
8754 
8755 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8756 {
8757 	const struct ieee80211_regdomain *regdom = NULL;
8758 	struct cfg80211_registered_device *rdev;
8759 	struct wiphy *wiphy = NULL;
8760 	struct sk_buff *msg;
8761 	int err = -EMSGSIZE;
8762 	void *hdr;
8763 
8764 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8765 	if (!msg)
8766 		return -ENOBUFS;
8767 
8768 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8769 			     NL80211_CMD_GET_REG);
8770 	if (!hdr)
8771 		goto put_failure;
8772 
8773 	rtnl_lock();
8774 
8775 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8776 		bool self_managed;
8777 
8778 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8779 		if (IS_ERR(rdev)) {
8780 			err = PTR_ERR(rdev);
8781 			goto nla_put_failure;
8782 		}
8783 
8784 		wiphy = &rdev->wiphy;
8785 		self_managed = wiphy->regulatory_flags &
8786 			       REGULATORY_WIPHY_SELF_MANAGED;
8787 
8788 		rcu_read_lock();
8789 
8790 		regdom = get_wiphy_regdom(wiphy);
8791 
8792 		/* a self-managed-reg device must have a private regdom */
8793 		if (WARN_ON(!regdom && self_managed)) {
8794 			err = -EINVAL;
8795 			goto nla_put_failure_rcu;
8796 		}
8797 
8798 		if (regdom &&
8799 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8800 			goto nla_put_failure_rcu;
8801 	} else {
8802 		rcu_read_lock();
8803 	}
8804 
8805 	if (!wiphy && reg_last_request_cell_base() &&
8806 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8807 			NL80211_USER_REG_HINT_CELL_BASE))
8808 		goto nla_put_failure_rcu;
8809 
8810 	if (!regdom)
8811 		regdom = rcu_dereference(cfg80211_regdomain);
8812 
8813 	if (nl80211_put_regdom(regdom, msg))
8814 		goto nla_put_failure_rcu;
8815 
8816 	rcu_read_unlock();
8817 
8818 	genlmsg_end(msg, hdr);
8819 	rtnl_unlock();
8820 	return genlmsg_reply(msg, info);
8821 
8822 nla_put_failure_rcu:
8823 	rcu_read_unlock();
8824 nla_put_failure:
8825 	rtnl_unlock();
8826 put_failure:
8827 	nlmsg_free(msg);
8828 	return err;
8829 }
8830 
8831 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8832 			       u32 seq, int flags, struct wiphy *wiphy,
8833 			       const struct ieee80211_regdomain *regdom)
8834 {
8835 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8836 				   NL80211_CMD_GET_REG);
8837 
8838 	if (!hdr)
8839 		return -1;
8840 
8841 	genl_dump_check_consistent(cb, hdr);
8842 
8843 	if (nl80211_put_regdom(regdom, msg))
8844 		goto nla_put_failure;
8845 
8846 	if (!wiphy && reg_last_request_cell_base() &&
8847 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8848 			NL80211_USER_REG_HINT_CELL_BASE))
8849 		goto nla_put_failure;
8850 
8851 	if (wiphy &&
8852 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8853 		goto nla_put_failure;
8854 
8855 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8856 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8857 		goto nla_put_failure;
8858 
8859 	genlmsg_end(msg, hdr);
8860 	return 0;
8861 
8862 nla_put_failure:
8863 	genlmsg_cancel(msg, hdr);
8864 	return -EMSGSIZE;
8865 }
8866 
8867 static int nl80211_get_reg_dump(struct sk_buff *skb,
8868 				struct netlink_callback *cb)
8869 {
8870 	const struct ieee80211_regdomain *regdom = NULL;
8871 	struct cfg80211_registered_device *rdev;
8872 	int err, reg_idx, start = cb->args[2];
8873 
8874 	rcu_read_lock();
8875 
8876 	if (cfg80211_regdomain && start == 0) {
8877 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8878 					  NLM_F_MULTI, NULL,
8879 					  rcu_dereference(cfg80211_regdomain));
8880 		if (err < 0)
8881 			goto out_err;
8882 	}
8883 
8884 	/* the global regdom is idx 0 */
8885 	reg_idx = 1;
8886 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8887 		regdom = get_wiphy_regdom(&rdev->wiphy);
8888 		if (!regdom)
8889 			continue;
8890 
8891 		if (++reg_idx <= start)
8892 			continue;
8893 
8894 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8895 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8896 		if (err < 0) {
8897 			reg_idx--;
8898 			break;
8899 		}
8900 	}
8901 
8902 	cb->args[2] = reg_idx;
8903 	err = skb->len;
8904 out_err:
8905 	rcu_read_unlock();
8906 	return err;
8907 }
8908 
8909 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8910 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8911 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8912 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8913 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8914 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8915 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8916 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8917 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8918 };
8919 
8920 static int parse_reg_rule(struct nlattr *tb[],
8921 	struct ieee80211_reg_rule *reg_rule)
8922 {
8923 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8924 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8925 
8926 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8927 		return -EINVAL;
8928 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8929 		return -EINVAL;
8930 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8931 		return -EINVAL;
8932 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8933 		return -EINVAL;
8934 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8935 		return -EINVAL;
8936 
8937 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8938 
8939 	freq_range->start_freq_khz =
8940 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8941 	freq_range->end_freq_khz =
8942 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8943 	freq_range->max_bandwidth_khz =
8944 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8945 
8946 	power_rule->max_eirp =
8947 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8948 
8949 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8950 		power_rule->max_antenna_gain =
8951 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8952 
8953 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8954 		reg_rule->dfs_cac_ms =
8955 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8956 
8957 	return 0;
8958 }
8959 
8960 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8961 {
8962 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8963 	struct nlattr *nl_reg_rule;
8964 	char *alpha2;
8965 	int rem_reg_rules, r;
8966 	u32 num_rules = 0, rule_idx = 0;
8967 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8968 	struct ieee80211_regdomain *rd;
8969 
8970 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8971 		return -EINVAL;
8972 
8973 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8974 		return -EINVAL;
8975 
8976 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8977 
8978 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8979 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8980 
8981 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8982 			    rem_reg_rules) {
8983 		num_rules++;
8984 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8985 			return -EINVAL;
8986 	}
8987 
8988 	rtnl_lock();
8989 	if (!reg_is_valid_request(alpha2)) {
8990 		r = -EINVAL;
8991 		goto out;
8992 	}
8993 
8994 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8995 	if (!rd) {
8996 		r = -ENOMEM;
8997 		goto out;
8998 	}
8999 
9000 	rd->n_reg_rules = num_rules;
9001 	rd->alpha2[0] = alpha2[0];
9002 	rd->alpha2[1] = alpha2[1];
9003 
9004 	/*
9005 	 * Disable DFS master mode if the DFS region was
9006 	 * not supported or known on this kernel.
9007 	 */
9008 	if (reg_supported_dfs_region(dfs_region))
9009 		rd->dfs_region = dfs_region;
9010 
9011 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9012 			    rem_reg_rules) {
9013 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9014 						nl_reg_rule, reg_rule_policy,
9015 						info->extack);
9016 		if (r)
9017 			goto bad_reg;
9018 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9019 		if (r)
9020 			goto bad_reg;
9021 
9022 		rule_idx++;
9023 
9024 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9025 			r = -EINVAL;
9026 			goto bad_reg;
9027 		}
9028 	}
9029 
9030 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9031 	/* set_regdom takes ownership of rd */
9032 	rd = NULL;
9033  bad_reg:
9034 	kfree(rd);
9035  out:
9036 	rtnl_unlock();
9037 	return r;
9038 }
9039 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9040 
9041 static int validate_scan_freqs(struct nlattr *freqs)
9042 {
9043 	struct nlattr *attr1, *attr2;
9044 	int n_channels = 0, tmp1, tmp2;
9045 
9046 	nla_for_each_nested(attr1, freqs, tmp1)
9047 		if (nla_len(attr1) != sizeof(u32))
9048 			return 0;
9049 
9050 	nla_for_each_nested(attr1, freqs, tmp1) {
9051 		n_channels++;
9052 		/*
9053 		 * Some hardware has a limited channel list for
9054 		 * scanning, and it is pretty much nonsensical
9055 		 * to scan for a channel twice, so disallow that
9056 		 * and don't require drivers to check that the
9057 		 * channel list they get isn't longer than what
9058 		 * they can scan, as long as they can scan all
9059 		 * the channels they registered at once.
9060 		 */
9061 		nla_for_each_nested(attr2, freqs, tmp2)
9062 			if (attr1 != attr2 &&
9063 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9064 				return 0;
9065 	}
9066 
9067 	return n_channels;
9068 }
9069 
9070 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9071 {
9072 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9073 }
9074 
9075 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9076 			    struct cfg80211_bss_selection *bss_select)
9077 {
9078 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9079 	struct nlattr *nest;
9080 	int err;
9081 	bool found = false;
9082 	int i;
9083 
9084 	/* only process one nested attribute */
9085 	nest = nla_data(nla);
9086 	if (!nla_ok(nest, nla_len(nest)))
9087 		return -EINVAL;
9088 
9089 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9090 					  nest, nl80211_bss_select_policy,
9091 					  NULL);
9092 	if (err)
9093 		return err;
9094 
9095 	/* only one attribute may be given */
9096 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9097 		if (attr[i]) {
9098 			if (found)
9099 				return -EINVAL;
9100 			found = true;
9101 		}
9102 	}
9103 
9104 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9105 
9106 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9107 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9108 
9109 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9110 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9111 		bss_select->param.band_pref =
9112 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9113 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9114 			return -EINVAL;
9115 	}
9116 
9117 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9118 		struct nl80211_bss_select_rssi_adjust *adj_param;
9119 
9120 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9121 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9122 		bss_select->param.adjust.band = adj_param->band;
9123 		bss_select->param.adjust.delta = adj_param->delta;
9124 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9125 			return -EINVAL;
9126 	}
9127 
9128 	/* user-space did not provide behaviour attribute */
9129 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9130 		return -EINVAL;
9131 
9132 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9133 		return -EINVAL;
9134 
9135 	return 0;
9136 }
9137 
9138 int nl80211_parse_random_mac(struct nlattr **attrs,
9139 			     u8 *mac_addr, u8 *mac_addr_mask)
9140 {
9141 	int i;
9142 
9143 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9144 		eth_zero_addr(mac_addr);
9145 		eth_zero_addr(mac_addr_mask);
9146 		mac_addr[0] = 0x2;
9147 		mac_addr_mask[0] = 0x3;
9148 
9149 		return 0;
9150 	}
9151 
9152 	/* need both or none */
9153 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9154 		return -EINVAL;
9155 
9156 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9157 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9158 
9159 	/* don't allow or configure an mcast address */
9160 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9161 	    is_multicast_ether_addr(mac_addr))
9162 		return -EINVAL;
9163 
9164 	/*
9165 	 * allow users to pass a MAC address that has bits set outside
9166 	 * of the mask, but don't bother drivers with having to deal
9167 	 * with such bits
9168 	 */
9169 	for (i = 0; i < ETH_ALEN; i++)
9170 		mac_addr[i] &= mac_addr_mask[i];
9171 
9172 	return 0;
9173 }
9174 
9175 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9176 					      struct ieee80211_channel *chan)
9177 {
9178 	unsigned int link_id;
9179 	bool all_ok = true;
9180 
9181 	lockdep_assert_wiphy(wdev->wiphy);
9182 
9183 	if (!cfg80211_beaconing_iface_active(wdev))
9184 		return true;
9185 
9186 	/*
9187 	 * FIXME: check if we have a free HW resource/link for chan
9188 	 *
9189 	 * This, as well as the FIXME below, requires knowing the link
9190 	 * capabilities of the hardware.
9191 	 */
9192 
9193 	/* we cannot leave radar channels */
9194 	for_each_valid_link(wdev, link_id) {
9195 		struct cfg80211_chan_def *chandef;
9196 
9197 		chandef = wdev_chandef(wdev, link_id);
9198 		if (!chandef || !chandef->chan)
9199 			continue;
9200 
9201 		/*
9202 		 * FIXME: don't require all_ok, but rather check only the
9203 		 *	  correct HW resource/link onto which 'chan' falls,
9204 		 *	  as only that link leaves the channel for doing
9205 		 *	  the off-channel operation.
9206 		 */
9207 
9208 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9209 			all_ok = false;
9210 	}
9211 
9212 	if (all_ok)
9213 		return true;
9214 
9215 	return regulatory_pre_cac_allowed(wdev->wiphy);
9216 }
9217 
9218 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9219 				    enum nl80211_ext_feature_index feat)
9220 {
9221 	if (!(flags & flag))
9222 		return true;
9223 	if (wiphy_ext_feature_isset(wiphy, feat))
9224 		return true;
9225 	return false;
9226 }
9227 
9228 static int
9229 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9230 			 void *request, struct nlattr **attrs,
9231 			 bool is_sched_scan)
9232 {
9233 	u8 *mac_addr, *mac_addr_mask;
9234 	u32 *flags;
9235 	enum nl80211_feature_flags randomness_flag;
9236 
9237 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9238 		return 0;
9239 
9240 	if (is_sched_scan) {
9241 		struct cfg80211_sched_scan_request *req = request;
9242 
9243 		randomness_flag = wdev ?
9244 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9245 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9246 		flags = &req->flags;
9247 		mac_addr = req->mac_addr;
9248 		mac_addr_mask = req->mac_addr_mask;
9249 	} else {
9250 		struct cfg80211_scan_request *req = request;
9251 
9252 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9253 		flags = &req->flags;
9254 		mac_addr = req->mac_addr;
9255 		mac_addr_mask = req->mac_addr_mask;
9256 	}
9257 
9258 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9259 
9260 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9261 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9262 	    !nl80211_check_scan_feat(wiphy, *flags,
9263 				     NL80211_SCAN_FLAG_LOW_SPAN,
9264 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9265 	    !nl80211_check_scan_feat(wiphy, *flags,
9266 				     NL80211_SCAN_FLAG_LOW_POWER,
9267 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9268 	    !nl80211_check_scan_feat(wiphy, *flags,
9269 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9270 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9271 	    !nl80211_check_scan_feat(wiphy, *flags,
9272 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9273 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9274 	    !nl80211_check_scan_feat(wiphy, *flags,
9275 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9276 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9277 	    !nl80211_check_scan_feat(wiphy, *flags,
9278 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9279 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9280 	    !nl80211_check_scan_feat(wiphy, *flags,
9281 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9282 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9283 	    !nl80211_check_scan_feat(wiphy, *flags,
9284 				     NL80211_SCAN_FLAG_RANDOM_SN,
9285 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9286 	    !nl80211_check_scan_feat(wiphy, *flags,
9287 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9288 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9289 		return -EOPNOTSUPP;
9290 
9291 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9292 		int err;
9293 
9294 		if (!(wiphy->features & randomness_flag) ||
9295 		    (wdev && wdev->connected))
9296 			return -EOPNOTSUPP;
9297 
9298 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9299 		if (err)
9300 			return err;
9301 	}
9302 
9303 	return 0;
9304 }
9305 
9306 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9307 {
9308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9309 	struct wireless_dev *wdev = info->user_ptr[1];
9310 	struct cfg80211_scan_request *request;
9311 	struct nlattr *scan_freqs = NULL;
9312 	bool scan_freqs_khz = false;
9313 	struct nlattr *attr;
9314 	struct wiphy *wiphy;
9315 	int err, tmp, n_ssids = 0, n_channels, i;
9316 	size_t ie_len, size;
9317 	size_t ssids_offset, ie_offset;
9318 
9319 	wiphy = &rdev->wiphy;
9320 
9321 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9322 		return -EOPNOTSUPP;
9323 
9324 	if (!rdev->ops->scan)
9325 		return -EOPNOTSUPP;
9326 
9327 	if (rdev->scan_req || rdev->scan_msg)
9328 		return -EBUSY;
9329 
9330 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9331 		if (!wiphy_ext_feature_isset(wiphy,
9332 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9333 			return -EOPNOTSUPP;
9334 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9335 		scan_freqs_khz = true;
9336 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9337 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9338 
9339 	if (scan_freqs) {
9340 		n_channels = validate_scan_freqs(scan_freqs);
9341 		if (!n_channels)
9342 			return -EINVAL;
9343 	} else {
9344 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9345 	}
9346 
9347 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9348 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9349 			n_ssids++;
9350 
9351 	if (n_ssids > wiphy->max_scan_ssids)
9352 		return -EINVAL;
9353 
9354 	if (info->attrs[NL80211_ATTR_IE])
9355 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9356 	else
9357 		ie_len = 0;
9358 
9359 	if (ie_len > wiphy->max_scan_ie_len)
9360 		return -EINVAL;
9361 
9362 	size = struct_size(request, channels, n_channels);
9363 	ssids_offset = size;
9364 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9365 	ie_offset = size;
9366 	size = size_add(size, ie_len);
9367 	request = kzalloc(size, GFP_KERNEL);
9368 	if (!request)
9369 		return -ENOMEM;
9370 	request->n_channels = n_channels;
9371 
9372 	if (n_ssids)
9373 		request->ssids = (void *)request + ssids_offset;
9374 	request->n_ssids = n_ssids;
9375 	if (ie_len)
9376 		request->ie = (void *)request + ie_offset;
9377 
9378 	i = 0;
9379 	if (scan_freqs) {
9380 		/* user specified, bail out if channel not found */
9381 		nla_for_each_nested(attr, scan_freqs, tmp) {
9382 			struct ieee80211_channel *chan;
9383 			int freq = nla_get_u32(attr);
9384 
9385 			if (!scan_freqs_khz)
9386 				freq = MHZ_TO_KHZ(freq);
9387 
9388 			chan = ieee80211_get_channel_khz(wiphy, freq);
9389 			if (!chan) {
9390 				err = -EINVAL;
9391 				goto out_free;
9392 			}
9393 
9394 			/* ignore disabled channels */
9395 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9396 				continue;
9397 
9398 			request->channels[i] = chan;
9399 			i++;
9400 		}
9401 	} else {
9402 		enum nl80211_band band;
9403 
9404 		/* all channels */
9405 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9406 			int j;
9407 
9408 			if (!wiphy->bands[band])
9409 				continue;
9410 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9411 				struct ieee80211_channel *chan;
9412 
9413 				chan = &wiphy->bands[band]->channels[j];
9414 
9415 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9416 					continue;
9417 
9418 				request->channels[i] = chan;
9419 				i++;
9420 			}
9421 		}
9422 	}
9423 
9424 	if (!i) {
9425 		err = -EINVAL;
9426 		goto out_free;
9427 	}
9428 
9429 	request->n_channels = i;
9430 
9431 	for (i = 0; i < request->n_channels; i++) {
9432 		struct ieee80211_channel *chan = request->channels[i];
9433 
9434 		/* if we can go off-channel to the target channel we're good */
9435 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9436 			continue;
9437 
9438 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9439 			err = -EBUSY;
9440 			goto out_free;
9441 		}
9442 	}
9443 
9444 	i = 0;
9445 	if (n_ssids) {
9446 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9447 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9448 				err = -EINVAL;
9449 				goto out_free;
9450 			}
9451 			request->ssids[i].ssid_len = nla_len(attr);
9452 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9453 			i++;
9454 		}
9455 	}
9456 
9457 	if (info->attrs[NL80211_ATTR_IE]) {
9458 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9459 		memcpy((void *)request->ie,
9460 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9461 		       request->ie_len);
9462 	}
9463 
9464 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9465 		if (wiphy->bands[i])
9466 			request->rates[i] =
9467 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9468 
9469 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9470 		nla_for_each_nested(attr,
9471 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9472 				    tmp) {
9473 			enum nl80211_band band = nla_type(attr);
9474 
9475 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9476 				err = -EINVAL;
9477 				goto out_free;
9478 			}
9479 
9480 			if (!wiphy->bands[band])
9481 				continue;
9482 
9483 			err = ieee80211_get_ratemask(wiphy->bands[band],
9484 						     nla_data(attr),
9485 						     nla_len(attr),
9486 						     &request->rates[band]);
9487 			if (err)
9488 				goto out_free;
9489 		}
9490 	}
9491 
9492 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9493 		request->duration =
9494 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9495 		request->duration_mandatory =
9496 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9497 	}
9498 
9499 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9500 				       false);
9501 	if (err)
9502 		goto out_free;
9503 
9504 	request->no_cck =
9505 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9506 
9507 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9508 	 * BSSID to scan for. This was problematic because that same attribute
9509 	 * was already used for another purpose (local random MAC address). The
9510 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9511 	 * compatibility with older userspace components, also use the
9512 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9513 	 * the specific BSSID use case instead of the random MAC address
9514 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9515 	 */
9516 	if (info->attrs[NL80211_ATTR_BSSID])
9517 		memcpy(request->bssid,
9518 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9519 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9520 		 info->attrs[NL80211_ATTR_MAC])
9521 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9522 		       ETH_ALEN);
9523 	else
9524 		eth_broadcast_addr(request->bssid);
9525 
9526 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9527 	request->wdev = wdev;
9528 	request->wiphy = &rdev->wiphy;
9529 	request->scan_start = jiffies;
9530 
9531 	rdev->scan_req = request;
9532 	err = cfg80211_scan(rdev);
9533 
9534 	if (err)
9535 		goto out_free;
9536 
9537 	nl80211_send_scan_start(rdev, wdev);
9538 	dev_hold(wdev->netdev);
9539 
9540 	return 0;
9541 
9542  out_free:
9543 	rdev->scan_req = NULL;
9544 	kfree(request);
9545 
9546 	return err;
9547 }
9548 
9549 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9550 {
9551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9552 	struct wireless_dev *wdev = info->user_ptr[1];
9553 
9554 	if (!rdev->ops->abort_scan)
9555 		return -EOPNOTSUPP;
9556 
9557 	if (rdev->scan_msg)
9558 		return 0;
9559 
9560 	if (!rdev->scan_req)
9561 		return -ENOENT;
9562 
9563 	rdev_abort_scan(rdev, wdev);
9564 	return 0;
9565 }
9566 
9567 static int
9568 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9569 			       struct cfg80211_sched_scan_request *request,
9570 			       struct nlattr **attrs)
9571 {
9572 	int tmp, err, i = 0;
9573 	struct nlattr *attr;
9574 
9575 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9576 		u32 interval;
9577 
9578 		/*
9579 		 * If scan plans are not specified,
9580 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9581 		 * case one scan plan will be set with the specified scan
9582 		 * interval and infinite number of iterations.
9583 		 */
9584 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9585 		if (!interval)
9586 			return -EINVAL;
9587 
9588 		request->scan_plans[0].interval =
9589 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9590 		if (!request->scan_plans[0].interval)
9591 			return -EINVAL;
9592 
9593 		if (request->scan_plans[0].interval >
9594 		    wiphy->max_sched_scan_plan_interval)
9595 			request->scan_plans[0].interval =
9596 				wiphy->max_sched_scan_plan_interval;
9597 
9598 		return 0;
9599 	}
9600 
9601 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9602 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9603 
9604 		if (WARN_ON(i >= n_plans))
9605 			return -EINVAL;
9606 
9607 		err = nla_parse_nested_deprecated(plan,
9608 						  NL80211_SCHED_SCAN_PLAN_MAX,
9609 						  attr, nl80211_plan_policy,
9610 						  NULL);
9611 		if (err)
9612 			return err;
9613 
9614 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9615 			return -EINVAL;
9616 
9617 		request->scan_plans[i].interval =
9618 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9619 		if (!request->scan_plans[i].interval ||
9620 		    request->scan_plans[i].interval >
9621 		    wiphy->max_sched_scan_plan_interval)
9622 			return -EINVAL;
9623 
9624 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9625 			request->scan_plans[i].iterations =
9626 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9627 			if (!request->scan_plans[i].iterations ||
9628 			    (request->scan_plans[i].iterations >
9629 			     wiphy->max_sched_scan_plan_iterations))
9630 				return -EINVAL;
9631 		} else if (i < n_plans - 1) {
9632 			/*
9633 			 * All scan plans but the last one must specify
9634 			 * a finite number of iterations
9635 			 */
9636 			return -EINVAL;
9637 		}
9638 
9639 		i++;
9640 	}
9641 
9642 	/*
9643 	 * The last scan plan must not specify the number of
9644 	 * iterations, it is supposed to run infinitely
9645 	 */
9646 	if (request->scan_plans[n_plans - 1].iterations)
9647 		return  -EINVAL;
9648 
9649 	return 0;
9650 }
9651 
9652 static struct cfg80211_sched_scan_request *
9653 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9654 			 struct nlattr **attrs, int max_match_sets)
9655 {
9656 	struct cfg80211_sched_scan_request *request;
9657 	struct nlattr *attr;
9658 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9659 	enum nl80211_band band;
9660 	size_t ie_len, size;
9661 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9662 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9663 
9664 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9665 		n_channels = validate_scan_freqs(
9666 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9667 		if (!n_channels)
9668 			return ERR_PTR(-EINVAL);
9669 	} else {
9670 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9671 	}
9672 
9673 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9674 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9675 				    tmp)
9676 			n_ssids++;
9677 
9678 	if (n_ssids > wiphy->max_sched_scan_ssids)
9679 		return ERR_PTR(-EINVAL);
9680 
9681 	/*
9682 	 * First, count the number of 'real' matchsets. Due to an issue with
9683 	 * the old implementation, matchsets containing only the RSSI attribute
9684 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9685 	 * RSSI for all matchsets, rather than their own matchset for reporting
9686 	 * all APs with a strong RSSI. This is needed to be compatible with
9687 	 * older userspace that treated a matchset with only the RSSI as the
9688 	 * global RSSI for all other matchsets - if there are other matchsets.
9689 	 */
9690 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9691 		nla_for_each_nested(attr,
9692 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9693 				    tmp) {
9694 			struct nlattr *rssi;
9695 
9696 			err = nla_parse_nested_deprecated(tb,
9697 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9698 							  attr,
9699 							  nl80211_match_policy,
9700 							  NULL);
9701 			if (err)
9702 				return ERR_PTR(err);
9703 
9704 			/* SSID and BSSID are mutually exclusive */
9705 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9706 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9707 				return ERR_PTR(-EINVAL);
9708 
9709 			/* add other standalone attributes here */
9710 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9711 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9712 				n_match_sets++;
9713 				continue;
9714 			}
9715 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9716 			if (rssi)
9717 				default_match_rssi = nla_get_s32(rssi);
9718 		}
9719 	}
9720 
9721 	/* However, if there's no other matchset, add the RSSI one */
9722 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9723 		n_match_sets = 1;
9724 
9725 	if (n_match_sets > max_match_sets)
9726 		return ERR_PTR(-EINVAL);
9727 
9728 	if (attrs[NL80211_ATTR_IE])
9729 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9730 	else
9731 		ie_len = 0;
9732 
9733 	if (ie_len > wiphy->max_sched_scan_ie_len)
9734 		return ERR_PTR(-EINVAL);
9735 
9736 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9737 		/*
9738 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9739 		 * each scan plan already specifies its own interval
9740 		 */
9741 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9742 			return ERR_PTR(-EINVAL);
9743 
9744 		nla_for_each_nested(attr,
9745 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9746 			n_plans++;
9747 	} else {
9748 		/*
9749 		 * The scan interval attribute is kept for backward
9750 		 * compatibility. If no scan plans are specified and sched scan
9751 		 * interval is specified, one scan plan will be set with this
9752 		 * scan interval and infinite number of iterations.
9753 		 */
9754 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9755 			return ERR_PTR(-EINVAL);
9756 
9757 		n_plans = 1;
9758 	}
9759 
9760 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9761 		return ERR_PTR(-EINVAL);
9762 
9763 	if (!wiphy_ext_feature_isset(
9764 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9765 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9766 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9767 		return ERR_PTR(-EINVAL);
9768 
9769 	size = struct_size(request, channels, n_channels);
9770 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9771 	size = size_add(size, array_size(sizeof(*request->match_sets),
9772 					 n_match_sets));
9773 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9774 					 n_plans));
9775 	size = size_add(size, ie_len);
9776 	request = kzalloc(size, GFP_KERNEL);
9777 	if (!request)
9778 		return ERR_PTR(-ENOMEM);
9779 
9780 	if (n_ssids)
9781 		request->ssids = (void *)&request->channels[n_channels];
9782 	request->n_ssids = n_ssids;
9783 	if (ie_len) {
9784 		if (n_ssids)
9785 			request->ie = (void *)(request->ssids + n_ssids);
9786 		else
9787 			request->ie = (void *)(request->channels + n_channels);
9788 	}
9789 
9790 	if (n_match_sets) {
9791 		if (request->ie)
9792 			request->match_sets = (void *)(request->ie + ie_len);
9793 		else if (n_ssids)
9794 			request->match_sets =
9795 				(void *)(request->ssids + n_ssids);
9796 		else
9797 			request->match_sets =
9798 				(void *)(request->channels + n_channels);
9799 	}
9800 	request->n_match_sets = n_match_sets;
9801 
9802 	if (n_match_sets)
9803 		request->scan_plans = (void *)(request->match_sets +
9804 					       n_match_sets);
9805 	else if (request->ie)
9806 		request->scan_plans = (void *)(request->ie + ie_len);
9807 	else if (n_ssids)
9808 		request->scan_plans = (void *)(request->ssids + n_ssids);
9809 	else
9810 		request->scan_plans = (void *)(request->channels + n_channels);
9811 
9812 	request->n_scan_plans = n_plans;
9813 
9814 	i = 0;
9815 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9816 		/* user specified, bail out if channel not found */
9817 		nla_for_each_nested(attr,
9818 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9819 				    tmp) {
9820 			struct ieee80211_channel *chan;
9821 
9822 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9823 
9824 			if (!chan) {
9825 				err = -EINVAL;
9826 				goto out_free;
9827 			}
9828 
9829 			/* ignore disabled channels */
9830 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9831 				continue;
9832 
9833 			request->channels[i] = chan;
9834 			i++;
9835 		}
9836 	} else {
9837 		/* all channels */
9838 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9839 			int j;
9840 
9841 			if (!wiphy->bands[band])
9842 				continue;
9843 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9844 				struct ieee80211_channel *chan;
9845 
9846 				chan = &wiphy->bands[band]->channels[j];
9847 
9848 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9849 					continue;
9850 
9851 				request->channels[i] = chan;
9852 				i++;
9853 			}
9854 		}
9855 	}
9856 
9857 	if (!i) {
9858 		err = -EINVAL;
9859 		goto out_free;
9860 	}
9861 
9862 	request->n_channels = i;
9863 
9864 	i = 0;
9865 	if (n_ssids) {
9866 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9867 				    tmp) {
9868 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9869 				err = -EINVAL;
9870 				goto out_free;
9871 			}
9872 			request->ssids[i].ssid_len = nla_len(attr);
9873 			memcpy(request->ssids[i].ssid, nla_data(attr),
9874 			       nla_len(attr));
9875 			i++;
9876 		}
9877 	}
9878 
9879 	i = 0;
9880 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9881 		nla_for_each_nested(attr,
9882 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9883 				    tmp) {
9884 			struct nlattr *ssid, *bssid, *rssi;
9885 
9886 			err = nla_parse_nested_deprecated(tb,
9887 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9888 							  attr,
9889 							  nl80211_match_policy,
9890 							  NULL);
9891 			if (err)
9892 				goto out_free;
9893 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9894 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9895 
9896 			if (!ssid && !bssid) {
9897 				i++;
9898 				continue;
9899 			}
9900 
9901 			if (WARN_ON(i >= n_match_sets)) {
9902 				/* this indicates a programming error,
9903 				 * the loop above should have verified
9904 				 * things properly
9905 				 */
9906 				err = -EINVAL;
9907 				goto out_free;
9908 			}
9909 
9910 			if (ssid) {
9911 				memcpy(request->match_sets[i].ssid.ssid,
9912 				       nla_data(ssid), nla_len(ssid));
9913 				request->match_sets[i].ssid.ssid_len =
9914 					nla_len(ssid);
9915 			}
9916 			if (bssid)
9917 				memcpy(request->match_sets[i].bssid,
9918 				       nla_data(bssid), ETH_ALEN);
9919 
9920 			/* special attribute - old implementation w/a */
9921 			request->match_sets[i].rssi_thold = default_match_rssi;
9922 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9923 			if (rssi)
9924 				request->match_sets[i].rssi_thold =
9925 					nla_get_s32(rssi);
9926 			i++;
9927 		}
9928 
9929 		/* there was no other matchset, so the RSSI one is alone */
9930 		if (i == 0 && n_match_sets)
9931 			request->match_sets[0].rssi_thold = default_match_rssi;
9932 
9933 		request->min_rssi_thold = INT_MAX;
9934 		for (i = 0; i < n_match_sets; i++)
9935 			request->min_rssi_thold =
9936 				min(request->match_sets[i].rssi_thold,
9937 				    request->min_rssi_thold);
9938 	} else {
9939 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9940 	}
9941 
9942 	if (ie_len) {
9943 		request->ie_len = ie_len;
9944 		memcpy((void *)request->ie,
9945 		       nla_data(attrs[NL80211_ATTR_IE]),
9946 		       request->ie_len);
9947 	}
9948 
9949 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9950 	if (err)
9951 		goto out_free;
9952 
9953 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9954 		request->delay =
9955 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9956 
9957 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9958 		request->relative_rssi = nla_get_s8(
9959 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9960 		request->relative_rssi_set = true;
9961 	}
9962 
9963 	if (request->relative_rssi_set &&
9964 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9965 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9966 
9967 		rssi_adjust = nla_data(
9968 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9969 		request->rssi_adjust.band = rssi_adjust->band;
9970 		request->rssi_adjust.delta = rssi_adjust->delta;
9971 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9972 			err = -EINVAL;
9973 			goto out_free;
9974 		}
9975 	}
9976 
9977 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9978 	if (err)
9979 		goto out_free;
9980 
9981 	request->scan_start = jiffies;
9982 
9983 	return request;
9984 
9985 out_free:
9986 	kfree(request);
9987 	return ERR_PTR(err);
9988 }
9989 
9990 static int nl80211_start_sched_scan(struct sk_buff *skb,
9991 				    struct genl_info *info)
9992 {
9993 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9994 	struct net_device *dev = info->user_ptr[1];
9995 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9996 	struct cfg80211_sched_scan_request *sched_scan_req;
9997 	bool want_multi;
9998 	int err;
9999 
10000 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10001 		return -EOPNOTSUPP;
10002 
10003 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10004 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10005 	if (err)
10006 		return err;
10007 
10008 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10009 						  info->attrs,
10010 						  rdev->wiphy.max_match_sets);
10011 
10012 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10013 	if (err)
10014 		goto out_err;
10015 
10016 	/* leave request id zero for legacy request
10017 	 * or if driver does not support multi-scheduled scan
10018 	 */
10019 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10020 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10021 
10022 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10023 	if (err)
10024 		goto out_free;
10025 
10026 	sched_scan_req->dev = dev;
10027 	sched_scan_req->wiphy = &rdev->wiphy;
10028 
10029 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10030 		sched_scan_req->owner_nlportid = info->snd_portid;
10031 
10032 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10033 
10034 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10035 	return 0;
10036 
10037 out_free:
10038 	kfree(sched_scan_req);
10039 out_err:
10040 	return err;
10041 }
10042 
10043 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10044 				   struct genl_info *info)
10045 {
10046 	struct cfg80211_sched_scan_request *req;
10047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10048 	u64 cookie;
10049 
10050 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10051 		return -EOPNOTSUPP;
10052 
10053 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10054 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10055 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10056 	}
10057 
10058 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10059 				     struct cfg80211_sched_scan_request,
10060 				     list);
10061 	if (!req || req->reqid ||
10062 	    (req->owner_nlportid &&
10063 	     req->owner_nlportid != info->snd_portid))
10064 		return -ENOENT;
10065 
10066 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10067 }
10068 
10069 static int nl80211_start_radar_detection(struct sk_buff *skb,
10070 					 struct genl_info *info)
10071 {
10072 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10073 	struct net_device *dev = info->user_ptr[1];
10074 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10075 	struct wiphy *wiphy = wdev->wiphy;
10076 	struct cfg80211_chan_def chandef;
10077 	enum nl80211_dfs_regions dfs_region;
10078 	unsigned int cac_time_ms;
10079 	int err = -EINVAL;
10080 
10081 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10082 
10083 	switch (wdev->iftype) {
10084 	case NL80211_IFTYPE_AP:
10085 	case NL80211_IFTYPE_P2P_GO:
10086 	case NL80211_IFTYPE_MESH_POINT:
10087 	case NL80211_IFTYPE_ADHOC:
10088 		break;
10089 	default:
10090 		/* caution - see cfg80211_beaconing_iface_active() below */
10091 		return -EINVAL;
10092 	}
10093 
10094 	wiphy_lock(wiphy);
10095 
10096 	dfs_region = reg_get_dfs_region(wiphy);
10097 	if (dfs_region == NL80211_DFS_UNSET)
10098 		goto unlock;
10099 
10100 	err = nl80211_parse_chandef(rdev, info, &chandef);
10101 	if (err)
10102 		goto unlock;
10103 
10104 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10105 	if (err < 0)
10106 		goto unlock;
10107 
10108 	if (err == 0) {
10109 		err = -EINVAL;
10110 		goto unlock;
10111 	}
10112 
10113 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
10114 		err = -EINVAL;
10115 		goto unlock;
10116 	}
10117 
10118 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
10119 		err = cfg80211_start_background_radar_detection(rdev, wdev,
10120 								&chandef);
10121 		goto unlock;
10122 	}
10123 
10124 	if (cfg80211_beaconing_iface_active(wdev) || wdev->cac_started) {
10125 		err = -EBUSY;
10126 		goto unlock;
10127 	}
10128 
10129 	/* CAC start is offloaded to HW and can't be started manually */
10130 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10131 		err = -EOPNOTSUPP;
10132 		goto unlock;
10133 	}
10134 
10135 	if (!rdev->ops->start_radar_detection) {
10136 		err = -EOPNOTSUPP;
10137 		goto unlock;
10138 	}
10139 
10140 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10141 	if (WARN_ON(!cac_time_ms))
10142 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10143 
10144 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
10145 	if (!err) {
10146 		wdev->links[0].ap.chandef = chandef;
10147 		wdev->cac_started = true;
10148 		wdev->cac_start_time = jiffies;
10149 		wdev->cac_time_ms = cac_time_ms;
10150 	}
10151 unlock:
10152 	wiphy_unlock(wiphy);
10153 
10154 	return err;
10155 }
10156 
10157 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10158 					  struct genl_info *info)
10159 {
10160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10161 	struct net_device *dev = info->user_ptr[1];
10162 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10163 	struct wiphy *wiphy = wdev->wiphy;
10164 	struct cfg80211_chan_def chandef;
10165 	enum nl80211_dfs_regions dfs_region;
10166 	int err;
10167 
10168 	dfs_region = reg_get_dfs_region(wiphy);
10169 	if (dfs_region == NL80211_DFS_UNSET) {
10170 		GENL_SET_ERR_MSG(info,
10171 				 "DFS Region is not set. Unexpected Radar indication");
10172 		return -EINVAL;
10173 	}
10174 
10175 	err = nl80211_parse_chandef(rdev, info, &chandef);
10176 	if (err) {
10177 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10178 		return err;
10179 	}
10180 
10181 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10182 	if (err < 0) {
10183 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10184 		return err;
10185 	}
10186 
10187 	if (err == 0) {
10188 		GENL_SET_ERR_MSG(info,
10189 				 "Unexpected Radar indication for chandef/iftype");
10190 		return -EINVAL;
10191 	}
10192 
10193 	/* Do not process this notification if radar is already detected
10194 	 * by kernel on this channel, and return success.
10195 	 */
10196 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10197 		return 0;
10198 
10199 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10200 
10201 	cfg80211_sched_dfs_chan_update(rdev);
10202 
10203 	rdev->radar_chandef = chandef;
10204 
10205 	/* Propagate this notification to other radios as well */
10206 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10207 
10208 	return 0;
10209 }
10210 
10211 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10212 					 const u8 *data, size_t datalen,
10213 					 int first_count, struct nlattr *attr,
10214 					 const u16 **offsets, unsigned int *n_offsets)
10215 {
10216 	int i;
10217 
10218 	*n_offsets = 0;
10219 
10220 	if (!attr)
10221 		return 0;
10222 
10223 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10224 		return -EINVAL;
10225 
10226 	*n_offsets = nla_len(attr) / sizeof(u16);
10227 	if (rdev->wiphy.max_num_csa_counters &&
10228 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10229 		return -EINVAL;
10230 
10231 	*offsets = nla_data(attr);
10232 
10233 	/* sanity checks - counters should fit and be the same */
10234 	for (i = 0; i < *n_offsets; i++) {
10235 		u16 offset = (*offsets)[i];
10236 
10237 		if (offset >= datalen)
10238 			return -EINVAL;
10239 
10240 		if (first_count != -1 && data[offset] != first_count)
10241 			return -EINVAL;
10242 	}
10243 
10244 	return 0;
10245 }
10246 
10247 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10248 {
10249 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10250 	unsigned int link_id = nl80211_link_id(info->attrs);
10251 	struct net_device *dev = info->user_ptr[1];
10252 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10253 	struct cfg80211_csa_settings params;
10254 	struct nlattr **csa_attrs = NULL;
10255 	int err;
10256 	bool need_new_beacon = false;
10257 	bool need_handle_dfs_flag = true;
10258 	u32 cs_count;
10259 
10260 	if (!rdev->ops->channel_switch ||
10261 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10262 		return -EOPNOTSUPP;
10263 
10264 	switch (dev->ieee80211_ptr->iftype) {
10265 	case NL80211_IFTYPE_AP:
10266 	case NL80211_IFTYPE_P2P_GO:
10267 		need_new_beacon = true;
10268 		/* For all modes except AP the handle_dfs flag needs to be
10269 		 * supplied to tell the kernel that userspace will handle radar
10270 		 * events when they happen. Otherwise a switch to a channel
10271 		 * requiring DFS will be rejected.
10272 		 */
10273 		need_handle_dfs_flag = false;
10274 
10275 		/* useless if AP is not running */
10276 		if (!wdev->links[link_id].ap.beacon_interval)
10277 			return -ENOTCONN;
10278 		break;
10279 	case NL80211_IFTYPE_ADHOC:
10280 		if (!wdev->u.ibss.ssid_len)
10281 			return -ENOTCONN;
10282 		break;
10283 	case NL80211_IFTYPE_MESH_POINT:
10284 		if (!wdev->u.mesh.id_len)
10285 			return -ENOTCONN;
10286 		break;
10287 	default:
10288 		return -EOPNOTSUPP;
10289 	}
10290 
10291 	memset(&params, 0, sizeof(params));
10292 	params.beacon_csa.ftm_responder = -1;
10293 
10294 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10295 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10296 		return -EINVAL;
10297 
10298 	/* only important for AP, IBSS and mesh create IEs internally */
10299 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10300 		return -EINVAL;
10301 
10302 	/* Even though the attribute is u32, the specification says
10303 	 * u8, so let's make sure we don't overflow.
10304 	 */
10305 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10306 	if (cs_count > 255)
10307 		return -EINVAL;
10308 
10309 	params.count = cs_count;
10310 
10311 	if (!need_new_beacon)
10312 		goto skip_beacons;
10313 
10314 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10315 				   info->extack);
10316 	if (err)
10317 		goto free;
10318 
10319 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10320 			    GFP_KERNEL);
10321 	if (!csa_attrs) {
10322 		err = -ENOMEM;
10323 		goto free;
10324 	}
10325 
10326 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10327 					  info->attrs[NL80211_ATTR_CSA_IES],
10328 					  nl80211_policy, info->extack);
10329 	if (err)
10330 		goto free;
10331 
10332 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10333 				   info->extack);
10334 	if (err)
10335 		goto free;
10336 
10337 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10338 		err = -EINVAL;
10339 		goto free;
10340 	}
10341 
10342 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10343 					    params.beacon_csa.tail_len,
10344 					    params.count,
10345 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10346 					    &params.counter_offsets_beacon,
10347 					    &params.n_counter_offsets_beacon);
10348 	if (err)
10349 		goto free;
10350 
10351 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10352 					    params.beacon_csa.probe_resp_len,
10353 					    params.count,
10354 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10355 					    &params.counter_offsets_presp,
10356 					    &params.n_counter_offsets_presp);
10357 	if (err)
10358 		goto free;
10359 
10360 skip_beacons:
10361 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10362 	if (err)
10363 		goto free;
10364 
10365 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10366 					   wdev->iftype)) {
10367 		err = -EINVAL;
10368 		goto free;
10369 	}
10370 
10371 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10372 					    &params.chandef,
10373 					    wdev->iftype);
10374 	if (err < 0)
10375 		goto free;
10376 
10377 	if (err > 0) {
10378 		params.radar_required = true;
10379 		if (need_handle_dfs_flag &&
10380 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10381 			err = -EINVAL;
10382 			goto free;
10383 		}
10384 	}
10385 
10386 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10387 		params.block_tx = true;
10388 
10389 	params.link_id = link_id;
10390 	err = rdev_channel_switch(rdev, dev, &params);
10391 
10392 free:
10393 	kfree(params.beacon_after.mbssid_ies);
10394 	kfree(params.beacon_csa.mbssid_ies);
10395 	kfree(params.beacon_after.rnr_ies);
10396 	kfree(params.beacon_csa.rnr_ies);
10397 	kfree(csa_attrs);
10398 	return err;
10399 }
10400 
10401 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10402 			    u32 seq, int flags,
10403 			    struct cfg80211_registered_device *rdev,
10404 			    struct wireless_dev *wdev,
10405 			    struct cfg80211_internal_bss *intbss)
10406 {
10407 	struct cfg80211_bss *res = &intbss->pub;
10408 	const struct cfg80211_bss_ies *ies;
10409 	unsigned int link_id;
10410 	void *hdr;
10411 	struct nlattr *bss;
10412 
10413 	lockdep_assert_wiphy(wdev->wiphy);
10414 
10415 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10416 			     NL80211_CMD_NEW_SCAN_RESULTS);
10417 	if (!hdr)
10418 		return -1;
10419 
10420 	genl_dump_check_consistent(cb, hdr);
10421 
10422 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10423 		goto nla_put_failure;
10424 	if (wdev->netdev &&
10425 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10426 		goto nla_put_failure;
10427 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10428 			      NL80211_ATTR_PAD))
10429 		goto nla_put_failure;
10430 
10431 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10432 	if (!bss)
10433 		goto nla_put_failure;
10434 	if ((!is_zero_ether_addr(res->bssid) &&
10435 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10436 		goto nla_put_failure;
10437 
10438 	rcu_read_lock();
10439 	/* indicate whether we have probe response data or not */
10440 	if (rcu_access_pointer(res->proberesp_ies) &&
10441 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10442 		goto fail_unlock_rcu;
10443 
10444 	/* this pointer prefers to be pointed to probe response data
10445 	 * but is always valid
10446 	 */
10447 	ies = rcu_dereference(res->ies);
10448 	if (ies) {
10449 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10450 				      NL80211_BSS_PAD))
10451 			goto fail_unlock_rcu;
10452 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10453 					ies->len, ies->data))
10454 			goto fail_unlock_rcu;
10455 	}
10456 
10457 	/* and this pointer is always (unless driver didn't know) beacon data */
10458 	ies = rcu_dereference(res->beacon_ies);
10459 	if (ies && ies->from_beacon) {
10460 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10461 				      NL80211_BSS_PAD))
10462 			goto fail_unlock_rcu;
10463 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10464 					ies->len, ies->data))
10465 			goto fail_unlock_rcu;
10466 	}
10467 	rcu_read_unlock();
10468 
10469 	if (res->beacon_interval &&
10470 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10471 		goto nla_put_failure;
10472 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10473 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10474 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10475 			res->channel->freq_offset) ||
10476 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10477 			jiffies_to_msecs(jiffies - intbss->ts)))
10478 		goto nla_put_failure;
10479 
10480 	if (intbss->parent_tsf &&
10481 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10482 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10483 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10484 		     intbss->parent_bssid)))
10485 		goto nla_put_failure;
10486 
10487 	if (intbss->ts_boottime &&
10488 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10489 			      intbss->ts_boottime, NL80211_BSS_PAD))
10490 		goto nla_put_failure;
10491 
10492 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10493 				intbss->pub.chain_signal,
10494 				NL80211_BSS_CHAIN_SIGNAL))
10495 		goto nla_put_failure;
10496 
10497 	switch (rdev->wiphy.signal_type) {
10498 	case CFG80211_SIGNAL_TYPE_MBM:
10499 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10500 			goto nla_put_failure;
10501 		break;
10502 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10503 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10504 			goto nla_put_failure;
10505 		break;
10506 	default:
10507 		break;
10508 	}
10509 
10510 	switch (wdev->iftype) {
10511 	case NL80211_IFTYPE_P2P_CLIENT:
10512 	case NL80211_IFTYPE_STATION:
10513 		for_each_valid_link(wdev, link_id) {
10514 			if (intbss == wdev->links[link_id].client.current_bss &&
10515 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10516 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10517 			     (wdev->valid_links &&
10518 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10519 					  link_id) ||
10520 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10521 				       wdev->u.client.connected_addr)))))
10522 				goto nla_put_failure;
10523 		}
10524 		break;
10525 	case NL80211_IFTYPE_ADHOC:
10526 		if (intbss == wdev->u.ibss.current_bss &&
10527 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10528 				NL80211_BSS_STATUS_IBSS_JOINED))
10529 			goto nla_put_failure;
10530 		break;
10531 	default:
10532 		break;
10533 	}
10534 
10535 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10536 		goto nla_put_failure;
10537 
10538 	if (res->cannot_use_reasons &&
10539 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10540 			      res->cannot_use_reasons,
10541 			      NL80211_BSS_PAD))
10542 		goto nla_put_failure;
10543 
10544 	nla_nest_end(msg, bss);
10545 
10546 	genlmsg_end(msg, hdr);
10547 	return 0;
10548 
10549  fail_unlock_rcu:
10550 	rcu_read_unlock();
10551  nla_put_failure:
10552 	genlmsg_cancel(msg, hdr);
10553 	return -EMSGSIZE;
10554 }
10555 
10556 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10557 {
10558 	struct cfg80211_registered_device *rdev;
10559 	struct cfg80211_internal_bss *scan;
10560 	struct wireless_dev *wdev;
10561 	struct nlattr **attrbuf;
10562 	int start = cb->args[2], idx = 0;
10563 	bool dump_include_use_data;
10564 	int err;
10565 
10566 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10567 	if (!attrbuf)
10568 		return -ENOMEM;
10569 
10570 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10571 	if (err) {
10572 		kfree(attrbuf);
10573 		return err;
10574 	}
10575 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10576 	__acquire(&rdev->wiphy.mtx);
10577 
10578 	dump_include_use_data =
10579 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10580 	kfree(attrbuf);
10581 
10582 	spin_lock_bh(&rdev->bss_lock);
10583 
10584 	/*
10585 	 * dump_scan will be called multiple times to break up the scan results
10586 	 * into multiple messages.  It is unlikely that any more bss-es will be
10587 	 * expired after the first call, so only call only call this on the
10588 	 * first dump_scan invocation.
10589 	 */
10590 	if (start == 0)
10591 		cfg80211_bss_expire(rdev);
10592 
10593 	cb->seq = rdev->bss_generation;
10594 
10595 	list_for_each_entry(scan, &rdev->bss_list, list) {
10596 		if (++idx <= start)
10597 			continue;
10598 		if (!dump_include_use_data &&
10599 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10600 			continue;
10601 		if (nl80211_send_bss(skb, cb,
10602 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10603 				rdev, wdev, scan) < 0) {
10604 			idx--;
10605 			break;
10606 		}
10607 	}
10608 
10609 	spin_unlock_bh(&rdev->bss_lock);
10610 
10611 	cb->args[2] = idx;
10612 	wiphy_unlock(&rdev->wiphy);
10613 
10614 	return skb->len;
10615 }
10616 
10617 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10618 			       int flags, struct net_device *dev,
10619 			       bool allow_radio_stats,
10620 			       struct survey_info *survey)
10621 {
10622 	void *hdr;
10623 	struct nlattr *infoattr;
10624 
10625 	/* skip radio stats if userspace didn't request them */
10626 	if (!survey->channel && !allow_radio_stats)
10627 		return 0;
10628 
10629 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10630 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10631 	if (!hdr)
10632 		return -ENOMEM;
10633 
10634 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10635 		goto nla_put_failure;
10636 
10637 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10638 	if (!infoattr)
10639 		goto nla_put_failure;
10640 
10641 	if (survey->channel &&
10642 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10643 			survey->channel->center_freq))
10644 		goto nla_put_failure;
10645 
10646 	if (survey->channel && survey->channel->freq_offset &&
10647 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10648 			survey->channel->freq_offset))
10649 		goto nla_put_failure;
10650 
10651 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10652 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10653 		goto nla_put_failure;
10654 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10655 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10656 		goto nla_put_failure;
10657 	if ((survey->filled & SURVEY_INFO_TIME) &&
10658 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10659 			survey->time, NL80211_SURVEY_INFO_PAD))
10660 		goto nla_put_failure;
10661 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10662 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10663 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10664 		goto nla_put_failure;
10665 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10666 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10667 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10668 		goto nla_put_failure;
10669 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10670 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10671 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10672 		goto nla_put_failure;
10673 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10674 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10675 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10676 		goto nla_put_failure;
10677 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10678 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10679 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10680 		goto nla_put_failure;
10681 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10682 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10683 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10684 		goto nla_put_failure;
10685 
10686 	nla_nest_end(msg, infoattr);
10687 
10688 	genlmsg_end(msg, hdr);
10689 	return 0;
10690 
10691  nla_put_failure:
10692 	genlmsg_cancel(msg, hdr);
10693 	return -EMSGSIZE;
10694 }
10695 
10696 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10697 {
10698 	struct nlattr **attrbuf;
10699 	struct survey_info survey;
10700 	struct cfg80211_registered_device *rdev;
10701 	struct wireless_dev *wdev;
10702 	int survey_idx = cb->args[2];
10703 	int res;
10704 	bool radio_stats;
10705 
10706 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10707 	if (!attrbuf)
10708 		return -ENOMEM;
10709 
10710 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10711 	if (res) {
10712 		kfree(attrbuf);
10713 		return res;
10714 	}
10715 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10716 	__acquire(&rdev->wiphy.mtx);
10717 
10718 	/* prepare_wdev_dump parsed the attributes */
10719 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10720 
10721 	if (!wdev->netdev) {
10722 		res = -EINVAL;
10723 		goto out_err;
10724 	}
10725 
10726 	if (!rdev->ops->dump_survey) {
10727 		res = -EOPNOTSUPP;
10728 		goto out_err;
10729 	}
10730 
10731 	while (1) {
10732 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10733 		if (res == -ENOENT)
10734 			break;
10735 		if (res)
10736 			goto out_err;
10737 
10738 		/* don't send disabled channels, but do send non-channel data */
10739 		if (survey.channel &&
10740 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10741 			survey_idx++;
10742 			continue;
10743 		}
10744 
10745 		if (nl80211_send_survey(skb,
10746 				NETLINK_CB(cb->skb).portid,
10747 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10748 				wdev->netdev, radio_stats, &survey) < 0)
10749 			goto out;
10750 		survey_idx++;
10751 	}
10752 
10753  out:
10754 	cb->args[2] = survey_idx;
10755 	res = skb->len;
10756  out_err:
10757 	kfree(attrbuf);
10758 	wiphy_unlock(&rdev->wiphy);
10759 	return res;
10760 }
10761 
10762 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10763 {
10764 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10765 	struct net_device *dev = info->user_ptr[1];
10766 	struct ieee80211_channel *chan;
10767 	const u8 *bssid, *ssid;
10768 	int err, ssid_len;
10769 	enum nl80211_auth_type auth_type;
10770 	struct key_parse key;
10771 	bool local_state_change;
10772 	struct cfg80211_auth_request req = {};
10773 	u32 freq;
10774 
10775 	if (!info->attrs[NL80211_ATTR_MAC])
10776 		return -EINVAL;
10777 
10778 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10779 		return -EINVAL;
10780 
10781 	if (!info->attrs[NL80211_ATTR_SSID])
10782 		return -EINVAL;
10783 
10784 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10785 		return -EINVAL;
10786 
10787 	err = nl80211_parse_key(info, &key);
10788 	if (err)
10789 		return err;
10790 
10791 	if (key.idx >= 0) {
10792 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10793 			return -EINVAL;
10794 		if (!key.p.key || !key.p.key_len)
10795 			return -EINVAL;
10796 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10797 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10798 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10799 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10800 			return -EINVAL;
10801 		if (key.idx > 3)
10802 			return -EINVAL;
10803 	} else {
10804 		key.p.key_len = 0;
10805 		key.p.key = NULL;
10806 	}
10807 
10808 	if (key.idx >= 0) {
10809 		int i;
10810 		bool ok = false;
10811 
10812 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10813 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10814 				ok = true;
10815 				break;
10816 			}
10817 		}
10818 		if (!ok)
10819 			return -EINVAL;
10820 	}
10821 
10822 	if (!rdev->ops->auth)
10823 		return -EOPNOTSUPP;
10824 
10825 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10826 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10827 		return -EOPNOTSUPP;
10828 
10829 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10830 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10831 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10832 		freq +=
10833 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10834 
10835 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10836 	if (!chan)
10837 		return -EINVAL;
10838 
10839 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10840 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10841 
10842 	if (info->attrs[NL80211_ATTR_IE]) {
10843 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10844 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10845 	}
10846 
10847 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10848 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10849 		return -EINVAL;
10850 
10851 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10852 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10853 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10854 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10855 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10856 		return -EINVAL;
10857 
10858 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10859 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10860 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10861 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10862 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10863 			return -EINVAL;
10864 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10865 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10866 	}
10867 
10868 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10869 
10870 	/*
10871 	 * Since we no longer track auth state, ignore
10872 	 * requests to only change local state.
10873 	 */
10874 	if (local_state_change)
10875 		return 0;
10876 
10877 	req.auth_type = auth_type;
10878 	req.key = key.p.key;
10879 	req.key_len = key.p.key_len;
10880 	req.key_idx = key.idx;
10881 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10882 	if (req.link_id >= 0) {
10883 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10884 			return -EINVAL;
10885 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10886 			return -EINVAL;
10887 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10888 		if (!is_valid_ether_addr(req.ap_mld_addr))
10889 			return -EINVAL;
10890 	}
10891 
10892 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10893 				   IEEE80211_BSS_TYPE_ESS,
10894 				   IEEE80211_PRIVACY_ANY);
10895 	if (!req.bss)
10896 		return -ENOENT;
10897 
10898 	err = cfg80211_mlme_auth(rdev, dev, &req);
10899 
10900 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10901 
10902 	return err;
10903 }
10904 
10905 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10906 				     struct genl_info *info)
10907 {
10908 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10909 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10910 		return -EINVAL;
10911 	}
10912 
10913 	if (!rdev->ops->tx_control_port ||
10914 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10915 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10916 		return -EOPNOTSUPP;
10917 
10918 	return 0;
10919 }
10920 
10921 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10922 				   struct genl_info *info,
10923 				   struct cfg80211_crypto_settings *settings,
10924 				   int cipher_limit)
10925 {
10926 	memset(settings, 0, sizeof(*settings));
10927 
10928 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10929 
10930 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10931 		u16 proto;
10932 
10933 		proto = nla_get_u16(
10934 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10935 		settings->control_port_ethertype = cpu_to_be16(proto);
10936 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10937 		    proto != ETH_P_PAE)
10938 			return -EINVAL;
10939 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10940 			settings->control_port_no_encrypt = true;
10941 	} else
10942 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10943 
10944 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10945 		int r = validate_pae_over_nl80211(rdev, info);
10946 
10947 		if (r < 0)
10948 			return r;
10949 
10950 		settings->control_port_over_nl80211 = true;
10951 
10952 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10953 			settings->control_port_no_preauth = true;
10954 	}
10955 
10956 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10957 		void *data;
10958 		int len, i;
10959 
10960 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10961 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10962 		settings->n_ciphers_pairwise = len / sizeof(u32);
10963 
10964 		if (len % sizeof(u32))
10965 			return -EINVAL;
10966 
10967 		if (settings->n_ciphers_pairwise > cipher_limit)
10968 			return -EINVAL;
10969 
10970 		memcpy(settings->ciphers_pairwise, data, len);
10971 
10972 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10973 			if (!cfg80211_supported_cipher_suite(
10974 					&rdev->wiphy,
10975 					settings->ciphers_pairwise[i]))
10976 				return -EINVAL;
10977 	}
10978 
10979 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10980 		settings->cipher_group =
10981 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10982 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10983 						     settings->cipher_group))
10984 			return -EINVAL;
10985 	}
10986 
10987 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
10988 		settings->wpa_versions =
10989 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10990 
10991 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10992 		void *data;
10993 		int len;
10994 
10995 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10996 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10997 		settings->n_akm_suites = len / sizeof(u32);
10998 
10999 		if (len % sizeof(u32))
11000 			return -EINVAL;
11001 
11002 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11003 			return -EINVAL;
11004 
11005 		memcpy(settings->akm_suites, data, len);
11006 	}
11007 
11008 	if (info->attrs[NL80211_ATTR_PMK]) {
11009 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11010 			return -EINVAL;
11011 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11012 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11013 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11014 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11015 			return -EINVAL;
11016 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11017 	}
11018 
11019 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11020 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11021 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11022 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11023 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11024 			return -EINVAL;
11025 		settings->sae_pwd =
11026 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11027 		settings->sae_pwd_len =
11028 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11029 	}
11030 
11031 	if (info->attrs[NL80211_ATTR_SAE_PWE])
11032 		settings->sae_pwe =
11033 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
11034 	else
11035 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
11036 
11037 	return 0;
11038 }
11039 
11040 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11041 					      const u8 *ssid, int ssid_len,
11042 					      struct nlattr **attrs,
11043 					      int assoc_link_id, int link_id)
11044 {
11045 	struct ieee80211_channel *chan;
11046 	struct cfg80211_bss *bss;
11047 	const u8 *bssid;
11048 	u32 freq, use_for = 0;
11049 
11050 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11051 		return ERR_PTR(-EINVAL);
11052 
11053 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11054 
11055 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11056 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11057 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11058 
11059 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11060 	if (!chan)
11061 		return ERR_PTR(-EINVAL);
11062 
11063 	if (assoc_link_id >= 0)
11064 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11065 	if (assoc_link_id == link_id)
11066 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11067 
11068 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11069 				 ssid, ssid_len,
11070 				 IEEE80211_BSS_TYPE_ESS,
11071 				 IEEE80211_PRIVACY_ANY,
11072 				 use_for);
11073 	if (!bss)
11074 		return ERR_PTR(-ENOENT);
11075 
11076 	return bss;
11077 }
11078 
11079 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11080 {
11081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11082 	struct net_device *dev = info->user_ptr[1];
11083 	struct cfg80211_assoc_request req = {};
11084 	struct nlattr **attrs = NULL;
11085 	const u8 *ap_addr, *ssid;
11086 	unsigned int link_id;
11087 	int err, ssid_len;
11088 
11089 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11090 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11091 		return -EPERM;
11092 
11093 	if (!info->attrs[NL80211_ATTR_SSID])
11094 		return -EINVAL;
11095 
11096 	if (!rdev->ops->assoc)
11097 		return -EOPNOTSUPP;
11098 
11099 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11100 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11101 		return -EOPNOTSUPP;
11102 
11103 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11104 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11105 
11106 	if (info->attrs[NL80211_ATTR_IE]) {
11107 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11108 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11109 
11110 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11111 					   req.ie, req.ie_len)) {
11112 			NL_SET_ERR_MSG_ATTR(info->extack,
11113 					    info->attrs[NL80211_ATTR_IE],
11114 					    "non-inheritance makes no sense");
11115 			return -EINVAL;
11116 		}
11117 	}
11118 
11119 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11120 		enum nl80211_mfp mfp =
11121 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11122 		if (mfp == NL80211_MFP_REQUIRED)
11123 			req.use_mfp = true;
11124 		else if (mfp != NL80211_MFP_NO)
11125 			return -EINVAL;
11126 	}
11127 
11128 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11129 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11130 
11131 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11132 		req.flags |= ASSOC_REQ_DISABLE_HT;
11133 
11134 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11135 		memcpy(&req.ht_capa_mask,
11136 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11137 		       sizeof(req.ht_capa_mask));
11138 
11139 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11140 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11141 			return -EINVAL;
11142 		memcpy(&req.ht_capa,
11143 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11144 		       sizeof(req.ht_capa));
11145 	}
11146 
11147 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11148 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11149 
11150 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11151 		req.flags |= ASSOC_REQ_DISABLE_HE;
11152 
11153 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11154 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11155 
11156 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11157 		memcpy(&req.vht_capa_mask,
11158 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11159 		       sizeof(req.vht_capa_mask));
11160 
11161 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11162 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11163 			return -EINVAL;
11164 		memcpy(&req.vht_capa,
11165 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11166 		       sizeof(req.vht_capa));
11167 	}
11168 
11169 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11170 		if (!((rdev->wiphy.features &
11171 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11172 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11173 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11174 					     NL80211_EXT_FEATURE_RRM))
11175 			return -EINVAL;
11176 		req.flags |= ASSOC_REQ_USE_RRM;
11177 	}
11178 
11179 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11180 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11181 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11182 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11183 			return -EINVAL;
11184 		req.fils_nonces =
11185 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11186 	}
11187 
11188 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11189 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11190 			return -EINVAL;
11191 		memcpy(&req.s1g_capa_mask,
11192 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11193 		       sizeof(req.s1g_capa_mask));
11194 	}
11195 
11196 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11197 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11198 			return -EINVAL;
11199 		memcpy(&req.s1g_capa,
11200 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11201 		       sizeof(req.s1g_capa));
11202 	}
11203 
11204 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11205 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11206 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11207 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11208 			return -EINVAL;
11209 		}
11210 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11211 	}
11212 
11213 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11214 
11215 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11216 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11217 		struct nlattr *link;
11218 		int rem = 0;
11219 
11220 		if (req.link_id < 0)
11221 			return -EINVAL;
11222 
11223 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11224 			return -EINVAL;
11225 
11226 		if (info->attrs[NL80211_ATTR_MAC] ||
11227 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11228 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11229 			return -EINVAL;
11230 
11231 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11232 		ap_addr = req.ap_mld_addr;
11233 
11234 		attrs = kzalloc(attrsize, GFP_KERNEL);
11235 		if (!attrs)
11236 			return -ENOMEM;
11237 
11238 		nla_for_each_nested(link,
11239 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11240 				    rem) {
11241 			memset(attrs, 0, attrsize);
11242 
11243 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11244 					 link, NULL, NULL);
11245 
11246 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11247 				err = -EINVAL;
11248 				NL_SET_BAD_ATTR(info->extack, link);
11249 				goto free;
11250 			}
11251 
11252 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11253 			/* cannot use the same link ID again */
11254 			if (req.links[link_id].bss) {
11255 				err = -EINVAL;
11256 				NL_SET_BAD_ATTR(info->extack, link);
11257 				goto free;
11258 			}
11259 			req.links[link_id].bss =
11260 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11261 						  req.link_id, link_id);
11262 			if (IS_ERR(req.links[link_id].bss)) {
11263 				err = PTR_ERR(req.links[link_id].bss);
11264 				req.links[link_id].bss = NULL;
11265 				NL_SET_ERR_MSG_ATTR(info->extack,
11266 						    link, "Error fetching BSS for link");
11267 				goto free;
11268 			}
11269 
11270 			if (attrs[NL80211_ATTR_IE]) {
11271 				req.links[link_id].elems =
11272 					nla_data(attrs[NL80211_ATTR_IE]);
11273 				req.links[link_id].elems_len =
11274 					nla_len(attrs[NL80211_ATTR_IE]);
11275 
11276 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11277 						       req.links[link_id].elems,
11278 						       req.links[link_id].elems_len)) {
11279 					NL_SET_ERR_MSG_ATTR(info->extack,
11280 							    attrs[NL80211_ATTR_IE],
11281 							    "cannot deal with fragmentation");
11282 					err = -EINVAL;
11283 					goto free;
11284 				}
11285 
11286 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11287 							   req.links[link_id].elems,
11288 							   req.links[link_id].elems_len)) {
11289 					NL_SET_ERR_MSG_ATTR(info->extack,
11290 							    attrs[NL80211_ATTR_IE],
11291 							    "cannot deal with non-inheritance");
11292 					err = -EINVAL;
11293 					goto free;
11294 				}
11295 			}
11296 
11297 			req.links[link_id].disabled =
11298 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11299 		}
11300 
11301 		if (!req.links[req.link_id].bss) {
11302 			err = -EINVAL;
11303 			goto free;
11304 		}
11305 
11306 		if (req.links[req.link_id].elems_len) {
11307 			GENL_SET_ERR_MSG(info,
11308 					 "cannot have per-link elems on assoc link");
11309 			err = -EINVAL;
11310 			goto free;
11311 		}
11312 
11313 		if (req.links[req.link_id].disabled) {
11314 			GENL_SET_ERR_MSG(info,
11315 					 "cannot have assoc link disabled");
11316 			err = -EINVAL;
11317 			goto free;
11318 		}
11319 
11320 		kfree(attrs);
11321 		attrs = NULL;
11322 	} else {
11323 		if (req.link_id >= 0)
11324 			return -EINVAL;
11325 
11326 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11327 					    -1, -1);
11328 		if (IS_ERR(req.bss))
11329 			return PTR_ERR(req.bss);
11330 		ap_addr = req.bss->bssid;
11331 	}
11332 
11333 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11334 	if (!err) {
11335 		struct nlattr *link;
11336 		int rem = 0;
11337 
11338 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11339 					  info->extack);
11340 
11341 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11342 			dev->ieee80211_ptr->conn_owner_nlportid =
11343 				info->snd_portid;
11344 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11345 			       ap_addr, ETH_ALEN);
11346 		}
11347 
11348 		/* Report error from first problematic link */
11349 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11350 			nla_for_each_nested(link,
11351 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11352 					    rem) {
11353 				struct nlattr *link_id_attr =
11354 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11355 
11356 				if (!link_id_attr)
11357 					continue;
11358 
11359 				link_id = nla_get_u8(link_id_attr);
11360 
11361 				if (link_id == req.link_id)
11362 					continue;
11363 
11364 				if (!req.links[link_id].error ||
11365 				    WARN_ON(req.links[link_id].error > 0))
11366 					continue;
11367 
11368 				WARN_ON(err >= 0);
11369 
11370 				NL_SET_BAD_ATTR(info->extack, link);
11371 				err = req.links[link_id].error;
11372 				break;
11373 			}
11374 		}
11375 	}
11376 
11377 free:
11378 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11379 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11380 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11381 	kfree(attrs);
11382 
11383 	return err;
11384 }
11385 
11386 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11387 {
11388 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11389 	struct net_device *dev = info->user_ptr[1];
11390 	const u8 *ie = NULL, *bssid;
11391 	int ie_len = 0;
11392 	u16 reason_code;
11393 	bool local_state_change;
11394 
11395 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11396 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11397 		return -EPERM;
11398 
11399 	if (!info->attrs[NL80211_ATTR_MAC])
11400 		return -EINVAL;
11401 
11402 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11403 		return -EINVAL;
11404 
11405 	if (!rdev->ops->deauth)
11406 		return -EOPNOTSUPP;
11407 
11408 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11409 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11410 		return -EOPNOTSUPP;
11411 
11412 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11413 
11414 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11415 	if (reason_code == 0) {
11416 		/* Reason Code 0 is reserved */
11417 		return -EINVAL;
11418 	}
11419 
11420 	if (info->attrs[NL80211_ATTR_IE]) {
11421 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11422 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11423 	}
11424 
11425 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11426 
11427 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11428 				    local_state_change);
11429 }
11430 
11431 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11432 {
11433 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11434 	struct net_device *dev = info->user_ptr[1];
11435 	const u8 *ie = NULL, *bssid;
11436 	int ie_len = 0;
11437 	u16 reason_code;
11438 	bool local_state_change;
11439 
11440 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11441 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11442 		return -EPERM;
11443 
11444 	if (!info->attrs[NL80211_ATTR_MAC])
11445 		return -EINVAL;
11446 
11447 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11448 		return -EINVAL;
11449 
11450 	if (!rdev->ops->disassoc)
11451 		return -EOPNOTSUPP;
11452 
11453 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11454 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11455 		return -EOPNOTSUPP;
11456 
11457 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11458 
11459 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11460 	if (reason_code == 0) {
11461 		/* Reason Code 0 is reserved */
11462 		return -EINVAL;
11463 	}
11464 
11465 	if (info->attrs[NL80211_ATTR_IE]) {
11466 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11467 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11468 	}
11469 
11470 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11471 
11472 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11473 				      local_state_change);
11474 }
11475 
11476 static bool
11477 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11478 			 int mcast_rate[NUM_NL80211_BANDS],
11479 			 int rateval)
11480 {
11481 	struct wiphy *wiphy = &rdev->wiphy;
11482 	bool found = false;
11483 	int band, i;
11484 
11485 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11486 		struct ieee80211_supported_band *sband;
11487 
11488 		sband = wiphy->bands[band];
11489 		if (!sband)
11490 			continue;
11491 
11492 		for (i = 0; i < sband->n_bitrates; i++) {
11493 			if (sband->bitrates[i].bitrate == rateval) {
11494 				mcast_rate[band] = i + 1;
11495 				found = true;
11496 				break;
11497 			}
11498 		}
11499 	}
11500 
11501 	return found;
11502 }
11503 
11504 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11505 {
11506 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11507 	struct net_device *dev = info->user_ptr[1];
11508 	struct cfg80211_ibss_params ibss;
11509 	struct wiphy *wiphy;
11510 	struct cfg80211_cached_keys *connkeys = NULL;
11511 	int err;
11512 
11513 	memset(&ibss, 0, sizeof(ibss));
11514 
11515 	if (!info->attrs[NL80211_ATTR_SSID] ||
11516 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11517 		return -EINVAL;
11518 
11519 	ibss.beacon_interval = 100;
11520 
11521 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11522 		ibss.beacon_interval =
11523 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11524 
11525 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11526 					   ibss.beacon_interval);
11527 	if (err)
11528 		return err;
11529 
11530 	if (!rdev->ops->join_ibss)
11531 		return -EOPNOTSUPP;
11532 
11533 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11534 		return -EOPNOTSUPP;
11535 
11536 	wiphy = &rdev->wiphy;
11537 
11538 	if (info->attrs[NL80211_ATTR_MAC]) {
11539 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11540 
11541 		if (!is_valid_ether_addr(ibss.bssid))
11542 			return -EINVAL;
11543 	}
11544 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11545 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11546 
11547 	if (info->attrs[NL80211_ATTR_IE]) {
11548 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11549 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11550 	}
11551 
11552 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11553 	if (err)
11554 		return err;
11555 
11556 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11557 				     NL80211_IFTYPE_ADHOC))
11558 		return -EINVAL;
11559 
11560 	switch (ibss.chandef.width) {
11561 	case NL80211_CHAN_WIDTH_5:
11562 	case NL80211_CHAN_WIDTH_10:
11563 	case NL80211_CHAN_WIDTH_20_NOHT:
11564 		break;
11565 	case NL80211_CHAN_WIDTH_20:
11566 	case NL80211_CHAN_WIDTH_40:
11567 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11568 			return -EINVAL;
11569 		break;
11570 	case NL80211_CHAN_WIDTH_80:
11571 	case NL80211_CHAN_WIDTH_80P80:
11572 	case NL80211_CHAN_WIDTH_160:
11573 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11574 			return -EINVAL;
11575 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11576 					     NL80211_EXT_FEATURE_VHT_IBSS))
11577 			return -EINVAL;
11578 		break;
11579 	case NL80211_CHAN_WIDTH_320:
11580 		return -EINVAL;
11581 	default:
11582 		return -EINVAL;
11583 	}
11584 
11585 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11586 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11587 
11588 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11589 		u8 *rates =
11590 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11591 		int n_rates =
11592 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11593 		struct ieee80211_supported_band *sband =
11594 			wiphy->bands[ibss.chandef.chan->band];
11595 
11596 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11597 					     &ibss.basic_rates);
11598 		if (err)
11599 			return err;
11600 	}
11601 
11602 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11603 		memcpy(&ibss.ht_capa_mask,
11604 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11605 		       sizeof(ibss.ht_capa_mask));
11606 
11607 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11608 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11609 			return -EINVAL;
11610 		memcpy(&ibss.ht_capa,
11611 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11612 		       sizeof(ibss.ht_capa));
11613 	}
11614 
11615 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11616 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11617 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11618 		return -EINVAL;
11619 
11620 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11621 		bool no_ht = false;
11622 
11623 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11624 		if (IS_ERR(connkeys))
11625 			return PTR_ERR(connkeys);
11626 
11627 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11628 		    no_ht) {
11629 			kfree_sensitive(connkeys);
11630 			return -EINVAL;
11631 		}
11632 	}
11633 
11634 	ibss.control_port =
11635 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11636 
11637 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11638 		int r = validate_pae_over_nl80211(rdev, info);
11639 
11640 		if (r < 0) {
11641 			kfree_sensitive(connkeys);
11642 			return r;
11643 		}
11644 
11645 		ibss.control_port_over_nl80211 = true;
11646 	}
11647 
11648 	ibss.userspace_handles_dfs =
11649 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11650 
11651 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11652 	if (err)
11653 		kfree_sensitive(connkeys);
11654 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11655 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11656 
11657 	return err;
11658 }
11659 
11660 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11661 {
11662 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11663 	struct net_device *dev = info->user_ptr[1];
11664 
11665 	if (!rdev->ops->leave_ibss)
11666 		return -EOPNOTSUPP;
11667 
11668 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11669 		return -EOPNOTSUPP;
11670 
11671 	return cfg80211_leave_ibss(rdev, dev, false);
11672 }
11673 
11674 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11675 {
11676 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11677 	struct net_device *dev = info->user_ptr[1];
11678 	int mcast_rate[NUM_NL80211_BANDS];
11679 	u32 nla_rate;
11680 
11681 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11682 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11683 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11684 		return -EOPNOTSUPP;
11685 
11686 	if (!rdev->ops->set_mcast_rate)
11687 		return -EOPNOTSUPP;
11688 
11689 	memset(mcast_rate, 0, sizeof(mcast_rate));
11690 
11691 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11692 		return -EINVAL;
11693 
11694 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11695 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11696 		return -EINVAL;
11697 
11698 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11699 }
11700 
11701 static struct sk_buff *
11702 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11703 			    struct wireless_dev *wdev, int approxlen,
11704 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11705 			    enum nl80211_attrs attr,
11706 			    const struct nl80211_vendor_cmd_info *info,
11707 			    gfp_t gfp)
11708 {
11709 	struct sk_buff *skb;
11710 	void *hdr;
11711 	struct nlattr *data;
11712 
11713 	skb = nlmsg_new(approxlen + 100, gfp);
11714 	if (!skb)
11715 		return NULL;
11716 
11717 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11718 	if (!hdr) {
11719 		kfree_skb(skb);
11720 		return NULL;
11721 	}
11722 
11723 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11724 		goto nla_put_failure;
11725 
11726 	if (info) {
11727 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11728 				info->vendor_id))
11729 			goto nla_put_failure;
11730 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11731 				info->subcmd))
11732 			goto nla_put_failure;
11733 	}
11734 
11735 	if (wdev) {
11736 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11737 				      wdev_id(wdev), NL80211_ATTR_PAD))
11738 			goto nla_put_failure;
11739 		if (wdev->netdev &&
11740 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11741 				wdev->netdev->ifindex))
11742 			goto nla_put_failure;
11743 	}
11744 
11745 	data = nla_nest_start_noflag(skb, attr);
11746 	if (!data)
11747 		goto nla_put_failure;
11748 
11749 	((void **)skb->cb)[0] = rdev;
11750 	((void **)skb->cb)[1] = hdr;
11751 	((void **)skb->cb)[2] = data;
11752 
11753 	return skb;
11754 
11755  nla_put_failure:
11756 	kfree_skb(skb);
11757 	return NULL;
11758 }
11759 
11760 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11761 					   struct wireless_dev *wdev,
11762 					   enum nl80211_commands cmd,
11763 					   enum nl80211_attrs attr,
11764 					   unsigned int portid,
11765 					   int vendor_event_idx,
11766 					   int approxlen, gfp_t gfp)
11767 {
11768 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11769 	const struct nl80211_vendor_cmd_info *info;
11770 
11771 	switch (cmd) {
11772 	case NL80211_CMD_TESTMODE:
11773 		if (WARN_ON(vendor_event_idx != -1))
11774 			return NULL;
11775 		info = NULL;
11776 		break;
11777 	case NL80211_CMD_VENDOR:
11778 		if (WARN_ON(vendor_event_idx < 0 ||
11779 			    vendor_event_idx >= wiphy->n_vendor_events))
11780 			return NULL;
11781 		info = &wiphy->vendor_events[vendor_event_idx];
11782 		break;
11783 	default:
11784 		WARN_ON(1);
11785 		return NULL;
11786 	}
11787 
11788 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11789 					   cmd, attr, info, gfp);
11790 }
11791 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11792 
11793 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11794 {
11795 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11796 	void *hdr = ((void **)skb->cb)[1];
11797 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11798 	struct nlattr *data = ((void **)skb->cb)[2];
11799 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11800 
11801 	/* clear CB data for netlink core to own from now on */
11802 	memset(skb->cb, 0, sizeof(skb->cb));
11803 
11804 	nla_nest_end(skb, data);
11805 	genlmsg_end(skb, hdr);
11806 
11807 	if (nlhdr->nlmsg_pid) {
11808 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11809 				nlhdr->nlmsg_pid);
11810 	} else {
11811 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11812 			mcgrp = NL80211_MCGRP_VENDOR;
11813 
11814 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11815 					skb, 0, mcgrp, gfp);
11816 	}
11817 }
11818 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11819 
11820 #ifdef CONFIG_NL80211_TESTMODE
11821 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11822 {
11823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11824 	struct wireless_dev *wdev;
11825 	int err;
11826 
11827 	lockdep_assert_held(&rdev->wiphy.mtx);
11828 
11829 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11830 					  info->attrs);
11831 
11832 	if (!rdev->ops->testmode_cmd)
11833 		return -EOPNOTSUPP;
11834 
11835 	if (IS_ERR(wdev)) {
11836 		err = PTR_ERR(wdev);
11837 		if (err != -EINVAL)
11838 			return err;
11839 		wdev = NULL;
11840 	} else if (wdev->wiphy != &rdev->wiphy) {
11841 		return -EINVAL;
11842 	}
11843 
11844 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11845 		return -EINVAL;
11846 
11847 	rdev->cur_cmd_info = info;
11848 	err = rdev_testmode_cmd(rdev, wdev,
11849 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11850 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11851 	rdev->cur_cmd_info = NULL;
11852 
11853 	return err;
11854 }
11855 
11856 static int nl80211_testmode_dump(struct sk_buff *skb,
11857 				 struct netlink_callback *cb)
11858 {
11859 	struct cfg80211_registered_device *rdev;
11860 	struct nlattr **attrbuf = NULL;
11861 	int err;
11862 	long phy_idx;
11863 	void *data = NULL;
11864 	int data_len = 0;
11865 
11866 	rtnl_lock();
11867 
11868 	if (cb->args[0]) {
11869 		/*
11870 		 * 0 is a valid index, but not valid for args[0],
11871 		 * so we need to offset by 1.
11872 		 */
11873 		phy_idx = cb->args[0] - 1;
11874 
11875 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11876 		if (!rdev) {
11877 			err = -ENOENT;
11878 			goto out_err;
11879 		}
11880 	} else {
11881 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11882 				  GFP_KERNEL);
11883 		if (!attrbuf) {
11884 			err = -ENOMEM;
11885 			goto out_err;
11886 		}
11887 
11888 		err = nlmsg_parse_deprecated(cb->nlh,
11889 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11890 					     attrbuf, nl80211_fam.maxattr,
11891 					     nl80211_policy, NULL);
11892 		if (err)
11893 			goto out_err;
11894 
11895 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11896 		if (IS_ERR(rdev)) {
11897 			err = PTR_ERR(rdev);
11898 			goto out_err;
11899 		}
11900 		phy_idx = rdev->wiphy_idx;
11901 
11902 		if (attrbuf[NL80211_ATTR_TESTDATA])
11903 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11904 	}
11905 
11906 	if (cb->args[1]) {
11907 		data = nla_data((void *)cb->args[1]);
11908 		data_len = nla_len((void *)cb->args[1]);
11909 	}
11910 
11911 	if (!rdev->ops->testmode_dump) {
11912 		err = -EOPNOTSUPP;
11913 		goto out_err;
11914 	}
11915 
11916 	while (1) {
11917 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11918 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11919 					   NL80211_CMD_TESTMODE);
11920 		struct nlattr *tmdata;
11921 
11922 		if (!hdr)
11923 			break;
11924 
11925 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11926 			genlmsg_cancel(skb, hdr);
11927 			break;
11928 		}
11929 
11930 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11931 		if (!tmdata) {
11932 			genlmsg_cancel(skb, hdr);
11933 			break;
11934 		}
11935 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11936 		nla_nest_end(skb, tmdata);
11937 
11938 		if (err == -ENOBUFS || err == -ENOENT) {
11939 			genlmsg_cancel(skb, hdr);
11940 			break;
11941 		} else if (err) {
11942 			genlmsg_cancel(skb, hdr);
11943 			goto out_err;
11944 		}
11945 
11946 		genlmsg_end(skb, hdr);
11947 	}
11948 
11949 	err = skb->len;
11950 	/* see above */
11951 	cb->args[0] = phy_idx + 1;
11952  out_err:
11953 	kfree(attrbuf);
11954 	rtnl_unlock();
11955 	return err;
11956 }
11957 #endif
11958 
11959 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11960 {
11961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11962 	struct net_device *dev = info->user_ptr[1];
11963 	struct cfg80211_connect_params connect;
11964 	struct wiphy *wiphy;
11965 	struct cfg80211_cached_keys *connkeys = NULL;
11966 	u32 freq = 0;
11967 	int err;
11968 
11969 	memset(&connect, 0, sizeof(connect));
11970 
11971 	if (!info->attrs[NL80211_ATTR_SSID] ||
11972 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11973 		return -EINVAL;
11974 
11975 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11976 		connect.auth_type =
11977 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11978 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11979 					     NL80211_CMD_CONNECT))
11980 			return -EINVAL;
11981 	} else
11982 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11983 
11984 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11985 
11986 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11987 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11988 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11989 		return -EINVAL;
11990 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11991 
11992 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11993 				      NL80211_MAX_NR_CIPHER_SUITES);
11994 	if (err)
11995 		return err;
11996 
11997 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11998 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11999 		return -EOPNOTSUPP;
12000 
12001 	wiphy = &rdev->wiphy;
12002 
12003 	connect.bg_scan_period = -1;
12004 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12005 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12006 		connect.bg_scan_period =
12007 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12008 	}
12009 
12010 	if (info->attrs[NL80211_ATTR_MAC])
12011 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12012 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12013 		connect.bssid_hint =
12014 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12015 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12016 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12017 
12018 	if (info->attrs[NL80211_ATTR_IE]) {
12019 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12020 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12021 	}
12022 
12023 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12024 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12025 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12026 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12027 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12028 			return -EOPNOTSUPP;
12029 	} else {
12030 		connect.mfp = NL80211_MFP_NO;
12031 	}
12032 
12033 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12034 		connect.prev_bssid =
12035 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12036 
12037 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12038 		freq = MHZ_TO_KHZ(nla_get_u32(
12039 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12040 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12041 		freq +=
12042 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12043 
12044 	if (freq) {
12045 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12046 		if (!connect.channel)
12047 			return -EINVAL;
12048 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12049 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12050 		freq = MHZ_TO_KHZ(freq);
12051 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12052 		if (!connect.channel_hint)
12053 			return -EINVAL;
12054 	}
12055 
12056 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12057 		connect.edmg.channels =
12058 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12059 
12060 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12061 			connect.edmg.bw_config =
12062 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12063 	}
12064 
12065 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12066 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12067 		if (IS_ERR(connkeys))
12068 			return PTR_ERR(connkeys);
12069 	}
12070 
12071 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12072 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12073 
12074 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12075 		memcpy(&connect.ht_capa_mask,
12076 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12077 		       sizeof(connect.ht_capa_mask));
12078 
12079 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12080 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12081 			kfree_sensitive(connkeys);
12082 			return -EINVAL;
12083 		}
12084 		memcpy(&connect.ht_capa,
12085 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12086 		       sizeof(connect.ht_capa));
12087 	}
12088 
12089 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12090 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12091 
12092 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12093 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12094 
12095 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12096 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12097 
12098 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12099 		memcpy(&connect.vht_capa_mask,
12100 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12101 		       sizeof(connect.vht_capa_mask));
12102 
12103 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12104 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12105 			kfree_sensitive(connkeys);
12106 			return -EINVAL;
12107 		}
12108 		memcpy(&connect.vht_capa,
12109 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12110 		       sizeof(connect.vht_capa));
12111 	}
12112 
12113 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12114 		if (!((rdev->wiphy.features &
12115 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12116 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12117 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12118 					     NL80211_EXT_FEATURE_RRM)) {
12119 			kfree_sensitive(connkeys);
12120 			return -EINVAL;
12121 		}
12122 		connect.flags |= ASSOC_REQ_USE_RRM;
12123 	}
12124 
12125 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12126 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12127 		kfree_sensitive(connkeys);
12128 		return -EOPNOTSUPP;
12129 	}
12130 
12131 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12132 		/* bss selection makes no sense if bssid is set */
12133 		if (connect.bssid) {
12134 			kfree_sensitive(connkeys);
12135 			return -EINVAL;
12136 		}
12137 
12138 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12139 				       wiphy, &connect.bss_select);
12140 		if (err) {
12141 			kfree_sensitive(connkeys);
12142 			return err;
12143 		}
12144 	}
12145 
12146 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12147 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12148 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12149 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12150 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12151 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12152 		connect.fils_erp_username =
12153 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12154 		connect.fils_erp_username_len =
12155 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12156 		connect.fils_erp_realm =
12157 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12158 		connect.fils_erp_realm_len =
12159 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12160 		connect.fils_erp_next_seq_num =
12161 			nla_get_u16(
12162 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12163 		connect.fils_erp_rrk =
12164 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12165 		connect.fils_erp_rrk_len =
12166 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12167 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12168 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12169 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12170 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12171 		kfree_sensitive(connkeys);
12172 		return -EINVAL;
12173 	}
12174 
12175 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12176 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12177 			kfree_sensitive(connkeys);
12178 			GENL_SET_ERR_MSG(info,
12179 					 "external auth requires connection ownership");
12180 			return -EINVAL;
12181 		}
12182 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12183 	}
12184 
12185 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12186 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12187 
12188 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12189 			       connect.prev_bssid);
12190 	if (err)
12191 		kfree_sensitive(connkeys);
12192 
12193 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12194 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12195 		if (connect.bssid)
12196 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12197 			       connect.bssid, ETH_ALEN);
12198 		else
12199 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12200 	}
12201 
12202 	return err;
12203 }
12204 
12205 static int nl80211_update_connect_params(struct sk_buff *skb,
12206 					 struct genl_info *info)
12207 {
12208 	struct cfg80211_connect_params connect = {};
12209 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12210 	struct net_device *dev = info->user_ptr[1];
12211 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12212 	bool fils_sk_offload;
12213 	u32 auth_type;
12214 	u32 changed = 0;
12215 
12216 	if (!rdev->ops->update_connect_params)
12217 		return -EOPNOTSUPP;
12218 
12219 	if (info->attrs[NL80211_ATTR_IE]) {
12220 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12221 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12222 		changed |= UPDATE_ASSOC_IES;
12223 	}
12224 
12225 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12226 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12227 
12228 	/*
12229 	 * when driver supports fils-sk offload all attributes must be
12230 	 * provided. So the else covers "fils-sk-not-all" and
12231 	 * "no-fils-sk-any".
12232 	 */
12233 	if (fils_sk_offload &&
12234 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12235 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12236 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12237 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12238 		connect.fils_erp_username =
12239 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12240 		connect.fils_erp_username_len =
12241 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12242 		connect.fils_erp_realm =
12243 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12244 		connect.fils_erp_realm_len =
12245 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12246 		connect.fils_erp_next_seq_num =
12247 			nla_get_u16(
12248 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12249 		connect.fils_erp_rrk =
12250 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12251 		connect.fils_erp_rrk_len =
12252 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12253 		changed |= UPDATE_FILS_ERP_INFO;
12254 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12255 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12256 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12257 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12258 		return -EINVAL;
12259 	}
12260 
12261 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12262 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12263 		if (!nl80211_valid_auth_type(rdev, auth_type,
12264 					     NL80211_CMD_CONNECT))
12265 			return -EINVAL;
12266 
12267 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12268 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12269 			return -EINVAL;
12270 
12271 		connect.auth_type = auth_type;
12272 		changed |= UPDATE_AUTH_TYPE;
12273 	}
12274 
12275 	if (!wdev->connected)
12276 		return -ENOLINK;
12277 
12278 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12279 }
12280 
12281 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12282 {
12283 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12284 	struct net_device *dev = info->user_ptr[1];
12285 	u16 reason;
12286 
12287 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12288 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12289 		return -EPERM;
12290 
12291 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12292 		reason = WLAN_REASON_DEAUTH_LEAVING;
12293 	else
12294 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12295 
12296 	if (reason == 0)
12297 		return -EINVAL;
12298 
12299 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12300 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12301 		return -EOPNOTSUPP;
12302 
12303 	return cfg80211_disconnect(rdev, dev, reason, true);
12304 }
12305 
12306 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12307 {
12308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12309 	struct net *net;
12310 	int err;
12311 
12312 	if (info->attrs[NL80211_ATTR_PID]) {
12313 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12314 
12315 		net = get_net_ns_by_pid(pid);
12316 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12317 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12318 
12319 		net = get_net_ns_by_fd(fd);
12320 	} else {
12321 		return -EINVAL;
12322 	}
12323 
12324 	if (IS_ERR(net))
12325 		return PTR_ERR(net);
12326 
12327 	err = 0;
12328 
12329 	/* check if anything to do */
12330 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12331 		err = cfg80211_switch_netns(rdev, net);
12332 
12333 	put_net(net);
12334 	return err;
12335 }
12336 
12337 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12338 {
12339 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12340 	struct net_device *dev = info->user_ptr[1];
12341 	struct cfg80211_pmksa pmksa;
12342 	bool ap_pmksa_caching_support = false;
12343 
12344 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12345 
12346 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12347 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12348 
12349 	if (!info->attrs[NL80211_ATTR_PMKID])
12350 		return -EINVAL;
12351 
12352 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12353 
12354 	if (info->attrs[NL80211_ATTR_MAC]) {
12355 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12356 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12357 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12358 	           info->attrs[NL80211_ATTR_PMK]) {
12359 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12360 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12361 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12362 	} else {
12363 		return -EINVAL;
12364 	}
12365 
12366 	if (info->attrs[NL80211_ATTR_PMK]) {
12367 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12368 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12369 	}
12370 
12371 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12372 		pmksa.pmk_lifetime =
12373 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12374 
12375 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12376 		pmksa.pmk_reauth_threshold =
12377 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12378 
12379 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12380 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12381 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12382 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12383 	       ap_pmksa_caching_support))
12384 		return -EOPNOTSUPP;
12385 
12386 	if (!rdev->ops->set_pmksa)
12387 		return -EOPNOTSUPP;
12388 
12389 	return rdev_set_pmksa(rdev, dev, &pmksa);
12390 }
12391 
12392 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12393 {
12394 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12395 	struct net_device *dev = info->user_ptr[1];
12396 	struct cfg80211_pmksa pmksa;
12397 	bool sae_offload_support = false;
12398 	bool owe_offload_support = false;
12399 	bool ap_pmksa_caching_support = false;
12400 
12401 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12402 
12403 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12404 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12405 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12406 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12407 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12408 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12409 
12410 	if (info->attrs[NL80211_ATTR_PMKID])
12411 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12412 
12413 	if (info->attrs[NL80211_ATTR_MAC]) {
12414 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12415 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12416 		/* SSID based pmksa flush suppported only for FILS,
12417 		 * OWE/SAE OFFLOAD cases
12418 		 */
12419 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12420 		    info->attrs[NL80211_ATTR_PMK]) {
12421 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12422 		} else if (!sae_offload_support && !owe_offload_support) {
12423 			return -EINVAL;
12424 		}
12425 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12426 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12427 	} else {
12428 		return -EINVAL;
12429 	}
12430 
12431 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12432 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12433 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12434 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12435 	       ap_pmksa_caching_support))
12436 		return -EOPNOTSUPP;
12437 
12438 	if (!rdev->ops->del_pmksa)
12439 		return -EOPNOTSUPP;
12440 
12441 	return rdev_del_pmksa(rdev, dev, &pmksa);
12442 }
12443 
12444 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12445 {
12446 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12447 	struct net_device *dev = info->user_ptr[1];
12448 
12449 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12450 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12451 		return -EOPNOTSUPP;
12452 
12453 	if (!rdev->ops->flush_pmksa)
12454 		return -EOPNOTSUPP;
12455 
12456 	return rdev_flush_pmksa(rdev, dev);
12457 }
12458 
12459 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12460 {
12461 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12462 	struct net_device *dev = info->user_ptr[1];
12463 	u8 action_code, dialog_token;
12464 	u32 peer_capability = 0;
12465 	u16 status_code;
12466 	u8 *peer;
12467 	int link_id;
12468 	bool initiator;
12469 
12470 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12471 	    !rdev->ops->tdls_mgmt)
12472 		return -EOPNOTSUPP;
12473 
12474 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12475 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12476 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12477 	    !info->attrs[NL80211_ATTR_IE] ||
12478 	    !info->attrs[NL80211_ATTR_MAC])
12479 		return -EINVAL;
12480 
12481 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12482 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12483 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12484 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12485 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12486 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12487 		peer_capability =
12488 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12489 	link_id = nl80211_link_id_or_invalid(info->attrs);
12490 
12491 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12492 			      dialog_token, status_code, peer_capability,
12493 			      initiator,
12494 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12495 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12496 }
12497 
12498 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12499 {
12500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12501 	struct net_device *dev = info->user_ptr[1];
12502 	enum nl80211_tdls_operation operation;
12503 	u8 *peer;
12504 
12505 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12506 	    !rdev->ops->tdls_oper)
12507 		return -EOPNOTSUPP;
12508 
12509 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12510 	    !info->attrs[NL80211_ATTR_MAC])
12511 		return -EINVAL;
12512 
12513 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12514 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12515 
12516 	return rdev_tdls_oper(rdev, dev, peer, operation);
12517 }
12518 
12519 static int nl80211_remain_on_channel(struct sk_buff *skb,
12520 				     struct genl_info *info)
12521 {
12522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12523 	unsigned int link_id = nl80211_link_id(info->attrs);
12524 	struct wireless_dev *wdev = info->user_ptr[1];
12525 	struct cfg80211_chan_def chandef;
12526 	struct sk_buff *msg;
12527 	void *hdr;
12528 	u64 cookie;
12529 	u32 duration;
12530 	int err;
12531 
12532 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12533 	    !info->attrs[NL80211_ATTR_DURATION])
12534 		return -EINVAL;
12535 
12536 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12537 
12538 	if (!rdev->ops->remain_on_channel ||
12539 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12540 		return -EOPNOTSUPP;
12541 
12542 	/*
12543 	 * We should be on that channel for at least a minimum amount of
12544 	 * time (10ms) but no longer than the driver supports.
12545 	 */
12546 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12547 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12548 		return -EINVAL;
12549 
12550 	err = nl80211_parse_chandef(rdev, info, &chandef);
12551 	if (err)
12552 		return err;
12553 
12554 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12555 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12556 
12557 		oper_chandef = wdev_chandef(wdev, link_id);
12558 
12559 		if (WARN_ON(!oper_chandef)) {
12560 			/* cannot happen since we must beacon to get here */
12561 			WARN_ON(1);
12562 			return -EBUSY;
12563 		}
12564 
12565 		/* note: returns first one if identical chandefs */
12566 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12567 							     oper_chandef);
12568 
12569 		if (compat_chandef != &chandef)
12570 			return -EBUSY;
12571 	}
12572 
12573 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12574 	if (!msg)
12575 		return -ENOMEM;
12576 
12577 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12578 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12579 	if (!hdr) {
12580 		err = -ENOBUFS;
12581 		goto free_msg;
12582 	}
12583 
12584 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12585 				     duration, &cookie);
12586 
12587 	if (err)
12588 		goto free_msg;
12589 
12590 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12591 			      NL80211_ATTR_PAD))
12592 		goto nla_put_failure;
12593 
12594 	genlmsg_end(msg, hdr);
12595 
12596 	return genlmsg_reply(msg, info);
12597 
12598  nla_put_failure:
12599 	err = -ENOBUFS;
12600  free_msg:
12601 	nlmsg_free(msg);
12602 	return err;
12603 }
12604 
12605 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12606 					    struct genl_info *info)
12607 {
12608 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12609 	struct wireless_dev *wdev = info->user_ptr[1];
12610 	u64 cookie;
12611 
12612 	if (!info->attrs[NL80211_ATTR_COOKIE])
12613 		return -EINVAL;
12614 
12615 	if (!rdev->ops->cancel_remain_on_channel)
12616 		return -EOPNOTSUPP;
12617 
12618 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12619 
12620 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12621 }
12622 
12623 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12624 				       struct genl_info *info)
12625 {
12626 	struct cfg80211_bitrate_mask mask;
12627 	unsigned int link_id = nl80211_link_id(info->attrs);
12628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12629 	struct net_device *dev = info->user_ptr[1];
12630 	int err;
12631 
12632 	if (!rdev->ops->set_bitrate_mask)
12633 		return -EOPNOTSUPP;
12634 
12635 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12636 					    NL80211_ATTR_TX_RATES, &mask,
12637 					    dev, true, link_id);
12638 	if (err)
12639 		return err;
12640 
12641 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12642 }
12643 
12644 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12645 {
12646 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12647 	struct wireless_dev *wdev = info->user_ptr[1];
12648 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12649 
12650 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12651 		return -EINVAL;
12652 
12653 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12654 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12655 
12656 	switch (wdev->iftype) {
12657 	case NL80211_IFTYPE_STATION:
12658 	case NL80211_IFTYPE_ADHOC:
12659 	case NL80211_IFTYPE_P2P_CLIENT:
12660 	case NL80211_IFTYPE_AP:
12661 	case NL80211_IFTYPE_AP_VLAN:
12662 	case NL80211_IFTYPE_MESH_POINT:
12663 	case NL80211_IFTYPE_P2P_GO:
12664 	case NL80211_IFTYPE_P2P_DEVICE:
12665 		break;
12666 	case NL80211_IFTYPE_NAN:
12667 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12668 					     NL80211_EXT_FEATURE_SECURE_NAN))
12669 			return -EOPNOTSUPP;
12670 		break;
12671 	default:
12672 		return -EOPNOTSUPP;
12673 	}
12674 
12675 	/* not much point in registering if we can't reply */
12676 	if (!rdev->ops->mgmt_tx)
12677 		return -EOPNOTSUPP;
12678 
12679 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12680 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12681 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12682 		GENL_SET_ERR_MSG(info,
12683 				 "multicast RX registrations are not supported");
12684 		return -EOPNOTSUPP;
12685 	}
12686 
12687 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12688 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12689 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12690 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12691 					   info->extack);
12692 }
12693 
12694 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12695 {
12696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12697 	struct wireless_dev *wdev = info->user_ptr[1];
12698 	struct cfg80211_chan_def chandef;
12699 	int err;
12700 	void *hdr = NULL;
12701 	u64 cookie;
12702 	struct sk_buff *msg = NULL;
12703 	struct cfg80211_mgmt_tx_params params = {
12704 		.dont_wait_for_ack =
12705 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12706 	};
12707 
12708 	if (!info->attrs[NL80211_ATTR_FRAME])
12709 		return -EINVAL;
12710 
12711 	if (!rdev->ops->mgmt_tx)
12712 		return -EOPNOTSUPP;
12713 
12714 	switch (wdev->iftype) {
12715 	case NL80211_IFTYPE_P2P_DEVICE:
12716 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12717 			return -EINVAL;
12718 		break;
12719 	case NL80211_IFTYPE_STATION:
12720 	case NL80211_IFTYPE_ADHOC:
12721 	case NL80211_IFTYPE_P2P_CLIENT:
12722 	case NL80211_IFTYPE_AP:
12723 	case NL80211_IFTYPE_AP_VLAN:
12724 	case NL80211_IFTYPE_MESH_POINT:
12725 	case NL80211_IFTYPE_P2P_GO:
12726 		break;
12727 	case NL80211_IFTYPE_NAN:
12728 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12729 					     NL80211_EXT_FEATURE_SECURE_NAN))
12730 			return -EOPNOTSUPP;
12731 		break;
12732 	default:
12733 		return -EOPNOTSUPP;
12734 	}
12735 
12736 	if (info->attrs[NL80211_ATTR_DURATION]) {
12737 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12738 			return -EINVAL;
12739 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12740 
12741 		/*
12742 		 * We should wait on the channel for at least a minimum amount
12743 		 * of time (10ms) but no longer than the driver supports.
12744 		 */
12745 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12746 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12747 			return -EINVAL;
12748 	}
12749 
12750 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12751 
12752 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12753 		return -EINVAL;
12754 
12755 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12756 
12757 	/* get the channel if any has been specified, otherwise pass NULL to
12758 	 * the driver. The latter will use the current one
12759 	 */
12760 	chandef.chan = NULL;
12761 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12762 		err = nl80211_parse_chandef(rdev, info, &chandef);
12763 		if (err)
12764 			return err;
12765 	}
12766 
12767 	if (!chandef.chan && params.offchan)
12768 		return -EINVAL;
12769 
12770 	if (params.offchan &&
12771 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12772 		return -EBUSY;
12773 
12774 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12775 	/*
12776 	 * This now races due to the unlock, but we cannot check
12777 	 * the valid links for the _station_ anyway, so that's up
12778 	 * to the driver.
12779 	 */
12780 	if (params.link_id >= 0 &&
12781 	    !(wdev->valid_links & BIT(params.link_id)))
12782 		return -EINVAL;
12783 
12784 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12785 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12786 
12787 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12788 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12789 					    &params.csa_offsets,
12790 					    &params.n_csa_offsets);
12791 	if (err)
12792 		return err;
12793 
12794 	if (!params.dont_wait_for_ack) {
12795 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12796 		if (!msg)
12797 			return -ENOMEM;
12798 
12799 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12800 				     NL80211_CMD_FRAME);
12801 		if (!hdr) {
12802 			err = -ENOBUFS;
12803 			goto free_msg;
12804 		}
12805 	}
12806 
12807 	params.chan = chandef.chan;
12808 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12809 	if (err)
12810 		goto free_msg;
12811 
12812 	if (msg) {
12813 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12814 				      NL80211_ATTR_PAD))
12815 			goto nla_put_failure;
12816 
12817 		genlmsg_end(msg, hdr);
12818 		return genlmsg_reply(msg, info);
12819 	}
12820 
12821 	return 0;
12822 
12823  nla_put_failure:
12824 	err = -ENOBUFS;
12825  free_msg:
12826 	nlmsg_free(msg);
12827 	return err;
12828 }
12829 
12830 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12831 {
12832 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12833 	struct wireless_dev *wdev = info->user_ptr[1];
12834 	u64 cookie;
12835 
12836 	if (!info->attrs[NL80211_ATTR_COOKIE])
12837 		return -EINVAL;
12838 
12839 	if (!rdev->ops->mgmt_tx_cancel_wait)
12840 		return -EOPNOTSUPP;
12841 
12842 	switch (wdev->iftype) {
12843 	case NL80211_IFTYPE_STATION:
12844 	case NL80211_IFTYPE_ADHOC:
12845 	case NL80211_IFTYPE_P2P_CLIENT:
12846 	case NL80211_IFTYPE_AP:
12847 	case NL80211_IFTYPE_AP_VLAN:
12848 	case NL80211_IFTYPE_P2P_GO:
12849 	case NL80211_IFTYPE_P2P_DEVICE:
12850 		break;
12851 	case NL80211_IFTYPE_NAN:
12852 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12853 					     NL80211_EXT_FEATURE_SECURE_NAN))
12854 			return -EOPNOTSUPP;
12855 		break;
12856 	default:
12857 		return -EOPNOTSUPP;
12858 	}
12859 
12860 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12861 
12862 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12863 }
12864 
12865 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12866 {
12867 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12868 	struct wireless_dev *wdev;
12869 	struct net_device *dev = info->user_ptr[1];
12870 	u8 ps_state;
12871 	bool state;
12872 	int err;
12873 
12874 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12875 		return -EINVAL;
12876 
12877 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12878 
12879 	wdev = dev->ieee80211_ptr;
12880 
12881 	if (!rdev->ops->set_power_mgmt)
12882 		return -EOPNOTSUPP;
12883 
12884 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12885 
12886 	if (state == wdev->ps)
12887 		return 0;
12888 
12889 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12890 	if (!err)
12891 		wdev->ps = state;
12892 	return err;
12893 }
12894 
12895 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12896 {
12897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12898 	enum nl80211_ps_state ps_state;
12899 	struct wireless_dev *wdev;
12900 	struct net_device *dev = info->user_ptr[1];
12901 	struct sk_buff *msg;
12902 	void *hdr;
12903 	int err;
12904 
12905 	wdev = dev->ieee80211_ptr;
12906 
12907 	if (!rdev->ops->set_power_mgmt)
12908 		return -EOPNOTSUPP;
12909 
12910 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12911 	if (!msg)
12912 		return -ENOMEM;
12913 
12914 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12915 			     NL80211_CMD_GET_POWER_SAVE);
12916 	if (!hdr) {
12917 		err = -ENOBUFS;
12918 		goto free_msg;
12919 	}
12920 
12921 	if (wdev->ps)
12922 		ps_state = NL80211_PS_ENABLED;
12923 	else
12924 		ps_state = NL80211_PS_DISABLED;
12925 
12926 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12927 		goto nla_put_failure;
12928 
12929 	genlmsg_end(msg, hdr);
12930 	return genlmsg_reply(msg, info);
12931 
12932  nla_put_failure:
12933 	err = -ENOBUFS;
12934  free_msg:
12935 	nlmsg_free(msg);
12936 	return err;
12937 }
12938 
12939 static const struct nla_policy
12940 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12941 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12942 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12943 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12944 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12945 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12946 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12947 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12948 };
12949 
12950 static int nl80211_set_cqm_txe(struct genl_info *info,
12951 			       u32 rate, u32 pkts, u32 intvl)
12952 {
12953 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12954 	struct net_device *dev = info->user_ptr[1];
12955 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12956 
12957 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12958 		return -EINVAL;
12959 
12960 	if (!rdev->ops->set_cqm_txe_config)
12961 		return -EOPNOTSUPP;
12962 
12963 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12964 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12965 		return -EOPNOTSUPP;
12966 
12967 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12968 }
12969 
12970 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12971 				    struct net_device *dev,
12972 				    struct cfg80211_cqm_config *cqm_config)
12973 {
12974 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12975 	s32 last, low, high;
12976 	u32 hyst;
12977 	int i, n, low_index;
12978 	int err;
12979 
12980 	/*
12981 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12982 	 * event has been received yet, we should receive an event after a
12983 	 * connection is established and enough beacons received to calculate
12984 	 * the average.
12985 	 */
12986 	if (!cqm_config->last_rssi_event_value &&
12987 	    wdev->links[0].client.current_bss &&
12988 	    rdev->ops->get_station) {
12989 		struct station_info sinfo = {};
12990 		u8 *mac_addr;
12991 
12992 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12993 
12994 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12995 		if (err)
12996 			return err;
12997 
12998 		cfg80211_sinfo_release_content(&sinfo);
12999 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13000 			cqm_config->last_rssi_event_value =
13001 				(s8) sinfo.rx_beacon_signal_avg;
13002 	}
13003 
13004 	last = cqm_config->last_rssi_event_value;
13005 	hyst = cqm_config->rssi_hyst;
13006 	n = cqm_config->n_rssi_thresholds;
13007 
13008 	for (i = 0; i < n; i++) {
13009 		i = array_index_nospec(i, n);
13010 		if (last < cqm_config->rssi_thresholds[i])
13011 			break;
13012 	}
13013 
13014 	low_index = i - 1;
13015 	if (low_index >= 0) {
13016 		low_index = array_index_nospec(low_index, n);
13017 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13018 	} else {
13019 		low = S32_MIN;
13020 	}
13021 	if (i < n) {
13022 		i = array_index_nospec(i, n);
13023 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13024 	} else {
13025 		high = S32_MAX;
13026 	}
13027 
13028 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13029 }
13030 
13031 static int nl80211_set_cqm_rssi(struct genl_info *info,
13032 				const s32 *thresholds, int n_thresholds,
13033 				u32 hysteresis)
13034 {
13035 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13036 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13037 	struct net_device *dev = info->user_ptr[1];
13038 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13039 	s32 prev = S32_MIN;
13040 	int i, err;
13041 
13042 	/* Check all values negative and sorted */
13043 	for (i = 0; i < n_thresholds; i++) {
13044 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13045 			return -EINVAL;
13046 
13047 		prev = thresholds[i];
13048 	}
13049 
13050 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13051 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13052 		return -EOPNOTSUPP;
13053 
13054 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13055 		n_thresholds = 0;
13056 
13057 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13058 
13059 	/* if already disabled just succeed */
13060 	if (!n_thresholds && !old)
13061 		return 0;
13062 
13063 	if (n_thresholds > 1) {
13064 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13065 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13066 		    !rdev->ops->set_cqm_rssi_range_config)
13067 			return -EOPNOTSUPP;
13068 	} else {
13069 		if (!rdev->ops->set_cqm_rssi_config)
13070 			return -EOPNOTSUPP;
13071 	}
13072 
13073 	if (n_thresholds) {
13074 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13075 						 n_thresholds),
13076 				     GFP_KERNEL);
13077 		if (!cqm_config)
13078 			return -ENOMEM;
13079 
13080 		cqm_config->rssi_hyst = hysteresis;
13081 		cqm_config->n_rssi_thresholds = n_thresholds;
13082 		memcpy(cqm_config->rssi_thresholds, thresholds,
13083 		       flex_array_size(cqm_config, rssi_thresholds,
13084 				       n_thresholds));
13085 		cqm_config->use_range_api = n_thresholds > 1 ||
13086 					    !rdev->ops->set_cqm_rssi_config;
13087 
13088 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13089 
13090 		if (cqm_config->use_range_api)
13091 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13092 		else
13093 			err = rdev_set_cqm_rssi_config(rdev, dev,
13094 						       thresholds[0],
13095 						       hysteresis);
13096 	} else {
13097 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13098 		/* if enabled as range also disable via range */
13099 		if (old->use_range_api)
13100 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13101 		else
13102 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13103 	}
13104 
13105 	if (err) {
13106 		rcu_assign_pointer(wdev->cqm_config, old);
13107 		kfree_rcu(cqm_config, rcu_head);
13108 	} else {
13109 		kfree_rcu(old, rcu_head);
13110 	}
13111 
13112 	return err;
13113 }
13114 
13115 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13116 {
13117 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13118 	struct nlattr *cqm;
13119 	int err;
13120 
13121 	cqm = info->attrs[NL80211_ATTR_CQM];
13122 	if (!cqm)
13123 		return -EINVAL;
13124 
13125 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13126 					  nl80211_attr_cqm_policy,
13127 					  info->extack);
13128 	if (err)
13129 		return err;
13130 
13131 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13132 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13133 		const s32 *thresholds =
13134 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13135 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13136 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13137 
13138 		if (len % 4)
13139 			return -EINVAL;
13140 
13141 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13142 					    hysteresis);
13143 	}
13144 
13145 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13146 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13147 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13148 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13149 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13150 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13151 
13152 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13153 	}
13154 
13155 	return -EINVAL;
13156 }
13157 
13158 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13159 {
13160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13161 	struct net_device *dev = info->user_ptr[1];
13162 	struct ocb_setup setup = {};
13163 	int err;
13164 
13165 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13166 	if (err)
13167 		return err;
13168 
13169 	return cfg80211_join_ocb(rdev, dev, &setup);
13170 }
13171 
13172 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13173 {
13174 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13175 	struct net_device *dev = info->user_ptr[1];
13176 
13177 	return cfg80211_leave_ocb(rdev, dev);
13178 }
13179 
13180 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13181 {
13182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13183 	struct net_device *dev = info->user_ptr[1];
13184 	struct mesh_config cfg;
13185 	struct mesh_setup setup;
13186 	int err;
13187 
13188 	/* start with default */
13189 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13190 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13191 
13192 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13193 		/* and parse parameters if given */
13194 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13195 		if (err)
13196 			return err;
13197 	}
13198 
13199 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13200 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13201 		return -EINVAL;
13202 
13203 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13204 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13205 
13206 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13207 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13208 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13209 			return -EINVAL;
13210 
13211 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13212 		setup.beacon_interval =
13213 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13214 
13215 		err = cfg80211_validate_beacon_int(rdev,
13216 						   NL80211_IFTYPE_MESH_POINT,
13217 						   setup.beacon_interval);
13218 		if (err)
13219 			return err;
13220 	}
13221 
13222 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13223 		setup.dtim_period =
13224 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13225 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13226 			return -EINVAL;
13227 	}
13228 
13229 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13230 		/* parse additional setup parameters if given */
13231 		err = nl80211_parse_mesh_setup(info, &setup);
13232 		if (err)
13233 			return err;
13234 	}
13235 
13236 	if (setup.user_mpm)
13237 		cfg.auto_open_plinks = false;
13238 
13239 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13240 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13241 		if (err)
13242 			return err;
13243 	} else {
13244 		/* __cfg80211_join_mesh() will sort it out */
13245 		setup.chandef.chan = NULL;
13246 	}
13247 
13248 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13249 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13250 		int n_rates =
13251 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13252 		struct ieee80211_supported_band *sband;
13253 
13254 		if (!setup.chandef.chan)
13255 			return -EINVAL;
13256 
13257 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13258 
13259 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13260 					     &setup.basic_rates);
13261 		if (err)
13262 			return err;
13263 	}
13264 
13265 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13266 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13267 						    NL80211_ATTR_TX_RATES,
13268 						    &setup.beacon_rate,
13269 						    dev, false, 0);
13270 		if (err)
13271 			return err;
13272 
13273 		if (!setup.chandef.chan)
13274 			return -EINVAL;
13275 
13276 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13277 					      &setup.beacon_rate);
13278 		if (err)
13279 			return err;
13280 	}
13281 
13282 	setup.userspace_handles_dfs =
13283 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13284 
13285 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13286 		int r = validate_pae_over_nl80211(rdev, info);
13287 
13288 		if (r < 0)
13289 			return r;
13290 
13291 		setup.control_port_over_nl80211 = true;
13292 	}
13293 
13294 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13295 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13296 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13297 
13298 	return err;
13299 }
13300 
13301 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13302 {
13303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13304 	struct net_device *dev = info->user_ptr[1];
13305 
13306 	return cfg80211_leave_mesh(rdev, dev);
13307 }
13308 
13309 #ifdef CONFIG_PM
13310 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13311 					struct cfg80211_registered_device *rdev)
13312 {
13313 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13314 	struct nlattr *nl_pats, *nl_pat;
13315 	int i, pat_len;
13316 
13317 	if (!wowlan->n_patterns)
13318 		return 0;
13319 
13320 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13321 	if (!nl_pats)
13322 		return -ENOBUFS;
13323 
13324 	for (i = 0; i < wowlan->n_patterns; i++) {
13325 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13326 		if (!nl_pat)
13327 			return -ENOBUFS;
13328 		pat_len = wowlan->patterns[i].pattern_len;
13329 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13330 			    wowlan->patterns[i].mask) ||
13331 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13332 			    wowlan->patterns[i].pattern) ||
13333 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13334 				wowlan->patterns[i].pkt_offset))
13335 			return -ENOBUFS;
13336 		nla_nest_end(msg, nl_pat);
13337 	}
13338 	nla_nest_end(msg, nl_pats);
13339 
13340 	return 0;
13341 }
13342 
13343 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13344 				   struct cfg80211_wowlan_tcp *tcp)
13345 {
13346 	struct nlattr *nl_tcp;
13347 
13348 	if (!tcp)
13349 		return 0;
13350 
13351 	nl_tcp = nla_nest_start_noflag(msg,
13352 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13353 	if (!nl_tcp)
13354 		return -ENOBUFS;
13355 
13356 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13357 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13358 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13359 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13360 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13361 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13362 		    tcp->payload_len, tcp->payload) ||
13363 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13364 			tcp->data_interval) ||
13365 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13366 		    tcp->wake_len, tcp->wake_data) ||
13367 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13368 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13369 		return -ENOBUFS;
13370 
13371 	if (tcp->payload_seq.len &&
13372 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13373 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13374 		return -ENOBUFS;
13375 
13376 	if (tcp->payload_tok.len &&
13377 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13378 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13379 		    &tcp->payload_tok))
13380 		return -ENOBUFS;
13381 
13382 	nla_nest_end(msg, nl_tcp);
13383 
13384 	return 0;
13385 }
13386 
13387 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13388 				  struct cfg80211_sched_scan_request *req)
13389 {
13390 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13391 	int i;
13392 
13393 	if (!req)
13394 		return 0;
13395 
13396 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13397 	if (!nd)
13398 		return -ENOBUFS;
13399 
13400 	if (req->n_scan_plans == 1 &&
13401 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13402 			req->scan_plans[0].interval * 1000))
13403 		return -ENOBUFS;
13404 
13405 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13406 		return -ENOBUFS;
13407 
13408 	if (req->relative_rssi_set) {
13409 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13410 
13411 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13412 			       req->relative_rssi))
13413 			return -ENOBUFS;
13414 
13415 		rssi_adjust.band = req->rssi_adjust.band;
13416 		rssi_adjust.delta = req->rssi_adjust.delta;
13417 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13418 			    sizeof(rssi_adjust), &rssi_adjust))
13419 			return -ENOBUFS;
13420 	}
13421 
13422 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13423 	if (!freqs)
13424 		return -ENOBUFS;
13425 
13426 	for (i = 0; i < req->n_channels; i++) {
13427 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13428 			return -ENOBUFS;
13429 	}
13430 
13431 	nla_nest_end(msg, freqs);
13432 
13433 	if (req->n_match_sets) {
13434 		matches = nla_nest_start_noflag(msg,
13435 						NL80211_ATTR_SCHED_SCAN_MATCH);
13436 		if (!matches)
13437 			return -ENOBUFS;
13438 
13439 		for (i = 0; i < req->n_match_sets; i++) {
13440 			match = nla_nest_start_noflag(msg, i);
13441 			if (!match)
13442 				return -ENOBUFS;
13443 
13444 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13445 				    req->match_sets[i].ssid.ssid_len,
13446 				    req->match_sets[i].ssid.ssid))
13447 				return -ENOBUFS;
13448 			nla_nest_end(msg, match);
13449 		}
13450 		nla_nest_end(msg, matches);
13451 	}
13452 
13453 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13454 	if (!scan_plans)
13455 		return -ENOBUFS;
13456 
13457 	for (i = 0; i < req->n_scan_plans; i++) {
13458 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13459 		if (!scan_plan)
13460 			return -ENOBUFS;
13461 
13462 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13463 				req->scan_plans[i].interval) ||
13464 		    (req->scan_plans[i].iterations &&
13465 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13466 				 req->scan_plans[i].iterations)))
13467 			return -ENOBUFS;
13468 		nla_nest_end(msg, scan_plan);
13469 	}
13470 	nla_nest_end(msg, scan_plans);
13471 
13472 	nla_nest_end(msg, nd);
13473 
13474 	return 0;
13475 }
13476 
13477 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13478 {
13479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13480 	struct sk_buff *msg;
13481 	void *hdr;
13482 	u32 size = NLMSG_DEFAULT_SIZE;
13483 
13484 	if (!rdev->wiphy.wowlan)
13485 		return -EOPNOTSUPP;
13486 
13487 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13488 		/* adjust size to have room for all the data */
13489 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13490 			rdev->wiphy.wowlan_config->tcp->payload_len +
13491 			rdev->wiphy.wowlan_config->tcp->wake_len +
13492 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13493 	}
13494 
13495 	msg = nlmsg_new(size, GFP_KERNEL);
13496 	if (!msg)
13497 		return -ENOMEM;
13498 
13499 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13500 			     NL80211_CMD_GET_WOWLAN);
13501 	if (!hdr)
13502 		goto nla_put_failure;
13503 
13504 	if (rdev->wiphy.wowlan_config) {
13505 		struct nlattr *nl_wowlan;
13506 
13507 		nl_wowlan = nla_nest_start_noflag(msg,
13508 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13509 		if (!nl_wowlan)
13510 			goto nla_put_failure;
13511 
13512 		if ((rdev->wiphy.wowlan_config->any &&
13513 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13514 		    (rdev->wiphy.wowlan_config->disconnect &&
13515 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13516 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13517 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13518 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13519 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13520 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13521 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13522 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13523 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13524 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13525 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13526 			goto nla_put_failure;
13527 
13528 		if (nl80211_send_wowlan_patterns(msg, rdev))
13529 			goto nla_put_failure;
13530 
13531 		if (nl80211_send_wowlan_tcp(msg,
13532 					    rdev->wiphy.wowlan_config->tcp))
13533 			goto nla_put_failure;
13534 
13535 		if (nl80211_send_wowlan_nd(
13536 			    msg,
13537 			    rdev->wiphy.wowlan_config->nd_config))
13538 			goto nla_put_failure;
13539 
13540 		nla_nest_end(msg, nl_wowlan);
13541 	}
13542 
13543 	genlmsg_end(msg, hdr);
13544 	return genlmsg_reply(msg, info);
13545 
13546 nla_put_failure:
13547 	nlmsg_free(msg);
13548 	return -ENOBUFS;
13549 }
13550 
13551 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13552 				    struct nlattr *attr,
13553 				    struct cfg80211_wowlan *trig)
13554 {
13555 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13556 	struct cfg80211_wowlan_tcp *cfg;
13557 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13558 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13559 	u32 size;
13560 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13561 	int err, port;
13562 
13563 	if (!rdev->wiphy.wowlan->tcp)
13564 		return -EINVAL;
13565 
13566 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13567 					  nl80211_wowlan_tcp_policy, NULL);
13568 	if (err)
13569 		return err;
13570 
13571 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13572 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13573 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13574 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13575 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13576 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13577 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13578 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13579 		return -EINVAL;
13580 
13581 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13582 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13583 		return -EINVAL;
13584 
13585 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13586 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13587 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13588 		return -EINVAL;
13589 
13590 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13591 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13592 		return -EINVAL;
13593 
13594 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13595 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13596 		return -EINVAL;
13597 
13598 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13599 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13600 
13601 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13602 		tokens_size = tokln - sizeof(*tok);
13603 
13604 		if (!tok->len || tokens_size % tok->len)
13605 			return -EINVAL;
13606 		if (!rdev->wiphy.wowlan->tcp->tok)
13607 			return -EINVAL;
13608 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13609 			return -EINVAL;
13610 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13611 			return -EINVAL;
13612 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13613 			return -EINVAL;
13614 		if (tok->offset + tok->len > data_size)
13615 			return -EINVAL;
13616 	}
13617 
13618 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13619 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13620 		if (!rdev->wiphy.wowlan->tcp->seq)
13621 			return -EINVAL;
13622 		if (seq->len == 0 || seq->len > 4)
13623 			return -EINVAL;
13624 		if (seq->len + seq->offset > data_size)
13625 			return -EINVAL;
13626 	}
13627 
13628 	size = sizeof(*cfg);
13629 	size += data_size;
13630 	size += wake_size + wake_mask_size;
13631 	size += tokens_size;
13632 
13633 	cfg = kzalloc(size, GFP_KERNEL);
13634 	if (!cfg)
13635 		return -ENOMEM;
13636 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13637 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13638 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13639 	       ETH_ALEN);
13640 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13641 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13642 	else
13643 		port = 0;
13644 #ifdef CONFIG_INET
13645 	/* allocate a socket and port for it and use it */
13646 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13647 			    IPPROTO_TCP, &cfg->sock, 1);
13648 	if (err) {
13649 		kfree(cfg);
13650 		return err;
13651 	}
13652 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13653 		sock_release(cfg->sock);
13654 		kfree(cfg);
13655 		return -EADDRINUSE;
13656 	}
13657 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13658 #else
13659 	if (!port) {
13660 		kfree(cfg);
13661 		return -EINVAL;
13662 	}
13663 	cfg->src_port = port;
13664 #endif
13665 
13666 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13667 	cfg->payload_len = data_size;
13668 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13669 	memcpy((void *)cfg->payload,
13670 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13671 	       data_size);
13672 	if (seq)
13673 		cfg->payload_seq = *seq;
13674 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13675 	cfg->wake_len = wake_size;
13676 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13677 	memcpy((void *)cfg->wake_data,
13678 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13679 	       wake_size);
13680 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13681 			 data_size + wake_size;
13682 	memcpy((void *)cfg->wake_mask,
13683 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13684 	       wake_mask_size);
13685 	if (tok) {
13686 		cfg->tokens_size = tokens_size;
13687 		cfg->payload_tok = *tok;
13688 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13689 		       tokens_size);
13690 	}
13691 
13692 	trig->tcp = cfg;
13693 
13694 	return 0;
13695 }
13696 
13697 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13698 				   const struct wiphy_wowlan_support *wowlan,
13699 				   struct nlattr *attr,
13700 				   struct cfg80211_wowlan *trig)
13701 {
13702 	struct nlattr **tb;
13703 	int err;
13704 
13705 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13706 	if (!tb)
13707 		return -ENOMEM;
13708 
13709 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13710 		err = -EOPNOTSUPP;
13711 		goto out;
13712 	}
13713 
13714 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13715 					  nl80211_policy, NULL);
13716 	if (err)
13717 		goto out;
13718 
13719 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13720 						   wowlan->max_nd_match_sets);
13721 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13722 	if (err)
13723 		trig->nd_config = NULL;
13724 
13725 out:
13726 	kfree(tb);
13727 	return err;
13728 }
13729 
13730 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13731 {
13732 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13733 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13734 	struct cfg80211_wowlan new_triggers = {};
13735 	struct cfg80211_wowlan *ntrig;
13736 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13737 	int err, i;
13738 	bool prev_enabled = rdev->wiphy.wowlan_config;
13739 	bool regular = false;
13740 
13741 	if (!wowlan)
13742 		return -EOPNOTSUPP;
13743 
13744 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13745 		cfg80211_rdev_free_wowlan(rdev);
13746 		rdev->wiphy.wowlan_config = NULL;
13747 		goto set_wakeup;
13748 	}
13749 
13750 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13751 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13752 					  nl80211_wowlan_policy, info->extack);
13753 	if (err)
13754 		return err;
13755 
13756 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13757 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13758 			return -EINVAL;
13759 		new_triggers.any = true;
13760 	}
13761 
13762 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13763 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13764 			return -EINVAL;
13765 		new_triggers.disconnect = true;
13766 		regular = true;
13767 	}
13768 
13769 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13770 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13771 			return -EINVAL;
13772 		new_triggers.magic_pkt = true;
13773 		regular = true;
13774 	}
13775 
13776 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13777 		return -EINVAL;
13778 
13779 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13780 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13781 			return -EINVAL;
13782 		new_triggers.gtk_rekey_failure = true;
13783 		regular = true;
13784 	}
13785 
13786 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13787 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13788 			return -EINVAL;
13789 		new_triggers.eap_identity_req = true;
13790 		regular = true;
13791 	}
13792 
13793 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13794 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13795 			return -EINVAL;
13796 		new_triggers.four_way_handshake = true;
13797 		regular = true;
13798 	}
13799 
13800 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13801 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13802 			return -EINVAL;
13803 		new_triggers.rfkill_release = true;
13804 		regular = true;
13805 	}
13806 
13807 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13808 		struct nlattr *pat;
13809 		int n_patterns = 0;
13810 		int rem, pat_len, mask_len, pkt_offset;
13811 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13812 
13813 		regular = true;
13814 
13815 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13816 				    rem)
13817 			n_patterns++;
13818 		if (n_patterns > wowlan->n_patterns)
13819 			return -EINVAL;
13820 
13821 		new_triggers.patterns = kcalloc(n_patterns,
13822 						sizeof(new_triggers.patterns[0]),
13823 						GFP_KERNEL);
13824 		if (!new_triggers.patterns)
13825 			return -ENOMEM;
13826 
13827 		new_triggers.n_patterns = n_patterns;
13828 		i = 0;
13829 
13830 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13831 				    rem) {
13832 			u8 *mask_pat;
13833 
13834 			err = nla_parse_nested_deprecated(pat_tb,
13835 							  MAX_NL80211_PKTPAT,
13836 							  pat,
13837 							  nl80211_packet_pattern_policy,
13838 							  info->extack);
13839 			if (err)
13840 				goto error;
13841 
13842 			err = -EINVAL;
13843 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13844 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13845 				goto error;
13846 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13847 			mask_len = DIV_ROUND_UP(pat_len, 8);
13848 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13849 				goto error;
13850 			if (pat_len > wowlan->pattern_max_len ||
13851 			    pat_len < wowlan->pattern_min_len)
13852 				goto error;
13853 
13854 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13855 				pkt_offset = 0;
13856 			else
13857 				pkt_offset = nla_get_u32(
13858 					pat_tb[NL80211_PKTPAT_OFFSET]);
13859 			if (pkt_offset > wowlan->max_pkt_offset)
13860 				goto error;
13861 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13862 
13863 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13864 			if (!mask_pat) {
13865 				err = -ENOMEM;
13866 				goto error;
13867 			}
13868 			new_triggers.patterns[i].mask = mask_pat;
13869 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13870 			       mask_len);
13871 			mask_pat += mask_len;
13872 			new_triggers.patterns[i].pattern = mask_pat;
13873 			new_triggers.patterns[i].pattern_len = pat_len;
13874 			memcpy(mask_pat,
13875 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13876 			       pat_len);
13877 			i++;
13878 		}
13879 	}
13880 
13881 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13882 		regular = true;
13883 		err = nl80211_parse_wowlan_tcp(
13884 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13885 			&new_triggers);
13886 		if (err)
13887 			goto error;
13888 	}
13889 
13890 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13891 		regular = true;
13892 		err = nl80211_parse_wowlan_nd(
13893 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13894 			&new_triggers);
13895 		if (err)
13896 			goto error;
13897 	}
13898 
13899 	/* The 'any' trigger means the device continues operating more or less
13900 	 * as in its normal operation mode and wakes up the host on most of the
13901 	 * normal interrupts (like packet RX, ...)
13902 	 * It therefore makes little sense to combine with the more constrained
13903 	 * wakeup trigger modes.
13904 	 */
13905 	if (new_triggers.any && regular) {
13906 		err = -EINVAL;
13907 		goto error;
13908 	}
13909 
13910 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13911 	if (!ntrig) {
13912 		err = -ENOMEM;
13913 		goto error;
13914 	}
13915 	cfg80211_rdev_free_wowlan(rdev);
13916 	rdev->wiphy.wowlan_config = ntrig;
13917 
13918  set_wakeup:
13919 	if (rdev->ops->set_wakeup &&
13920 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13921 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13922 
13923 	return 0;
13924  error:
13925 	for (i = 0; i < new_triggers.n_patterns; i++)
13926 		kfree(new_triggers.patterns[i].mask);
13927 	kfree(new_triggers.patterns);
13928 	if (new_triggers.tcp && new_triggers.tcp->sock)
13929 		sock_release(new_triggers.tcp->sock);
13930 	kfree(new_triggers.tcp);
13931 	kfree(new_triggers.nd_config);
13932 	return err;
13933 }
13934 #endif
13935 
13936 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13937 				       struct cfg80211_registered_device *rdev)
13938 {
13939 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13940 	int i, j, pat_len;
13941 	struct cfg80211_coalesce_rules *rule;
13942 
13943 	if (!rdev->coalesce->n_rules)
13944 		return 0;
13945 
13946 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13947 	if (!nl_rules)
13948 		return -ENOBUFS;
13949 
13950 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13951 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13952 		if (!nl_rule)
13953 			return -ENOBUFS;
13954 
13955 		rule = &rdev->coalesce->rules[i];
13956 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13957 				rule->delay))
13958 			return -ENOBUFS;
13959 
13960 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13961 				rule->condition))
13962 			return -ENOBUFS;
13963 
13964 		nl_pats = nla_nest_start_noflag(msg,
13965 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13966 		if (!nl_pats)
13967 			return -ENOBUFS;
13968 
13969 		for (j = 0; j < rule->n_patterns; j++) {
13970 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13971 			if (!nl_pat)
13972 				return -ENOBUFS;
13973 			pat_len = rule->patterns[j].pattern_len;
13974 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13975 				    DIV_ROUND_UP(pat_len, 8),
13976 				    rule->patterns[j].mask) ||
13977 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13978 				    rule->patterns[j].pattern) ||
13979 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13980 					rule->patterns[j].pkt_offset))
13981 				return -ENOBUFS;
13982 			nla_nest_end(msg, nl_pat);
13983 		}
13984 		nla_nest_end(msg, nl_pats);
13985 		nla_nest_end(msg, nl_rule);
13986 	}
13987 	nla_nest_end(msg, nl_rules);
13988 
13989 	return 0;
13990 }
13991 
13992 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13993 {
13994 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13995 	struct sk_buff *msg;
13996 	void *hdr;
13997 
13998 	if (!rdev->wiphy.coalesce)
13999 		return -EOPNOTSUPP;
14000 
14001 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14002 	if (!msg)
14003 		return -ENOMEM;
14004 
14005 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14006 			     NL80211_CMD_GET_COALESCE);
14007 	if (!hdr)
14008 		goto nla_put_failure;
14009 
14010 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14011 		goto nla_put_failure;
14012 
14013 	genlmsg_end(msg, hdr);
14014 	return genlmsg_reply(msg, info);
14015 
14016 nla_put_failure:
14017 	nlmsg_free(msg);
14018 	return -ENOBUFS;
14019 }
14020 
14021 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14022 {
14023 	int i, j;
14024 	struct cfg80211_coalesce_rules *rule;
14025 
14026 	if (!coalesce)
14027 		return;
14028 
14029 	for (i = 0; i < coalesce->n_rules; i++) {
14030 		rule = &coalesce->rules[i];
14031 		if (!rule)
14032 			continue;
14033 		for (j = 0; j < rule->n_patterns; j++)
14034 			kfree(rule->patterns[j].mask);
14035 		kfree(rule->patterns);
14036 	}
14037 	kfree(coalesce);
14038 }
14039 
14040 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14041 				       struct nlattr *rule,
14042 				       struct cfg80211_coalesce_rules *new_rule)
14043 {
14044 	int err, i;
14045 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14046 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14047 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14048 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14049 
14050 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14051 					  rule, nl80211_coalesce_policy, NULL);
14052 	if (err)
14053 		return err;
14054 
14055 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14056 		new_rule->delay =
14057 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14058 	if (new_rule->delay > coalesce->max_delay)
14059 		return -EINVAL;
14060 
14061 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14062 		new_rule->condition =
14063 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14064 
14065 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14066 		return -EINVAL;
14067 
14068 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14069 			    rem)
14070 		n_patterns++;
14071 	if (n_patterns > coalesce->n_patterns)
14072 		return -EINVAL;
14073 
14074 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14075 				     GFP_KERNEL);
14076 	if (!new_rule->patterns)
14077 		return -ENOMEM;
14078 
14079 	new_rule->n_patterns = n_patterns;
14080 	i = 0;
14081 
14082 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14083 			    rem) {
14084 		u8 *mask_pat;
14085 
14086 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14087 						  pat,
14088 						  nl80211_packet_pattern_policy,
14089 						  NULL);
14090 		if (err)
14091 			return err;
14092 
14093 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14094 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14095 			return -EINVAL;
14096 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14097 		mask_len = DIV_ROUND_UP(pat_len, 8);
14098 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14099 			return -EINVAL;
14100 		if (pat_len > coalesce->pattern_max_len ||
14101 		    pat_len < coalesce->pattern_min_len)
14102 			return -EINVAL;
14103 
14104 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
14105 			pkt_offset = 0;
14106 		else
14107 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
14108 		if (pkt_offset > coalesce->max_pkt_offset)
14109 			return -EINVAL;
14110 		new_rule->patterns[i].pkt_offset = pkt_offset;
14111 
14112 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14113 		if (!mask_pat)
14114 			return -ENOMEM;
14115 
14116 		new_rule->patterns[i].mask = mask_pat;
14117 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14118 		       mask_len);
14119 
14120 		mask_pat += mask_len;
14121 		new_rule->patterns[i].pattern = mask_pat;
14122 		new_rule->patterns[i].pattern_len = pat_len;
14123 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14124 		       pat_len);
14125 		i++;
14126 	}
14127 
14128 	return 0;
14129 }
14130 
14131 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14132 {
14133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14134 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14135 	struct cfg80211_coalesce *new_coalesce;
14136 	int err, rem_rule, n_rules = 0, i;
14137 	struct nlattr *rule;
14138 
14139 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14140 		return -EOPNOTSUPP;
14141 
14142 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14143 		cfg80211_free_coalesce(rdev->coalesce);
14144 		rdev->coalesce = NULL;
14145 		rdev_set_coalesce(rdev, NULL);
14146 		return 0;
14147 	}
14148 
14149 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14150 			    rem_rule)
14151 		n_rules++;
14152 	if (n_rules > coalesce->n_rules)
14153 		return -EINVAL;
14154 
14155 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14156 			       GFP_KERNEL);
14157 	if (!new_coalesce)
14158 		return -ENOMEM;
14159 
14160 	new_coalesce->n_rules = n_rules;
14161 	i = 0;
14162 
14163 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14164 			    rem_rule) {
14165 		err = nl80211_parse_coalesce_rule(rdev, rule,
14166 						  &new_coalesce->rules[i]);
14167 		if (err)
14168 			goto error;
14169 
14170 		i++;
14171 	}
14172 
14173 	err = rdev_set_coalesce(rdev, new_coalesce);
14174 	if (err)
14175 		goto error;
14176 
14177 	cfg80211_free_coalesce(rdev->coalesce);
14178 	rdev->coalesce = new_coalesce;
14179 
14180 	return 0;
14181 error:
14182 	cfg80211_free_coalesce(new_coalesce);
14183 
14184 	return err;
14185 }
14186 
14187 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14188 {
14189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14190 	struct net_device *dev = info->user_ptr[1];
14191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14192 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14193 	struct cfg80211_gtk_rekey_data rekey_data = {};
14194 	int err;
14195 
14196 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14197 		return -EINVAL;
14198 
14199 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14200 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14201 					  nl80211_rekey_policy, info->extack);
14202 	if (err)
14203 		return err;
14204 
14205 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14206 	    !tb[NL80211_REKEY_DATA_KCK])
14207 		return -EINVAL;
14208 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14209 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14210 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14211 		return -ERANGE;
14212 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14213 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14214 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14215 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14216 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14217 		return -ERANGE;
14218 
14219 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14220 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14221 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14222 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14223 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14224 	if (tb[NL80211_REKEY_DATA_AKM])
14225 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14226 
14227 	if (!wdev->connected)
14228 		return -ENOTCONN;
14229 
14230 	if (!rdev->ops->set_rekey_data)
14231 		return -EOPNOTSUPP;
14232 
14233 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14234 }
14235 
14236 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14237 					     struct genl_info *info)
14238 {
14239 	struct net_device *dev = info->user_ptr[1];
14240 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14241 
14242 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14243 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14244 		return -EINVAL;
14245 
14246 	if (wdev->ap_unexpected_nlportid)
14247 		return -EBUSY;
14248 
14249 	wdev->ap_unexpected_nlportid = info->snd_portid;
14250 	return 0;
14251 }
14252 
14253 static int nl80211_probe_client(struct sk_buff *skb,
14254 				struct genl_info *info)
14255 {
14256 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14257 	struct net_device *dev = info->user_ptr[1];
14258 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14259 	struct sk_buff *msg;
14260 	void *hdr;
14261 	const u8 *addr;
14262 	u64 cookie;
14263 	int err;
14264 
14265 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14266 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14267 		return -EOPNOTSUPP;
14268 
14269 	if (!info->attrs[NL80211_ATTR_MAC])
14270 		return -EINVAL;
14271 
14272 	if (!rdev->ops->probe_client)
14273 		return -EOPNOTSUPP;
14274 
14275 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14276 	if (!msg)
14277 		return -ENOMEM;
14278 
14279 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14280 			     NL80211_CMD_PROBE_CLIENT);
14281 	if (!hdr) {
14282 		err = -ENOBUFS;
14283 		goto free_msg;
14284 	}
14285 
14286 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14287 
14288 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14289 	if (err)
14290 		goto free_msg;
14291 
14292 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14293 			      NL80211_ATTR_PAD))
14294 		goto nla_put_failure;
14295 
14296 	genlmsg_end(msg, hdr);
14297 
14298 	return genlmsg_reply(msg, info);
14299 
14300  nla_put_failure:
14301 	err = -ENOBUFS;
14302  free_msg:
14303 	nlmsg_free(msg);
14304 	return err;
14305 }
14306 
14307 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14308 {
14309 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14310 	struct cfg80211_beacon_registration *reg, *nreg;
14311 	int rv;
14312 
14313 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14314 		return -EOPNOTSUPP;
14315 
14316 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14317 	if (!nreg)
14318 		return -ENOMEM;
14319 
14320 	/* First, check if already registered. */
14321 	spin_lock_bh(&rdev->beacon_registrations_lock);
14322 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14323 		if (reg->nlportid == info->snd_portid) {
14324 			rv = -EALREADY;
14325 			goto out_err;
14326 		}
14327 	}
14328 	/* Add it to the list */
14329 	nreg->nlportid = info->snd_portid;
14330 	list_add(&nreg->list, &rdev->beacon_registrations);
14331 
14332 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14333 
14334 	return 0;
14335 out_err:
14336 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14337 	kfree(nreg);
14338 	return rv;
14339 }
14340 
14341 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14342 {
14343 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14344 	struct wireless_dev *wdev = info->user_ptr[1];
14345 	int err;
14346 
14347 	if (!rdev->ops->start_p2p_device)
14348 		return -EOPNOTSUPP;
14349 
14350 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14351 		return -EOPNOTSUPP;
14352 
14353 	if (wdev_running(wdev))
14354 		return 0;
14355 
14356 	if (rfkill_blocked(rdev->wiphy.rfkill))
14357 		return -ERFKILL;
14358 
14359 	err = rdev_start_p2p_device(rdev, wdev);
14360 	if (err)
14361 		return err;
14362 
14363 	wdev->is_running = true;
14364 	rdev->opencount++;
14365 
14366 	return 0;
14367 }
14368 
14369 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14370 {
14371 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14372 	struct wireless_dev *wdev = info->user_ptr[1];
14373 
14374 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14375 		return -EOPNOTSUPP;
14376 
14377 	if (!rdev->ops->stop_p2p_device)
14378 		return -EOPNOTSUPP;
14379 
14380 	cfg80211_stop_p2p_device(rdev, wdev);
14381 
14382 	return 0;
14383 }
14384 
14385 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14386 {
14387 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14388 	struct wireless_dev *wdev = info->user_ptr[1];
14389 	struct cfg80211_nan_conf conf = {};
14390 	int err;
14391 
14392 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14393 		return -EOPNOTSUPP;
14394 
14395 	if (wdev_running(wdev))
14396 		return -EEXIST;
14397 
14398 	if (rfkill_blocked(rdev->wiphy.rfkill))
14399 		return -ERFKILL;
14400 
14401 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14402 		return -EINVAL;
14403 
14404 	conf.master_pref =
14405 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14406 
14407 	if (info->attrs[NL80211_ATTR_BANDS]) {
14408 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14409 
14410 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14411 			return -EOPNOTSUPP;
14412 
14413 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14414 			return -EINVAL;
14415 
14416 		conf.bands = bands;
14417 	}
14418 
14419 	err = rdev_start_nan(rdev, wdev, &conf);
14420 	if (err)
14421 		return err;
14422 
14423 	wdev->is_running = true;
14424 	rdev->opencount++;
14425 
14426 	return 0;
14427 }
14428 
14429 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14430 {
14431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14432 	struct wireless_dev *wdev = info->user_ptr[1];
14433 
14434 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14435 		return -EOPNOTSUPP;
14436 
14437 	cfg80211_stop_nan(rdev, wdev);
14438 
14439 	return 0;
14440 }
14441 
14442 static int validate_nan_filter(struct nlattr *filter_attr)
14443 {
14444 	struct nlattr *attr;
14445 	int len = 0, n_entries = 0, rem;
14446 
14447 	nla_for_each_nested(attr, filter_attr, rem) {
14448 		len += nla_len(attr);
14449 		n_entries++;
14450 	}
14451 
14452 	if (len >= U8_MAX)
14453 		return -EINVAL;
14454 
14455 	return n_entries;
14456 }
14457 
14458 static int handle_nan_filter(struct nlattr *attr_filter,
14459 			     struct cfg80211_nan_func *func,
14460 			     bool tx)
14461 {
14462 	struct nlattr *attr;
14463 	int n_entries, rem, i;
14464 	struct cfg80211_nan_func_filter *filter;
14465 
14466 	n_entries = validate_nan_filter(attr_filter);
14467 	if (n_entries < 0)
14468 		return n_entries;
14469 
14470 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14471 
14472 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14473 	if (!filter)
14474 		return -ENOMEM;
14475 
14476 	i = 0;
14477 	nla_for_each_nested(attr, attr_filter, rem) {
14478 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14479 		if (!filter[i].filter)
14480 			goto err;
14481 
14482 		filter[i].len = nla_len(attr);
14483 		i++;
14484 	}
14485 	if (tx) {
14486 		func->num_tx_filters = n_entries;
14487 		func->tx_filters = filter;
14488 	} else {
14489 		func->num_rx_filters = n_entries;
14490 		func->rx_filters = filter;
14491 	}
14492 
14493 	return 0;
14494 
14495 err:
14496 	i = 0;
14497 	nla_for_each_nested(attr, attr_filter, rem) {
14498 		kfree(filter[i].filter);
14499 		i++;
14500 	}
14501 	kfree(filter);
14502 	return -ENOMEM;
14503 }
14504 
14505 static int nl80211_nan_add_func(struct sk_buff *skb,
14506 				struct genl_info *info)
14507 {
14508 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14509 	struct wireless_dev *wdev = info->user_ptr[1];
14510 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14511 	struct cfg80211_nan_func *func;
14512 	struct sk_buff *msg = NULL;
14513 	void *hdr = NULL;
14514 	int err = 0;
14515 
14516 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14517 		return -EOPNOTSUPP;
14518 
14519 	if (!wdev_running(wdev))
14520 		return -ENOTCONN;
14521 
14522 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14523 		return -EINVAL;
14524 
14525 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14526 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14527 					  nl80211_nan_func_policy,
14528 					  info->extack);
14529 	if (err)
14530 		return err;
14531 
14532 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14533 	if (!func)
14534 		return -ENOMEM;
14535 
14536 	func->cookie = cfg80211_assign_cookie(rdev);
14537 
14538 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14539 		err = -EINVAL;
14540 		goto out;
14541 	}
14542 
14543 
14544 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14545 
14546 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14547 		err = -EINVAL;
14548 		goto out;
14549 	}
14550 
14551 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14552 	       sizeof(func->service_id));
14553 
14554 	func->close_range =
14555 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14556 
14557 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14558 		func->serv_spec_info_len =
14559 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14560 		func->serv_spec_info =
14561 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14562 				func->serv_spec_info_len,
14563 				GFP_KERNEL);
14564 		if (!func->serv_spec_info) {
14565 			err = -ENOMEM;
14566 			goto out;
14567 		}
14568 	}
14569 
14570 	if (tb[NL80211_NAN_FUNC_TTL])
14571 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14572 
14573 	switch (func->type) {
14574 	case NL80211_NAN_FUNC_PUBLISH:
14575 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14576 			err = -EINVAL;
14577 			goto out;
14578 		}
14579 
14580 		func->publish_type =
14581 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14582 		func->publish_bcast =
14583 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14584 
14585 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14586 			func->publish_bcast) {
14587 			err = -EINVAL;
14588 			goto out;
14589 		}
14590 		break;
14591 	case NL80211_NAN_FUNC_SUBSCRIBE:
14592 		func->subscribe_active =
14593 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14594 		break;
14595 	case NL80211_NAN_FUNC_FOLLOW_UP:
14596 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14597 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14598 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14599 			err = -EINVAL;
14600 			goto out;
14601 		}
14602 
14603 		func->followup_id =
14604 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14605 		func->followup_reqid =
14606 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14607 		memcpy(func->followup_dest.addr,
14608 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14609 		       sizeof(func->followup_dest.addr));
14610 		if (func->ttl) {
14611 			err = -EINVAL;
14612 			goto out;
14613 		}
14614 		break;
14615 	default:
14616 		err = -EINVAL;
14617 		goto out;
14618 	}
14619 
14620 	if (tb[NL80211_NAN_FUNC_SRF]) {
14621 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14622 
14623 		err = nla_parse_nested_deprecated(srf_tb,
14624 						  NL80211_NAN_SRF_ATTR_MAX,
14625 						  tb[NL80211_NAN_FUNC_SRF],
14626 						  nl80211_nan_srf_policy,
14627 						  info->extack);
14628 		if (err)
14629 			goto out;
14630 
14631 		func->srf_include =
14632 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14633 
14634 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14635 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14636 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14637 				err = -EINVAL;
14638 				goto out;
14639 			}
14640 
14641 			func->srf_bf_len =
14642 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14643 			func->srf_bf =
14644 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14645 					func->srf_bf_len, GFP_KERNEL);
14646 			if (!func->srf_bf) {
14647 				err = -ENOMEM;
14648 				goto out;
14649 			}
14650 
14651 			func->srf_bf_idx =
14652 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14653 		} else {
14654 			struct nlattr *attr, *mac_attr =
14655 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14656 			int n_entries, rem, i = 0;
14657 
14658 			if (!mac_attr) {
14659 				err = -EINVAL;
14660 				goto out;
14661 			}
14662 
14663 			n_entries = validate_acl_mac_addrs(mac_attr);
14664 			if (n_entries <= 0) {
14665 				err = -EINVAL;
14666 				goto out;
14667 			}
14668 
14669 			func->srf_num_macs = n_entries;
14670 			func->srf_macs =
14671 				kcalloc(n_entries, sizeof(*func->srf_macs),
14672 					GFP_KERNEL);
14673 			if (!func->srf_macs) {
14674 				err = -ENOMEM;
14675 				goto out;
14676 			}
14677 
14678 			nla_for_each_nested(attr, mac_attr, rem)
14679 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14680 				       sizeof(*func->srf_macs));
14681 		}
14682 	}
14683 
14684 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14685 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14686 					func, true);
14687 		if (err)
14688 			goto out;
14689 	}
14690 
14691 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14692 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14693 					func, false);
14694 		if (err)
14695 			goto out;
14696 	}
14697 
14698 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14699 	if (!msg) {
14700 		err = -ENOMEM;
14701 		goto out;
14702 	}
14703 
14704 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14705 			     NL80211_CMD_ADD_NAN_FUNCTION);
14706 	/* This can't really happen - we just allocated 4KB */
14707 	if (WARN_ON(!hdr)) {
14708 		err = -ENOMEM;
14709 		goto out;
14710 	}
14711 
14712 	err = rdev_add_nan_func(rdev, wdev, func);
14713 out:
14714 	if (err < 0) {
14715 		cfg80211_free_nan_func(func);
14716 		nlmsg_free(msg);
14717 		return err;
14718 	}
14719 
14720 	/* propagate the instance id and cookie to userspace  */
14721 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14722 			      NL80211_ATTR_PAD))
14723 		goto nla_put_failure;
14724 
14725 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14726 	if (!func_attr)
14727 		goto nla_put_failure;
14728 
14729 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14730 		       func->instance_id))
14731 		goto nla_put_failure;
14732 
14733 	nla_nest_end(msg, func_attr);
14734 
14735 	genlmsg_end(msg, hdr);
14736 	return genlmsg_reply(msg, info);
14737 
14738 nla_put_failure:
14739 	nlmsg_free(msg);
14740 	return -ENOBUFS;
14741 }
14742 
14743 static int nl80211_nan_del_func(struct sk_buff *skb,
14744 			       struct genl_info *info)
14745 {
14746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14747 	struct wireless_dev *wdev = info->user_ptr[1];
14748 	u64 cookie;
14749 
14750 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14751 		return -EOPNOTSUPP;
14752 
14753 	if (!wdev_running(wdev))
14754 		return -ENOTCONN;
14755 
14756 	if (!info->attrs[NL80211_ATTR_COOKIE])
14757 		return -EINVAL;
14758 
14759 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14760 
14761 	rdev_del_nan_func(rdev, wdev, cookie);
14762 
14763 	return 0;
14764 }
14765 
14766 static int nl80211_nan_change_config(struct sk_buff *skb,
14767 				     struct genl_info *info)
14768 {
14769 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14770 	struct wireless_dev *wdev = info->user_ptr[1];
14771 	struct cfg80211_nan_conf conf = {};
14772 	u32 changed = 0;
14773 
14774 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14775 		return -EOPNOTSUPP;
14776 
14777 	if (!wdev_running(wdev))
14778 		return -ENOTCONN;
14779 
14780 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14781 		conf.master_pref =
14782 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14783 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14784 			return -EINVAL;
14785 
14786 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14787 	}
14788 
14789 	if (info->attrs[NL80211_ATTR_BANDS]) {
14790 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14791 
14792 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14793 			return -EOPNOTSUPP;
14794 
14795 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14796 			return -EINVAL;
14797 
14798 		conf.bands = bands;
14799 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14800 	}
14801 
14802 	if (!changed)
14803 		return -EINVAL;
14804 
14805 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14806 }
14807 
14808 void cfg80211_nan_match(struct wireless_dev *wdev,
14809 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14810 {
14811 	struct wiphy *wiphy = wdev->wiphy;
14812 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14813 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14814 	struct sk_buff *msg;
14815 	void *hdr;
14816 
14817 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14818 		return;
14819 
14820 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14821 	if (!msg)
14822 		return;
14823 
14824 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14825 	if (!hdr) {
14826 		nlmsg_free(msg);
14827 		return;
14828 	}
14829 
14830 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14831 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14832 					 wdev->netdev->ifindex)) ||
14833 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14834 			      NL80211_ATTR_PAD))
14835 		goto nla_put_failure;
14836 
14837 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14838 			      NL80211_ATTR_PAD) ||
14839 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14840 		goto nla_put_failure;
14841 
14842 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14843 	if (!match_attr)
14844 		goto nla_put_failure;
14845 
14846 	local_func_attr = nla_nest_start_noflag(msg,
14847 						NL80211_NAN_MATCH_FUNC_LOCAL);
14848 	if (!local_func_attr)
14849 		goto nla_put_failure;
14850 
14851 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14852 		goto nla_put_failure;
14853 
14854 	nla_nest_end(msg, local_func_attr);
14855 
14856 	peer_func_attr = nla_nest_start_noflag(msg,
14857 					       NL80211_NAN_MATCH_FUNC_PEER);
14858 	if (!peer_func_attr)
14859 		goto nla_put_failure;
14860 
14861 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14862 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14863 		goto nla_put_failure;
14864 
14865 	if (match->info && match->info_len &&
14866 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14867 		    match->info))
14868 		goto nla_put_failure;
14869 
14870 	nla_nest_end(msg, peer_func_attr);
14871 	nla_nest_end(msg, match_attr);
14872 	genlmsg_end(msg, hdr);
14873 
14874 	if (!wdev->owner_nlportid)
14875 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14876 					msg, 0, NL80211_MCGRP_NAN, gfp);
14877 	else
14878 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14879 				wdev->owner_nlportid);
14880 
14881 	return;
14882 
14883 nla_put_failure:
14884 	nlmsg_free(msg);
14885 }
14886 EXPORT_SYMBOL(cfg80211_nan_match);
14887 
14888 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14889 				  u8 inst_id,
14890 				  enum nl80211_nan_func_term_reason reason,
14891 				  u64 cookie, gfp_t gfp)
14892 {
14893 	struct wiphy *wiphy = wdev->wiphy;
14894 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14895 	struct sk_buff *msg;
14896 	struct nlattr *func_attr;
14897 	void *hdr;
14898 
14899 	if (WARN_ON(!inst_id))
14900 		return;
14901 
14902 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14903 	if (!msg)
14904 		return;
14905 
14906 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14907 	if (!hdr) {
14908 		nlmsg_free(msg);
14909 		return;
14910 	}
14911 
14912 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14913 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14914 					 wdev->netdev->ifindex)) ||
14915 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14916 			      NL80211_ATTR_PAD))
14917 		goto nla_put_failure;
14918 
14919 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14920 			      NL80211_ATTR_PAD))
14921 		goto nla_put_failure;
14922 
14923 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14924 	if (!func_attr)
14925 		goto nla_put_failure;
14926 
14927 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14928 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14929 		goto nla_put_failure;
14930 
14931 	nla_nest_end(msg, func_attr);
14932 	genlmsg_end(msg, hdr);
14933 
14934 	if (!wdev->owner_nlportid)
14935 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14936 					msg, 0, NL80211_MCGRP_NAN, gfp);
14937 	else
14938 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14939 				wdev->owner_nlportid);
14940 
14941 	return;
14942 
14943 nla_put_failure:
14944 	nlmsg_free(msg);
14945 }
14946 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14947 
14948 static int nl80211_get_protocol_features(struct sk_buff *skb,
14949 					 struct genl_info *info)
14950 {
14951 	void *hdr;
14952 	struct sk_buff *msg;
14953 
14954 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14955 	if (!msg)
14956 		return -ENOMEM;
14957 
14958 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14959 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14960 	if (!hdr)
14961 		goto nla_put_failure;
14962 
14963 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14964 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14965 		goto nla_put_failure;
14966 
14967 	genlmsg_end(msg, hdr);
14968 	return genlmsg_reply(msg, info);
14969 
14970  nla_put_failure:
14971 	kfree_skb(msg);
14972 	return -ENOBUFS;
14973 }
14974 
14975 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14976 {
14977 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14978 	struct cfg80211_update_ft_ies_params ft_params;
14979 	struct net_device *dev = info->user_ptr[1];
14980 
14981 	if (!rdev->ops->update_ft_ies)
14982 		return -EOPNOTSUPP;
14983 
14984 	if (!info->attrs[NL80211_ATTR_MDID] ||
14985 	    !info->attrs[NL80211_ATTR_IE])
14986 		return -EINVAL;
14987 
14988 	memset(&ft_params, 0, sizeof(ft_params));
14989 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14990 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14991 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14992 
14993 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14994 }
14995 
14996 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14997 				       struct genl_info *info)
14998 {
14999 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15000 	struct wireless_dev *wdev = info->user_ptr[1];
15001 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15002 	u16 duration;
15003 	int ret;
15004 
15005 	if (!rdev->ops->crit_proto_start)
15006 		return -EOPNOTSUPP;
15007 
15008 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15009 		return -EINVAL;
15010 
15011 	if (rdev->crit_proto_nlportid)
15012 		return -EBUSY;
15013 
15014 	/* determine protocol if provided */
15015 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15016 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15017 
15018 	if (proto >= NUM_NL80211_CRIT_PROTO)
15019 		return -EINVAL;
15020 
15021 	/* timeout must be provided */
15022 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15023 		return -EINVAL;
15024 
15025 	duration =
15026 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15027 
15028 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15029 	if (!ret)
15030 		rdev->crit_proto_nlportid = info->snd_portid;
15031 
15032 	return ret;
15033 }
15034 
15035 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15036 				      struct genl_info *info)
15037 {
15038 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15039 	struct wireless_dev *wdev = info->user_ptr[1];
15040 
15041 	if (!rdev->ops->crit_proto_stop)
15042 		return -EOPNOTSUPP;
15043 
15044 	if (rdev->crit_proto_nlportid) {
15045 		rdev->crit_proto_nlportid = 0;
15046 		rdev_crit_proto_stop(rdev, wdev);
15047 	}
15048 	return 0;
15049 }
15050 
15051 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15052 				       struct nlattr *attr,
15053 				       struct netlink_ext_ack *extack)
15054 {
15055 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15056 		if (attr->nla_type & NLA_F_NESTED) {
15057 			NL_SET_ERR_MSG_ATTR(extack, attr,
15058 					    "unexpected nested data");
15059 			return -EINVAL;
15060 		}
15061 
15062 		return 0;
15063 	}
15064 
15065 	if (!(attr->nla_type & NLA_F_NESTED)) {
15066 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15067 		return -EINVAL;
15068 	}
15069 
15070 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15071 }
15072 
15073 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15074 {
15075 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15076 	struct wireless_dev *wdev =
15077 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15078 					   info->attrs);
15079 	int i, err;
15080 	u32 vid, subcmd;
15081 
15082 	if (!rdev->wiphy.vendor_commands)
15083 		return -EOPNOTSUPP;
15084 
15085 	if (IS_ERR(wdev)) {
15086 		err = PTR_ERR(wdev);
15087 		if (err != -EINVAL)
15088 			return err;
15089 		wdev = NULL;
15090 	} else if (wdev->wiphy != &rdev->wiphy) {
15091 		return -EINVAL;
15092 	}
15093 
15094 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15095 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15096 		return -EINVAL;
15097 
15098 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15099 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15100 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15101 		const struct wiphy_vendor_command *vcmd;
15102 		void *data = NULL;
15103 		int len = 0;
15104 
15105 		vcmd = &rdev->wiphy.vendor_commands[i];
15106 
15107 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15108 			continue;
15109 
15110 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15111 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15112 			if (!wdev)
15113 				return -EINVAL;
15114 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15115 			    !wdev->netdev)
15116 				return -EINVAL;
15117 
15118 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15119 				if (!wdev_running(wdev))
15120 					return -ENETDOWN;
15121 			}
15122 		} else {
15123 			wdev = NULL;
15124 		}
15125 
15126 		if (!vcmd->doit)
15127 			return -EOPNOTSUPP;
15128 
15129 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15130 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15131 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15132 
15133 			err = nl80211_vendor_check_policy(vcmd,
15134 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15135 					info->extack);
15136 			if (err)
15137 				return err;
15138 		}
15139 
15140 		rdev->cur_cmd_info = info;
15141 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15142 		rdev->cur_cmd_info = NULL;
15143 		return err;
15144 	}
15145 
15146 	return -EOPNOTSUPP;
15147 }
15148 
15149 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15150 				       struct netlink_callback *cb,
15151 				       struct cfg80211_registered_device **rdev,
15152 				       struct wireless_dev **wdev)
15153 {
15154 	struct nlattr **attrbuf;
15155 	u32 vid, subcmd;
15156 	unsigned int i;
15157 	int vcmd_idx = -1;
15158 	int err;
15159 	void *data = NULL;
15160 	unsigned int data_len = 0;
15161 
15162 	if (cb->args[0]) {
15163 		/* subtract the 1 again here */
15164 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15165 		struct wireless_dev *tmp;
15166 
15167 		if (!wiphy)
15168 			return -ENODEV;
15169 		*rdev = wiphy_to_rdev(wiphy);
15170 		*wdev = NULL;
15171 
15172 		if (cb->args[1]) {
15173 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15174 				if (tmp->identifier == cb->args[1] - 1) {
15175 					*wdev = tmp;
15176 					break;
15177 				}
15178 			}
15179 		}
15180 
15181 		/* keep rtnl locked in successful case */
15182 		return 0;
15183 	}
15184 
15185 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15186 	if (!attrbuf)
15187 		return -ENOMEM;
15188 
15189 	err = nlmsg_parse_deprecated(cb->nlh,
15190 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15191 				     attrbuf, nl80211_fam.maxattr,
15192 				     nl80211_policy, NULL);
15193 	if (err)
15194 		goto out;
15195 
15196 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15197 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15198 		err = -EINVAL;
15199 		goto out;
15200 	}
15201 
15202 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15203 	if (IS_ERR(*wdev))
15204 		*wdev = NULL;
15205 
15206 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15207 	if (IS_ERR(*rdev)) {
15208 		err = PTR_ERR(*rdev);
15209 		goto out;
15210 	}
15211 
15212 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15213 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15214 
15215 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15216 		const struct wiphy_vendor_command *vcmd;
15217 
15218 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15219 
15220 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15221 			continue;
15222 
15223 		if (!vcmd->dumpit) {
15224 			err = -EOPNOTSUPP;
15225 			goto out;
15226 		}
15227 
15228 		vcmd_idx = i;
15229 		break;
15230 	}
15231 
15232 	if (vcmd_idx < 0) {
15233 		err = -EOPNOTSUPP;
15234 		goto out;
15235 	}
15236 
15237 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15238 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15239 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15240 
15241 		err = nl80211_vendor_check_policy(
15242 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15243 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15244 				cb->extack);
15245 		if (err)
15246 			goto out;
15247 	}
15248 
15249 	/* 0 is the first index - add 1 to parse only once */
15250 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15251 	/* add 1 to know if it was NULL */
15252 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15253 	cb->args[2] = vcmd_idx;
15254 	cb->args[3] = (unsigned long)data;
15255 	cb->args[4] = data_len;
15256 
15257 	/* keep rtnl locked in successful case */
15258 	err = 0;
15259 out:
15260 	kfree(attrbuf);
15261 	return err;
15262 }
15263 
15264 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15265 				   struct netlink_callback *cb)
15266 {
15267 	struct cfg80211_registered_device *rdev;
15268 	struct wireless_dev *wdev;
15269 	unsigned int vcmd_idx;
15270 	const struct wiphy_vendor_command *vcmd;
15271 	void *data;
15272 	int data_len;
15273 	int err;
15274 	struct nlattr *vendor_data;
15275 
15276 	rtnl_lock();
15277 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15278 	if (err)
15279 		goto out;
15280 
15281 	vcmd_idx = cb->args[2];
15282 	data = (void *)cb->args[3];
15283 	data_len = cb->args[4];
15284 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15285 
15286 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15287 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15288 		if (!wdev) {
15289 			err = -EINVAL;
15290 			goto out;
15291 		}
15292 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15293 		    !wdev->netdev) {
15294 			err = -EINVAL;
15295 			goto out;
15296 		}
15297 
15298 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15299 			if (!wdev_running(wdev)) {
15300 				err = -ENETDOWN;
15301 				goto out;
15302 			}
15303 		}
15304 	}
15305 
15306 	while (1) {
15307 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15308 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15309 					   NL80211_CMD_VENDOR);
15310 		if (!hdr)
15311 			break;
15312 
15313 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15314 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15315 					       wdev_id(wdev),
15316 					       NL80211_ATTR_PAD))) {
15317 			genlmsg_cancel(skb, hdr);
15318 			break;
15319 		}
15320 
15321 		vendor_data = nla_nest_start_noflag(skb,
15322 						    NL80211_ATTR_VENDOR_DATA);
15323 		if (!vendor_data) {
15324 			genlmsg_cancel(skb, hdr);
15325 			break;
15326 		}
15327 
15328 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15329 				   (unsigned long *)&cb->args[5]);
15330 		nla_nest_end(skb, vendor_data);
15331 
15332 		if (err == -ENOBUFS || err == -ENOENT) {
15333 			genlmsg_cancel(skb, hdr);
15334 			break;
15335 		} else if (err <= 0) {
15336 			genlmsg_cancel(skb, hdr);
15337 			goto out;
15338 		}
15339 
15340 		genlmsg_end(skb, hdr);
15341 	}
15342 
15343 	err = skb->len;
15344  out:
15345 	rtnl_unlock();
15346 	return err;
15347 }
15348 
15349 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15350 					   enum nl80211_commands cmd,
15351 					   enum nl80211_attrs attr,
15352 					   int approxlen)
15353 {
15354 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15355 
15356 	if (WARN_ON(!rdev->cur_cmd_info))
15357 		return NULL;
15358 
15359 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15360 					   rdev->cur_cmd_info->snd_portid,
15361 					   rdev->cur_cmd_info->snd_seq,
15362 					   cmd, attr, NULL, GFP_KERNEL);
15363 }
15364 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15365 
15366 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15367 {
15368 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15369 	void *hdr = ((void **)skb->cb)[1];
15370 	struct nlattr *data = ((void **)skb->cb)[2];
15371 
15372 	/* clear CB data for netlink core to own from now on */
15373 	memset(skb->cb, 0, sizeof(skb->cb));
15374 
15375 	if (WARN_ON(!rdev->cur_cmd_info)) {
15376 		kfree_skb(skb);
15377 		return -EINVAL;
15378 	}
15379 
15380 	nla_nest_end(skb, data);
15381 	genlmsg_end(skb, hdr);
15382 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15383 }
15384 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15385 
15386 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15387 {
15388 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15389 
15390 	if (WARN_ON(!rdev->cur_cmd_info))
15391 		return 0;
15392 
15393 	return rdev->cur_cmd_info->snd_portid;
15394 }
15395 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15396 
15397 static int nl80211_set_qos_map(struct sk_buff *skb,
15398 			       struct genl_info *info)
15399 {
15400 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15401 	struct cfg80211_qos_map *qos_map = NULL;
15402 	struct net_device *dev = info->user_ptr[1];
15403 	u8 *pos, len, num_des, des_len, des;
15404 	int ret;
15405 
15406 	if (!rdev->ops->set_qos_map)
15407 		return -EOPNOTSUPP;
15408 
15409 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15410 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15411 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15412 
15413 		if (len % 2)
15414 			return -EINVAL;
15415 
15416 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15417 		if (!qos_map)
15418 			return -ENOMEM;
15419 
15420 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15421 		if (num_des) {
15422 			des_len = num_des *
15423 				sizeof(struct cfg80211_dscp_exception);
15424 			memcpy(qos_map->dscp_exception, pos, des_len);
15425 			qos_map->num_des = num_des;
15426 			for (des = 0; des < num_des; des++) {
15427 				if (qos_map->dscp_exception[des].up > 7) {
15428 					kfree(qos_map);
15429 					return -EINVAL;
15430 				}
15431 			}
15432 			pos += des_len;
15433 		}
15434 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15435 	}
15436 
15437 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15438 	if (!ret)
15439 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15440 
15441 	kfree(qos_map);
15442 	return ret;
15443 }
15444 
15445 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15446 {
15447 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15448 	struct net_device *dev = info->user_ptr[1];
15449 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15450 	const u8 *peer;
15451 	u8 tsid, up;
15452 	u16 admitted_time = 0;
15453 
15454 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15455 		return -EOPNOTSUPP;
15456 
15457 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15458 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15459 		return -EINVAL;
15460 
15461 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15462 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15463 
15464 	/* WMM uses TIDs 0-7 even for TSPEC */
15465 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15466 		/* TODO: handle 802.11 TSPEC/admission control
15467 		 * need more attributes for that (e.g. BA session requirement);
15468 		 * change the WMM adminssion test above to allow both then
15469 		 */
15470 		return -EINVAL;
15471 	}
15472 
15473 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15474 
15475 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15476 		admitted_time =
15477 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15478 		if (!admitted_time)
15479 			return -EINVAL;
15480 	}
15481 
15482 	switch (wdev->iftype) {
15483 	case NL80211_IFTYPE_STATION:
15484 	case NL80211_IFTYPE_P2P_CLIENT:
15485 		if (wdev->connected)
15486 			break;
15487 		return -ENOTCONN;
15488 	default:
15489 		return -EOPNOTSUPP;
15490 	}
15491 
15492 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15493 }
15494 
15495 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15496 {
15497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15498 	struct net_device *dev = info->user_ptr[1];
15499 	const u8 *peer;
15500 	u8 tsid;
15501 
15502 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15503 		return -EINVAL;
15504 
15505 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15506 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15507 
15508 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15509 }
15510 
15511 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15512 				       struct genl_info *info)
15513 {
15514 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15515 	struct net_device *dev = info->user_ptr[1];
15516 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15517 	struct cfg80211_chan_def chandef = {};
15518 	const u8 *addr;
15519 	u8 oper_class;
15520 	int err;
15521 
15522 	if (!rdev->ops->tdls_channel_switch ||
15523 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15524 		return -EOPNOTSUPP;
15525 
15526 	switch (dev->ieee80211_ptr->iftype) {
15527 	case NL80211_IFTYPE_STATION:
15528 	case NL80211_IFTYPE_P2P_CLIENT:
15529 		break;
15530 	default:
15531 		return -EOPNOTSUPP;
15532 	}
15533 
15534 	if (!info->attrs[NL80211_ATTR_MAC] ||
15535 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15536 		return -EINVAL;
15537 
15538 	err = nl80211_parse_chandef(rdev, info, &chandef);
15539 	if (err)
15540 		return err;
15541 
15542 	/*
15543 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15544 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15545 	 * specification is not defined for them.
15546 	 */
15547 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15548 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15549 	    chandef.width != NL80211_CHAN_WIDTH_20)
15550 		return -EINVAL;
15551 
15552 	/* we will be active on the TDLS link */
15553 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15554 					   wdev->iftype))
15555 		return -EINVAL;
15556 
15557 	/* don't allow switching to DFS channels */
15558 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15559 		return -EINVAL;
15560 
15561 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15562 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15563 
15564 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15565 }
15566 
15567 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15568 					      struct genl_info *info)
15569 {
15570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15571 	struct net_device *dev = info->user_ptr[1];
15572 	const u8 *addr;
15573 
15574 	if (!rdev->ops->tdls_channel_switch ||
15575 	    !rdev->ops->tdls_cancel_channel_switch ||
15576 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15577 		return -EOPNOTSUPP;
15578 
15579 	switch (dev->ieee80211_ptr->iftype) {
15580 	case NL80211_IFTYPE_STATION:
15581 	case NL80211_IFTYPE_P2P_CLIENT:
15582 		break;
15583 	default:
15584 		return -EOPNOTSUPP;
15585 	}
15586 
15587 	if (!info->attrs[NL80211_ATTR_MAC])
15588 		return -EINVAL;
15589 
15590 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15591 
15592 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15593 
15594 	return 0;
15595 }
15596 
15597 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15598 					    struct genl_info *info)
15599 {
15600 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15601 	struct net_device *dev = info->user_ptr[1];
15602 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15603 	const struct nlattr *nla;
15604 	bool enabled;
15605 
15606 	if (!rdev->ops->set_multicast_to_unicast)
15607 		return -EOPNOTSUPP;
15608 
15609 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15610 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15611 		return -EOPNOTSUPP;
15612 
15613 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15614 	enabled = nla_get_flag(nla);
15615 
15616 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15617 }
15618 
15619 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15620 {
15621 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15622 	struct net_device *dev = info->user_ptr[1];
15623 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15624 	struct cfg80211_pmk_conf pmk_conf = {};
15625 
15626 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15627 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15628 		return -EOPNOTSUPP;
15629 
15630 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15631 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15632 		return -EOPNOTSUPP;
15633 
15634 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15635 		return -EINVAL;
15636 
15637 	if (!wdev->connected)
15638 		return -ENOTCONN;
15639 
15640 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15641 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15642 		return -EINVAL;
15643 
15644 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15645 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15646 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15647 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15648 		return -EINVAL;
15649 
15650 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15651 		pmk_conf.pmk_r0_name =
15652 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15653 
15654 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15655 }
15656 
15657 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15658 {
15659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15660 	struct net_device *dev = info->user_ptr[1];
15661 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15662 	const u8 *aa;
15663 
15664 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15665 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15666 		return -EOPNOTSUPP;
15667 
15668 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15669 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15670 		return -EOPNOTSUPP;
15671 
15672 	if (!info->attrs[NL80211_ATTR_MAC])
15673 		return -EINVAL;
15674 
15675 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15676 	return rdev_del_pmk(rdev, dev, aa);
15677 }
15678 
15679 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15680 {
15681 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15682 	struct net_device *dev = info->user_ptr[1];
15683 	struct cfg80211_external_auth_params params;
15684 
15685 	if (!rdev->ops->external_auth)
15686 		return -EOPNOTSUPP;
15687 
15688 	if (!info->attrs[NL80211_ATTR_SSID] &&
15689 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15690 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15691 		return -EINVAL;
15692 
15693 	if (!info->attrs[NL80211_ATTR_BSSID])
15694 		return -EINVAL;
15695 
15696 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15697 		return -EINVAL;
15698 
15699 	memset(&params, 0, sizeof(params));
15700 
15701 	if (info->attrs[NL80211_ATTR_SSID]) {
15702 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15703 		if (params.ssid.ssid_len == 0)
15704 			return -EINVAL;
15705 		memcpy(params.ssid.ssid,
15706 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15707 		       params.ssid.ssid_len);
15708 	}
15709 
15710 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15711 	       ETH_ALEN);
15712 
15713 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15714 
15715 	if (info->attrs[NL80211_ATTR_PMKID])
15716 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15717 
15718 	return rdev_external_auth(rdev, dev, &params);
15719 }
15720 
15721 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15722 {
15723 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15724 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15725 	struct net_device *dev = info->user_ptr[1];
15726 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15727 	const u8 *buf;
15728 	size_t len;
15729 	u8 *dest;
15730 	u16 proto;
15731 	bool noencrypt;
15732 	u64 cookie = 0;
15733 	int link_id;
15734 	int err;
15735 
15736 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15737 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15738 		return -EOPNOTSUPP;
15739 
15740 	if (!rdev->ops->tx_control_port)
15741 		return -EOPNOTSUPP;
15742 
15743 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15744 	    !info->attrs[NL80211_ATTR_MAC] ||
15745 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15746 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15747 		return -EINVAL;
15748 	}
15749 
15750 	switch (wdev->iftype) {
15751 	case NL80211_IFTYPE_AP:
15752 	case NL80211_IFTYPE_P2P_GO:
15753 	case NL80211_IFTYPE_MESH_POINT:
15754 		break;
15755 	case NL80211_IFTYPE_ADHOC:
15756 		if (wdev->u.ibss.current_bss)
15757 			break;
15758 		return -ENOTCONN;
15759 	case NL80211_IFTYPE_STATION:
15760 	case NL80211_IFTYPE_P2P_CLIENT:
15761 		if (wdev->connected)
15762 			break;
15763 		return -ENOTCONN;
15764 	default:
15765 		return -EOPNOTSUPP;
15766 	}
15767 
15768 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15769 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15770 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15771 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15772 	noencrypt =
15773 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15774 
15775 	link_id = nl80211_link_id_or_invalid(info->attrs);
15776 
15777 	err = rdev_tx_control_port(rdev, dev, buf, len,
15778 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15779 				   dont_wait_for_ack ? NULL : &cookie);
15780 	if (!err && !dont_wait_for_ack)
15781 		nl_set_extack_cookie_u64(info->extack, cookie);
15782 	return err;
15783 }
15784 
15785 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15786 					   struct genl_info *info)
15787 {
15788 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15789 	struct net_device *dev = info->user_ptr[1];
15790 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15791 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15792 	unsigned int link_id = nl80211_link_id(info->attrs);
15793 	struct sk_buff *msg;
15794 	void *hdr;
15795 	struct nlattr *ftm_stats_attr;
15796 	int err;
15797 
15798 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15799 	    !wdev->links[link_id].ap.beacon_interval)
15800 		return -EOPNOTSUPP;
15801 
15802 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15803 	if (err)
15804 		return err;
15805 
15806 	if (!ftm_stats.filled)
15807 		return -ENODATA;
15808 
15809 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15810 	if (!msg)
15811 		return -ENOMEM;
15812 
15813 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15814 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15815 	if (!hdr)
15816 		goto nla_put_failure;
15817 
15818 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15819 		goto nla_put_failure;
15820 
15821 	ftm_stats_attr = nla_nest_start_noflag(msg,
15822 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15823 	if (!ftm_stats_attr)
15824 		goto nla_put_failure;
15825 
15826 #define SET_FTM(field, name, type)					 \
15827 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15828 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15829 			     ftm_stats.field))				 \
15830 		goto nla_put_failure; } while (0)
15831 #define SET_FTM_U64(field, name)					 \
15832 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15833 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15834 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15835 		goto nla_put_failure; } while (0)
15836 
15837 	SET_FTM(success_num, SUCCESS_NUM, u32);
15838 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15839 	SET_FTM(failed_num, FAILED_NUM, u32);
15840 	SET_FTM(asap_num, ASAP_NUM, u32);
15841 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15842 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15843 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15844 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15845 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15846 #undef SET_FTM
15847 
15848 	nla_nest_end(msg, ftm_stats_attr);
15849 
15850 	genlmsg_end(msg, hdr);
15851 	return genlmsg_reply(msg, info);
15852 
15853 nla_put_failure:
15854 	nlmsg_free(msg);
15855 	return -ENOBUFS;
15856 }
15857 
15858 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15859 {
15860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15861 	struct cfg80211_update_owe_info owe_info;
15862 	struct net_device *dev = info->user_ptr[1];
15863 
15864 	if (!rdev->ops->update_owe_info)
15865 		return -EOPNOTSUPP;
15866 
15867 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15868 	    !info->attrs[NL80211_ATTR_MAC])
15869 		return -EINVAL;
15870 
15871 	memset(&owe_info, 0, sizeof(owe_info));
15872 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15873 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15874 
15875 	if (info->attrs[NL80211_ATTR_IE]) {
15876 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15877 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15878 	}
15879 
15880 	return rdev_update_owe_info(rdev, dev, &owe_info);
15881 }
15882 
15883 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15884 {
15885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15886 	struct net_device *dev = info->user_ptr[1];
15887 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15888 	struct station_info sinfo = {};
15889 	const u8 *buf;
15890 	size_t len;
15891 	u8 *dest;
15892 	int err;
15893 
15894 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15895 		return -EOPNOTSUPP;
15896 
15897 	if (!info->attrs[NL80211_ATTR_MAC] ||
15898 	    !info->attrs[NL80211_ATTR_FRAME]) {
15899 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15900 		return -EINVAL;
15901 	}
15902 
15903 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15904 		return -EOPNOTSUPP;
15905 
15906 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15907 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15908 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15909 
15910 	if (len < sizeof(struct ethhdr))
15911 		return -EINVAL;
15912 
15913 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15914 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15915 		return -EINVAL;
15916 
15917 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15918 	if (err)
15919 		return err;
15920 
15921 	cfg80211_sinfo_release_content(&sinfo);
15922 
15923 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15924 }
15925 
15926 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15927 			  struct nlattr *attrs[], struct net_device *dev,
15928 			  struct cfg80211_tid_cfg *tid_conf,
15929 			  struct genl_info *info, const u8 *peer,
15930 			  unsigned int link_id)
15931 {
15932 	struct netlink_ext_ack *extack = info->extack;
15933 	u64 mask;
15934 	int err;
15935 
15936 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15937 		return -EINVAL;
15938 
15939 	tid_conf->config_override =
15940 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15941 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15942 
15943 	if (tid_conf->config_override) {
15944 		if (rdev->ops->reset_tid_config) {
15945 			err = rdev_reset_tid_config(rdev, dev, peer,
15946 						    tid_conf->tids);
15947 			if (err)
15948 				return err;
15949 		} else {
15950 			return -EINVAL;
15951 		}
15952 	}
15953 
15954 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15955 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15956 		tid_conf->noack =
15957 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15958 	}
15959 
15960 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15961 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15962 		tid_conf->retry_short =
15963 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15964 
15965 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15966 			return -EINVAL;
15967 	}
15968 
15969 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15970 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15971 		tid_conf->retry_long =
15972 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15973 
15974 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15975 			return -EINVAL;
15976 	}
15977 
15978 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15979 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15980 		tid_conf->ampdu =
15981 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15982 	}
15983 
15984 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15985 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15986 		tid_conf->rtscts =
15987 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15988 	}
15989 
15990 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15991 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15992 		tid_conf->amsdu =
15993 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15994 	}
15995 
15996 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15997 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15998 
15999 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16000 
16001 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16002 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16003 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16004 						    &tid_conf->txrate_mask, dev,
16005 						    true, link_id);
16006 			if (err)
16007 				return err;
16008 
16009 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16010 		}
16011 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16012 	}
16013 
16014 	if (peer)
16015 		mask = rdev->wiphy.tid_config_support.peer;
16016 	else
16017 		mask = rdev->wiphy.tid_config_support.vif;
16018 
16019 	if (tid_conf->mask & ~mask) {
16020 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16021 		return -EOPNOTSUPP;
16022 	}
16023 
16024 	return 0;
16025 }
16026 
16027 static int nl80211_set_tid_config(struct sk_buff *skb,
16028 				  struct genl_info *info)
16029 {
16030 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16031 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16032 	unsigned int link_id = nl80211_link_id(info->attrs);
16033 	struct net_device *dev = info->user_ptr[1];
16034 	struct cfg80211_tid_config *tid_config;
16035 	struct nlattr *tid;
16036 	int conf_idx = 0, rem_conf;
16037 	int ret = -EINVAL;
16038 	u32 num_conf = 0;
16039 
16040 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16041 		return -EINVAL;
16042 
16043 	if (!rdev->ops->set_tid_config)
16044 		return -EOPNOTSUPP;
16045 
16046 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16047 			    rem_conf)
16048 		num_conf++;
16049 
16050 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16051 			     GFP_KERNEL);
16052 	if (!tid_config)
16053 		return -ENOMEM;
16054 
16055 	tid_config->n_tid_conf = num_conf;
16056 
16057 	if (info->attrs[NL80211_ATTR_MAC])
16058 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16059 
16060 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16061 			    rem_conf) {
16062 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16063 				       tid, NULL, NULL);
16064 
16065 		if (ret)
16066 			goto bad_tid_conf;
16067 
16068 		ret = parse_tid_conf(rdev, attrs, dev,
16069 				     &tid_config->tid_conf[conf_idx],
16070 				     info, tid_config->peer, link_id);
16071 		if (ret)
16072 			goto bad_tid_conf;
16073 
16074 		conf_idx++;
16075 	}
16076 
16077 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16078 
16079 bad_tid_conf:
16080 	kfree(tid_config);
16081 	return ret;
16082 }
16083 
16084 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16085 {
16086 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16087 	struct cfg80211_color_change_settings params = {};
16088 	struct net_device *dev = info->user_ptr[1];
16089 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16090 	struct nlattr **tb;
16091 	u16 offset;
16092 	int err;
16093 
16094 	if (!rdev->ops->color_change)
16095 		return -EOPNOTSUPP;
16096 
16097 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16098 				     NL80211_EXT_FEATURE_BSS_COLOR))
16099 		return -EOPNOTSUPP;
16100 
16101 	if (wdev->iftype != NL80211_IFTYPE_AP)
16102 		return -EOPNOTSUPP;
16103 
16104 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16105 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16106 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16107 		return -EINVAL;
16108 
16109 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16110 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16111 
16112 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16113 				   info->extack);
16114 	if (err)
16115 		return err;
16116 
16117 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16118 	if (!tb)
16119 		return -ENOMEM;
16120 
16121 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16122 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16123 			       nl80211_policy, info->extack);
16124 	if (err)
16125 		goto out;
16126 
16127 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16128 				   info->extack);
16129 	if (err)
16130 		goto out;
16131 
16132 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16133 		err = -EINVAL;
16134 		goto out;
16135 	}
16136 
16137 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16138 		err = -EINVAL;
16139 		goto out;
16140 	}
16141 
16142 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16143 	if (offset >= params.beacon_color_change.tail_len) {
16144 		err = -EINVAL;
16145 		goto out;
16146 	}
16147 
16148 	if (params.beacon_color_change.tail[offset] != params.count) {
16149 		err = -EINVAL;
16150 		goto out;
16151 	}
16152 
16153 	params.counter_offset_beacon = offset;
16154 
16155 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16156 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16157 		    sizeof(u16)) {
16158 			err = -EINVAL;
16159 			goto out;
16160 		}
16161 
16162 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16163 		if (offset >= params.beacon_color_change.probe_resp_len) {
16164 			err = -EINVAL;
16165 			goto out;
16166 		}
16167 
16168 		if (params.beacon_color_change.probe_resp[offset] !=
16169 		    params.count) {
16170 			err = -EINVAL;
16171 			goto out;
16172 		}
16173 
16174 		params.counter_offset_presp = offset;
16175 	}
16176 
16177 	params.link_id = nl80211_link_id(info->attrs);
16178 	err = rdev_color_change(rdev, dev, &params);
16179 
16180 out:
16181 	kfree(params.beacon_next.mbssid_ies);
16182 	kfree(params.beacon_color_change.mbssid_ies);
16183 	kfree(params.beacon_next.rnr_ies);
16184 	kfree(params.beacon_color_change.rnr_ies);
16185 	kfree(tb);
16186 	return err;
16187 }
16188 
16189 static int nl80211_set_fils_aad(struct sk_buff *skb,
16190 				struct genl_info *info)
16191 {
16192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16193 	struct net_device *dev = info->user_ptr[1];
16194 	struct cfg80211_fils_aad fils_aad = {};
16195 	u8 *nonces;
16196 
16197 	if (!info->attrs[NL80211_ATTR_MAC] ||
16198 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16199 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16200 		return -EINVAL;
16201 
16202 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16203 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16204 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16205 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16206 	fils_aad.snonce = nonces;
16207 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16208 
16209 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16210 }
16211 
16212 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16213 {
16214 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16215 	unsigned int link_id = nl80211_link_id(info->attrs);
16216 	struct net_device *dev = info->user_ptr[1];
16217 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16218 	int ret;
16219 
16220 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16221 		return -EINVAL;
16222 
16223 	switch (wdev->iftype) {
16224 	case NL80211_IFTYPE_AP:
16225 		break;
16226 	default:
16227 		return -EINVAL;
16228 	}
16229 
16230 	if (!info->attrs[NL80211_ATTR_MAC] ||
16231 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16232 		return -EINVAL;
16233 
16234 	wdev->valid_links |= BIT(link_id);
16235 	ether_addr_copy(wdev->links[link_id].addr,
16236 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16237 
16238 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16239 	if (ret) {
16240 		wdev->valid_links &= ~BIT(link_id);
16241 		eth_zero_addr(wdev->links[link_id].addr);
16242 	}
16243 
16244 	return ret;
16245 }
16246 
16247 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16248 {
16249 	unsigned int link_id = nl80211_link_id(info->attrs);
16250 	struct net_device *dev = info->user_ptr[1];
16251 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16252 
16253 	/* cannot remove if there's no link */
16254 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16255 		return -EINVAL;
16256 
16257 	switch (wdev->iftype) {
16258 	case NL80211_IFTYPE_AP:
16259 		break;
16260 	default:
16261 		return -EINVAL;
16262 	}
16263 
16264 	cfg80211_remove_link(wdev, link_id);
16265 
16266 	return 0;
16267 }
16268 
16269 static int
16270 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16271 			     bool add)
16272 {
16273 	struct link_station_parameters params = {};
16274 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16275 	struct net_device *dev = info->user_ptr[1];
16276 	int err;
16277 
16278 	if ((add && !rdev->ops->add_link_station) ||
16279 	    (!add && !rdev->ops->mod_link_station))
16280 		return -EOPNOTSUPP;
16281 
16282 	if (add && !info->attrs[NL80211_ATTR_MAC])
16283 		return -EINVAL;
16284 
16285 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16286 		return -EINVAL;
16287 
16288 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16289 		return -EINVAL;
16290 
16291 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16292 
16293 	if (info->attrs[NL80211_ATTR_MAC]) {
16294 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16295 		if (!is_valid_ether_addr(params.link_mac))
16296 			return -EINVAL;
16297 	}
16298 
16299 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16300 		return -EINVAL;
16301 
16302 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16303 
16304 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16305 		params.supported_rates =
16306 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16307 		params.supported_rates_len =
16308 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16309 	}
16310 
16311 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16312 		params.ht_capa =
16313 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16314 
16315 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16316 		params.vht_capa =
16317 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16318 
16319 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16320 		params.he_capa =
16321 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16322 		params.he_capa_len =
16323 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16324 
16325 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16326 			params.eht_capa =
16327 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16328 			params.eht_capa_len =
16329 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16330 
16331 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16332 							(const u8 *)params.eht_capa,
16333 							params.eht_capa_len,
16334 							false))
16335 				return -EINVAL;
16336 		}
16337 	}
16338 
16339 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16340 		params.he_6ghz_capa =
16341 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16342 
16343 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16344 		params.opmode_notif_used = true;
16345 		params.opmode_notif =
16346 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16347 	}
16348 
16349 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16350 						&params.txpwr_set);
16351 	if (err)
16352 		return err;
16353 
16354 	if (add)
16355 		return rdev_add_link_station(rdev, dev, &params);
16356 
16357 	return rdev_mod_link_station(rdev, dev, &params);
16358 }
16359 
16360 static int
16361 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16362 {
16363 	return nl80211_add_mod_link_station(skb, info, true);
16364 }
16365 
16366 static int
16367 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16368 {
16369 	return nl80211_add_mod_link_station(skb, info, false);
16370 }
16371 
16372 static int
16373 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16374 {
16375 	struct link_station_del_parameters params = {};
16376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16377 	struct net_device *dev = info->user_ptr[1];
16378 
16379 	if (!rdev->ops->del_link_station)
16380 		return -EOPNOTSUPP;
16381 
16382 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16383 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16384 		return -EINVAL;
16385 
16386 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16387 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16388 
16389 	return rdev_del_link_station(rdev, dev, &params);
16390 }
16391 
16392 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16393 				    struct genl_info *info)
16394 {
16395 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16396 	struct net_device *dev = info->user_ptr[1];
16397 	struct cfg80211_set_hw_timestamp hwts = {};
16398 
16399 	if (!rdev->wiphy.hw_timestamp_max_peers)
16400 		return -EOPNOTSUPP;
16401 
16402 	if (!info->attrs[NL80211_ATTR_MAC] &&
16403 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16404 		return -EOPNOTSUPP;
16405 
16406 	if (info->attrs[NL80211_ATTR_MAC])
16407 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16408 
16409 	hwts.enable =
16410 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16411 
16412 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16413 }
16414 
16415 static int
16416 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16417 {
16418 	struct cfg80211_ttlm_params params = {};
16419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16420 	struct net_device *dev = info->user_ptr[1];
16421 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16422 
16423 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16424 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16425 		return -EOPNOTSUPP;
16426 
16427 	if (!wdev->connected)
16428 		return -ENOLINK;
16429 
16430 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16431 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16432 		return -EINVAL;
16433 
16434 	nla_memcpy(params.dlink,
16435 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16436 		   sizeof(params.dlink));
16437 	nla_memcpy(params.ulink,
16438 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16439 		   sizeof(params.ulink));
16440 
16441 	return rdev_set_ttlm(rdev, dev, &params);
16442 }
16443 
16444 #define NL80211_FLAG_NEED_WIPHY		0x01
16445 #define NL80211_FLAG_NEED_NETDEV	0x02
16446 #define NL80211_FLAG_NEED_RTNL		0x04
16447 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16448 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16449 					 NL80211_FLAG_CHECK_NETDEV_UP)
16450 #define NL80211_FLAG_NEED_WDEV		0x10
16451 /* If a netdev is associated, it must be UP, P2P must be started */
16452 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16453 					 NL80211_FLAG_CHECK_NETDEV_UP)
16454 #define NL80211_FLAG_CLEAR_SKB		0x20
16455 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16456 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16457 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16458 
16459 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16460 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16461 	SELECTOR(__sel, WIPHY,				\
16462 		 NL80211_FLAG_NEED_WIPHY)		\
16463 	SELECTOR(__sel, WDEV,				\
16464 		 NL80211_FLAG_NEED_WDEV)		\
16465 	SELECTOR(__sel, NETDEV,				\
16466 		 NL80211_FLAG_NEED_NETDEV)		\
16467 	SELECTOR(__sel, NETDEV_LINK,			\
16468 		 NL80211_FLAG_NEED_NETDEV |		\
16469 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16470 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16471 		 NL80211_FLAG_NEED_NETDEV |		\
16472 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16473 	SELECTOR(__sel, WIPHY_RTNL,			\
16474 		 NL80211_FLAG_NEED_WIPHY |		\
16475 		 NL80211_FLAG_NEED_RTNL)		\
16476 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16477 		 NL80211_FLAG_NEED_WIPHY |		\
16478 		 NL80211_FLAG_NEED_RTNL |		\
16479 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16480 	SELECTOR(__sel, WDEV_RTNL,			\
16481 		 NL80211_FLAG_NEED_WDEV |		\
16482 		 NL80211_FLAG_NEED_RTNL)		\
16483 	SELECTOR(__sel, NETDEV_RTNL,			\
16484 		 NL80211_FLAG_NEED_NETDEV |		\
16485 		 NL80211_FLAG_NEED_RTNL)		\
16486 	SELECTOR(__sel, NETDEV_UP,			\
16487 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16488 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16489 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16490 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16491 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16492 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16493 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16494 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16495 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16496 		 NL80211_FLAG_CLEAR_SKB |		\
16497 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16498 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16499 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16500 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16501 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16502 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16503 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16504 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16505 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16506 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16507 		 NL80211_FLAG_CLEAR_SKB)		\
16508 	SELECTOR(__sel, WDEV_UP,			\
16509 		 NL80211_FLAG_NEED_WDEV_UP)		\
16510 	SELECTOR(__sel, WDEV_UP_LINK,			\
16511 		 NL80211_FLAG_NEED_WDEV_UP |		\
16512 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16513 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16514 		 NL80211_FLAG_NEED_WDEV_UP |		\
16515 		 NL80211_FLAG_NEED_RTNL)		\
16516 	SELECTOR(__sel, WIPHY_CLEAR,			\
16517 		 NL80211_FLAG_NEED_WIPHY |		\
16518 		 NL80211_FLAG_CLEAR_SKB)
16519 
16520 enum nl80211_internal_flags_selector {
16521 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16522 	INTERNAL_FLAG_SELECTORS(_)
16523 #undef SELECTOR
16524 };
16525 
16526 static u32 nl80211_internal_flags[] = {
16527 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16528 	INTERNAL_FLAG_SELECTORS(_)
16529 #undef SELECTOR
16530 };
16531 
16532 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16533 			    struct sk_buff *skb,
16534 			    struct genl_info *info)
16535 {
16536 	struct cfg80211_registered_device *rdev = NULL;
16537 	struct wireless_dev *wdev = NULL;
16538 	struct net_device *dev = NULL;
16539 	u32 internal_flags;
16540 	int err;
16541 
16542 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16543 		return -EINVAL;
16544 
16545 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16546 
16547 	rtnl_lock();
16548 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16549 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16550 		if (IS_ERR(rdev)) {
16551 			err = PTR_ERR(rdev);
16552 			goto out_unlock;
16553 		}
16554 		info->user_ptr[0] = rdev;
16555 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16556 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16557 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16558 						  info->attrs);
16559 		if (IS_ERR(wdev)) {
16560 			err = PTR_ERR(wdev);
16561 			goto out_unlock;
16562 		}
16563 
16564 		dev = wdev->netdev;
16565 		dev_hold(dev);
16566 		rdev = wiphy_to_rdev(wdev->wiphy);
16567 
16568 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16569 			if (!dev) {
16570 				err = -EINVAL;
16571 				goto out_unlock;
16572 			}
16573 
16574 			info->user_ptr[1] = dev;
16575 		} else {
16576 			info->user_ptr[1] = wdev;
16577 		}
16578 
16579 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16580 		    !wdev_running(wdev)) {
16581 			err = -ENETDOWN;
16582 			goto out_unlock;
16583 		}
16584 
16585 		info->user_ptr[0] = rdev;
16586 	}
16587 
16588 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16589 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16590 
16591 		if (!wdev) {
16592 			err = -EINVAL;
16593 			goto out_unlock;
16594 		}
16595 
16596 		/* MLO -> require valid link ID */
16597 		if (wdev->valid_links &&
16598 		    (!link_id ||
16599 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16600 			err = -EINVAL;
16601 			goto out_unlock;
16602 		}
16603 
16604 		/* non-MLO -> no link ID attribute accepted */
16605 		if (!wdev->valid_links && link_id) {
16606 			err = -EINVAL;
16607 			goto out_unlock;
16608 		}
16609 	}
16610 
16611 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16612 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16613 		    (wdev && wdev->valid_links)) {
16614 			err = -EINVAL;
16615 			goto out_unlock;
16616 		}
16617 	}
16618 
16619 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16620 		wiphy_lock(&rdev->wiphy);
16621 		/* we keep the mutex locked until post_doit */
16622 		__release(&rdev->wiphy.mtx);
16623 	}
16624 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16625 		rtnl_unlock();
16626 
16627 	return 0;
16628 out_unlock:
16629 	rtnl_unlock();
16630 	dev_put(dev);
16631 	return err;
16632 }
16633 
16634 static void nl80211_post_doit(const struct genl_split_ops *ops,
16635 			      struct sk_buff *skb,
16636 			      struct genl_info *info)
16637 {
16638 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16639 
16640 	if (info->user_ptr[1]) {
16641 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16642 			struct wireless_dev *wdev = info->user_ptr[1];
16643 
16644 			dev_put(wdev->netdev);
16645 		} else {
16646 			dev_put(info->user_ptr[1]);
16647 		}
16648 	}
16649 
16650 	if (info->user_ptr[0] &&
16651 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16652 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16653 
16654 		/* we kept the mutex locked since pre_doit */
16655 		__acquire(&rdev->wiphy.mtx);
16656 		wiphy_unlock(&rdev->wiphy);
16657 	}
16658 
16659 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16660 		rtnl_unlock();
16661 
16662 	/* If needed, clear the netlink message payload from the SKB
16663 	 * as it might contain key data that shouldn't stick around on
16664 	 * the heap after the SKB is freed. The netlink message header
16665 	 * is still needed for further processing, so leave it intact.
16666 	 */
16667 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16668 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16669 
16670 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16671 	}
16672 }
16673 
16674 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16675 				     struct cfg80211_sar_specs *sar_specs,
16676 				     struct nlattr *spec[], int index)
16677 {
16678 	u32 range_index, i;
16679 
16680 	if (!sar_specs || !spec)
16681 		return -EINVAL;
16682 
16683 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16684 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16685 		return -EINVAL;
16686 
16687 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16688 
16689 	/* check if range_index exceeds num_freq_ranges */
16690 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16691 		return -EINVAL;
16692 
16693 	/* check if range_index duplicates */
16694 	for (i = 0; i < index; i++) {
16695 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16696 			return -EINVAL;
16697 	}
16698 
16699 	sar_specs->sub_specs[index].power =
16700 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16701 
16702 	sar_specs->sub_specs[index].freq_range_index = range_index;
16703 
16704 	return 0;
16705 }
16706 
16707 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16708 {
16709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16710 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16711 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16712 	struct cfg80211_sar_specs *sar_spec;
16713 	enum nl80211_sar_type type;
16714 	struct nlattr *spec_list;
16715 	u32 specs;
16716 	int rem, err;
16717 
16718 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16719 		return -EOPNOTSUPP;
16720 
16721 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16722 		return -EINVAL;
16723 
16724 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16725 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16726 			 NULL, NULL);
16727 
16728 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16729 		return -EINVAL;
16730 
16731 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16732 	if (type != rdev->wiphy.sar_capa->type)
16733 		return -EINVAL;
16734 
16735 	specs = 0;
16736 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16737 		specs++;
16738 
16739 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16740 		return -EINVAL;
16741 
16742 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16743 	if (!sar_spec)
16744 		return -ENOMEM;
16745 
16746 	sar_spec->type = type;
16747 	specs = 0;
16748 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16749 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16750 				 spec_list, NULL, NULL);
16751 
16752 		switch (type) {
16753 		case NL80211_SAR_TYPE_POWER:
16754 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16755 						      spec, specs)) {
16756 				err = -EINVAL;
16757 				goto error;
16758 			}
16759 			break;
16760 		default:
16761 			err = -EINVAL;
16762 			goto error;
16763 		}
16764 		specs++;
16765 	}
16766 
16767 	sar_spec->num_sub_specs = specs;
16768 
16769 	rdev->cur_cmd_info = info;
16770 	err = rdev_set_sar_specs(rdev, sar_spec);
16771 	rdev->cur_cmd_info = NULL;
16772 error:
16773 	kfree(sar_spec);
16774 	return err;
16775 }
16776 
16777 #define SELECTOR(__sel, name, value) \
16778 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16779 int __missing_selector(void);
16780 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16781 
16782 static const struct genl_ops nl80211_ops[] = {
16783 	{
16784 		.cmd = NL80211_CMD_GET_WIPHY,
16785 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16786 		.doit = nl80211_get_wiphy,
16787 		.dumpit = nl80211_dump_wiphy,
16788 		.done = nl80211_dump_wiphy_done,
16789 		/* can be retrieved by unprivileged users */
16790 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16791 	},
16792 };
16793 
16794 static const struct genl_small_ops nl80211_small_ops[] = {
16795 	{
16796 		.cmd = NL80211_CMD_SET_WIPHY,
16797 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16798 		.doit = nl80211_set_wiphy,
16799 		.flags = GENL_UNS_ADMIN_PERM,
16800 	},
16801 	{
16802 		.cmd = NL80211_CMD_GET_INTERFACE,
16803 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16804 		.doit = nl80211_get_interface,
16805 		.dumpit = nl80211_dump_interface,
16806 		/* can be retrieved by unprivileged users */
16807 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16808 	},
16809 	{
16810 		.cmd = NL80211_CMD_SET_INTERFACE,
16811 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16812 		.doit = nl80211_set_interface,
16813 		.flags = GENL_UNS_ADMIN_PERM,
16814 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16815 					 NL80211_FLAG_NEED_RTNL),
16816 	},
16817 	{
16818 		.cmd = NL80211_CMD_NEW_INTERFACE,
16819 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16820 		.doit = nl80211_new_interface,
16821 		.flags = GENL_UNS_ADMIN_PERM,
16822 		.internal_flags =
16823 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16824 			       NL80211_FLAG_NEED_RTNL |
16825 			       /* we take the wiphy mutex later ourselves */
16826 			       NL80211_FLAG_NO_WIPHY_MTX),
16827 	},
16828 	{
16829 		.cmd = NL80211_CMD_DEL_INTERFACE,
16830 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16831 		.doit = nl80211_del_interface,
16832 		.flags = GENL_UNS_ADMIN_PERM,
16833 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16834 					 NL80211_FLAG_NEED_RTNL),
16835 	},
16836 	{
16837 		.cmd = NL80211_CMD_GET_KEY,
16838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16839 		.doit = nl80211_get_key,
16840 		.flags = GENL_UNS_ADMIN_PERM,
16841 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16842 	},
16843 	{
16844 		.cmd = NL80211_CMD_SET_KEY,
16845 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16846 		.doit = nl80211_set_key,
16847 		.flags = GENL_UNS_ADMIN_PERM,
16848 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16849 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16850 					 NL80211_FLAG_CLEAR_SKB),
16851 	},
16852 	{
16853 		.cmd = NL80211_CMD_NEW_KEY,
16854 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16855 		.doit = nl80211_new_key,
16856 		.flags = GENL_UNS_ADMIN_PERM,
16857 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16858 					 NL80211_FLAG_CLEAR_SKB),
16859 	},
16860 	{
16861 		.cmd = NL80211_CMD_DEL_KEY,
16862 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16863 		.doit = nl80211_del_key,
16864 		.flags = GENL_UNS_ADMIN_PERM,
16865 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16866 	},
16867 	{
16868 		.cmd = NL80211_CMD_SET_BEACON,
16869 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16870 		.flags = GENL_UNS_ADMIN_PERM,
16871 		.doit = nl80211_set_beacon,
16872 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16873 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16874 	},
16875 	{
16876 		.cmd = NL80211_CMD_START_AP,
16877 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16878 		.flags = GENL_UNS_ADMIN_PERM,
16879 		.doit = nl80211_start_ap,
16880 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16881 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16882 	},
16883 	{
16884 		.cmd = NL80211_CMD_STOP_AP,
16885 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16886 		.flags = GENL_UNS_ADMIN_PERM,
16887 		.doit = nl80211_stop_ap,
16888 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16889 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16890 	},
16891 	{
16892 		.cmd = NL80211_CMD_GET_STATION,
16893 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16894 		.doit = nl80211_get_station,
16895 		.dumpit = nl80211_dump_station,
16896 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16897 	},
16898 	{
16899 		.cmd = NL80211_CMD_SET_STATION,
16900 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16901 		.doit = nl80211_set_station,
16902 		.flags = GENL_UNS_ADMIN_PERM,
16903 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16904 	},
16905 	{
16906 		.cmd = NL80211_CMD_NEW_STATION,
16907 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16908 		.doit = nl80211_new_station,
16909 		.flags = GENL_UNS_ADMIN_PERM,
16910 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16911 	},
16912 	{
16913 		.cmd = NL80211_CMD_DEL_STATION,
16914 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16915 		.doit = nl80211_del_station,
16916 		.flags = GENL_UNS_ADMIN_PERM,
16917 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
16918 		 * whether MAC address is passed or not. If MAC address is
16919 		 * passed, then even during MLO, link ID is not required.
16920 		 */
16921 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16922 	},
16923 	{
16924 		.cmd = NL80211_CMD_GET_MPATH,
16925 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16926 		.doit = nl80211_get_mpath,
16927 		.dumpit = nl80211_dump_mpath,
16928 		.flags = GENL_UNS_ADMIN_PERM,
16929 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16930 	},
16931 	{
16932 		.cmd = NL80211_CMD_GET_MPP,
16933 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16934 		.doit = nl80211_get_mpp,
16935 		.dumpit = nl80211_dump_mpp,
16936 		.flags = GENL_UNS_ADMIN_PERM,
16937 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16938 	},
16939 	{
16940 		.cmd = NL80211_CMD_SET_MPATH,
16941 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16942 		.doit = nl80211_set_mpath,
16943 		.flags = GENL_UNS_ADMIN_PERM,
16944 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16945 	},
16946 	{
16947 		.cmd = NL80211_CMD_NEW_MPATH,
16948 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16949 		.doit = nl80211_new_mpath,
16950 		.flags = GENL_UNS_ADMIN_PERM,
16951 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16952 	},
16953 	{
16954 		.cmd = NL80211_CMD_DEL_MPATH,
16955 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16956 		.doit = nl80211_del_mpath,
16957 		.flags = GENL_UNS_ADMIN_PERM,
16958 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16959 	},
16960 	{
16961 		.cmd = NL80211_CMD_SET_BSS,
16962 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16963 		.doit = nl80211_set_bss,
16964 		.flags = GENL_UNS_ADMIN_PERM,
16965 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16966 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16967 	},
16968 	{
16969 		.cmd = NL80211_CMD_GET_REG,
16970 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16971 		.doit = nl80211_get_reg_do,
16972 		.dumpit = nl80211_get_reg_dump,
16973 		/* can be retrieved by unprivileged users */
16974 	},
16975 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16976 	{
16977 		.cmd = NL80211_CMD_SET_REG,
16978 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16979 		.doit = nl80211_set_reg,
16980 		.flags = GENL_ADMIN_PERM,
16981 	},
16982 #endif
16983 	{
16984 		.cmd = NL80211_CMD_REQ_SET_REG,
16985 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16986 		.doit = nl80211_req_set_reg,
16987 		.flags = GENL_ADMIN_PERM,
16988 	},
16989 	{
16990 		.cmd = NL80211_CMD_RELOAD_REGDB,
16991 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16992 		.doit = nl80211_reload_regdb,
16993 		.flags = GENL_ADMIN_PERM,
16994 	},
16995 	{
16996 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16997 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16998 		.doit = nl80211_get_mesh_config,
16999 		/* can be retrieved by unprivileged users */
17000 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17001 	},
17002 	{
17003 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17004 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17005 		.doit = nl80211_update_mesh_config,
17006 		.flags = GENL_UNS_ADMIN_PERM,
17007 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17008 	},
17009 	{
17010 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17011 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17012 		.doit = nl80211_trigger_scan,
17013 		.flags = GENL_UNS_ADMIN_PERM,
17014 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17015 	},
17016 	{
17017 		.cmd = NL80211_CMD_ABORT_SCAN,
17018 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17019 		.doit = nl80211_abort_scan,
17020 		.flags = GENL_UNS_ADMIN_PERM,
17021 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17022 	},
17023 	{
17024 		.cmd = NL80211_CMD_GET_SCAN,
17025 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17026 		.dumpit = nl80211_dump_scan,
17027 	},
17028 	{
17029 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17030 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17031 		.doit = nl80211_start_sched_scan,
17032 		.flags = GENL_UNS_ADMIN_PERM,
17033 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17034 	},
17035 	{
17036 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17037 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17038 		.doit = nl80211_stop_sched_scan,
17039 		.flags = GENL_UNS_ADMIN_PERM,
17040 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17041 	},
17042 	{
17043 		.cmd = NL80211_CMD_AUTHENTICATE,
17044 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17045 		.doit = nl80211_authenticate,
17046 		.flags = GENL_UNS_ADMIN_PERM,
17047 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17048 					 NL80211_FLAG_CLEAR_SKB),
17049 	},
17050 	{
17051 		.cmd = NL80211_CMD_ASSOCIATE,
17052 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17053 		.doit = nl80211_associate,
17054 		.flags = GENL_UNS_ADMIN_PERM,
17055 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17056 					 NL80211_FLAG_CLEAR_SKB),
17057 	},
17058 	{
17059 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17060 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17061 		.doit = nl80211_deauthenticate,
17062 		.flags = GENL_UNS_ADMIN_PERM,
17063 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17064 	},
17065 	{
17066 		.cmd = NL80211_CMD_DISASSOCIATE,
17067 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17068 		.doit = nl80211_disassociate,
17069 		.flags = GENL_UNS_ADMIN_PERM,
17070 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17071 	},
17072 	{
17073 		.cmd = NL80211_CMD_JOIN_IBSS,
17074 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17075 		.doit = nl80211_join_ibss,
17076 		.flags = GENL_UNS_ADMIN_PERM,
17077 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17078 	},
17079 	{
17080 		.cmd = NL80211_CMD_LEAVE_IBSS,
17081 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17082 		.doit = nl80211_leave_ibss,
17083 		.flags = GENL_UNS_ADMIN_PERM,
17084 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17085 	},
17086 #ifdef CONFIG_NL80211_TESTMODE
17087 	{
17088 		.cmd = NL80211_CMD_TESTMODE,
17089 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17090 		.doit = nl80211_testmode_do,
17091 		.dumpit = nl80211_testmode_dump,
17092 		.flags = GENL_UNS_ADMIN_PERM,
17093 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17094 	},
17095 #endif
17096 	{
17097 		.cmd = NL80211_CMD_CONNECT,
17098 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17099 		.doit = nl80211_connect,
17100 		.flags = GENL_UNS_ADMIN_PERM,
17101 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17102 					 NL80211_FLAG_CLEAR_SKB),
17103 	},
17104 	{
17105 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17106 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17107 		.doit = nl80211_update_connect_params,
17108 		.flags = GENL_ADMIN_PERM,
17109 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17110 					 NL80211_FLAG_CLEAR_SKB),
17111 	},
17112 	{
17113 		.cmd = NL80211_CMD_DISCONNECT,
17114 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17115 		.doit = nl80211_disconnect,
17116 		.flags = GENL_UNS_ADMIN_PERM,
17117 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17118 	},
17119 	{
17120 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17121 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17122 		.doit = nl80211_wiphy_netns,
17123 		.flags = GENL_UNS_ADMIN_PERM,
17124 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17125 					 NL80211_FLAG_NEED_RTNL |
17126 					 NL80211_FLAG_NO_WIPHY_MTX),
17127 	},
17128 	{
17129 		.cmd = NL80211_CMD_GET_SURVEY,
17130 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17131 		.dumpit = nl80211_dump_survey,
17132 	},
17133 	{
17134 		.cmd = NL80211_CMD_SET_PMKSA,
17135 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17136 		.doit = nl80211_set_pmksa,
17137 		.flags = GENL_UNS_ADMIN_PERM,
17138 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17139 					 NL80211_FLAG_CLEAR_SKB),
17140 	},
17141 	{
17142 		.cmd = NL80211_CMD_DEL_PMKSA,
17143 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17144 		.doit = nl80211_del_pmksa,
17145 		.flags = GENL_UNS_ADMIN_PERM,
17146 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17147 	},
17148 	{
17149 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17150 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17151 		.doit = nl80211_flush_pmksa,
17152 		.flags = GENL_UNS_ADMIN_PERM,
17153 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17154 	},
17155 	{
17156 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17157 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17158 		.doit = nl80211_remain_on_channel,
17159 		.flags = GENL_UNS_ADMIN_PERM,
17160 		/* FIXME: requiring a link ID here is probably not good */
17161 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17162 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17163 	},
17164 	{
17165 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17166 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17167 		.doit = nl80211_cancel_remain_on_channel,
17168 		.flags = GENL_UNS_ADMIN_PERM,
17169 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17170 	},
17171 	{
17172 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17173 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17174 		.doit = nl80211_set_tx_bitrate_mask,
17175 		.flags = GENL_UNS_ADMIN_PERM,
17176 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17177 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17178 	},
17179 	{
17180 		.cmd = NL80211_CMD_REGISTER_FRAME,
17181 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17182 		.doit = nl80211_register_mgmt,
17183 		.flags = GENL_UNS_ADMIN_PERM,
17184 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17185 	},
17186 	{
17187 		.cmd = NL80211_CMD_FRAME,
17188 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17189 		.doit = nl80211_tx_mgmt,
17190 		.flags = GENL_UNS_ADMIN_PERM,
17191 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17192 	},
17193 	{
17194 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17196 		.doit = nl80211_tx_mgmt_cancel_wait,
17197 		.flags = GENL_UNS_ADMIN_PERM,
17198 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17199 	},
17200 	{
17201 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17202 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17203 		.doit = nl80211_set_power_save,
17204 		.flags = GENL_UNS_ADMIN_PERM,
17205 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17206 	},
17207 	{
17208 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17209 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17210 		.doit = nl80211_get_power_save,
17211 		/* can be retrieved by unprivileged users */
17212 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17213 	},
17214 	{
17215 		.cmd = NL80211_CMD_SET_CQM,
17216 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17217 		.doit = nl80211_set_cqm,
17218 		.flags = GENL_UNS_ADMIN_PERM,
17219 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17220 	},
17221 	{
17222 		.cmd = NL80211_CMD_SET_CHANNEL,
17223 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17224 		.doit = nl80211_set_channel,
17225 		.flags = GENL_UNS_ADMIN_PERM,
17226 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17227 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17228 	},
17229 	{
17230 		.cmd = NL80211_CMD_JOIN_MESH,
17231 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17232 		.doit = nl80211_join_mesh,
17233 		.flags = GENL_UNS_ADMIN_PERM,
17234 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17235 	},
17236 	{
17237 		.cmd = NL80211_CMD_LEAVE_MESH,
17238 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17239 		.doit = nl80211_leave_mesh,
17240 		.flags = GENL_UNS_ADMIN_PERM,
17241 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17242 	},
17243 	{
17244 		.cmd = NL80211_CMD_JOIN_OCB,
17245 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17246 		.doit = nl80211_join_ocb,
17247 		.flags = GENL_UNS_ADMIN_PERM,
17248 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17249 	},
17250 	{
17251 		.cmd = NL80211_CMD_LEAVE_OCB,
17252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17253 		.doit = nl80211_leave_ocb,
17254 		.flags = GENL_UNS_ADMIN_PERM,
17255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17256 	},
17257 #ifdef CONFIG_PM
17258 	{
17259 		.cmd = NL80211_CMD_GET_WOWLAN,
17260 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17261 		.doit = nl80211_get_wowlan,
17262 		/* can be retrieved by unprivileged users */
17263 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17264 	},
17265 	{
17266 		.cmd = NL80211_CMD_SET_WOWLAN,
17267 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17268 		.doit = nl80211_set_wowlan,
17269 		.flags = GENL_UNS_ADMIN_PERM,
17270 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17271 	},
17272 #endif
17273 	{
17274 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17275 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17276 		.doit = nl80211_set_rekey_data,
17277 		.flags = GENL_UNS_ADMIN_PERM,
17278 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17279 					 NL80211_FLAG_CLEAR_SKB),
17280 	},
17281 	{
17282 		.cmd = NL80211_CMD_TDLS_MGMT,
17283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17284 		.doit = nl80211_tdls_mgmt,
17285 		.flags = GENL_UNS_ADMIN_PERM,
17286 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17287 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17288 	},
17289 	{
17290 		.cmd = NL80211_CMD_TDLS_OPER,
17291 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17292 		.doit = nl80211_tdls_oper,
17293 		.flags = GENL_UNS_ADMIN_PERM,
17294 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17295 	},
17296 	{
17297 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17298 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17299 		.doit = nl80211_register_unexpected_frame,
17300 		.flags = GENL_UNS_ADMIN_PERM,
17301 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17302 	},
17303 	{
17304 		.cmd = NL80211_CMD_PROBE_CLIENT,
17305 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17306 		.doit = nl80211_probe_client,
17307 		.flags = GENL_UNS_ADMIN_PERM,
17308 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17309 	},
17310 	{
17311 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17312 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17313 		.doit = nl80211_register_beacons,
17314 		.flags = GENL_UNS_ADMIN_PERM,
17315 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17316 	},
17317 	{
17318 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17319 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17320 		.doit = nl80211_set_noack_map,
17321 		.flags = GENL_UNS_ADMIN_PERM,
17322 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17323 	},
17324 	{
17325 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17326 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17327 		.doit = nl80211_start_p2p_device,
17328 		.flags = GENL_UNS_ADMIN_PERM,
17329 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17330 					 NL80211_FLAG_NEED_RTNL),
17331 	},
17332 	{
17333 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17334 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17335 		.doit = nl80211_stop_p2p_device,
17336 		.flags = GENL_UNS_ADMIN_PERM,
17337 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17338 					 NL80211_FLAG_NEED_RTNL),
17339 	},
17340 	{
17341 		.cmd = NL80211_CMD_START_NAN,
17342 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17343 		.doit = nl80211_start_nan,
17344 		.flags = GENL_ADMIN_PERM,
17345 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17346 					 NL80211_FLAG_NEED_RTNL),
17347 	},
17348 	{
17349 		.cmd = NL80211_CMD_STOP_NAN,
17350 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17351 		.doit = nl80211_stop_nan,
17352 		.flags = GENL_ADMIN_PERM,
17353 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17354 					 NL80211_FLAG_NEED_RTNL),
17355 	},
17356 	{
17357 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17358 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17359 		.doit = nl80211_nan_add_func,
17360 		.flags = GENL_ADMIN_PERM,
17361 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17362 	},
17363 	{
17364 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17365 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17366 		.doit = nl80211_nan_del_func,
17367 		.flags = GENL_ADMIN_PERM,
17368 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17369 	},
17370 	{
17371 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17372 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17373 		.doit = nl80211_nan_change_config,
17374 		.flags = GENL_ADMIN_PERM,
17375 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17376 	},
17377 	{
17378 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17379 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17380 		.doit = nl80211_set_mcast_rate,
17381 		.flags = GENL_UNS_ADMIN_PERM,
17382 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17383 	},
17384 	{
17385 		.cmd = NL80211_CMD_SET_MAC_ACL,
17386 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17387 		.doit = nl80211_set_mac_acl,
17388 		.flags = GENL_UNS_ADMIN_PERM,
17389 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17390 					 NL80211_FLAG_MLO_UNSUPPORTED),
17391 	},
17392 	{
17393 		.cmd = NL80211_CMD_RADAR_DETECT,
17394 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17395 		.doit = nl80211_start_radar_detection,
17396 		.flags = GENL_UNS_ADMIN_PERM,
17397 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17398 					 NL80211_FLAG_NO_WIPHY_MTX |
17399 					 NL80211_FLAG_MLO_UNSUPPORTED),
17400 	},
17401 	{
17402 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17403 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17404 		.doit = nl80211_get_protocol_features,
17405 	},
17406 	{
17407 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17408 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17409 		.doit = nl80211_update_ft_ies,
17410 		.flags = GENL_UNS_ADMIN_PERM,
17411 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17412 	},
17413 	{
17414 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17416 		.doit = nl80211_crit_protocol_start,
17417 		.flags = GENL_UNS_ADMIN_PERM,
17418 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17419 	},
17420 	{
17421 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17423 		.doit = nl80211_crit_protocol_stop,
17424 		.flags = GENL_UNS_ADMIN_PERM,
17425 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17426 	},
17427 	{
17428 		.cmd = NL80211_CMD_GET_COALESCE,
17429 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17430 		.doit = nl80211_get_coalesce,
17431 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17432 	},
17433 	{
17434 		.cmd = NL80211_CMD_SET_COALESCE,
17435 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17436 		.doit = nl80211_set_coalesce,
17437 		.flags = GENL_UNS_ADMIN_PERM,
17438 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17439 	},
17440 	{
17441 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17442 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17443 		.doit = nl80211_channel_switch,
17444 		.flags = GENL_UNS_ADMIN_PERM,
17445 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17446 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17447 	},
17448 	{
17449 		.cmd = NL80211_CMD_VENDOR,
17450 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17451 		.doit = nl80211_vendor_cmd,
17452 		.dumpit = nl80211_vendor_cmd_dump,
17453 		.flags = GENL_UNS_ADMIN_PERM,
17454 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17455 					 NL80211_FLAG_CLEAR_SKB),
17456 	},
17457 	{
17458 		.cmd = NL80211_CMD_SET_QOS_MAP,
17459 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17460 		.doit = nl80211_set_qos_map,
17461 		.flags = GENL_UNS_ADMIN_PERM,
17462 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17463 	},
17464 	{
17465 		.cmd = NL80211_CMD_ADD_TX_TS,
17466 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17467 		.doit = nl80211_add_tx_ts,
17468 		.flags = GENL_UNS_ADMIN_PERM,
17469 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17470 					 NL80211_FLAG_MLO_UNSUPPORTED),
17471 	},
17472 	{
17473 		.cmd = NL80211_CMD_DEL_TX_TS,
17474 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17475 		.doit = nl80211_del_tx_ts,
17476 		.flags = GENL_UNS_ADMIN_PERM,
17477 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17478 	},
17479 	{
17480 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17481 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17482 		.doit = nl80211_tdls_channel_switch,
17483 		.flags = GENL_UNS_ADMIN_PERM,
17484 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17485 	},
17486 	{
17487 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17488 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17489 		.doit = nl80211_tdls_cancel_channel_switch,
17490 		.flags = GENL_UNS_ADMIN_PERM,
17491 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17492 	},
17493 	{
17494 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17495 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17496 		.doit = nl80211_set_multicast_to_unicast,
17497 		.flags = GENL_UNS_ADMIN_PERM,
17498 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17499 	},
17500 	{
17501 		.cmd = NL80211_CMD_SET_PMK,
17502 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17503 		.doit = nl80211_set_pmk,
17504 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17505 					 NL80211_FLAG_CLEAR_SKB),
17506 	},
17507 	{
17508 		.cmd = NL80211_CMD_DEL_PMK,
17509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17510 		.doit = nl80211_del_pmk,
17511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17512 	},
17513 	{
17514 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17515 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17516 		.doit = nl80211_external_auth,
17517 		.flags = GENL_ADMIN_PERM,
17518 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17519 	},
17520 	{
17521 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17522 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17523 		.doit = nl80211_tx_control_port,
17524 		.flags = GENL_UNS_ADMIN_PERM,
17525 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17526 	},
17527 	{
17528 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17529 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17530 		.doit = nl80211_get_ftm_responder_stats,
17531 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17532 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17533 	},
17534 	{
17535 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17536 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17537 		.doit = nl80211_pmsr_start,
17538 		.flags = GENL_UNS_ADMIN_PERM,
17539 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17540 	},
17541 	{
17542 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17543 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17544 		.doit = nl80211_notify_radar_detection,
17545 		.flags = GENL_UNS_ADMIN_PERM,
17546 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17547 	},
17548 	{
17549 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17550 		.doit = nl80211_update_owe_info,
17551 		.flags = GENL_ADMIN_PERM,
17552 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17553 	},
17554 	{
17555 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17556 		.doit = nl80211_probe_mesh_link,
17557 		.flags = GENL_UNS_ADMIN_PERM,
17558 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17559 	},
17560 	{
17561 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17562 		.doit = nl80211_set_tid_config,
17563 		.flags = GENL_UNS_ADMIN_PERM,
17564 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17565 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17566 	},
17567 	{
17568 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17569 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17570 		.doit = nl80211_set_sar_specs,
17571 		.flags = GENL_UNS_ADMIN_PERM,
17572 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17573 					 NL80211_FLAG_NEED_RTNL),
17574 	},
17575 	{
17576 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17577 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17578 		.doit = nl80211_color_change,
17579 		.flags = GENL_UNS_ADMIN_PERM,
17580 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17581 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17582 	},
17583 	{
17584 		.cmd = NL80211_CMD_SET_FILS_AAD,
17585 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17586 		.doit = nl80211_set_fils_aad,
17587 		.flags = GENL_UNS_ADMIN_PERM,
17588 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17589 	},
17590 	{
17591 		.cmd = NL80211_CMD_ADD_LINK,
17592 		.doit = nl80211_add_link,
17593 		.flags = GENL_UNS_ADMIN_PERM,
17594 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17595 	},
17596 	{
17597 		.cmd = NL80211_CMD_REMOVE_LINK,
17598 		.doit = nl80211_remove_link,
17599 		.flags = GENL_UNS_ADMIN_PERM,
17600 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17601 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17602 	},
17603 	{
17604 		.cmd = NL80211_CMD_ADD_LINK_STA,
17605 		.doit = nl80211_add_link_station,
17606 		.flags = GENL_UNS_ADMIN_PERM,
17607 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17608 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17609 	},
17610 	{
17611 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17612 		.doit = nl80211_modify_link_station,
17613 		.flags = GENL_UNS_ADMIN_PERM,
17614 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17615 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17616 	},
17617 	{
17618 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17619 		.doit = nl80211_remove_link_station,
17620 		.flags = GENL_UNS_ADMIN_PERM,
17621 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17622 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17623 	},
17624 	{
17625 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17626 		.doit = nl80211_set_hw_timestamp,
17627 		.flags = GENL_UNS_ADMIN_PERM,
17628 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17629 	},
17630 	{
17631 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17632 		.doit = nl80211_set_ttlm,
17633 		.flags = GENL_UNS_ADMIN_PERM,
17634 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17635 	},
17636 };
17637 
17638 static struct genl_family nl80211_fam __ro_after_init = {
17639 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17640 	.hdrsize = 0,			/* no private header */
17641 	.version = 1,			/* no particular meaning now */
17642 	.maxattr = NL80211_ATTR_MAX,
17643 	.policy = nl80211_policy,
17644 	.netnsok = true,
17645 	.pre_doit = nl80211_pre_doit,
17646 	.post_doit = nl80211_post_doit,
17647 	.module = THIS_MODULE,
17648 	.ops = nl80211_ops,
17649 	.n_ops = ARRAY_SIZE(nl80211_ops),
17650 	.small_ops = nl80211_small_ops,
17651 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17652 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17653 	.mcgrps = nl80211_mcgrps,
17654 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17655 	.parallel_ops = true,
17656 };
17657 
17658 /* notification functions */
17659 
17660 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17661 			  enum nl80211_commands cmd)
17662 {
17663 	struct sk_buff *msg;
17664 	struct nl80211_dump_wiphy_state state = {};
17665 
17666 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17667 		cmd != NL80211_CMD_DEL_WIPHY);
17668 
17669 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17670 	if (!msg)
17671 		return;
17672 
17673 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17674 		nlmsg_free(msg);
17675 		return;
17676 	}
17677 
17678 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17679 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17680 }
17681 
17682 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17683 				struct wireless_dev *wdev,
17684 				enum nl80211_commands cmd)
17685 {
17686 	struct sk_buff *msg;
17687 
17688 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17689 	if (!msg)
17690 		return;
17691 
17692 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17693 		nlmsg_free(msg);
17694 		return;
17695 	}
17696 
17697 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17698 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17699 }
17700 
17701 static int nl80211_add_scan_req(struct sk_buff *msg,
17702 				struct cfg80211_registered_device *rdev)
17703 {
17704 	struct cfg80211_scan_request *req = rdev->scan_req;
17705 	struct nlattr *nest;
17706 	int i;
17707 	struct cfg80211_scan_info *info;
17708 
17709 	if (WARN_ON(!req))
17710 		return 0;
17711 
17712 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17713 	if (!nest)
17714 		goto nla_put_failure;
17715 	for (i = 0; i < req->n_ssids; i++) {
17716 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17717 			goto nla_put_failure;
17718 	}
17719 	nla_nest_end(msg, nest);
17720 
17721 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17722 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17723 		if (!nest)
17724 			goto nla_put_failure;
17725 		for (i = 0; i < req->n_channels; i++) {
17726 			if (nla_put_u32(msg, i,
17727 				   ieee80211_channel_to_khz(req->channels[i])))
17728 				goto nla_put_failure;
17729 		}
17730 		nla_nest_end(msg, nest);
17731 	} else {
17732 		nest = nla_nest_start_noflag(msg,
17733 					     NL80211_ATTR_SCAN_FREQUENCIES);
17734 		if (!nest)
17735 			goto nla_put_failure;
17736 		for (i = 0; i < req->n_channels; i++) {
17737 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17738 				goto nla_put_failure;
17739 		}
17740 		nla_nest_end(msg, nest);
17741 	}
17742 
17743 	if (req->ie &&
17744 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17745 		goto nla_put_failure;
17746 
17747 	if (req->flags &&
17748 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17749 		goto nla_put_failure;
17750 
17751 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17752 		&rdev->scan_req->info;
17753 	if (info->scan_start_tsf &&
17754 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17755 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17756 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17757 		     info->tsf_bssid)))
17758 		goto nla_put_failure;
17759 
17760 	return 0;
17761  nla_put_failure:
17762 	return -ENOBUFS;
17763 }
17764 
17765 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17766 				 struct cfg80211_registered_device *rdev,
17767 				 struct wireless_dev *wdev,
17768 				 u32 portid, u32 seq, int flags,
17769 				 u32 cmd)
17770 {
17771 	void *hdr;
17772 
17773 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17774 	if (!hdr)
17775 		return -1;
17776 
17777 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17778 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17779 					 wdev->netdev->ifindex)) ||
17780 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17781 			      NL80211_ATTR_PAD))
17782 		goto nla_put_failure;
17783 
17784 	/* ignore errors and send incomplete event anyway */
17785 	nl80211_add_scan_req(msg, rdev);
17786 
17787 	genlmsg_end(msg, hdr);
17788 	return 0;
17789 
17790  nla_put_failure:
17791 	genlmsg_cancel(msg, hdr);
17792 	return -EMSGSIZE;
17793 }
17794 
17795 static int
17796 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17797 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17798 {
17799 	void *hdr;
17800 
17801 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17802 	if (!hdr)
17803 		return -1;
17804 
17805 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17806 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17807 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17808 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17809 			      NL80211_ATTR_PAD))
17810 		goto nla_put_failure;
17811 
17812 	genlmsg_end(msg, hdr);
17813 	return 0;
17814 
17815  nla_put_failure:
17816 	genlmsg_cancel(msg, hdr);
17817 	return -EMSGSIZE;
17818 }
17819 
17820 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17821 			     struct wireless_dev *wdev)
17822 {
17823 	struct sk_buff *msg;
17824 
17825 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17826 	if (!msg)
17827 		return;
17828 
17829 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17830 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17831 		nlmsg_free(msg);
17832 		return;
17833 	}
17834 
17835 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17836 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17837 }
17838 
17839 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17840 				       struct wireless_dev *wdev, bool aborted)
17841 {
17842 	struct sk_buff *msg;
17843 
17844 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17845 	if (!msg)
17846 		return NULL;
17847 
17848 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17849 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17850 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17851 		nlmsg_free(msg);
17852 		return NULL;
17853 	}
17854 
17855 	return msg;
17856 }
17857 
17858 /* send message created by nl80211_build_scan_msg() */
17859 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17860 			   struct sk_buff *msg)
17861 {
17862 	if (!msg)
17863 		return;
17864 
17865 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17866 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17867 }
17868 
17869 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17870 {
17871 	struct sk_buff *msg;
17872 
17873 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17874 	if (!msg)
17875 		return;
17876 
17877 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17878 		nlmsg_free(msg);
17879 		return;
17880 	}
17881 
17882 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17883 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17884 }
17885 
17886 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17887 					  struct regulatory_request *request)
17888 {
17889 	/* Userspace can always count this one always being set */
17890 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17891 		goto nla_put_failure;
17892 
17893 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17894 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17895 			       NL80211_REGDOM_TYPE_WORLD))
17896 			goto nla_put_failure;
17897 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17898 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17899 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17900 			goto nla_put_failure;
17901 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17902 		   request->intersect) {
17903 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17904 			       NL80211_REGDOM_TYPE_INTERSECTION))
17905 			goto nla_put_failure;
17906 	} else {
17907 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17908 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17909 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17910 				   request->alpha2))
17911 			goto nla_put_failure;
17912 	}
17913 
17914 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17915 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17916 
17917 		if (wiphy &&
17918 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17919 			goto nla_put_failure;
17920 
17921 		if (wiphy &&
17922 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17923 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17924 			goto nla_put_failure;
17925 	}
17926 
17927 	return true;
17928 
17929 nla_put_failure:
17930 	return false;
17931 }
17932 
17933 /*
17934  * This can happen on global regulatory changes or device specific settings
17935  * based on custom regulatory domains.
17936  */
17937 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17938 				     struct regulatory_request *request)
17939 {
17940 	struct sk_buff *msg;
17941 	void *hdr;
17942 
17943 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17944 	if (!msg)
17945 		return;
17946 
17947 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17948 	if (!hdr)
17949 		goto nla_put_failure;
17950 
17951 	if (!nl80211_reg_change_event_fill(msg, request))
17952 		goto nla_put_failure;
17953 
17954 	genlmsg_end(msg, hdr);
17955 
17956 	rcu_read_lock();
17957 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17958 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17959 	rcu_read_unlock();
17960 
17961 	return;
17962 
17963 nla_put_failure:
17964 	nlmsg_free(msg);
17965 }
17966 
17967 struct nl80211_mlme_event {
17968 	enum nl80211_commands cmd;
17969 	const u8 *buf;
17970 	size_t buf_len;
17971 	int uapsd_queues;
17972 	const u8 *req_ies;
17973 	size_t req_ies_len;
17974 	bool reconnect;
17975 };
17976 
17977 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17978 				    struct net_device *netdev,
17979 				    const struct nl80211_mlme_event *event,
17980 				    gfp_t gfp)
17981 {
17982 	struct sk_buff *msg;
17983 	void *hdr;
17984 
17985 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
17986 	if (!msg)
17987 		return;
17988 
17989 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
17990 	if (!hdr) {
17991 		nlmsg_free(msg);
17992 		return;
17993 	}
17994 
17995 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17996 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17997 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
17998 	    (event->req_ies &&
17999 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18000 		     event->req_ies)))
18001 		goto nla_put_failure;
18002 
18003 	if (event->reconnect &&
18004 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18005 		goto nla_put_failure;
18006 
18007 	if (event->uapsd_queues >= 0) {
18008 		struct nlattr *nla_wmm =
18009 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18010 		if (!nla_wmm)
18011 			goto nla_put_failure;
18012 
18013 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18014 			       event->uapsd_queues))
18015 			goto nla_put_failure;
18016 
18017 		nla_nest_end(msg, nla_wmm);
18018 	}
18019 
18020 	genlmsg_end(msg, hdr);
18021 
18022 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18023 				NL80211_MCGRP_MLME, gfp);
18024 	return;
18025 
18026  nla_put_failure:
18027 	nlmsg_free(msg);
18028 }
18029 
18030 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18031 			  struct net_device *netdev, const u8 *buf,
18032 			  size_t len, gfp_t gfp)
18033 {
18034 	struct nl80211_mlme_event event = {
18035 		.cmd = NL80211_CMD_AUTHENTICATE,
18036 		.buf = buf,
18037 		.buf_len = len,
18038 		.uapsd_queues = -1,
18039 	};
18040 
18041 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18042 }
18043 
18044 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18045 			   struct net_device *netdev,
18046 			   const struct cfg80211_rx_assoc_resp_data *data)
18047 {
18048 	struct nl80211_mlme_event event = {
18049 		.cmd = NL80211_CMD_ASSOCIATE,
18050 		.buf = data->buf,
18051 		.buf_len = data->len,
18052 		.uapsd_queues = data->uapsd_queues,
18053 		.req_ies = data->req_ies,
18054 		.req_ies_len = data->req_ies_len,
18055 	};
18056 
18057 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18058 }
18059 
18060 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18061 			 struct net_device *netdev, const u8 *buf,
18062 			 size_t len, bool reconnect, gfp_t gfp)
18063 {
18064 	struct nl80211_mlme_event event = {
18065 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18066 		.buf = buf,
18067 		.buf_len = len,
18068 		.reconnect = reconnect,
18069 		.uapsd_queues = -1,
18070 	};
18071 
18072 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18073 }
18074 
18075 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18076 			   struct net_device *netdev, const u8 *buf,
18077 			   size_t len, bool reconnect, gfp_t gfp)
18078 {
18079 	struct nl80211_mlme_event event = {
18080 		.cmd = NL80211_CMD_DISASSOCIATE,
18081 		.buf = buf,
18082 		.buf_len = len,
18083 		.reconnect = reconnect,
18084 		.uapsd_queues = -1,
18085 	};
18086 
18087 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18088 }
18089 
18090 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18091 				  size_t len)
18092 {
18093 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18094 	struct wiphy *wiphy = wdev->wiphy;
18095 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18096 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18097 	struct nl80211_mlme_event event = {
18098 		.buf = buf,
18099 		.buf_len = len,
18100 		.uapsd_queues = -1,
18101 	};
18102 
18103 	if (WARN_ON(len < 2))
18104 		return;
18105 
18106 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18107 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18108 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18109 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18110 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18111 		if (wdev->unprot_beacon_reported &&
18112 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18113 			return;
18114 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18115 		wdev->unprot_beacon_reported = jiffies;
18116 	} else {
18117 		return;
18118 	}
18119 
18120 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18121 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18122 }
18123 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18124 
18125 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18126 				      struct net_device *netdev, int cmd,
18127 				      const u8 *addr, gfp_t gfp)
18128 {
18129 	struct sk_buff *msg;
18130 	void *hdr;
18131 
18132 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18133 	if (!msg)
18134 		return;
18135 
18136 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18137 	if (!hdr) {
18138 		nlmsg_free(msg);
18139 		return;
18140 	}
18141 
18142 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18143 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18144 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18145 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18146 		goto nla_put_failure;
18147 
18148 	genlmsg_end(msg, hdr);
18149 
18150 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18151 				NL80211_MCGRP_MLME, gfp);
18152 	return;
18153 
18154  nla_put_failure:
18155 	nlmsg_free(msg);
18156 }
18157 
18158 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18159 			       struct net_device *netdev, const u8 *addr,
18160 			       gfp_t gfp)
18161 {
18162 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18163 				  addr, gfp);
18164 }
18165 
18166 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18167 				struct net_device *netdev, const u8 *addr,
18168 				gfp_t gfp)
18169 {
18170 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18171 				  addr, gfp);
18172 }
18173 
18174 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18175 				 struct net_device *netdev,
18176 				 struct cfg80211_connect_resp_params *cr,
18177 				 gfp_t gfp)
18178 {
18179 	struct sk_buff *msg;
18180 	void *hdr;
18181 	unsigned int link;
18182 	size_t link_info_size = 0;
18183 	const u8 *connected_addr = cr->valid_links ?
18184 				   cr->ap_mld_addr : cr->links[0].bssid;
18185 
18186 	if (cr->valid_links) {
18187 		for_each_valid_link(cr, link) {
18188 			/* Nested attribute header */
18189 			link_info_size += NLA_HDRLEN;
18190 			/* Link ID */
18191 			link_info_size += nla_total_size(sizeof(u8));
18192 			link_info_size += cr->links[link].addr ?
18193 					  nla_total_size(ETH_ALEN) : 0;
18194 			link_info_size += (cr->links[link].bssid ||
18195 					   cr->links[link].bss) ?
18196 					  nla_total_size(ETH_ALEN) : 0;
18197 			link_info_size += nla_total_size(sizeof(u16));
18198 		}
18199 	}
18200 
18201 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18202 			cr->fils.kek_len + cr->fils.pmk_len +
18203 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18204 			gfp);
18205 	if (!msg)
18206 		return;
18207 
18208 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18209 	if (!hdr) {
18210 		nlmsg_free(msg);
18211 		return;
18212 	}
18213 
18214 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18215 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18216 	    (connected_addr &&
18217 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18218 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18219 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18220 			cr->status) ||
18221 	    (cr->status < 0 &&
18222 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18223 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18224 			  cr->timeout_reason))) ||
18225 	    (cr->req_ie &&
18226 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18227 	    (cr->resp_ie &&
18228 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18229 		     cr->resp_ie)) ||
18230 	    (cr->fils.update_erp_next_seq_num &&
18231 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18232 			 cr->fils.erp_next_seq_num)) ||
18233 	    (cr->status == WLAN_STATUS_SUCCESS &&
18234 	     ((cr->fils.kek &&
18235 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18236 		       cr->fils.kek)) ||
18237 	      (cr->fils.pmk &&
18238 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18239 	      (cr->fils.pmkid &&
18240 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18241 		goto nla_put_failure;
18242 
18243 	if (cr->valid_links) {
18244 		int i = 1;
18245 		struct nlattr *nested;
18246 
18247 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18248 		if (!nested)
18249 			goto nla_put_failure;
18250 
18251 		for_each_valid_link(cr, link) {
18252 			struct nlattr *nested_mlo_links;
18253 			const u8 *bssid = cr->links[link].bss ?
18254 					  cr->links[link].bss->bssid :
18255 					  cr->links[link].bssid;
18256 
18257 			nested_mlo_links = nla_nest_start(msg, i);
18258 			if (!nested_mlo_links)
18259 				goto nla_put_failure;
18260 
18261 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18262 			    (bssid &&
18263 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18264 			    (cr->links[link].addr &&
18265 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18266 				     cr->links[link].addr)) ||
18267 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18268 					cr->links[link].status))
18269 				goto nla_put_failure;
18270 
18271 			nla_nest_end(msg, nested_mlo_links);
18272 			i++;
18273 		}
18274 		nla_nest_end(msg, nested);
18275 	}
18276 
18277 	genlmsg_end(msg, hdr);
18278 
18279 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18280 				NL80211_MCGRP_MLME, gfp);
18281 	return;
18282 
18283  nla_put_failure:
18284 	nlmsg_free(msg);
18285 }
18286 
18287 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18288 			 struct net_device *netdev,
18289 			 struct cfg80211_roam_info *info, gfp_t gfp)
18290 {
18291 	struct sk_buff *msg;
18292 	void *hdr;
18293 	size_t link_info_size = 0;
18294 	unsigned int link;
18295 	const u8 *connected_addr = info->ap_mld_addr ?
18296 				   info->ap_mld_addr :
18297 				   (info->links[0].bss ?
18298 				    info->links[0].bss->bssid :
18299 				    info->links[0].bssid);
18300 
18301 	if (info->valid_links) {
18302 		for_each_valid_link(info, link) {
18303 			/* Nested attribute header */
18304 			link_info_size += NLA_HDRLEN;
18305 			/* Link ID */
18306 			link_info_size += nla_total_size(sizeof(u8));
18307 			link_info_size += info->links[link].addr ?
18308 					  nla_total_size(ETH_ALEN) : 0;
18309 			link_info_size += (info->links[link].bssid ||
18310 					   info->links[link].bss) ?
18311 					  nla_total_size(ETH_ALEN) : 0;
18312 		}
18313 	}
18314 
18315 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18316 			info->fils.kek_len + info->fils.pmk_len +
18317 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18318 			link_info_size, gfp);
18319 	if (!msg)
18320 		return;
18321 
18322 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18323 	if (!hdr) {
18324 		nlmsg_free(msg);
18325 		return;
18326 	}
18327 
18328 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18329 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18330 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18331 	    (info->req_ie &&
18332 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18333 		     info->req_ie)) ||
18334 	    (info->resp_ie &&
18335 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18336 		     info->resp_ie)) ||
18337 	    (info->fils.update_erp_next_seq_num &&
18338 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18339 			 info->fils.erp_next_seq_num)) ||
18340 	    (info->fils.kek &&
18341 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18342 		     info->fils.kek)) ||
18343 	    (info->fils.pmk &&
18344 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18345 	    (info->fils.pmkid &&
18346 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18347 		goto nla_put_failure;
18348 
18349 	if (info->valid_links) {
18350 		int i = 1;
18351 		struct nlattr *nested;
18352 
18353 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18354 		if (!nested)
18355 			goto nla_put_failure;
18356 
18357 		for_each_valid_link(info, link) {
18358 			struct nlattr *nested_mlo_links;
18359 			const u8 *bssid = info->links[link].bss ?
18360 					  info->links[link].bss->bssid :
18361 					  info->links[link].bssid;
18362 
18363 			nested_mlo_links = nla_nest_start(msg, i);
18364 			if (!nested_mlo_links)
18365 				goto nla_put_failure;
18366 
18367 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18368 			    (bssid &&
18369 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18370 			    (info->links[link].addr &&
18371 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18372 				     info->links[link].addr)))
18373 				goto nla_put_failure;
18374 
18375 			nla_nest_end(msg, nested_mlo_links);
18376 			i++;
18377 		}
18378 		nla_nest_end(msg, nested);
18379 	}
18380 
18381 	genlmsg_end(msg, hdr);
18382 
18383 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18384 				NL80211_MCGRP_MLME, gfp);
18385 	return;
18386 
18387  nla_put_failure:
18388 	nlmsg_free(msg);
18389 }
18390 
18391 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18392 				  struct net_device *netdev, const u8 *peer_addr,
18393 				  const u8 *td_bitmap, u8 td_bitmap_len)
18394 {
18395 	struct sk_buff *msg;
18396 	void *hdr;
18397 
18398 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18399 	if (!msg)
18400 		return;
18401 
18402 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18403 	if (!hdr) {
18404 		nlmsg_free(msg);
18405 		return;
18406 	}
18407 
18408 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18409 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18410 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18411 		goto nla_put_failure;
18412 
18413 	if ((td_bitmap_len > 0) && td_bitmap)
18414 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18415 			    td_bitmap_len, td_bitmap))
18416 			goto nla_put_failure;
18417 
18418 	genlmsg_end(msg, hdr);
18419 
18420 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18421 				NL80211_MCGRP_MLME, GFP_KERNEL);
18422 	return;
18423 
18424  nla_put_failure:
18425 	nlmsg_free(msg);
18426 }
18427 
18428 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18429 			       struct net_device *netdev, u16 reason,
18430 			       const u8 *ie, size_t ie_len, bool from_ap)
18431 {
18432 	struct sk_buff *msg;
18433 	void *hdr;
18434 
18435 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18436 	if (!msg)
18437 		return;
18438 
18439 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18440 	if (!hdr) {
18441 		nlmsg_free(msg);
18442 		return;
18443 	}
18444 
18445 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18446 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18447 	    (reason &&
18448 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18449 	    (from_ap &&
18450 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18451 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18452 		goto nla_put_failure;
18453 
18454 	genlmsg_end(msg, hdr);
18455 
18456 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18457 				NL80211_MCGRP_MLME, GFP_KERNEL);
18458 	return;
18459 
18460  nla_put_failure:
18461 	nlmsg_free(msg);
18462 }
18463 
18464 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18465 {
18466 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18467 	struct wiphy *wiphy = wdev->wiphy;
18468 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18469 	struct sk_buff *msg;
18470 	struct nlattr *links;
18471 	void *hdr;
18472 
18473 	lockdep_assert_wiphy(wdev->wiphy);
18474 	trace_cfg80211_links_removed(dev, link_mask);
18475 
18476 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18477 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18478 		return;
18479 
18480 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18481 		    (wdev->valid_links & link_mask) != link_mask ||
18482 		    wdev->valid_links == link_mask))
18483 		return;
18484 
18485 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18486 	wdev->valid_links &= ~link_mask;
18487 
18488 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18489 	if (!msg)
18490 		return;
18491 
18492 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18493 	if (!hdr) {
18494 		nlmsg_free(msg);
18495 		return;
18496 	}
18497 
18498 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18499 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18500 		goto nla_put_failure;
18501 
18502 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18503 	if (!links)
18504 		goto nla_put_failure;
18505 
18506 	while (link_mask) {
18507 		struct nlattr *link;
18508 		int link_id = __ffs(link_mask);
18509 
18510 		link = nla_nest_start(msg, link_id + 1);
18511 		if (!link)
18512 			goto nla_put_failure;
18513 
18514 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18515 			goto nla_put_failure;
18516 
18517 		nla_nest_end(msg, link);
18518 		link_mask &= ~(1 << link_id);
18519 	}
18520 
18521 	nla_nest_end(msg, links);
18522 
18523 	genlmsg_end(msg, hdr);
18524 
18525 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18526 				NL80211_MCGRP_MLME, GFP_KERNEL);
18527 	return;
18528 
18529  nla_put_failure:
18530 	nlmsg_free(msg);
18531 }
18532 EXPORT_SYMBOL(cfg80211_links_removed);
18533 
18534 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18535 			     struct net_device *netdev, const u8 *bssid,
18536 			     gfp_t gfp)
18537 {
18538 	struct sk_buff *msg;
18539 	void *hdr;
18540 
18541 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18542 	if (!msg)
18543 		return;
18544 
18545 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18546 	if (!hdr) {
18547 		nlmsg_free(msg);
18548 		return;
18549 	}
18550 
18551 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18552 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18553 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18554 		goto nla_put_failure;
18555 
18556 	genlmsg_end(msg, hdr);
18557 
18558 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18559 				NL80211_MCGRP_MLME, gfp);
18560 	return;
18561 
18562  nla_put_failure:
18563 	nlmsg_free(msg);
18564 }
18565 
18566 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18567 					const u8 *ie, u8 ie_len,
18568 					int sig_dbm, gfp_t gfp)
18569 {
18570 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18571 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18572 	struct sk_buff *msg;
18573 	void *hdr;
18574 
18575 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18576 		return;
18577 
18578 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18579 
18580 	msg = nlmsg_new(100 + ie_len, gfp);
18581 	if (!msg)
18582 		return;
18583 
18584 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18585 	if (!hdr) {
18586 		nlmsg_free(msg);
18587 		return;
18588 	}
18589 
18590 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18591 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18592 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18593 	    (ie_len && ie &&
18594 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18595 	    (sig_dbm &&
18596 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18597 		goto nla_put_failure;
18598 
18599 	genlmsg_end(msg, hdr);
18600 
18601 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18602 				NL80211_MCGRP_MLME, gfp);
18603 	return;
18604 
18605  nla_put_failure:
18606 	nlmsg_free(msg);
18607 }
18608 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18609 
18610 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18611 				 struct net_device *netdev, const u8 *addr,
18612 				 enum nl80211_key_type key_type, int key_id,
18613 				 const u8 *tsc, gfp_t gfp)
18614 {
18615 	struct sk_buff *msg;
18616 	void *hdr;
18617 
18618 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18619 	if (!msg)
18620 		return;
18621 
18622 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18623 	if (!hdr) {
18624 		nlmsg_free(msg);
18625 		return;
18626 	}
18627 
18628 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18629 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18630 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18631 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18632 	    (key_id != -1 &&
18633 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18634 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18635 		goto nla_put_failure;
18636 
18637 	genlmsg_end(msg, hdr);
18638 
18639 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18640 				NL80211_MCGRP_MLME, gfp);
18641 	return;
18642 
18643  nla_put_failure:
18644 	nlmsg_free(msg);
18645 }
18646 
18647 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18648 				    struct ieee80211_channel *channel_before,
18649 				    struct ieee80211_channel *channel_after)
18650 {
18651 	struct sk_buff *msg;
18652 	void *hdr;
18653 	struct nlattr *nl_freq;
18654 
18655 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18656 	if (!msg)
18657 		return;
18658 
18659 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18660 	if (!hdr) {
18661 		nlmsg_free(msg);
18662 		return;
18663 	}
18664 
18665 	/*
18666 	 * Since we are applying the beacon hint to a wiphy we know its
18667 	 * wiphy_idx is valid
18668 	 */
18669 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18670 		goto nla_put_failure;
18671 
18672 	/* Before */
18673 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18674 	if (!nl_freq)
18675 		goto nla_put_failure;
18676 
18677 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18678 		goto nla_put_failure;
18679 	nla_nest_end(msg, nl_freq);
18680 
18681 	/* After */
18682 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18683 	if (!nl_freq)
18684 		goto nla_put_failure;
18685 
18686 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18687 		goto nla_put_failure;
18688 	nla_nest_end(msg, nl_freq);
18689 
18690 	genlmsg_end(msg, hdr);
18691 
18692 	rcu_read_lock();
18693 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18694 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18695 	rcu_read_unlock();
18696 
18697 	return;
18698 
18699 nla_put_failure:
18700 	nlmsg_free(msg);
18701 }
18702 
18703 static void nl80211_send_remain_on_chan_event(
18704 	int cmd, struct cfg80211_registered_device *rdev,
18705 	struct wireless_dev *wdev, u64 cookie,
18706 	struct ieee80211_channel *chan,
18707 	unsigned int duration, gfp_t gfp)
18708 {
18709 	struct sk_buff *msg;
18710 	void *hdr;
18711 
18712 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18713 	if (!msg)
18714 		return;
18715 
18716 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18717 	if (!hdr) {
18718 		nlmsg_free(msg);
18719 		return;
18720 	}
18721 
18722 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18723 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18724 					 wdev->netdev->ifindex)) ||
18725 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18726 			      NL80211_ATTR_PAD) ||
18727 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18728 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18729 			NL80211_CHAN_NO_HT) ||
18730 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18731 			      NL80211_ATTR_PAD))
18732 		goto nla_put_failure;
18733 
18734 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18735 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18736 		goto nla_put_failure;
18737 
18738 	genlmsg_end(msg, hdr);
18739 
18740 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18741 				NL80211_MCGRP_MLME, gfp);
18742 	return;
18743 
18744  nla_put_failure:
18745 	nlmsg_free(msg);
18746 }
18747 
18748 void cfg80211_assoc_comeback(struct net_device *netdev,
18749 			     const u8 *ap_addr, u32 timeout)
18750 {
18751 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18752 	struct wiphy *wiphy = wdev->wiphy;
18753 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18754 	struct sk_buff *msg;
18755 	void *hdr;
18756 
18757 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18758 
18759 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18760 	if (!msg)
18761 		return;
18762 
18763 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18764 	if (!hdr) {
18765 		nlmsg_free(msg);
18766 		return;
18767 	}
18768 
18769 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18770 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18771 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18772 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18773 		goto nla_put_failure;
18774 
18775 	genlmsg_end(msg, hdr);
18776 
18777 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18778 				NL80211_MCGRP_MLME, GFP_KERNEL);
18779 	return;
18780 
18781  nla_put_failure:
18782 	nlmsg_free(msg);
18783 }
18784 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18785 
18786 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18787 			       struct ieee80211_channel *chan,
18788 			       unsigned int duration, gfp_t gfp)
18789 {
18790 	struct wiphy *wiphy = wdev->wiphy;
18791 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18792 
18793 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18794 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18795 					  rdev, wdev, cookie, chan,
18796 					  duration, gfp);
18797 }
18798 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18799 
18800 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18801 					struct ieee80211_channel *chan,
18802 					gfp_t gfp)
18803 {
18804 	struct wiphy *wiphy = wdev->wiphy;
18805 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18806 
18807 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18808 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18809 					  rdev, wdev, cookie, chan, 0, gfp);
18810 }
18811 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18812 
18813 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18814 					struct ieee80211_channel *chan,
18815 					gfp_t gfp)
18816 {
18817 	struct wiphy *wiphy = wdev->wiphy;
18818 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18819 
18820 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18821 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18822 					  rdev, wdev, cookie, chan, 0, gfp);
18823 }
18824 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18825 
18826 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18827 		      struct station_info *sinfo, gfp_t gfp)
18828 {
18829 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18830 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18831 	struct sk_buff *msg;
18832 
18833 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18834 
18835 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18836 	if (!msg)
18837 		return;
18838 
18839 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18840 				 rdev, dev, mac_addr, sinfo) < 0) {
18841 		nlmsg_free(msg);
18842 		return;
18843 	}
18844 
18845 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18846 				NL80211_MCGRP_MLME, gfp);
18847 }
18848 EXPORT_SYMBOL(cfg80211_new_sta);
18849 
18850 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18851 			    struct station_info *sinfo, gfp_t gfp)
18852 {
18853 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18854 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18855 	struct sk_buff *msg;
18856 	struct station_info empty_sinfo = {};
18857 
18858 	if (!sinfo)
18859 		sinfo = &empty_sinfo;
18860 
18861 	trace_cfg80211_del_sta(dev, mac_addr);
18862 
18863 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18864 	if (!msg) {
18865 		cfg80211_sinfo_release_content(sinfo);
18866 		return;
18867 	}
18868 
18869 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18870 				 rdev, dev, mac_addr, sinfo) < 0) {
18871 		nlmsg_free(msg);
18872 		return;
18873 	}
18874 
18875 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18876 				NL80211_MCGRP_MLME, gfp);
18877 }
18878 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18879 
18880 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18881 			  enum nl80211_connect_failed_reason reason,
18882 			  gfp_t gfp)
18883 {
18884 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18885 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18886 	struct sk_buff *msg;
18887 	void *hdr;
18888 
18889 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18890 	if (!msg)
18891 		return;
18892 
18893 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18894 	if (!hdr) {
18895 		nlmsg_free(msg);
18896 		return;
18897 	}
18898 
18899 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18900 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18901 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18902 		goto nla_put_failure;
18903 
18904 	genlmsg_end(msg, hdr);
18905 
18906 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18907 				NL80211_MCGRP_MLME, gfp);
18908 	return;
18909 
18910  nla_put_failure:
18911 	nlmsg_free(msg);
18912 }
18913 EXPORT_SYMBOL(cfg80211_conn_failed);
18914 
18915 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18916 				       const u8 *addr, gfp_t gfp)
18917 {
18918 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18919 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18920 	struct sk_buff *msg;
18921 	void *hdr;
18922 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18923 
18924 	if (!nlportid)
18925 		return false;
18926 
18927 	msg = nlmsg_new(100, gfp);
18928 	if (!msg)
18929 		return true;
18930 
18931 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18932 	if (!hdr) {
18933 		nlmsg_free(msg);
18934 		return true;
18935 	}
18936 
18937 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18938 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18939 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18940 		goto nla_put_failure;
18941 
18942 	genlmsg_end(msg, hdr);
18943 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18944 	return true;
18945 
18946  nla_put_failure:
18947 	nlmsg_free(msg);
18948 	return true;
18949 }
18950 
18951 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18952 				const u8 *addr, gfp_t gfp)
18953 {
18954 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18955 	bool ret;
18956 
18957 	trace_cfg80211_rx_spurious_frame(dev, addr);
18958 
18959 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18960 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18961 		trace_cfg80211_return_bool(false);
18962 		return false;
18963 	}
18964 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18965 					 addr, gfp);
18966 	trace_cfg80211_return_bool(ret);
18967 	return ret;
18968 }
18969 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18970 
18971 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18972 					const u8 *addr, gfp_t gfp)
18973 {
18974 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18975 	bool ret;
18976 
18977 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18978 
18979 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18980 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18981 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18982 		trace_cfg80211_return_bool(false);
18983 		return false;
18984 	}
18985 	ret = __nl80211_unexpected_frame(dev,
18986 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18987 					 addr, gfp);
18988 	trace_cfg80211_return_bool(ret);
18989 	return ret;
18990 }
18991 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18992 
18993 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18994 		      struct wireless_dev *wdev, u32 nlportid,
18995 		      struct cfg80211_rx_info *info, gfp_t gfp)
18996 {
18997 	struct net_device *netdev = wdev->netdev;
18998 	struct sk_buff *msg;
18999 	void *hdr;
19000 
19001 	msg = nlmsg_new(100 + info->len, gfp);
19002 	if (!msg)
19003 		return -ENOMEM;
19004 
19005 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19006 	if (!hdr) {
19007 		nlmsg_free(msg);
19008 		return -ENOMEM;
19009 	}
19010 
19011 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19012 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19013 					netdev->ifindex)) ||
19014 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19015 			      NL80211_ATTR_PAD) ||
19016 	    (info->have_link_id &&
19017 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19018 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19019 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19020 	    (info->sig_dbm &&
19021 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19022 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19023 	    (info->flags &&
19024 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19025 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19026 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19027 						  info->rx_tstamp,
19028 						  NL80211_ATTR_PAD)) ||
19029 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19030 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19031 						   info->ack_tstamp,
19032 						   NL80211_ATTR_PAD)))
19033 		goto nla_put_failure;
19034 
19035 	genlmsg_end(msg, hdr);
19036 
19037 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19038 
19039  nla_put_failure:
19040 	nlmsg_free(msg);
19041 	return -ENOBUFS;
19042 }
19043 
19044 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19045 				    struct cfg80211_tx_status *status,
19046 				    gfp_t gfp, enum nl80211_commands command)
19047 {
19048 	struct wiphy *wiphy = wdev->wiphy;
19049 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19050 	struct net_device *netdev = wdev->netdev;
19051 	struct sk_buff *msg;
19052 	void *hdr;
19053 
19054 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19055 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19056 					      status->ack);
19057 	else
19058 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19059 						      status->ack);
19060 
19061 	msg = nlmsg_new(100 + status->len, gfp);
19062 	if (!msg)
19063 		return;
19064 
19065 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19066 	if (!hdr) {
19067 		nlmsg_free(msg);
19068 		return;
19069 	}
19070 
19071 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19072 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19073 				   netdev->ifindex)) ||
19074 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19075 			      NL80211_ATTR_PAD) ||
19076 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19077 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19078 			      NL80211_ATTR_PAD) ||
19079 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19080 	    (status->tx_tstamp &&
19081 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19082 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19083 	    (status->ack_tstamp &&
19084 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19085 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19086 		goto nla_put_failure;
19087 
19088 	genlmsg_end(msg, hdr);
19089 
19090 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19091 				NL80211_MCGRP_MLME, gfp);
19092 	return;
19093 
19094 nla_put_failure:
19095 	nlmsg_free(msg);
19096 }
19097 
19098 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19099 				     const u8 *buf, size_t len, bool ack,
19100 				     gfp_t gfp)
19101 {
19102 	struct cfg80211_tx_status status = {
19103 		.cookie = cookie,
19104 		.buf = buf,
19105 		.len = len,
19106 		.ack = ack
19107 	};
19108 
19109 	nl80211_frame_tx_status(wdev, &status, gfp,
19110 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19111 }
19112 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19113 
19114 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19115 				 struct cfg80211_tx_status *status, gfp_t gfp)
19116 {
19117 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19118 }
19119 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19120 
19121 static int __nl80211_rx_control_port(struct net_device *dev,
19122 				     struct sk_buff *skb,
19123 				     bool unencrypted,
19124 				     int link_id,
19125 				     gfp_t gfp)
19126 {
19127 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19128 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19129 	struct ethhdr *ehdr = eth_hdr(skb);
19130 	const u8 *addr = ehdr->h_source;
19131 	u16 proto = be16_to_cpu(skb->protocol);
19132 	struct sk_buff *msg;
19133 	void *hdr;
19134 	struct nlattr *frame;
19135 
19136 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19137 
19138 	if (!nlportid)
19139 		return -ENOENT;
19140 
19141 	msg = nlmsg_new(100 + skb->len, gfp);
19142 	if (!msg)
19143 		return -ENOMEM;
19144 
19145 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19146 	if (!hdr) {
19147 		nlmsg_free(msg);
19148 		return -ENOBUFS;
19149 	}
19150 
19151 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19152 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19153 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19154 			      NL80211_ATTR_PAD) ||
19155 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19156 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19157 	    (link_id >= 0 &&
19158 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19159 	    (unencrypted && nla_put_flag(msg,
19160 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19161 		goto nla_put_failure;
19162 
19163 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19164 	if (!frame)
19165 		goto nla_put_failure;
19166 
19167 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19168 	genlmsg_end(msg, hdr);
19169 
19170 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19171 
19172  nla_put_failure:
19173 	nlmsg_free(msg);
19174 	return -ENOBUFS;
19175 }
19176 
19177 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19178 			      bool unencrypted, int link_id)
19179 {
19180 	int ret;
19181 
19182 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19183 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19184 					GFP_ATOMIC);
19185 	trace_cfg80211_return_bool(ret == 0);
19186 	return ret == 0;
19187 }
19188 EXPORT_SYMBOL(cfg80211_rx_control_port);
19189 
19190 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19191 					    const char *mac, gfp_t gfp)
19192 {
19193 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19194 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19195 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19196 	void **cb;
19197 
19198 	if (!msg)
19199 		return NULL;
19200 
19201 	cb = (void **)msg->cb;
19202 
19203 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19204 	if (!cb[0]) {
19205 		nlmsg_free(msg);
19206 		return NULL;
19207 	}
19208 
19209 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19210 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19211 		goto nla_put_failure;
19212 
19213 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19214 		goto nla_put_failure;
19215 
19216 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19217 	if (!cb[1])
19218 		goto nla_put_failure;
19219 
19220 	cb[2] = rdev;
19221 
19222 	return msg;
19223  nla_put_failure:
19224 	nlmsg_free(msg);
19225 	return NULL;
19226 }
19227 
19228 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19229 {
19230 	void **cb = (void **)msg->cb;
19231 	struct cfg80211_registered_device *rdev = cb[2];
19232 
19233 	nla_nest_end(msg, cb[1]);
19234 	genlmsg_end(msg, cb[0]);
19235 
19236 	memset(msg->cb, 0, sizeof(msg->cb));
19237 
19238 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19239 				NL80211_MCGRP_MLME, gfp);
19240 }
19241 
19242 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19243 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19244 			      s32 rssi_level, gfp_t gfp)
19245 {
19246 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19247 	struct cfg80211_cqm_config *cqm_config;
19248 
19249 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19250 
19251 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19252 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19253 		return;
19254 
19255 	rcu_read_lock();
19256 	cqm_config = rcu_dereference(wdev->cqm_config);
19257 	if (cqm_config) {
19258 		cqm_config->last_rssi_event_value = rssi_level;
19259 		cqm_config->last_rssi_event_type = rssi_event;
19260 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19261 	}
19262 	rcu_read_unlock();
19263 }
19264 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19265 
19266 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19267 {
19268 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19269 						 cqm_rssi_work);
19270 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19271 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19272 	struct cfg80211_cqm_config *cqm_config;
19273 	struct sk_buff *msg;
19274 	s32 rssi_level;
19275 
19276 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19277 	if (!cqm_config)
19278 		return;
19279 
19280 	if (cqm_config->use_range_api)
19281 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19282 
19283 	rssi_level = cqm_config->last_rssi_event_value;
19284 	rssi_event = cqm_config->last_rssi_event_type;
19285 
19286 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19287 	if (!msg)
19288 		return;
19289 
19290 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19291 			rssi_event))
19292 		goto nla_put_failure;
19293 
19294 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19295 				      rssi_level))
19296 		goto nla_put_failure;
19297 
19298 	cfg80211_send_cqm(msg, GFP_KERNEL);
19299 
19300 	return;
19301 
19302  nla_put_failure:
19303 	nlmsg_free(msg);
19304 }
19305 
19306 void cfg80211_cqm_txe_notify(struct net_device *dev,
19307 			     const u8 *peer, u32 num_packets,
19308 			     u32 rate, u32 intvl, gfp_t gfp)
19309 {
19310 	struct sk_buff *msg;
19311 
19312 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19313 	if (!msg)
19314 		return;
19315 
19316 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19317 		goto nla_put_failure;
19318 
19319 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19320 		goto nla_put_failure;
19321 
19322 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19323 		goto nla_put_failure;
19324 
19325 	cfg80211_send_cqm(msg, gfp);
19326 	return;
19327 
19328  nla_put_failure:
19329 	nlmsg_free(msg);
19330 }
19331 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19332 
19333 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19334 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19335 {
19336 	struct sk_buff *msg;
19337 
19338 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19339 
19340 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19341 	if (!msg)
19342 		return;
19343 
19344 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19345 		goto nla_put_failure;
19346 
19347 	cfg80211_send_cqm(msg, gfp);
19348 	return;
19349 
19350  nla_put_failure:
19351 	nlmsg_free(msg);
19352 }
19353 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19354 
19355 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19356 {
19357 	struct sk_buff *msg;
19358 
19359 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19360 	if (!msg)
19361 		return;
19362 
19363 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19364 		goto nla_put_failure;
19365 
19366 	cfg80211_send_cqm(msg, gfp);
19367 	return;
19368 
19369  nla_put_failure:
19370 	nlmsg_free(msg);
19371 }
19372 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19373 
19374 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19375 				     struct net_device *netdev, const u8 *bssid,
19376 				     const u8 *replay_ctr, gfp_t gfp)
19377 {
19378 	struct sk_buff *msg;
19379 	struct nlattr *rekey_attr;
19380 	void *hdr;
19381 
19382 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19383 	if (!msg)
19384 		return;
19385 
19386 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19387 	if (!hdr) {
19388 		nlmsg_free(msg);
19389 		return;
19390 	}
19391 
19392 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19393 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19394 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19395 		goto nla_put_failure;
19396 
19397 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19398 	if (!rekey_attr)
19399 		goto nla_put_failure;
19400 
19401 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19402 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19403 		goto nla_put_failure;
19404 
19405 	nla_nest_end(msg, rekey_attr);
19406 
19407 	genlmsg_end(msg, hdr);
19408 
19409 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19410 				NL80211_MCGRP_MLME, gfp);
19411 	return;
19412 
19413  nla_put_failure:
19414 	nlmsg_free(msg);
19415 }
19416 
19417 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19418 			       const u8 *replay_ctr, gfp_t gfp)
19419 {
19420 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19421 	struct wiphy *wiphy = wdev->wiphy;
19422 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19423 
19424 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19425 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19426 }
19427 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19428 
19429 static void
19430 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19431 			       struct net_device *netdev, int index,
19432 			       const u8 *bssid, bool preauth, gfp_t gfp)
19433 {
19434 	struct sk_buff *msg;
19435 	struct nlattr *attr;
19436 	void *hdr;
19437 
19438 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19439 	if (!msg)
19440 		return;
19441 
19442 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19443 	if (!hdr) {
19444 		nlmsg_free(msg);
19445 		return;
19446 	}
19447 
19448 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19449 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19450 		goto nla_put_failure;
19451 
19452 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19453 	if (!attr)
19454 		goto nla_put_failure;
19455 
19456 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19457 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19458 	    (preauth &&
19459 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19460 		goto nla_put_failure;
19461 
19462 	nla_nest_end(msg, attr);
19463 
19464 	genlmsg_end(msg, hdr);
19465 
19466 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19467 				NL80211_MCGRP_MLME, gfp);
19468 	return;
19469 
19470  nla_put_failure:
19471 	nlmsg_free(msg);
19472 }
19473 
19474 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19475 				     const u8 *bssid, bool preauth, gfp_t gfp)
19476 {
19477 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19478 	struct wiphy *wiphy = wdev->wiphy;
19479 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19480 
19481 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19482 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19483 }
19484 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19485 
19486 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19487 				     struct net_device *netdev,
19488 				     unsigned int link_id,
19489 				     struct cfg80211_chan_def *chandef,
19490 				     gfp_t gfp,
19491 				     enum nl80211_commands notif,
19492 				     u8 count, bool quiet)
19493 {
19494 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19495 	struct sk_buff *msg;
19496 	void *hdr;
19497 
19498 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19499 	if (!msg)
19500 		return;
19501 
19502 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19503 	if (!hdr) {
19504 		nlmsg_free(msg);
19505 		return;
19506 	}
19507 
19508 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19509 		goto nla_put_failure;
19510 
19511 	if (wdev->valid_links &&
19512 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19513 		goto nla_put_failure;
19514 
19515 	if (nl80211_send_chandef(msg, chandef))
19516 		goto nla_put_failure;
19517 
19518 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19519 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19520 			goto nla_put_failure;
19521 		if (quiet &&
19522 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19523 			goto nla_put_failure;
19524 	}
19525 
19526 	genlmsg_end(msg, hdr);
19527 
19528 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19529 				NL80211_MCGRP_MLME, gfp);
19530 	return;
19531 
19532  nla_put_failure:
19533 	nlmsg_free(msg);
19534 }
19535 
19536 void cfg80211_ch_switch_notify(struct net_device *dev,
19537 			       struct cfg80211_chan_def *chandef,
19538 			       unsigned int link_id)
19539 {
19540 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19541 	struct wiphy *wiphy = wdev->wiphy;
19542 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19543 
19544 	lockdep_assert_wiphy(wdev->wiphy);
19545 	WARN_INVALID_LINK_ID(wdev, link_id);
19546 
19547 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19548 
19549 	switch (wdev->iftype) {
19550 	case NL80211_IFTYPE_STATION:
19551 	case NL80211_IFTYPE_P2P_CLIENT:
19552 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19553 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19554 							chandef->chan);
19555 		break;
19556 	case NL80211_IFTYPE_MESH_POINT:
19557 		wdev->u.mesh.chandef = *chandef;
19558 		wdev->u.mesh.preset_chandef = *chandef;
19559 		break;
19560 	case NL80211_IFTYPE_AP:
19561 	case NL80211_IFTYPE_P2P_GO:
19562 		wdev->links[link_id].ap.chandef = *chandef;
19563 		break;
19564 	case NL80211_IFTYPE_ADHOC:
19565 		wdev->u.ibss.chandef = *chandef;
19566 		break;
19567 	default:
19568 		WARN_ON(1);
19569 		break;
19570 	}
19571 
19572 	cfg80211_schedule_channels_check(wdev);
19573 	cfg80211_sched_dfs_chan_update(rdev);
19574 
19575 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19576 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19577 }
19578 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19579 
19580 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19581 				       struct cfg80211_chan_def *chandef,
19582 				       unsigned int link_id, u8 count,
19583 				       bool quiet)
19584 {
19585 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19586 	struct wiphy *wiphy = wdev->wiphy;
19587 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19588 
19589 	lockdep_assert_wiphy(wdev->wiphy);
19590 	WARN_INVALID_LINK_ID(wdev, link_id);
19591 
19592 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19593 
19594 
19595 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19596 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19597 				 count, quiet);
19598 }
19599 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19600 
19601 int cfg80211_bss_color_notify(struct net_device *dev,
19602 			      enum nl80211_commands cmd, u8 count,
19603 			      u64 color_bitmap, u8 link_id)
19604 {
19605 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19606 	struct wiphy *wiphy = wdev->wiphy;
19607 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19608 	struct sk_buff *msg;
19609 	void *hdr;
19610 
19611 	lockdep_assert_wiphy(wdev->wiphy);
19612 
19613 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19614 
19615 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19616 	if (!msg)
19617 		return -ENOMEM;
19618 
19619 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19620 	if (!hdr)
19621 		goto nla_put_failure;
19622 
19623 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19624 		goto nla_put_failure;
19625 
19626 	if (wdev->valid_links &&
19627 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19628 		goto nla_put_failure;
19629 
19630 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19631 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19632 		goto nla_put_failure;
19633 
19634 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19635 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19636 			      color_bitmap, NL80211_ATTR_PAD))
19637 		goto nla_put_failure;
19638 
19639 	genlmsg_end(msg, hdr);
19640 
19641 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19642 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19643 
19644 nla_put_failure:
19645 	nlmsg_free(msg);
19646 	return -EINVAL;
19647 }
19648 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19649 
19650 void
19651 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19652 		     const struct cfg80211_chan_def *chandef,
19653 		     enum nl80211_radar_event event,
19654 		     struct net_device *netdev, gfp_t gfp)
19655 {
19656 	struct sk_buff *msg;
19657 	void *hdr;
19658 
19659 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19660 	if (!msg)
19661 		return;
19662 
19663 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19664 	if (!hdr) {
19665 		nlmsg_free(msg);
19666 		return;
19667 	}
19668 
19669 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19670 		goto nla_put_failure;
19671 
19672 	/* NOP and radar events don't need a netdev parameter */
19673 	if (netdev) {
19674 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19675 
19676 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19677 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19678 				      NL80211_ATTR_PAD))
19679 			goto nla_put_failure;
19680 	}
19681 
19682 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19683 		goto nla_put_failure;
19684 
19685 	if (nl80211_send_chandef(msg, chandef))
19686 		goto nla_put_failure;
19687 
19688 	genlmsg_end(msg, hdr);
19689 
19690 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19691 				NL80211_MCGRP_MLME, gfp);
19692 	return;
19693 
19694  nla_put_failure:
19695 	nlmsg_free(msg);
19696 }
19697 
19698 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19699 				       struct sta_opmode_info *sta_opmode,
19700 				       gfp_t gfp)
19701 {
19702 	struct sk_buff *msg;
19703 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19704 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19705 	void *hdr;
19706 
19707 	if (WARN_ON(!mac))
19708 		return;
19709 
19710 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19711 	if (!msg)
19712 		return;
19713 
19714 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19715 	if (!hdr) {
19716 		nlmsg_free(msg);
19717 		return;
19718 	}
19719 
19720 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19721 		goto nla_put_failure;
19722 
19723 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19724 		goto nla_put_failure;
19725 
19726 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19727 		goto nla_put_failure;
19728 
19729 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19730 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19731 		goto nla_put_failure;
19732 
19733 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19734 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19735 		goto nla_put_failure;
19736 
19737 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19738 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19739 		goto nla_put_failure;
19740 
19741 	genlmsg_end(msg, hdr);
19742 
19743 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19744 				NL80211_MCGRP_MLME, gfp);
19745 
19746 	return;
19747 
19748 nla_put_failure:
19749 	nlmsg_free(msg);
19750 }
19751 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19752 
19753 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19754 			   u64 cookie, bool acked, s32 ack_signal,
19755 			   bool is_valid_ack_signal, gfp_t gfp)
19756 {
19757 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19758 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19759 	struct sk_buff *msg;
19760 	void *hdr;
19761 
19762 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19763 
19764 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19765 
19766 	if (!msg)
19767 		return;
19768 
19769 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19770 	if (!hdr) {
19771 		nlmsg_free(msg);
19772 		return;
19773 	}
19774 
19775 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19776 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19777 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19778 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19779 			      NL80211_ATTR_PAD) ||
19780 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19781 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19782 						ack_signal)))
19783 		goto nla_put_failure;
19784 
19785 	genlmsg_end(msg, hdr);
19786 
19787 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19788 				NL80211_MCGRP_MLME, gfp);
19789 	return;
19790 
19791  nla_put_failure:
19792 	nlmsg_free(msg);
19793 }
19794 EXPORT_SYMBOL(cfg80211_probe_status);
19795 
19796 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19797 				     size_t len, int freq, int sig_dbm)
19798 {
19799 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19800 	struct sk_buff *msg;
19801 	void *hdr;
19802 	struct cfg80211_beacon_registration *reg;
19803 
19804 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19805 
19806 	spin_lock_bh(&rdev->beacon_registrations_lock);
19807 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19808 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19809 		if (!msg) {
19810 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19811 			return;
19812 		}
19813 
19814 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19815 		if (!hdr)
19816 			goto nla_put_failure;
19817 
19818 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19819 		    (freq &&
19820 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19821 				  KHZ_TO_MHZ(freq)) ||
19822 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19823 				  freq % 1000))) ||
19824 		    (sig_dbm &&
19825 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19826 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19827 			goto nla_put_failure;
19828 
19829 		genlmsg_end(msg, hdr);
19830 
19831 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19832 	}
19833 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19834 	return;
19835 
19836  nla_put_failure:
19837 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19838 	nlmsg_free(msg);
19839 }
19840 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19841 
19842 #ifdef CONFIG_PM
19843 static int cfg80211_net_detect_results(struct sk_buff *msg,
19844 				       struct cfg80211_wowlan_wakeup *wakeup)
19845 {
19846 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19847 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19848 	int i, j;
19849 
19850 	nl_results = nla_nest_start_noflag(msg,
19851 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19852 	if (!nl_results)
19853 		return -EMSGSIZE;
19854 
19855 	for (i = 0; i < nd->n_matches; i++) {
19856 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19857 
19858 		nl_match = nla_nest_start_noflag(msg, i);
19859 		if (!nl_match)
19860 			break;
19861 
19862 		/* The SSID attribute is optional in nl80211, but for
19863 		 * simplicity reasons it's always present in the
19864 		 * cfg80211 structure.  If a driver can't pass the
19865 		 * SSID, that needs to be changed.  A zero length SSID
19866 		 * is still a valid SSID (wildcard), so it cannot be
19867 		 * used for this purpose.
19868 		 */
19869 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19870 			    match->ssid.ssid)) {
19871 			nla_nest_cancel(msg, nl_match);
19872 			goto out;
19873 		}
19874 
19875 		if (match->n_channels) {
19876 			nl_freqs = nla_nest_start_noflag(msg,
19877 							 NL80211_ATTR_SCAN_FREQUENCIES);
19878 			if (!nl_freqs) {
19879 				nla_nest_cancel(msg, nl_match);
19880 				goto out;
19881 			}
19882 
19883 			for (j = 0; j < match->n_channels; j++) {
19884 				if (nla_put_u32(msg, j, match->channels[j])) {
19885 					nla_nest_cancel(msg, nl_freqs);
19886 					nla_nest_cancel(msg, nl_match);
19887 					goto out;
19888 				}
19889 			}
19890 
19891 			nla_nest_end(msg, nl_freqs);
19892 		}
19893 
19894 		nla_nest_end(msg, nl_match);
19895 	}
19896 
19897 out:
19898 	nla_nest_end(msg, nl_results);
19899 	return 0;
19900 }
19901 
19902 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19903 				   struct cfg80211_wowlan_wakeup *wakeup,
19904 				   gfp_t gfp)
19905 {
19906 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19907 	struct sk_buff *msg;
19908 	void *hdr;
19909 	int size = 200;
19910 
19911 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19912 
19913 	if (wakeup)
19914 		size += wakeup->packet_present_len;
19915 
19916 	msg = nlmsg_new(size, gfp);
19917 	if (!msg)
19918 		return;
19919 
19920 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19921 	if (!hdr)
19922 		goto free_msg;
19923 
19924 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19925 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19926 			      NL80211_ATTR_PAD))
19927 		goto free_msg;
19928 
19929 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19930 					wdev->netdev->ifindex))
19931 		goto free_msg;
19932 
19933 	if (wakeup) {
19934 		struct nlattr *reasons;
19935 
19936 		reasons = nla_nest_start_noflag(msg,
19937 						NL80211_ATTR_WOWLAN_TRIGGERS);
19938 		if (!reasons)
19939 			goto free_msg;
19940 
19941 		if (wakeup->disconnect &&
19942 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19943 			goto free_msg;
19944 		if (wakeup->magic_pkt &&
19945 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19946 			goto free_msg;
19947 		if (wakeup->gtk_rekey_failure &&
19948 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19949 			goto free_msg;
19950 		if (wakeup->eap_identity_req &&
19951 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19952 			goto free_msg;
19953 		if (wakeup->four_way_handshake &&
19954 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19955 			goto free_msg;
19956 		if (wakeup->rfkill_release &&
19957 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19958 			goto free_msg;
19959 
19960 		if (wakeup->pattern_idx >= 0 &&
19961 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19962 				wakeup->pattern_idx))
19963 			goto free_msg;
19964 
19965 		if (wakeup->tcp_match &&
19966 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19967 			goto free_msg;
19968 
19969 		if (wakeup->tcp_connlost &&
19970 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19971 			goto free_msg;
19972 
19973 		if (wakeup->tcp_nomoretokens &&
19974 		    nla_put_flag(msg,
19975 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19976 			goto free_msg;
19977 
19978 		if (wakeup->unprot_deauth_disassoc &&
19979 		    nla_put_flag(msg,
19980 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
19981 			goto free_msg;
19982 
19983 		if (wakeup->packet) {
19984 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19985 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19986 
19987 			if (!wakeup->packet_80211) {
19988 				pkt_attr =
19989 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19990 				len_attr =
19991 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19992 			}
19993 
19994 			if (wakeup->packet_len &&
19995 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19996 				goto free_msg;
19997 
19998 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19999 				    wakeup->packet))
20000 				goto free_msg;
20001 		}
20002 
20003 		if (wakeup->net_detect &&
20004 		    cfg80211_net_detect_results(msg, wakeup))
20005 				goto free_msg;
20006 
20007 		nla_nest_end(msg, reasons);
20008 	}
20009 
20010 	genlmsg_end(msg, hdr);
20011 
20012 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20013 				NL80211_MCGRP_MLME, gfp);
20014 	return;
20015 
20016  free_msg:
20017 	nlmsg_free(msg);
20018 }
20019 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20020 #endif
20021 
20022 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20023 				enum nl80211_tdls_operation oper,
20024 				u16 reason_code, gfp_t gfp)
20025 {
20026 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20027 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20028 	struct sk_buff *msg;
20029 	void *hdr;
20030 
20031 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20032 					 reason_code);
20033 
20034 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20035 	if (!msg)
20036 		return;
20037 
20038 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20039 	if (!hdr) {
20040 		nlmsg_free(msg);
20041 		return;
20042 	}
20043 
20044 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20045 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20046 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20047 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20048 	    (reason_code > 0 &&
20049 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20050 		goto nla_put_failure;
20051 
20052 	genlmsg_end(msg, hdr);
20053 
20054 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20055 				NL80211_MCGRP_MLME, gfp);
20056 	return;
20057 
20058  nla_put_failure:
20059 	nlmsg_free(msg);
20060 }
20061 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20062 
20063 static int nl80211_netlink_notify(struct notifier_block * nb,
20064 				  unsigned long state,
20065 				  void *_notify)
20066 {
20067 	struct netlink_notify *notify = _notify;
20068 	struct cfg80211_registered_device *rdev;
20069 	struct wireless_dev *wdev;
20070 	struct cfg80211_beacon_registration *reg, *tmp;
20071 
20072 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20073 		return NOTIFY_DONE;
20074 
20075 	rcu_read_lock();
20076 
20077 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20078 		struct cfg80211_sched_scan_request *sched_scan_req;
20079 
20080 		list_for_each_entry_rcu(sched_scan_req,
20081 					&rdev->sched_scan_req_list,
20082 					list) {
20083 			if (sched_scan_req->owner_nlportid == notify->portid) {
20084 				sched_scan_req->nl_owner_dead = true;
20085 				wiphy_work_queue(&rdev->wiphy,
20086 						 &rdev->sched_scan_stop_wk);
20087 			}
20088 		}
20089 
20090 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20091 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20092 
20093 			if (wdev->owner_nlportid == notify->portid) {
20094 				wdev->nl_owner_dead = true;
20095 				schedule_work(&rdev->destroy_work);
20096 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20097 				schedule_work(&wdev->disconnect_wk);
20098 			}
20099 
20100 			cfg80211_release_pmsr(wdev, notify->portid);
20101 		}
20102 
20103 		spin_lock_bh(&rdev->beacon_registrations_lock);
20104 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20105 					 list) {
20106 			if (reg->nlportid == notify->portid) {
20107 				list_del(&reg->list);
20108 				kfree(reg);
20109 				break;
20110 			}
20111 		}
20112 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20113 	}
20114 
20115 	rcu_read_unlock();
20116 
20117 	/*
20118 	 * It is possible that the user space process that is controlling the
20119 	 * indoor setting disappeared, so notify the regulatory core.
20120 	 */
20121 	regulatory_netlink_notify(notify->portid);
20122 	return NOTIFY_OK;
20123 }
20124 
20125 static struct notifier_block nl80211_netlink_notifier = {
20126 	.notifier_call = nl80211_netlink_notify,
20127 };
20128 
20129 void cfg80211_ft_event(struct net_device *netdev,
20130 		       struct cfg80211_ft_event_params *ft_event)
20131 {
20132 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20133 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20134 	struct sk_buff *msg;
20135 	void *hdr;
20136 
20137 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20138 
20139 	if (!ft_event->target_ap)
20140 		return;
20141 
20142 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20143 			GFP_KERNEL);
20144 	if (!msg)
20145 		return;
20146 
20147 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20148 	if (!hdr)
20149 		goto out;
20150 
20151 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20152 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20153 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20154 		goto out;
20155 
20156 	if (ft_event->ies &&
20157 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20158 		goto out;
20159 	if (ft_event->ric_ies &&
20160 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20161 		    ft_event->ric_ies))
20162 		goto out;
20163 
20164 	genlmsg_end(msg, hdr);
20165 
20166 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20167 				NL80211_MCGRP_MLME, GFP_KERNEL);
20168 	return;
20169  out:
20170 	nlmsg_free(msg);
20171 }
20172 EXPORT_SYMBOL(cfg80211_ft_event);
20173 
20174 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20175 {
20176 	struct cfg80211_registered_device *rdev;
20177 	struct sk_buff *msg;
20178 	void *hdr;
20179 	u32 nlportid;
20180 
20181 	rdev = wiphy_to_rdev(wdev->wiphy);
20182 	if (!rdev->crit_proto_nlportid)
20183 		return;
20184 
20185 	nlportid = rdev->crit_proto_nlportid;
20186 	rdev->crit_proto_nlportid = 0;
20187 
20188 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20189 	if (!msg)
20190 		return;
20191 
20192 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20193 	if (!hdr)
20194 		goto nla_put_failure;
20195 
20196 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20197 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20198 			      NL80211_ATTR_PAD))
20199 		goto nla_put_failure;
20200 
20201 	genlmsg_end(msg, hdr);
20202 
20203 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20204 	return;
20205 
20206  nla_put_failure:
20207 	nlmsg_free(msg);
20208 }
20209 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20210 
20211 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20212 {
20213 	struct wiphy *wiphy = wdev->wiphy;
20214 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20215 	struct sk_buff *msg;
20216 	void *hdr;
20217 
20218 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20219 	if (!msg)
20220 		return;
20221 
20222 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20223 	if (!hdr)
20224 		goto out;
20225 
20226 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20227 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20228 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20229 			      NL80211_ATTR_PAD) ||
20230 	    (wdev->valid_links &&
20231 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20232 		goto out;
20233 
20234 	genlmsg_end(msg, hdr);
20235 
20236 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20237 				NL80211_MCGRP_MLME, GFP_KERNEL);
20238 	return;
20239  out:
20240 	nlmsg_free(msg);
20241 }
20242 
20243 int cfg80211_external_auth_request(struct net_device *dev,
20244 				   struct cfg80211_external_auth_params *params,
20245 				   gfp_t gfp)
20246 {
20247 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20248 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20249 	struct sk_buff *msg;
20250 	void *hdr;
20251 
20252 	if (!wdev->conn_owner_nlportid)
20253 		return -EINVAL;
20254 
20255 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20256 	if (!msg)
20257 		return -ENOMEM;
20258 
20259 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20260 	if (!hdr)
20261 		goto nla_put_failure;
20262 
20263 	/* Some historical mistakes in drivers <-> userspace interface (notably
20264 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20265 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20266 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20267 	 * benefit of older wpa_supplicant versions, send this particular value
20268 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20269 	 * particular value in big endian still, so it all continues to work.
20270 	 */
20271 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20272 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20273 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20274 			goto nla_put_failure;
20275 	} else {
20276 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20277 				params->key_mgmt_suite))
20278 			goto nla_put_failure;
20279 	}
20280 
20281 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20282 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20283 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20284 			params->action) ||
20285 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20286 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20287 		    params->ssid.ssid) ||
20288 	    (!is_zero_ether_addr(params->mld_addr) &&
20289 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20290 		goto nla_put_failure;
20291 
20292 	genlmsg_end(msg, hdr);
20293 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20294 			wdev->conn_owner_nlportid);
20295 	return 0;
20296 
20297  nla_put_failure:
20298 	nlmsg_free(msg);
20299 	return -ENOBUFS;
20300 }
20301 EXPORT_SYMBOL(cfg80211_external_auth_request);
20302 
20303 void cfg80211_update_owe_info_event(struct net_device *netdev,
20304 				    struct cfg80211_update_owe_info *owe_info,
20305 				    gfp_t gfp)
20306 {
20307 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20308 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20309 	struct sk_buff *msg;
20310 	void *hdr;
20311 
20312 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20313 
20314 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20315 	if (!msg)
20316 		return;
20317 
20318 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20319 	if (!hdr)
20320 		goto nla_put_failure;
20321 
20322 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20323 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20324 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20325 		goto nla_put_failure;
20326 
20327 	if (!owe_info->ie_len ||
20328 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20329 		goto nla_put_failure;
20330 
20331 	if (owe_info->assoc_link_id != -1) {
20332 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20333 			       owe_info->assoc_link_id))
20334 			goto nla_put_failure;
20335 
20336 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20337 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20338 			    owe_info->peer_mld_addr))
20339 			goto nla_put_failure;
20340 	}
20341 
20342 	genlmsg_end(msg, hdr);
20343 
20344 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20345 				NL80211_MCGRP_MLME, gfp);
20346 	return;
20347 
20348 nla_put_failure:
20349 	genlmsg_cancel(msg, hdr);
20350 	nlmsg_free(msg);
20351 }
20352 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20353 
20354 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20355 {
20356 	struct wiphy *wiphy = wdev->wiphy;
20357 
20358 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20359 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20360 	    (wiphy_ext_feature_isset(wiphy,
20361 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20362 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20363 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20364 		reg_check_channels();
20365 }
20366 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20367 
20368 /* initialisation/exit functions */
20369 
20370 int __init nl80211_init(void)
20371 {
20372 	int err;
20373 
20374 	err = genl_register_family(&nl80211_fam);
20375 	if (err)
20376 		return err;
20377 
20378 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20379 	if (err)
20380 		goto err_out;
20381 
20382 	return 0;
20383  err_out:
20384 	genl_unregister_family(&nl80211_fam);
20385 	return err;
20386 }
20387 
20388 void nl80211_exit(void)
20389 {
20390 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20391 	genl_unregister_family(&nl80211_fam);
20392 }
20393