xref: /linux/net/wireless/nl80211.c (revision 8a3dc0f7c4ccf13098dba804be06799b4bd46c7a) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 static int validate_supported_selectors(const struct nlattr *attr,
298 					struct netlink_ext_ack *extack)
299 {
300 	const u8 *supported_selectors = nla_data(attr);
301 	u8 supported_selectors_len = nla_len(attr);
302 
303 	/* The top bit must not be set as it is not part of the selector */
304 	for (int i = 0; i < supported_selectors_len; i++) {
305 		if (supported_selectors[i] & 0x80)
306 			return -EINVAL;
307 	}
308 
309 	return 0;
310 }
311 
312 /* policy for the attributes */
313 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
314 
315 static const struct nla_policy
316 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
317 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
318 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
319 					.len = U8_MAX },
320 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
321 					     .len = U8_MAX },
322 };
323 
324 static const struct nla_policy
325 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
326 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
327 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
328 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
329 		NLA_POLICY_MAX(NLA_U8, 15),
330 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
331 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
332 		NLA_POLICY_MAX(NLA_U8, 15),
333 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
334 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
335 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
336 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
337 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
338 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
339 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
340 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
341 };
342 
343 static const struct nla_policy
344 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
345 	[NL80211_PMSR_TYPE_FTM] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
347 };
348 
349 static const struct nla_policy
350 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
351 	[NL80211_PMSR_REQ_ATTR_DATA] =
352 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
353 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
354 };
355 
356 static const struct nla_policy
357 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
358 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
359 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
360 	[NL80211_PMSR_PEER_ATTR_REQ] =
361 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
362 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
363 };
364 
365 static const struct nla_policy
366 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
367 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
368 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
369 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
370 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
371 	[NL80211_PMSR_ATTR_PEERS] =
372 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
373 };
374 
375 static const struct nla_policy
376 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
377 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
378 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
379 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
380 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
381 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
382 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
383 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
384 		NLA_POLICY_EXACT_LEN(8),
385 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
386 		NLA_POLICY_EXACT_LEN(8),
387 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
388 };
389 
390 static const struct nla_policy
391 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
392 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
393 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
394 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
395 };
396 
397 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
398 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
399 				    .len = NL80211_MAX_SUPP_RATES },
400 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
401 				.len = NL80211_MAX_SUPP_HT_RATES },
402 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
403 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
404 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
405 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
406 						   NL80211_RATE_INFO_HE_GI_0_8,
407 						   NL80211_RATE_INFO_HE_GI_3_2),
408 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
409 						   NL80211_RATE_INFO_HE_1XLTF,
410 						   NL80211_RATE_INFO_HE_4XLTF),
411 };
412 
413 static const struct nla_policy
414 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
415 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
416 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
417 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
418 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
419 	[NL80211_TID_CONFIG_ATTR_NOACK] =
420 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
421 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
422 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
423 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
424 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
425 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
426 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
427 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
428 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
429 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
430 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
431 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
432 			NLA_POLICY_NESTED(nl80211_txattr_policy),
433 };
434 
435 static const struct nla_policy
436 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
437 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
438 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
439 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
440 			NLA_POLICY_RANGE(NLA_BINARY,
441 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
442 					 IEEE80211_MAX_DATA_LEN),
443 };
444 
445 static const struct nla_policy
446 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
447 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
448 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
449 						       .len = IEEE80211_MAX_DATA_LEN }
450 };
451 
452 static const struct nla_policy
453 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
454 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
455 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
456 };
457 
458 static const struct nla_policy
459 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
460 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
461 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
462 };
463 
464 static const struct nla_policy
465 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
466 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
467 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
468 						NLA_POLICY_MIN(NLA_U8, 1),
469 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
470 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
471 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
472 };
473 
474 static const struct nla_policy
475 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
476 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
477 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
478 };
479 
480 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
481 	.min = 0,
482 	.max = 0xffff,
483 };
484 
485 static const struct netlink_range_validation q_range = {
486 	.max = INT_MAX,
487 };
488 
489 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
490 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
491 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
492 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
493 				      .len = 20-1 },
494 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
495 
496 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
497 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
498 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
499 						NL80211_EDMG_CHANNELS_MIN,
500 						NL80211_EDMG_CHANNELS_MAX),
501 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
502 						NL80211_EDMG_BW_CONFIG_MIN,
503 						NL80211_EDMG_BW_CONFIG_MAX),
504 
505 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
506 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
507 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
508 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
509 
510 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
511 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
512 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
513 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
514 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
515 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
516 
517 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
518 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
519 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
520 
521 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
522 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
523 
524 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
525 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
526 				    .len = WLAN_MAX_KEY_LEN },
527 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
528 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
529 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
530 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
531 	[NL80211_ATTR_KEY_TYPE] =
532 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
533 
534 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
535 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
536 	[NL80211_ATTR_BEACON_HEAD] =
537 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
538 				       IEEE80211_MAX_DATA_LEN),
539 	[NL80211_ATTR_BEACON_TAIL] =
540 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
541 				       IEEE80211_MAX_DATA_LEN),
542 	[NL80211_ATTR_STA_AID] =
543 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
544 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
545 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
546 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
547 					       .len = NL80211_MAX_SUPP_RATES },
548 	[NL80211_ATTR_STA_PLINK_ACTION] =
549 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
550 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
551 		NLA_POLICY_RANGE(NLA_U8,
552 				 NL80211_TX_POWER_AUTOMATIC,
553 				 NL80211_TX_POWER_FIXED),
554 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
555 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
556 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
557 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
558 				   .len = IEEE80211_MAX_MESH_ID_LEN },
559 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
560 
561 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
562 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
563 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
564 
565 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
566 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
567 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
568 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
569 					   .len = NL80211_MAX_SUPP_RATES },
570 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
571 
572 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
573 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
574 
575 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
576 
577 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
578 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
579 						   validate_ie_attr,
580 						   IEEE80211_MAX_DATA_LEN),
581 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
582 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
583 
584 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
585 				.len = IEEE80211_MAX_SSID_LEN },
586 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
587 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
588 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
589 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
590 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
591 						  NL80211_MFP_NO,
592 						  NL80211_MFP_OPTIONAL),
593 	[NL80211_ATTR_STA_FLAGS2] =
594 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
595 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
597 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
598 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
600 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
601 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
602 	[NL80211_ATTR_WPA_VERSIONS] =
603 		NLA_POLICY_RANGE(NLA_U32, 0,
604 				 NL80211_WPA_VERSION_1 |
605 				 NL80211_WPA_VERSION_2 |
606 				 NL80211_WPA_VERSION_3),
607 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
608 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
609 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
610 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
611 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
612 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
613 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
614 				 .len = IEEE80211_MAX_DATA_LEN },
615 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
616 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
617 						   NL80211_PS_DISABLED,
618 						   NL80211_PS_ENABLED),
619 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
620 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
621 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
622 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
623 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
624 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
625 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
626 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
627 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
628 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
629 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
630 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
631 	[NL80211_ATTR_STA_PLINK_STATE] =
632 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
633 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
634 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
635 	[NL80211_ATTR_MESH_PEER_AID] =
636 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
637 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
638 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
639 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
640 	[NL80211_ATTR_HIDDEN_SSID] =
641 		NLA_POLICY_RANGE(NLA_U32,
642 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
643 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
644 	[NL80211_ATTR_IE_PROBE_RESP] =
645 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
646 				       IEEE80211_MAX_DATA_LEN),
647 	[NL80211_ATTR_IE_ASSOC_RESP] =
648 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
649 				       IEEE80211_MAX_DATA_LEN),
650 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
651 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
652 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
654 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
655 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
656 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
657 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
658 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
659 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
660 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
661 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
662 				      .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
664 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
665 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
666 		.len = NL80211_HT_CAPABILITY_LEN
667 	},
668 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
669 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
670 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
671 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
672 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
673 
674 	/* need to include at least Auth Transaction and Status Code */
675 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
676 
677 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
678 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
679 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
680 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
681 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
682 		NLA_POLICY_RANGE(NLA_U32,
683 				 NL80211_MESH_POWER_UNKNOWN + 1,
684 				 NL80211_MESH_POWER_MAX),
685 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
686 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
687 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
688 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
689 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
690 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
691 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
692 		.len = NL80211_VHT_CAPABILITY_LEN,
693 	},
694 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
695 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
696 				  .len = IEEE80211_MAX_DATA_LEN },
697 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
698 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
699 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
700 	[NL80211_ATTR_PEER_AID] =
701 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
702 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
703 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
705 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
706 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
707 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
708 	/*
709 	 * The value of the Length field of the Supported Operating
710 	 * Classes element is between 2 and 253.
711 	 */
712 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
713 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
714 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
715 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
716 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
717 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
718 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
719 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
720 						  IEEE80211_QOS_MAP_LEN_MIN,
721 						  IEEE80211_QOS_MAP_LEN_MAX),
722 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
723 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
724 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
725 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
726 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
727 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
728 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
729 	[NL80211_ATTR_USER_PRIO] =
730 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
731 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
732 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
733 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
734 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
735 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
736 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
737 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
738 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
739 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
740 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
741 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
742 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
743 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
744 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
745 	},
746 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
747 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
748 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
749 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
750 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
751 				    .len = FILS_MAX_KEK_LEN },
752 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
753 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
754 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
755 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
756 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
757 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
758 	},
759 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
760 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
761 					     .len = FILS_ERP_MAX_USERNAME_LEN },
762 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
763 					  .len = FILS_ERP_MAX_REALM_LEN },
764 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
765 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
766 					.len = FILS_ERP_MAX_RRK_LEN },
767 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
768 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
769 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
770 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
771 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
772 
773 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
774 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
775 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
776 	[NL80211_ATTR_HE_CAPABILITY] =
777 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
778 				       NL80211_HE_MAX_CAPABILITY_LEN),
779 	[NL80211_ATTR_FTM_RESPONDER] =
780 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
781 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
782 	[NL80211_ATTR_PEER_MEASUREMENTS] =
783 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
784 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
785 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
786 					.len = SAE_PASSWORD_MAX_LEN },
787 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
788 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
789 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
790 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
791 	[NL80211_ATTR_TID_CONFIG] =
792 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
793 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
794 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
795 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
796 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
797 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
798 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
799 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
800 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
801 	[NL80211_ATTR_FILS_DISCOVERY] =
802 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
803 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
804 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
805 	[NL80211_ATTR_S1G_CAPABILITY] =
806 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
807 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
808 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
809 	[NL80211_ATTR_SAE_PWE] =
810 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
811 				 NL80211_SAE_PWE_BOTH),
812 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
813 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
814 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
815 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
816 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
817 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
818 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
819 	[NL80211_ATTR_MBSSID_CONFIG] =
820 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
821 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
822 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
823 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
824 	[NL80211_ATTR_EHT_CAPABILITY] =
825 		NLA_POLICY_RANGE(NLA_BINARY,
826 				 NL80211_EHT_MIN_CAPABILITY_LEN,
827 				 NL80211_EHT_MAX_CAPABILITY_LEN),
828 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
829 	[NL80211_ATTR_MLO_LINKS] =
830 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
831 	[NL80211_ATTR_MLO_LINK_ID] =
832 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
833 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
834 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
835 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
836 	[NL80211_ATTR_PUNCT_BITMAP] =
837 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
838 
839 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
840 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
841 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
842 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
843 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
844 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
845 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
846 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
847 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
848 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
849 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
850 				       NL80211_MAX_SUPP_SELECTORS),
851 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
852 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
853 };
854 
855 /* policy for the key attributes */
856 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
857 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
858 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
859 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
860 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
861 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
862 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
863 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
864 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
865 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
866 };
867 
868 /* policy for the key default flags */
869 static const struct nla_policy
870 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
871 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
872 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
873 };
874 
875 #ifdef CONFIG_PM
876 /* policy for WoWLAN attributes */
877 static const struct nla_policy
878 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
879 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
880 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
881 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
882 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
883 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
884 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
885 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
886 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
887 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
888 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
889 };
890 
891 static const struct nla_policy
892 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
893 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
894 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
895 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
896 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
897 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
898 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
899 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
900 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
901 	},
902 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
903 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
904 	},
905 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
906 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
907 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
908 };
909 #endif /* CONFIG_PM */
910 
911 /* policy for coalesce rule attributes */
912 static const struct nla_policy
913 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
914 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
915 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
916 		NLA_POLICY_RANGE(NLA_U32,
917 				 NL80211_COALESCE_CONDITION_MATCH,
918 				 NL80211_COALESCE_CONDITION_NO_MATCH),
919 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
920 };
921 
922 /* policy for GTK rekey offload attributes */
923 static const struct nla_policy
924 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
925 	[NL80211_REKEY_DATA_KEK] = {
926 		.type = NLA_BINARY,
927 		.len = NL80211_KEK_EXT_LEN
928 	},
929 	[NL80211_REKEY_DATA_KCK] = {
930 		.type = NLA_BINARY,
931 		.len = NL80211_KCK_EXT_LEN_32
932 	},
933 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
934 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
935 };
936 
937 static const struct nla_policy
938 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
939 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
940 						 .len = IEEE80211_MAX_SSID_LEN },
941 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
942 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
943 };
944 
945 static const struct nla_policy
946 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
947 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
948 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
949 };
950 
951 static const struct nla_policy
952 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
953 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
954 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
955 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
956 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
957 	},
958 };
959 
960 /* policy for NAN function attributes */
961 static const struct nla_policy
962 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
963 	[NL80211_NAN_FUNC_TYPE] =
964 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
965 	[NL80211_NAN_FUNC_SERVICE_ID] = {
966 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
967 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
968 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
969 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
970 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
971 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
972 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
973 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
974 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
975 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
976 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
977 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
978 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
979 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
980 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
981 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
982 };
983 
984 /* policy for Service Response Filter attributes */
985 static const struct nla_policy
986 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
987 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
988 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
989 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
990 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
991 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
992 };
993 
994 /* policy for packet pattern attributes */
995 static const struct nla_policy
996 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
997 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
998 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
999 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1000 };
1001 
1002 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1003 				     struct cfg80211_registered_device **rdev,
1004 				     struct wireless_dev **wdev,
1005 				     struct nlattr **attrbuf)
1006 {
1007 	int err;
1008 
1009 	if (!cb->args[0]) {
1010 		struct nlattr **attrbuf_free = NULL;
1011 
1012 		if (!attrbuf) {
1013 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
1014 					  GFP_KERNEL);
1015 			if (!attrbuf)
1016 				return -ENOMEM;
1017 			attrbuf_free = attrbuf;
1018 		}
1019 
1020 		err = nlmsg_parse_deprecated(cb->nlh,
1021 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1022 					     attrbuf, nl80211_fam.maxattr,
1023 					     nl80211_policy, NULL);
1024 		if (err) {
1025 			kfree(attrbuf_free);
1026 			return err;
1027 		}
1028 
1029 		rtnl_lock();
1030 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1031 						   attrbuf);
1032 		kfree(attrbuf_free);
1033 		if (IS_ERR(*wdev)) {
1034 			rtnl_unlock();
1035 			return PTR_ERR(*wdev);
1036 		}
1037 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1038 		mutex_lock(&(*rdev)->wiphy.mtx);
1039 		rtnl_unlock();
1040 		/* 0 is the first index - add 1 to parse only once */
1041 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1042 		cb->args[1] = (*wdev)->identifier;
1043 	} else {
1044 		/* subtract the 1 again here */
1045 		struct wiphy *wiphy;
1046 		struct wireless_dev *tmp;
1047 
1048 		rtnl_lock();
1049 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1050 		if (!wiphy) {
1051 			rtnl_unlock();
1052 			return -ENODEV;
1053 		}
1054 		*rdev = wiphy_to_rdev(wiphy);
1055 		*wdev = NULL;
1056 
1057 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1058 			if (tmp->identifier == cb->args[1]) {
1059 				*wdev = tmp;
1060 				break;
1061 			}
1062 		}
1063 
1064 		if (!*wdev) {
1065 			rtnl_unlock();
1066 			return -ENODEV;
1067 		}
1068 		mutex_lock(&(*rdev)->wiphy.mtx);
1069 		rtnl_unlock();
1070 	}
1071 
1072 	return 0;
1073 }
1074 
1075 /* message building helper */
1076 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1077 		     int flags, u8 cmd)
1078 {
1079 	/* since there is no private header just add the generic one */
1080 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1081 }
1082 
1083 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1084 				     const struct ieee80211_reg_rule *rule)
1085 {
1086 	int j;
1087 	struct nlattr *nl_wmm_rules =
1088 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1089 
1090 	if (!nl_wmm_rules)
1091 		goto nla_put_failure;
1092 
1093 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1094 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1095 
1096 		if (!nl_wmm_rule)
1097 			goto nla_put_failure;
1098 
1099 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1100 				rule->wmm_rule.client[j].cw_min) ||
1101 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1102 				rule->wmm_rule.client[j].cw_max) ||
1103 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1104 			       rule->wmm_rule.client[j].aifsn) ||
1105 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1106 			        rule->wmm_rule.client[j].cot))
1107 			goto nla_put_failure;
1108 
1109 		nla_nest_end(msg, nl_wmm_rule);
1110 	}
1111 	nla_nest_end(msg, nl_wmm_rules);
1112 
1113 	return 0;
1114 
1115 nla_put_failure:
1116 	return -ENOBUFS;
1117 }
1118 
1119 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1120 				   struct ieee80211_channel *chan,
1121 				   bool large)
1122 {
1123 	/* Some channels must be completely excluded from the
1124 	 * list to protect old user-space tools from breaking
1125 	 */
1126 	if (!large && chan->flags &
1127 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1128 		return 0;
1129 	if (!large && chan->freq_offset)
1130 		return 0;
1131 
1132 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1133 			chan->center_freq))
1134 		goto nla_put_failure;
1135 
1136 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1137 		goto nla_put_failure;
1138 
1139 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1140 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1141 		goto nla_put_failure;
1142 
1143 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1144 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1145 		goto nla_put_failure;
1146 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1147 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1148 			goto nla_put_failure;
1149 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1150 			goto nla_put_failure;
1151 	}
1152 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1153 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1154 			goto nla_put_failure;
1155 		if (large) {
1156 			u32 time;
1157 
1158 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1159 
1160 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1161 					chan->dfs_state))
1162 				goto nla_put_failure;
1163 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1164 					time))
1165 				goto nla_put_failure;
1166 			if (nla_put_u32(msg,
1167 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1168 					chan->dfs_cac_ms))
1169 				goto nla_put_failure;
1170 		}
1171 	}
1172 
1173 	if (large) {
1174 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1175 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1176 			goto nla_put_failure;
1177 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1178 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1179 			goto nla_put_failure;
1180 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1181 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1182 			goto nla_put_failure;
1183 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1184 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1185 			goto nla_put_failure;
1186 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1187 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1188 			goto nla_put_failure;
1189 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1190 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1191 			goto nla_put_failure;
1192 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1193 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1194 			goto nla_put_failure;
1195 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1196 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1197 			goto nla_put_failure;
1198 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1199 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1200 			goto nla_put_failure;
1201 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1202 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1203 			goto nla_put_failure;
1204 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1205 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1206 			goto nla_put_failure;
1207 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1208 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1209 			goto nla_put_failure;
1210 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1211 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1212 			goto nla_put_failure;
1213 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1214 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1215 			goto nla_put_failure;
1216 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1217 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1218 			goto nla_put_failure;
1219 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1220 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1221 			goto nla_put_failure;
1222 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1223 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1224 			goto nla_put_failure;
1225 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1226 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1227 			goto nla_put_failure;
1228 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1229 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1230 			goto nla_put_failure;
1231 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1232 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1233 			goto nla_put_failure;
1234 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1235 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1236 			goto nla_put_failure;
1237 	}
1238 
1239 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1240 			DBM_TO_MBM(chan->max_power)))
1241 		goto nla_put_failure;
1242 
1243 	if (large) {
1244 		const struct ieee80211_reg_rule *rule =
1245 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1246 
1247 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1248 			if (nl80211_msg_put_wmm_rules(msg, rule))
1249 				goto nla_put_failure;
1250 		}
1251 	}
1252 
1253 	return 0;
1254 
1255  nla_put_failure:
1256 	return -ENOBUFS;
1257 }
1258 
1259 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1260 				  struct cfg80211_txq_stats *txqstats,
1261 				  int attrtype)
1262 {
1263 	struct nlattr *txqattr;
1264 
1265 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1266 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1267 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1268 		return false;						  \
1269 	} while (0)
1270 
1271 	txqattr = nla_nest_start_noflag(msg, attrtype);
1272 	if (!txqattr)
1273 		return false;
1274 
1275 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1276 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1277 	PUT_TXQVAL_U32(FLOWS, flows);
1278 	PUT_TXQVAL_U32(DROPS, drops);
1279 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1280 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1281 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1282 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1283 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1284 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1285 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1286 	nla_nest_end(msg, txqattr);
1287 
1288 #undef PUT_TXQVAL_U32
1289 	return true;
1290 }
1291 
1292 /* netlink command implementations */
1293 
1294 /**
1295  * nl80211_link_id - return link ID
1296  * @attrs: attributes to look at
1297  *
1298  * Returns: the link ID or 0 if not given
1299  *
1300  * Note this function doesn't do any validation of the link
1301  * ID validity wrt. links that were actually added, so it must
1302  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1303  * or if additional validation is done.
1304  */
1305 static unsigned int nl80211_link_id(struct nlattr **attrs)
1306 {
1307 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1308 
1309 	return nla_get_u8_default(linkid, 0);
1310 }
1311 
1312 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1313 {
1314 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1315 
1316 	if (!linkid)
1317 		return -1;
1318 
1319 	return nla_get_u8(linkid);
1320 }
1321 
1322 struct key_parse {
1323 	struct key_params p;
1324 	int idx;
1325 	int type;
1326 	bool def, defmgmt, defbeacon;
1327 	bool def_uni, def_multi;
1328 };
1329 
1330 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1331 				 struct key_parse *k)
1332 {
1333 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1334 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1335 					      nl80211_key_policy,
1336 					      info->extack);
1337 	if (err)
1338 		return err;
1339 
1340 	k->def = !!tb[NL80211_KEY_DEFAULT];
1341 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1342 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1343 
1344 	if (k->def) {
1345 		k->def_uni = true;
1346 		k->def_multi = true;
1347 	}
1348 	if (k->defmgmt || k->defbeacon)
1349 		k->def_multi = true;
1350 
1351 	if (tb[NL80211_KEY_IDX])
1352 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1353 
1354 	if (tb[NL80211_KEY_DATA]) {
1355 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1356 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1357 	}
1358 
1359 	if (tb[NL80211_KEY_SEQ]) {
1360 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1361 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1362 	}
1363 
1364 	if (tb[NL80211_KEY_CIPHER])
1365 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1366 
1367 	if (tb[NL80211_KEY_TYPE])
1368 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1369 
1370 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1371 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1372 
1373 		err = nla_parse_nested_deprecated(kdt,
1374 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1375 						  tb[NL80211_KEY_DEFAULT_TYPES],
1376 						  nl80211_key_default_policy,
1377 						  info->extack);
1378 		if (err)
1379 			return err;
1380 
1381 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1382 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1383 	}
1384 
1385 	if (tb[NL80211_KEY_MODE])
1386 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1387 
1388 	return 0;
1389 }
1390 
1391 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1392 {
1393 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1394 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1395 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1396 	}
1397 
1398 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1399 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1400 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1401 	}
1402 
1403 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1404 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1405 
1406 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1407 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1408 
1409 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1410 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1411 
1412 	if (k->def) {
1413 		k->def_uni = true;
1414 		k->def_multi = true;
1415 	}
1416 	if (k->defmgmt)
1417 		k->def_multi = true;
1418 
1419 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1420 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1421 
1422 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1423 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1424 		int err = nla_parse_nested_deprecated(kdt,
1425 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1426 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1427 						      nl80211_key_default_policy,
1428 						      info->extack);
1429 		if (err)
1430 			return err;
1431 
1432 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1433 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1434 	}
1435 
1436 	return 0;
1437 }
1438 
1439 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1440 {
1441 	int err;
1442 
1443 	memset(k, 0, sizeof(*k));
1444 	k->idx = -1;
1445 	k->type = -1;
1446 
1447 	if (info->attrs[NL80211_ATTR_KEY])
1448 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1449 	else
1450 		err = nl80211_parse_key_old(info, k);
1451 
1452 	if (err)
1453 		return err;
1454 
1455 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1456 	    (k->defbeacon ? 1 : 0) > 1) {
1457 		GENL_SET_ERR_MSG(info,
1458 				 "key with multiple default flags is invalid");
1459 		return -EINVAL;
1460 	}
1461 
1462 	if (k->defmgmt || k->defbeacon) {
1463 		if (k->def_uni || !k->def_multi) {
1464 			GENL_SET_ERR_MSG(info,
1465 					 "defmgmt/defbeacon key must be mcast");
1466 			return -EINVAL;
1467 		}
1468 	}
1469 
1470 	if (k->idx != -1) {
1471 		if (k->defmgmt) {
1472 			if (k->idx < 4 || k->idx > 5) {
1473 				GENL_SET_ERR_MSG(info,
1474 						 "defmgmt key idx not 4 or 5");
1475 				return -EINVAL;
1476 			}
1477 		} else if (k->defbeacon) {
1478 			if (k->idx < 6 || k->idx > 7) {
1479 				GENL_SET_ERR_MSG(info,
1480 						 "defbeacon key idx not 6 or 7");
1481 				return -EINVAL;
1482 			}
1483 		} else if (k->def) {
1484 			if (k->idx < 0 || k->idx > 3) {
1485 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1486 				return -EINVAL;
1487 			}
1488 		} else {
1489 			if (k->idx < 0 || k->idx > 7) {
1490 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1491 				return -EINVAL;
1492 			}
1493 		}
1494 	}
1495 
1496 	return 0;
1497 }
1498 
1499 static struct cfg80211_cached_keys *
1500 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1501 		       struct genl_info *info, bool *no_ht)
1502 {
1503 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1504 	struct key_parse parse;
1505 	struct nlattr *key;
1506 	struct cfg80211_cached_keys *result;
1507 	int rem, err, def = 0;
1508 	bool have_key = false;
1509 
1510 	nla_for_each_nested(key, keys, rem) {
1511 		have_key = true;
1512 		break;
1513 	}
1514 
1515 	if (!have_key)
1516 		return NULL;
1517 
1518 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1519 	if (!result)
1520 		return ERR_PTR(-ENOMEM);
1521 
1522 	result->def = -1;
1523 
1524 	nla_for_each_nested(key, keys, rem) {
1525 		memset(&parse, 0, sizeof(parse));
1526 		parse.idx = -1;
1527 
1528 		err = nl80211_parse_key_new(info, key, &parse);
1529 		if (err)
1530 			goto error;
1531 		err = -EINVAL;
1532 		if (!parse.p.key)
1533 			goto error;
1534 		if (parse.idx < 0 || parse.idx > 3) {
1535 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1536 			goto error;
1537 		}
1538 		if (parse.def) {
1539 			if (def) {
1540 				GENL_SET_ERR_MSG(info,
1541 						 "only one key can be default");
1542 				goto error;
1543 			}
1544 			def = 1;
1545 			result->def = parse.idx;
1546 			if (!parse.def_uni || !parse.def_multi)
1547 				goto error;
1548 		} else if (parse.defmgmt)
1549 			goto error;
1550 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1551 						     parse.idx, false, NULL);
1552 		if (err)
1553 			goto error;
1554 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1555 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1556 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1557 			err = -EINVAL;
1558 			goto error;
1559 		}
1560 		result->params[parse.idx].cipher = parse.p.cipher;
1561 		result->params[parse.idx].key_len = parse.p.key_len;
1562 		result->params[parse.idx].key = result->data[parse.idx];
1563 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1564 
1565 		/* must be WEP key if we got here */
1566 		if (no_ht)
1567 			*no_ht = true;
1568 	}
1569 
1570 	if (result->def < 0) {
1571 		err = -EINVAL;
1572 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1573 		goto error;
1574 	}
1575 
1576 	return result;
1577  error:
1578 	kfree(result);
1579 	return ERR_PTR(err);
1580 }
1581 
1582 static int nl80211_key_allowed(struct wireless_dev *wdev)
1583 {
1584 	lockdep_assert_wiphy(wdev->wiphy);
1585 
1586 	switch (wdev->iftype) {
1587 	case NL80211_IFTYPE_AP:
1588 	case NL80211_IFTYPE_AP_VLAN:
1589 	case NL80211_IFTYPE_P2P_GO:
1590 	case NL80211_IFTYPE_MESH_POINT:
1591 		break;
1592 	case NL80211_IFTYPE_ADHOC:
1593 		if (wdev->u.ibss.current_bss)
1594 			return 0;
1595 		return -ENOLINK;
1596 	case NL80211_IFTYPE_STATION:
1597 	case NL80211_IFTYPE_P2P_CLIENT:
1598 		if (wdev->connected)
1599 			return 0;
1600 		return -ENOLINK;
1601 	case NL80211_IFTYPE_NAN:
1602 		if (wiphy_ext_feature_isset(wdev->wiphy,
1603 					    NL80211_EXT_FEATURE_SECURE_NAN))
1604 			return 0;
1605 		return -EINVAL;
1606 	case NL80211_IFTYPE_UNSPECIFIED:
1607 	case NL80211_IFTYPE_OCB:
1608 	case NL80211_IFTYPE_MONITOR:
1609 	case NL80211_IFTYPE_P2P_DEVICE:
1610 	case NL80211_IFTYPE_WDS:
1611 	case NUM_NL80211_IFTYPES:
1612 		return -EINVAL;
1613 	}
1614 
1615 	return 0;
1616 }
1617 
1618 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1619 							u32 freq)
1620 {
1621 	struct ieee80211_channel *chan;
1622 
1623 	chan = ieee80211_get_channel_khz(wiphy, freq);
1624 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1625 		return NULL;
1626 	return chan;
1627 }
1628 
1629 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1630 {
1631 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1632 	int i;
1633 
1634 	if (!nl_modes)
1635 		goto nla_put_failure;
1636 
1637 	i = 0;
1638 	while (ifmodes) {
1639 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1640 			goto nla_put_failure;
1641 		ifmodes >>= 1;
1642 		i++;
1643 	}
1644 
1645 	nla_nest_end(msg, nl_modes);
1646 	return 0;
1647 
1648 nla_put_failure:
1649 	return -ENOBUFS;
1650 }
1651 
1652 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1653 				   const struct ieee80211_iface_combination *c,
1654 				   u16 nested)
1655 {
1656 	struct nlattr *nl_combi, *nl_limits;
1657 	int i;
1658 
1659 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1660 	if (!nl_combi)
1661 		goto nla_put_failure;
1662 
1663 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1664 					       nested);
1665 	if (!nl_limits)
1666 		goto nla_put_failure;
1667 
1668 	for (i = 0; i < c->n_limits; i++) {
1669 		struct nlattr *nl_limit;
1670 
1671 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1672 		if (!nl_limit)
1673 			goto nla_put_failure;
1674 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1675 			goto nla_put_failure;
1676 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1677 					c->limits[i].types))
1678 			goto nla_put_failure;
1679 		nla_nest_end(msg, nl_limit);
1680 	}
1681 
1682 	nla_nest_end(msg, nl_limits);
1683 
1684 	if (c->beacon_int_infra_match &&
1685 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1686 		goto nla_put_failure;
1687 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1688 			c->num_different_channels) ||
1689 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1690 			c->max_interfaces))
1691 		goto nla_put_failure;
1692 	if (large &&
1693 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1694 			c->radar_detect_widths) ||
1695 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1696 			c->radar_detect_regions)))
1697 		goto nla_put_failure;
1698 	if (c->beacon_int_min_gcd &&
1699 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1700 			c->beacon_int_min_gcd))
1701 		goto nla_put_failure;
1702 
1703 	nla_nest_end(msg, nl_combi);
1704 
1705 	return 0;
1706 nla_put_failure:
1707 	return -ENOBUFS;
1708 }
1709 
1710 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1711 					  struct sk_buff *msg,
1712 					  int attr, int radio,
1713 					  bool large, u16 nested)
1714 {
1715 	const struct ieee80211_iface_combination *c;
1716 	struct nlattr *nl_combis;
1717 	int i, n;
1718 
1719 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1720 	if (!nl_combis)
1721 		goto nla_put_failure;
1722 
1723 	if (radio >= 0) {
1724 		c = wiphy->radio[0].iface_combinations;
1725 		n = wiphy->radio[0].n_iface_combinations;
1726 	} else {
1727 		c = wiphy->iface_combinations;
1728 		n = wiphy->n_iface_combinations;
1729 	}
1730 	for (i = 0; i < n; i++)
1731 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1732 			goto nla_put_failure;
1733 
1734 	nla_nest_end(msg, nl_combis);
1735 
1736 	return 0;
1737 nla_put_failure:
1738 	return -ENOBUFS;
1739 }
1740 
1741 #ifdef CONFIG_PM
1742 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1743 					struct sk_buff *msg)
1744 {
1745 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1746 	struct nlattr *nl_tcp;
1747 
1748 	if (!tcp)
1749 		return 0;
1750 
1751 	nl_tcp = nla_nest_start_noflag(msg,
1752 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1753 	if (!nl_tcp)
1754 		return -ENOBUFS;
1755 
1756 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1757 			tcp->data_payload_max))
1758 		return -ENOBUFS;
1759 
1760 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1761 			tcp->data_payload_max))
1762 		return -ENOBUFS;
1763 
1764 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1765 		return -ENOBUFS;
1766 
1767 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1768 				sizeof(*tcp->tok), tcp->tok))
1769 		return -ENOBUFS;
1770 
1771 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1772 			tcp->data_interval_max))
1773 		return -ENOBUFS;
1774 
1775 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1776 			tcp->wake_payload_max))
1777 		return -ENOBUFS;
1778 
1779 	nla_nest_end(msg, nl_tcp);
1780 	return 0;
1781 }
1782 
1783 static int nl80211_send_wowlan(struct sk_buff *msg,
1784 			       struct cfg80211_registered_device *rdev,
1785 			       bool large)
1786 {
1787 	struct nlattr *nl_wowlan;
1788 
1789 	if (!rdev->wiphy.wowlan)
1790 		return 0;
1791 
1792 	nl_wowlan = nla_nest_start_noflag(msg,
1793 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1794 	if (!nl_wowlan)
1795 		return -ENOBUFS;
1796 
1797 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1798 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1799 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1800 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1801 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1802 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1803 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1804 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1805 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1806 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1807 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1808 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1809 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1810 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1811 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1812 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1813 		return -ENOBUFS;
1814 
1815 	if (rdev->wiphy.wowlan->n_patterns) {
1816 		struct nl80211_pattern_support pat = {
1817 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1818 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1819 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1820 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1821 		};
1822 
1823 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1824 			    sizeof(pat), &pat))
1825 			return -ENOBUFS;
1826 	}
1827 
1828 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1829 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1830 			rdev->wiphy.wowlan->max_nd_match_sets))
1831 		return -ENOBUFS;
1832 
1833 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1834 		return -ENOBUFS;
1835 
1836 	nla_nest_end(msg, nl_wowlan);
1837 
1838 	return 0;
1839 }
1840 #endif
1841 
1842 static int nl80211_send_coalesce(struct sk_buff *msg,
1843 				 struct cfg80211_registered_device *rdev)
1844 {
1845 	struct nl80211_coalesce_rule_support rule;
1846 
1847 	if (!rdev->wiphy.coalesce)
1848 		return 0;
1849 
1850 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1851 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1852 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1853 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1854 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1855 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1856 
1857 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1858 		return -ENOBUFS;
1859 
1860 	return 0;
1861 }
1862 
1863 static int
1864 nl80211_send_iftype_data(struct sk_buff *msg,
1865 			 const struct ieee80211_supported_band *sband,
1866 			 const struct ieee80211_sband_iftype_data *iftdata)
1867 {
1868 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1869 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1870 
1871 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1872 				iftdata->types_mask))
1873 		return -ENOBUFS;
1874 
1875 	if (he_cap->has_he) {
1876 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1877 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1878 			    he_cap->he_cap_elem.mac_cap_info) ||
1879 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1880 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1881 			    he_cap->he_cap_elem.phy_cap_info) ||
1882 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1883 			    sizeof(he_cap->he_mcs_nss_supp),
1884 			    &he_cap->he_mcs_nss_supp) ||
1885 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1886 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1887 			return -ENOBUFS;
1888 	}
1889 
1890 	if (eht_cap->has_eht && he_cap->has_he) {
1891 		u8 mcs_nss_size, ppe_thresh_size;
1892 		u16 ppe_thres_hdr;
1893 		bool is_ap;
1894 
1895 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1896 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1897 
1898 		mcs_nss_size =
1899 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1900 						   &eht_cap->eht_cap_elem,
1901 						   is_ap);
1902 
1903 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1904 		ppe_thresh_size =
1905 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1906 					       eht_cap->eht_cap_elem.phy_cap_info);
1907 
1908 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1909 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1910 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1911 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1912 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1913 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1914 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1915 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1916 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1917 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1918 			return -ENOBUFS;
1919 	}
1920 
1921 	if (sband->band == NL80211_BAND_6GHZ &&
1922 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1923 		    sizeof(iftdata->he_6ghz_capa),
1924 		    &iftdata->he_6ghz_capa))
1925 		return -ENOBUFS;
1926 
1927 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1928 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1929 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1930 		return -ENOBUFS;
1931 
1932 	return 0;
1933 }
1934 
1935 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1936 				      struct ieee80211_supported_band *sband,
1937 				      bool large)
1938 {
1939 	struct nlattr *nl_rates, *nl_rate;
1940 	struct ieee80211_rate *rate;
1941 	int i;
1942 
1943 	/* add HT info */
1944 	if (sband->ht_cap.ht_supported &&
1945 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1946 		     sizeof(sband->ht_cap.mcs),
1947 		     &sband->ht_cap.mcs) ||
1948 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1949 			 sband->ht_cap.cap) ||
1950 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1951 			sband->ht_cap.ampdu_factor) ||
1952 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1953 			sband->ht_cap.ampdu_density)))
1954 		return -ENOBUFS;
1955 
1956 	/* add VHT info */
1957 	if (sband->vht_cap.vht_supported &&
1958 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1959 		     sizeof(sband->vht_cap.vht_mcs),
1960 		     &sband->vht_cap.vht_mcs) ||
1961 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1962 			 sband->vht_cap.cap)))
1963 		return -ENOBUFS;
1964 
1965 	if (large && sband->n_iftype_data) {
1966 		struct nlattr *nl_iftype_data =
1967 			nla_nest_start_noflag(msg,
1968 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1969 		const struct ieee80211_sband_iftype_data *iftd;
1970 		int err;
1971 
1972 		if (!nl_iftype_data)
1973 			return -ENOBUFS;
1974 
1975 		for_each_sband_iftype_data(sband, i, iftd) {
1976 			struct nlattr *iftdata;
1977 
1978 			iftdata = nla_nest_start_noflag(msg, i + 1);
1979 			if (!iftdata)
1980 				return -ENOBUFS;
1981 
1982 			err = nl80211_send_iftype_data(msg, sband, iftd);
1983 			if (err)
1984 				return err;
1985 
1986 			nla_nest_end(msg, iftdata);
1987 		}
1988 
1989 		nla_nest_end(msg, nl_iftype_data);
1990 	}
1991 
1992 	/* add EDMG info */
1993 	if (large && sband->edmg_cap.channels &&
1994 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1995 		       sband->edmg_cap.channels) ||
1996 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1997 		       sband->edmg_cap.bw_config)))
1998 
1999 		return -ENOBUFS;
2000 
2001 	/* add bitrates */
2002 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2003 	if (!nl_rates)
2004 		return -ENOBUFS;
2005 
2006 	for (i = 0; i < sband->n_bitrates; i++) {
2007 		nl_rate = nla_nest_start_noflag(msg, i);
2008 		if (!nl_rate)
2009 			return -ENOBUFS;
2010 
2011 		rate = &sband->bitrates[i];
2012 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2013 				rate->bitrate))
2014 			return -ENOBUFS;
2015 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2016 		    nla_put_flag(msg,
2017 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2018 			return -ENOBUFS;
2019 
2020 		nla_nest_end(msg, nl_rate);
2021 	}
2022 
2023 	nla_nest_end(msg, nl_rates);
2024 
2025 	/* S1G capabilities */
2026 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2027 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2028 		     sizeof(sband->s1g_cap.cap),
2029 		     sband->s1g_cap.cap) ||
2030 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2031 		     sizeof(sband->s1g_cap.nss_mcs),
2032 		     sband->s1g_cap.nss_mcs)))
2033 		return -ENOBUFS;
2034 
2035 	return 0;
2036 }
2037 
2038 static int
2039 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2040 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2041 {
2042 	u16 stypes;
2043 	struct nlattr *nl_ftypes, *nl_ifs;
2044 	enum nl80211_iftype ift;
2045 	int i;
2046 
2047 	if (!mgmt_stypes)
2048 		return 0;
2049 
2050 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2051 	if (!nl_ifs)
2052 		return -ENOBUFS;
2053 
2054 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2055 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2056 		if (!nl_ftypes)
2057 			return -ENOBUFS;
2058 		i = 0;
2059 		stypes = mgmt_stypes[ift].tx;
2060 		while (stypes) {
2061 			if ((stypes & 1) &&
2062 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2063 					(i << 4) | IEEE80211_FTYPE_MGMT))
2064 				return -ENOBUFS;
2065 			stypes >>= 1;
2066 			i++;
2067 		}
2068 		nla_nest_end(msg, nl_ftypes);
2069 	}
2070 
2071 	nla_nest_end(msg, nl_ifs);
2072 
2073 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2074 	if (!nl_ifs)
2075 		return -ENOBUFS;
2076 
2077 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2078 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2079 		if (!nl_ftypes)
2080 			return -ENOBUFS;
2081 		i = 0;
2082 		stypes = mgmt_stypes[ift].rx;
2083 		while (stypes) {
2084 			if ((stypes & 1) &&
2085 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2086 					(i << 4) | IEEE80211_FTYPE_MGMT))
2087 				return -ENOBUFS;
2088 			stypes >>= 1;
2089 			i++;
2090 		}
2091 		nla_nest_end(msg, nl_ftypes);
2092 	}
2093 	nla_nest_end(msg, nl_ifs);
2094 
2095 	return 0;
2096 }
2097 
2098 #define CMD(op, n)							\
2099 	 do {								\
2100 		if (rdev->ops->op) {					\
2101 			i++;						\
2102 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2103 				goto nla_put_failure;			\
2104 		}							\
2105 	} while (0)
2106 
2107 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2108 					struct sk_buff *msg)
2109 {
2110 	int i = 0;
2111 
2112 	/*
2113 	 * do *NOT* add anything into this function, new things need to be
2114 	 * advertised only to new versions of userspace that can deal with
2115 	 * the split (and they can't possibly care about new features...
2116 	 */
2117 	CMD(add_virtual_intf, NEW_INTERFACE);
2118 	CMD(change_virtual_intf, SET_INTERFACE);
2119 	CMD(add_key, NEW_KEY);
2120 	CMD(start_ap, START_AP);
2121 	CMD(add_station, NEW_STATION);
2122 	CMD(add_mpath, NEW_MPATH);
2123 	CMD(update_mesh_config, SET_MESH_CONFIG);
2124 	CMD(change_bss, SET_BSS);
2125 	CMD(auth, AUTHENTICATE);
2126 	CMD(assoc, ASSOCIATE);
2127 	CMD(deauth, DEAUTHENTICATE);
2128 	CMD(disassoc, DISASSOCIATE);
2129 	CMD(join_ibss, JOIN_IBSS);
2130 	CMD(join_mesh, JOIN_MESH);
2131 	CMD(set_pmksa, SET_PMKSA);
2132 	CMD(del_pmksa, DEL_PMKSA);
2133 	CMD(flush_pmksa, FLUSH_PMKSA);
2134 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2135 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2136 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2137 	CMD(mgmt_tx, FRAME);
2138 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2139 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2140 		i++;
2141 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2142 			goto nla_put_failure;
2143 	}
2144 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2145 	    rdev->ops->join_mesh) {
2146 		i++;
2147 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2148 			goto nla_put_failure;
2149 	}
2150 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2151 		CMD(tdls_mgmt, TDLS_MGMT);
2152 		CMD(tdls_oper, TDLS_OPER);
2153 	}
2154 	if (rdev->wiphy.max_sched_scan_reqs)
2155 		CMD(sched_scan_start, START_SCHED_SCAN);
2156 	CMD(probe_client, PROBE_CLIENT);
2157 	CMD(set_noack_map, SET_NOACK_MAP);
2158 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2159 		i++;
2160 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2161 			goto nla_put_failure;
2162 	}
2163 	CMD(start_p2p_device, START_P2P_DEVICE);
2164 	CMD(set_mcast_rate, SET_MCAST_RATE);
2165 #ifdef CONFIG_NL80211_TESTMODE
2166 	CMD(testmode_cmd, TESTMODE);
2167 #endif
2168 
2169 	if (rdev->ops->connect || rdev->ops->auth) {
2170 		i++;
2171 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2172 			goto nla_put_failure;
2173 	}
2174 
2175 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2176 		i++;
2177 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2178 			goto nla_put_failure;
2179 	}
2180 
2181 	return i;
2182  nla_put_failure:
2183 	return -ENOBUFS;
2184 }
2185 
2186 static int
2187 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2188 			   struct sk_buff *msg)
2189 {
2190 	struct nlattr *ftm;
2191 
2192 	if (!cap->ftm.supported)
2193 		return 0;
2194 
2195 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2196 	if (!ftm)
2197 		return -ENOBUFS;
2198 
2199 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2200 		return -ENOBUFS;
2201 	if (cap->ftm.non_asap &&
2202 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2203 		return -ENOBUFS;
2204 	if (cap->ftm.request_lci &&
2205 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2206 		return -ENOBUFS;
2207 	if (cap->ftm.request_civicloc &&
2208 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2209 		return -ENOBUFS;
2210 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2211 			cap->ftm.preambles))
2212 		return -ENOBUFS;
2213 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2214 			cap->ftm.bandwidths))
2215 		return -ENOBUFS;
2216 	if (cap->ftm.max_bursts_exponent >= 0 &&
2217 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2218 			cap->ftm.max_bursts_exponent))
2219 		return -ENOBUFS;
2220 	if (cap->ftm.max_ftms_per_burst &&
2221 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2222 			cap->ftm.max_ftms_per_burst))
2223 		return -ENOBUFS;
2224 	if (cap->ftm.trigger_based &&
2225 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2226 		return -ENOBUFS;
2227 	if (cap->ftm.non_trigger_based &&
2228 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2229 		return -ENOBUFS;
2230 
2231 	nla_nest_end(msg, ftm);
2232 	return 0;
2233 }
2234 
2235 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2236 				  struct sk_buff *msg)
2237 {
2238 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2239 	struct nlattr *pmsr, *caps;
2240 
2241 	if (!cap)
2242 		return 0;
2243 
2244 	/*
2245 	 * we don't need to clean up anything here since the caller
2246 	 * will genlmsg_cancel() if we fail
2247 	 */
2248 
2249 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2250 	if (!pmsr)
2251 		return -ENOBUFS;
2252 
2253 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2254 		return -ENOBUFS;
2255 
2256 	if (cap->report_ap_tsf &&
2257 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2258 		return -ENOBUFS;
2259 
2260 	if (cap->randomize_mac_addr &&
2261 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2262 		return -ENOBUFS;
2263 
2264 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2265 	if (!caps)
2266 		return -ENOBUFS;
2267 
2268 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2269 		return -ENOBUFS;
2270 
2271 	nla_nest_end(msg, caps);
2272 	nla_nest_end(msg, pmsr);
2273 
2274 	return 0;
2275 }
2276 
2277 static int
2278 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2279 			      struct sk_buff *msg)
2280 {
2281 	int i;
2282 	struct nlattr *nested, *nested_akms;
2283 	const struct wiphy_iftype_akm_suites *iftype_akms;
2284 
2285 	if (!rdev->wiphy.num_iftype_akm_suites ||
2286 	    !rdev->wiphy.iftype_akm_suites)
2287 		return 0;
2288 
2289 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2290 	if (!nested)
2291 		return -ENOBUFS;
2292 
2293 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2294 		nested_akms = nla_nest_start(msg, i + 1);
2295 		if (!nested_akms)
2296 			return -ENOBUFS;
2297 
2298 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2299 
2300 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2301 					iftype_akms->iftypes_mask))
2302 			return -ENOBUFS;
2303 
2304 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2305 			    sizeof(u32) * iftype_akms->n_akm_suites,
2306 			    iftype_akms->akm_suites)) {
2307 			return -ENOBUFS;
2308 		}
2309 		nla_nest_end(msg, nested_akms);
2310 	}
2311 
2312 	nla_nest_end(msg, nested);
2313 
2314 	return 0;
2315 }
2316 
2317 static int
2318 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2319 			       struct sk_buff *msg)
2320 {
2321 	struct nlattr *supp;
2322 
2323 	if (!rdev->wiphy.tid_config_support.vif &&
2324 	    !rdev->wiphy.tid_config_support.peer)
2325 		return 0;
2326 
2327 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2328 	if (!supp)
2329 		return -ENOSPC;
2330 
2331 	if (rdev->wiphy.tid_config_support.vif &&
2332 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2333 			      rdev->wiphy.tid_config_support.vif,
2334 			      NL80211_TID_CONFIG_ATTR_PAD))
2335 		goto fail;
2336 
2337 	if (rdev->wiphy.tid_config_support.peer &&
2338 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2339 			      rdev->wiphy.tid_config_support.peer,
2340 			      NL80211_TID_CONFIG_ATTR_PAD))
2341 		goto fail;
2342 
2343 	/* for now we just use the same value ... makes more sense */
2344 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2345 		       rdev->wiphy.tid_config_support.max_retry))
2346 		goto fail;
2347 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2348 		       rdev->wiphy.tid_config_support.max_retry))
2349 		goto fail;
2350 
2351 	nla_nest_end(msg, supp);
2352 
2353 	return 0;
2354 fail:
2355 	nla_nest_cancel(msg, supp);
2356 	return -ENOBUFS;
2357 }
2358 
2359 static int
2360 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2361 		      struct sk_buff *msg)
2362 {
2363 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2364 	u8 num_freq_ranges;
2365 	int i;
2366 
2367 	if (!rdev->wiphy.sar_capa)
2368 		return 0;
2369 
2370 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2371 
2372 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2373 	if (!sar_capa)
2374 		return -ENOSPC;
2375 
2376 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2377 		goto fail;
2378 
2379 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2380 	if (!specs)
2381 		goto fail;
2382 
2383 	/* report supported freq_ranges */
2384 	for (i = 0; i < num_freq_ranges; i++) {
2385 		sub_freq_range = nla_nest_start(msg, i + 1);
2386 		if (!sub_freq_range)
2387 			goto fail;
2388 
2389 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2390 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2391 			goto fail;
2392 
2393 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2394 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2395 			goto fail;
2396 
2397 		nla_nest_end(msg, sub_freq_range);
2398 	}
2399 
2400 	nla_nest_end(msg, specs);
2401 	nla_nest_end(msg, sar_capa);
2402 
2403 	return 0;
2404 fail:
2405 	nla_nest_cancel(msg, sar_capa);
2406 	return -ENOBUFS;
2407 }
2408 
2409 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2410 {
2411 	struct nlattr *config;
2412 
2413 	if (!wiphy->mbssid_max_interfaces)
2414 		return 0;
2415 
2416 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2417 	if (!config)
2418 		return -ENOBUFS;
2419 
2420 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2421 		       wiphy->mbssid_max_interfaces))
2422 		goto fail;
2423 
2424 	if (wiphy->ema_max_profile_periodicity &&
2425 	    nla_put_u8(msg,
2426 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2427 		       wiphy->ema_max_profile_periodicity))
2428 		goto fail;
2429 
2430 	nla_nest_end(msg, config);
2431 	return 0;
2432 
2433 fail:
2434 	nla_nest_cancel(msg, config);
2435 	return -ENOBUFS;
2436 }
2437 
2438 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2439 {
2440 	const struct wiphy_radio *r = &wiphy->radio[idx];
2441 	struct nlattr *radio, *freq;
2442 	int i;
2443 
2444 	radio = nla_nest_start(msg, idx);
2445 	if (!radio)
2446 		return -ENOBUFS;
2447 
2448 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2449 		goto nla_put_failure;
2450 
2451 	if (r->antenna_mask &&
2452 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2453 			r->antenna_mask))
2454 		goto nla_put_failure;
2455 
2456 	for (i = 0; i < r->n_freq_range; i++) {
2457 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2458 
2459 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2460 		if (!freq)
2461 			goto nla_put_failure;
2462 
2463 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2464 				range->start_freq) ||
2465 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2466 				range->end_freq))
2467 			goto nla_put_failure;
2468 
2469 		nla_nest_end(msg, freq);
2470 	}
2471 
2472 	for (i = 0; i < r->n_iface_combinations; i++)
2473 		if (nl80211_put_ifcomb_data(msg, true,
2474 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2475 					    &r->iface_combinations[i],
2476 					    NLA_F_NESTED))
2477 			goto nla_put_failure;
2478 
2479 	nla_nest_end(msg, radio);
2480 
2481 	return 0;
2482 
2483 nla_put_failure:
2484 	return -ENOBUFS;
2485 }
2486 
2487 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2488 {
2489 	struct nlattr *radios;
2490 	int i;
2491 
2492 	if (!wiphy->n_radio)
2493 		return 0;
2494 
2495 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2496 	if (!radios)
2497 		return -ENOBUFS;
2498 
2499 	for (i = 0; i < wiphy->n_radio; i++)
2500 		if (nl80211_put_radio(wiphy, msg, i))
2501 			goto fail;
2502 
2503 	nla_nest_end(msg, radios);
2504 
2505 	if (nl80211_put_iface_combinations(wiphy, msg,
2506 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2507 					   -1, true, NLA_F_NESTED))
2508 		return -ENOBUFS;
2509 
2510 	return 0;
2511 
2512 fail:
2513 	nla_nest_cancel(msg, radios);
2514 	return -ENOBUFS;
2515 }
2516 
2517 struct nl80211_dump_wiphy_state {
2518 	s64 filter_wiphy;
2519 	long start;
2520 	long split_start, band_start, chan_start, capa_start;
2521 	bool split;
2522 };
2523 
2524 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2525 			      enum nl80211_commands cmd,
2526 			      struct sk_buff *msg, u32 portid, u32 seq,
2527 			      int flags, struct nl80211_dump_wiphy_state *state)
2528 {
2529 	void *hdr;
2530 	struct nlattr *nl_bands, *nl_band;
2531 	struct nlattr *nl_freqs, *nl_freq;
2532 	struct nlattr *nl_cmds;
2533 	enum nl80211_band band;
2534 	struct ieee80211_channel *chan;
2535 	int i;
2536 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2537 				rdev->wiphy.mgmt_stypes;
2538 	u32 features;
2539 
2540 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2541 	if (!hdr)
2542 		return -ENOBUFS;
2543 
2544 	if (WARN_ON(!state))
2545 		return -EINVAL;
2546 
2547 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2548 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2549 			   wiphy_name(&rdev->wiphy)) ||
2550 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2551 			cfg80211_rdev_list_generation))
2552 		goto nla_put_failure;
2553 
2554 	if (cmd != NL80211_CMD_NEW_WIPHY)
2555 		goto finish;
2556 
2557 	switch (state->split_start) {
2558 	case 0:
2559 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2560 			       rdev->wiphy.retry_short) ||
2561 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2562 			       rdev->wiphy.retry_long) ||
2563 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2564 				rdev->wiphy.frag_threshold) ||
2565 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2566 				rdev->wiphy.rts_threshold) ||
2567 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2568 			       rdev->wiphy.coverage_class) ||
2569 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2570 			       rdev->wiphy.max_scan_ssids) ||
2571 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2572 			       rdev->wiphy.max_sched_scan_ssids) ||
2573 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2574 				rdev->wiphy.max_scan_ie_len) ||
2575 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2576 				rdev->wiphy.max_sched_scan_ie_len) ||
2577 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2578 			       rdev->wiphy.max_match_sets))
2579 			goto nla_put_failure;
2580 
2581 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2582 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2583 			goto nla_put_failure;
2584 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2585 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2586 			goto nla_put_failure;
2587 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2588 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2589 			goto nla_put_failure;
2590 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2591 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2592 			goto nla_put_failure;
2593 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2594 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2595 			goto nla_put_failure;
2596 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2597 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2598 			goto nla_put_failure;
2599 		state->split_start++;
2600 		if (state->split)
2601 			break;
2602 		fallthrough;
2603 	case 1:
2604 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2605 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2606 			    rdev->wiphy.cipher_suites))
2607 			goto nla_put_failure;
2608 
2609 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2610 			       rdev->wiphy.max_num_pmkids))
2611 			goto nla_put_failure;
2612 
2613 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2614 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2615 			goto nla_put_failure;
2616 
2617 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2618 				rdev->wiphy.available_antennas_tx) ||
2619 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2620 				rdev->wiphy.available_antennas_rx))
2621 			goto nla_put_failure;
2622 
2623 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2624 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2625 				rdev->wiphy.probe_resp_offload))
2626 			goto nla_put_failure;
2627 
2628 		if ((rdev->wiphy.available_antennas_tx ||
2629 		     rdev->wiphy.available_antennas_rx) &&
2630 		    rdev->ops->get_antenna) {
2631 			u32 tx_ant = 0, rx_ant = 0;
2632 			int res;
2633 
2634 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2635 			if (!res) {
2636 				if (nla_put_u32(msg,
2637 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2638 						tx_ant) ||
2639 				    nla_put_u32(msg,
2640 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2641 						rx_ant))
2642 					goto nla_put_failure;
2643 			}
2644 		}
2645 
2646 		state->split_start++;
2647 		if (state->split)
2648 			break;
2649 		fallthrough;
2650 	case 2:
2651 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2652 					rdev->wiphy.interface_modes))
2653 				goto nla_put_failure;
2654 		state->split_start++;
2655 		if (state->split)
2656 			break;
2657 		fallthrough;
2658 	case 3:
2659 		nl_bands = nla_nest_start_noflag(msg,
2660 						 NL80211_ATTR_WIPHY_BANDS);
2661 		if (!nl_bands)
2662 			goto nla_put_failure;
2663 
2664 		for (band = state->band_start;
2665 		     band < (state->split ?
2666 				NUM_NL80211_BANDS :
2667 				NL80211_BAND_60GHZ + 1);
2668 		     band++) {
2669 			struct ieee80211_supported_band *sband;
2670 
2671 			/* omit higher bands for ancient software */
2672 			if (band > NL80211_BAND_5GHZ && !state->split)
2673 				break;
2674 
2675 			sband = rdev->wiphy.bands[band];
2676 
2677 			if (!sband)
2678 				continue;
2679 
2680 			nl_band = nla_nest_start_noflag(msg, band);
2681 			if (!nl_band)
2682 				goto nla_put_failure;
2683 
2684 			switch (state->chan_start) {
2685 			case 0:
2686 				if (nl80211_send_band_rateinfo(msg, sband,
2687 							       state->split))
2688 					goto nla_put_failure;
2689 				state->chan_start++;
2690 				if (state->split)
2691 					break;
2692 				fallthrough;
2693 			default:
2694 				/* add frequencies */
2695 				nl_freqs = nla_nest_start_noflag(msg,
2696 								 NL80211_BAND_ATTR_FREQS);
2697 				if (!nl_freqs)
2698 					goto nla_put_failure;
2699 
2700 				for (i = state->chan_start - 1;
2701 				     i < sband->n_channels;
2702 				     i++) {
2703 					nl_freq = nla_nest_start_noflag(msg,
2704 									i);
2705 					if (!nl_freq)
2706 						goto nla_put_failure;
2707 
2708 					chan = &sband->channels[i];
2709 
2710 					if (nl80211_msg_put_channel(
2711 							msg, &rdev->wiphy, chan,
2712 							state->split))
2713 						goto nla_put_failure;
2714 
2715 					nla_nest_end(msg, nl_freq);
2716 					if (state->split)
2717 						break;
2718 				}
2719 				if (i < sband->n_channels)
2720 					state->chan_start = i + 2;
2721 				else
2722 					state->chan_start = 0;
2723 				nla_nest_end(msg, nl_freqs);
2724 			}
2725 
2726 			nla_nest_end(msg, nl_band);
2727 
2728 			if (state->split) {
2729 				/* start again here */
2730 				if (state->chan_start)
2731 					band--;
2732 				break;
2733 			}
2734 		}
2735 		nla_nest_end(msg, nl_bands);
2736 
2737 		if (band < NUM_NL80211_BANDS)
2738 			state->band_start = band + 1;
2739 		else
2740 			state->band_start = 0;
2741 
2742 		/* if bands & channels are done, continue outside */
2743 		if (state->band_start == 0 && state->chan_start == 0)
2744 			state->split_start++;
2745 		if (state->split)
2746 			break;
2747 		fallthrough;
2748 	case 4:
2749 		nl_cmds = nla_nest_start_noflag(msg,
2750 						NL80211_ATTR_SUPPORTED_COMMANDS);
2751 		if (!nl_cmds)
2752 			goto nla_put_failure;
2753 
2754 		i = nl80211_add_commands_unsplit(rdev, msg);
2755 		if (i < 0)
2756 			goto nla_put_failure;
2757 		if (state->split) {
2758 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2759 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2760 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2761 				CMD(channel_switch, CHANNEL_SWITCH);
2762 			CMD(set_qos_map, SET_QOS_MAP);
2763 			if (rdev->wiphy.features &
2764 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2765 				CMD(add_tx_ts, ADD_TX_TS);
2766 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2767 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2768 			CMD(update_ft_ies, UPDATE_FT_IES);
2769 			if (rdev->wiphy.sar_capa)
2770 				CMD(set_sar_specs, SET_SAR_SPECS);
2771 		}
2772 #undef CMD
2773 
2774 		nla_nest_end(msg, nl_cmds);
2775 		state->split_start++;
2776 		if (state->split)
2777 			break;
2778 		fallthrough;
2779 	case 5:
2780 		if (rdev->ops->remain_on_channel &&
2781 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2782 		    nla_put_u32(msg,
2783 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2784 				rdev->wiphy.max_remain_on_channel_duration))
2785 			goto nla_put_failure;
2786 
2787 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2788 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2789 			goto nla_put_failure;
2790 
2791 		state->split_start++;
2792 		if (state->split)
2793 			break;
2794 		fallthrough;
2795 	case 6:
2796 #ifdef CONFIG_PM
2797 		if (nl80211_send_wowlan(msg, rdev, state->split))
2798 			goto nla_put_failure;
2799 		state->split_start++;
2800 		if (state->split)
2801 			break;
2802 #else
2803 		state->split_start++;
2804 #endif
2805 		fallthrough;
2806 	case 7:
2807 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2808 					rdev->wiphy.software_iftypes))
2809 			goto nla_put_failure;
2810 
2811 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2812 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2813 						   rdev->wiphy.n_radio ? 0 : -1,
2814 						   state->split, 0))
2815 			goto nla_put_failure;
2816 
2817 		state->split_start++;
2818 		if (state->split)
2819 			break;
2820 		fallthrough;
2821 	case 8:
2822 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2823 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2824 				rdev->wiphy.ap_sme_capa))
2825 			goto nla_put_failure;
2826 
2827 		features = rdev->wiphy.features;
2828 		/*
2829 		 * We can only add the per-channel limit information if the
2830 		 * dump is split, otherwise it makes it too big. Therefore
2831 		 * only advertise it in that case.
2832 		 */
2833 		if (state->split)
2834 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2835 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2836 			goto nla_put_failure;
2837 
2838 		if (rdev->wiphy.ht_capa_mod_mask &&
2839 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2840 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2841 			    rdev->wiphy.ht_capa_mod_mask))
2842 			goto nla_put_failure;
2843 
2844 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2845 		    rdev->wiphy.max_acl_mac_addrs &&
2846 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2847 				rdev->wiphy.max_acl_mac_addrs))
2848 			goto nla_put_failure;
2849 
2850 		/*
2851 		 * Any information below this point is only available to
2852 		 * applications that can deal with it being split. This
2853 		 * helps ensure that newly added capabilities don't break
2854 		 * older tools by overrunning their buffers.
2855 		 *
2856 		 * We still increment split_start so that in the split
2857 		 * case we'll continue with more data in the next round,
2858 		 * but break unconditionally so unsplit data stops here.
2859 		 */
2860 		if (state->split)
2861 			state->split_start++;
2862 		else
2863 			state->split_start = 0;
2864 		break;
2865 	case 9:
2866 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2867 			goto nla_put_failure;
2868 
2869 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2870 				rdev->wiphy.max_sched_scan_plans) ||
2871 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2872 				rdev->wiphy.max_sched_scan_plan_interval) ||
2873 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2874 				rdev->wiphy.max_sched_scan_plan_iterations))
2875 			goto nla_put_failure;
2876 
2877 		if (rdev->wiphy.extended_capabilities &&
2878 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2879 			     rdev->wiphy.extended_capabilities_len,
2880 			     rdev->wiphy.extended_capabilities) ||
2881 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2882 			     rdev->wiphy.extended_capabilities_len,
2883 			     rdev->wiphy.extended_capabilities_mask)))
2884 			goto nla_put_failure;
2885 
2886 		if (rdev->wiphy.vht_capa_mod_mask &&
2887 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2888 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2889 			    rdev->wiphy.vht_capa_mod_mask))
2890 			goto nla_put_failure;
2891 
2892 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2893 			    rdev->wiphy.perm_addr))
2894 			goto nla_put_failure;
2895 
2896 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2897 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2898 			    rdev->wiphy.addr_mask))
2899 			goto nla_put_failure;
2900 
2901 		if (rdev->wiphy.n_addresses > 1) {
2902 			void *attr;
2903 
2904 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2905 			if (!attr)
2906 				goto nla_put_failure;
2907 
2908 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2909 				if (nla_put(msg, i + 1, ETH_ALEN,
2910 					    rdev->wiphy.addresses[i].addr))
2911 					goto nla_put_failure;
2912 
2913 			nla_nest_end(msg, attr);
2914 		}
2915 
2916 		state->split_start++;
2917 		break;
2918 	case 10:
2919 		if (nl80211_send_coalesce(msg, rdev))
2920 			goto nla_put_failure;
2921 
2922 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2923 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2924 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2925 			goto nla_put_failure;
2926 
2927 		if (rdev->wiphy.max_ap_assoc_sta &&
2928 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2929 				rdev->wiphy.max_ap_assoc_sta))
2930 			goto nla_put_failure;
2931 
2932 		state->split_start++;
2933 		break;
2934 	case 11:
2935 		if (rdev->wiphy.n_vendor_commands) {
2936 			const struct nl80211_vendor_cmd_info *info;
2937 			struct nlattr *nested;
2938 
2939 			nested = nla_nest_start_noflag(msg,
2940 						       NL80211_ATTR_VENDOR_DATA);
2941 			if (!nested)
2942 				goto nla_put_failure;
2943 
2944 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2945 				info = &rdev->wiphy.vendor_commands[i].info;
2946 				if (nla_put(msg, i + 1, sizeof(*info), info))
2947 					goto nla_put_failure;
2948 			}
2949 			nla_nest_end(msg, nested);
2950 		}
2951 
2952 		if (rdev->wiphy.n_vendor_events) {
2953 			const struct nl80211_vendor_cmd_info *info;
2954 			struct nlattr *nested;
2955 
2956 			nested = nla_nest_start_noflag(msg,
2957 						       NL80211_ATTR_VENDOR_EVENTS);
2958 			if (!nested)
2959 				goto nla_put_failure;
2960 
2961 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2962 				info = &rdev->wiphy.vendor_events[i];
2963 				if (nla_put(msg, i + 1, sizeof(*info), info))
2964 					goto nla_put_failure;
2965 			}
2966 			nla_nest_end(msg, nested);
2967 		}
2968 		state->split_start++;
2969 		break;
2970 	case 12:
2971 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2972 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2973 			       rdev->wiphy.max_num_csa_counters))
2974 			goto nla_put_failure;
2975 
2976 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2977 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2978 			goto nla_put_failure;
2979 
2980 		if (rdev->wiphy.max_sched_scan_reqs &&
2981 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2982 				rdev->wiphy.max_sched_scan_reqs))
2983 			goto nla_put_failure;
2984 
2985 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2986 			    sizeof(rdev->wiphy.ext_features),
2987 			    rdev->wiphy.ext_features))
2988 			goto nla_put_failure;
2989 
2990 		if (rdev->wiphy.bss_select_support) {
2991 			struct nlattr *nested;
2992 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2993 
2994 			nested = nla_nest_start_noflag(msg,
2995 						       NL80211_ATTR_BSS_SELECT);
2996 			if (!nested)
2997 				goto nla_put_failure;
2998 
2999 			i = 0;
3000 			while (bss_select_support) {
3001 				if ((bss_select_support & 1) &&
3002 				    nla_put_flag(msg, i))
3003 					goto nla_put_failure;
3004 				i++;
3005 				bss_select_support >>= 1;
3006 			}
3007 			nla_nest_end(msg, nested);
3008 		}
3009 
3010 		state->split_start++;
3011 		break;
3012 	case 13:
3013 		if (rdev->wiphy.num_iftype_ext_capab &&
3014 		    rdev->wiphy.iftype_ext_capab) {
3015 			struct nlattr *nested_ext_capab, *nested;
3016 
3017 			nested = nla_nest_start_noflag(msg,
3018 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3019 			if (!nested)
3020 				goto nla_put_failure;
3021 
3022 			for (i = state->capa_start;
3023 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3024 				const struct wiphy_iftype_ext_capab *capab;
3025 
3026 				capab = &rdev->wiphy.iftype_ext_capab[i];
3027 
3028 				nested_ext_capab = nla_nest_start_noflag(msg,
3029 									 i);
3030 				if (!nested_ext_capab ||
3031 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3032 						capab->iftype) ||
3033 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3034 					    capab->extended_capabilities_len,
3035 					    capab->extended_capabilities) ||
3036 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3037 					    capab->extended_capabilities_len,
3038 					    capab->extended_capabilities_mask))
3039 					goto nla_put_failure;
3040 
3041 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3042 				    (nla_put_u16(msg,
3043 						 NL80211_ATTR_EML_CAPABILITY,
3044 						 capab->eml_capabilities) ||
3045 				     nla_put_u16(msg,
3046 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3047 						 capab->mld_capa_and_ops)))
3048 					goto nla_put_failure;
3049 
3050 				nla_nest_end(msg, nested_ext_capab);
3051 				if (state->split)
3052 					break;
3053 			}
3054 			nla_nest_end(msg, nested);
3055 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3056 				state->capa_start = i + 1;
3057 				break;
3058 			}
3059 		}
3060 
3061 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3062 				rdev->wiphy.nan_supported_bands))
3063 			goto nla_put_failure;
3064 
3065 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3066 					    NL80211_EXT_FEATURE_TXQS)) {
3067 			struct cfg80211_txq_stats txqstats = {};
3068 			int res;
3069 
3070 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3071 			if (!res &&
3072 			    !nl80211_put_txq_stats(msg, &txqstats,
3073 						   NL80211_ATTR_TXQ_STATS))
3074 				goto nla_put_failure;
3075 
3076 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3077 					rdev->wiphy.txq_limit))
3078 				goto nla_put_failure;
3079 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3080 					rdev->wiphy.txq_memory_limit))
3081 				goto nla_put_failure;
3082 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3083 					rdev->wiphy.txq_quantum))
3084 				goto nla_put_failure;
3085 		}
3086 
3087 		state->split_start++;
3088 		break;
3089 	case 14:
3090 		if (nl80211_send_pmsr_capa(rdev, msg))
3091 			goto nla_put_failure;
3092 
3093 		state->split_start++;
3094 		break;
3095 	case 15:
3096 		if (rdev->wiphy.akm_suites &&
3097 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3098 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3099 			    rdev->wiphy.akm_suites))
3100 			goto nla_put_failure;
3101 
3102 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3103 			goto nla_put_failure;
3104 
3105 		if (nl80211_put_tid_config_support(rdev, msg))
3106 			goto nla_put_failure;
3107 		state->split_start++;
3108 		break;
3109 	case 16:
3110 		if (nl80211_put_sar_specs(rdev, msg))
3111 			goto nla_put_failure;
3112 
3113 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3114 			goto nla_put_failure;
3115 
3116 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3117 				rdev->wiphy.max_num_akm_suites))
3118 			goto nla_put_failure;
3119 
3120 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3121 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3122 
3123 		if (rdev->wiphy.hw_timestamp_max_peers &&
3124 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3125 				rdev->wiphy.hw_timestamp_max_peers))
3126 			goto nla_put_failure;
3127 
3128 		state->split_start++;
3129 		break;
3130 	case 17:
3131 		if (nl80211_put_radios(&rdev->wiphy, msg))
3132 			goto nla_put_failure;
3133 
3134 		/* done */
3135 		state->split_start = 0;
3136 		break;
3137 	}
3138  finish:
3139 	genlmsg_end(msg, hdr);
3140 	return 0;
3141 
3142  nla_put_failure:
3143 	genlmsg_cancel(msg, hdr);
3144 	return -EMSGSIZE;
3145 }
3146 
3147 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3148 				    struct netlink_callback *cb,
3149 				    struct nl80211_dump_wiphy_state *state)
3150 {
3151 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3152 	int ret;
3153 
3154 	if (!tb)
3155 		return -ENOMEM;
3156 
3157 	ret = nlmsg_parse_deprecated(cb->nlh,
3158 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3159 				     tb, nl80211_fam.maxattr,
3160 				     nl80211_policy, NULL);
3161 	/* ignore parse errors for backward compatibility */
3162 	if (ret) {
3163 		ret = 0;
3164 		goto out;
3165 	}
3166 
3167 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3168 	if (tb[NL80211_ATTR_WIPHY])
3169 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3170 	if (tb[NL80211_ATTR_WDEV])
3171 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3172 	if (tb[NL80211_ATTR_IFINDEX]) {
3173 		struct net_device *netdev;
3174 		struct cfg80211_registered_device *rdev;
3175 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3176 
3177 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3178 		if (!netdev) {
3179 			ret = -ENODEV;
3180 			goto out;
3181 		}
3182 		if (netdev->ieee80211_ptr) {
3183 			rdev = wiphy_to_rdev(
3184 				netdev->ieee80211_ptr->wiphy);
3185 			state->filter_wiphy = rdev->wiphy_idx;
3186 		}
3187 	}
3188 
3189 	ret = 0;
3190 out:
3191 	kfree(tb);
3192 	return ret;
3193 }
3194 
3195 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3196 {
3197 	int idx = 0, ret;
3198 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3199 	struct cfg80211_registered_device *rdev;
3200 
3201 	rtnl_lock();
3202 	if (!state) {
3203 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3204 		if (!state) {
3205 			rtnl_unlock();
3206 			return -ENOMEM;
3207 		}
3208 		state->filter_wiphy = -1;
3209 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3210 		if (ret) {
3211 			kfree(state);
3212 			rtnl_unlock();
3213 			return ret;
3214 		}
3215 		cb->args[0] = (long)state;
3216 	}
3217 
3218 	for_each_rdev(rdev) {
3219 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3220 			continue;
3221 		if (++idx <= state->start)
3222 			continue;
3223 		if (state->filter_wiphy != -1 &&
3224 		    state->filter_wiphy != rdev->wiphy_idx)
3225 			continue;
3226 		wiphy_lock(&rdev->wiphy);
3227 		/* attempt to fit multiple wiphy data chunks into the skb */
3228 		do {
3229 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3230 						 skb,
3231 						 NETLINK_CB(cb->skb).portid,
3232 						 cb->nlh->nlmsg_seq,
3233 						 NLM_F_MULTI, state);
3234 			if (ret < 0) {
3235 				/*
3236 				 * If sending the wiphy data didn't fit (ENOBUFS
3237 				 * or EMSGSIZE returned), this SKB is still
3238 				 * empty (so it's not too big because another
3239 				 * wiphy dataset is already in the skb) and
3240 				 * we've not tried to adjust the dump allocation
3241 				 * yet ... then adjust the alloc size to be
3242 				 * bigger, and return 1 but with the empty skb.
3243 				 * This results in an empty message being RX'ed
3244 				 * in userspace, but that is ignored.
3245 				 *
3246 				 * We can then retry with the larger buffer.
3247 				 */
3248 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3249 				    !skb->len && !state->split &&
3250 				    cb->min_dump_alloc < 4096) {
3251 					cb->min_dump_alloc = 4096;
3252 					state->split_start = 0;
3253 					wiphy_unlock(&rdev->wiphy);
3254 					rtnl_unlock();
3255 					return 1;
3256 				}
3257 				idx--;
3258 				break;
3259 			}
3260 		} while (state->split_start > 0);
3261 		wiphy_unlock(&rdev->wiphy);
3262 		break;
3263 	}
3264 	rtnl_unlock();
3265 
3266 	state->start = idx;
3267 
3268 	return skb->len;
3269 }
3270 
3271 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3272 {
3273 	kfree((void *)cb->args[0]);
3274 	return 0;
3275 }
3276 
3277 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3278 {
3279 	struct sk_buff *msg;
3280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3281 	struct nl80211_dump_wiphy_state state = {};
3282 
3283 	msg = nlmsg_new(4096, GFP_KERNEL);
3284 	if (!msg)
3285 		return -ENOMEM;
3286 
3287 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3288 			       info->snd_portid, info->snd_seq, 0,
3289 			       &state) < 0) {
3290 		nlmsg_free(msg);
3291 		return -ENOBUFS;
3292 	}
3293 
3294 	return genlmsg_reply(msg, info);
3295 }
3296 
3297 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3298 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3299 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3300 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3301 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3302 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3303 };
3304 
3305 static int parse_txq_params(struct nlattr *tb[],
3306 			    struct ieee80211_txq_params *txq_params)
3307 {
3308 	u8 ac;
3309 
3310 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3311 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3312 	    !tb[NL80211_TXQ_ATTR_AIFS])
3313 		return -EINVAL;
3314 
3315 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3316 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3317 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3318 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3319 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3320 
3321 	if (ac >= NL80211_NUM_ACS)
3322 		return -EINVAL;
3323 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3324 	return 0;
3325 }
3326 
3327 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3328 {
3329 	/*
3330 	 * You can only set the channel explicitly for some interfaces,
3331 	 * most have their channel managed via their respective
3332 	 * "establish a connection" command (connect, join, ...)
3333 	 *
3334 	 * For AP/GO and mesh mode, the channel can be set with the
3335 	 * channel userspace API, but is only stored and passed to the
3336 	 * low-level driver when the AP starts or the mesh is joined.
3337 	 * This is for backward compatibility, userspace can also give
3338 	 * the channel in the start-ap or join-mesh commands instead.
3339 	 *
3340 	 * Monitors are special as they are normally slaved to
3341 	 * whatever else is going on, so they have their own special
3342 	 * operation to set the monitor channel if possible.
3343 	 */
3344 	return !wdev ||
3345 		wdev->iftype == NL80211_IFTYPE_AP ||
3346 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3347 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3348 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3349 }
3350 
3351 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3352 				  struct genl_info *info, bool monitor,
3353 				  struct cfg80211_chan_def *chandef)
3354 {
3355 	struct netlink_ext_ack *extack = info->extack;
3356 	struct nlattr **attrs = info->attrs;
3357 	u32 control_freq;
3358 
3359 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3360 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3361 				    "Frequency is missing");
3362 		return -EINVAL;
3363 	}
3364 
3365 	control_freq = MHZ_TO_KHZ(
3366 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3367 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3368 		control_freq +=
3369 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3370 
3371 	memset(chandef, 0, sizeof(*chandef));
3372 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3373 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3374 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3375 	chandef->freq1_offset = control_freq % 1000;
3376 	chandef->center_freq2 = 0;
3377 
3378 	if (!chandef->chan) {
3379 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3380 				    "Unknown channel");
3381 		return -EINVAL;
3382 	}
3383 
3384 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3385 		enum nl80211_channel_type chantype;
3386 
3387 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3388 
3389 		switch (chantype) {
3390 		case NL80211_CHAN_NO_HT:
3391 		case NL80211_CHAN_HT20:
3392 		case NL80211_CHAN_HT40PLUS:
3393 		case NL80211_CHAN_HT40MINUS:
3394 			cfg80211_chandef_create(chandef, chandef->chan,
3395 						chantype);
3396 			/* user input for center_freq is incorrect */
3397 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3398 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3399 				NL_SET_ERR_MSG_ATTR(extack,
3400 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3401 						    "bad center frequency 1");
3402 				return -EINVAL;
3403 			}
3404 			/* center_freq2 must be zero */
3405 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3406 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3407 				NL_SET_ERR_MSG_ATTR(extack,
3408 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3409 						    "center frequency 2 can't be used");
3410 				return -EINVAL;
3411 			}
3412 			break;
3413 		default:
3414 			NL_SET_ERR_MSG_ATTR(extack,
3415 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3416 					    "invalid channel type");
3417 			return -EINVAL;
3418 		}
3419 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3420 		chandef->width =
3421 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3422 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3423 			/* User input error for channel width doesn't match channel  */
3424 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3425 				NL_SET_ERR_MSG_ATTR(extack,
3426 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3427 						    "bad channel width");
3428 				return -EINVAL;
3429 			}
3430 		}
3431 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3432 			chandef->center_freq1 =
3433 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3434 			chandef->freq1_offset =
3435 				nla_get_u32_default(attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET],
3436 						    0);
3437 		}
3438 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3439 			chandef->center_freq2 =
3440 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3441 	}
3442 
3443 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3444 		chandef->edmg.channels =
3445 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3446 
3447 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3448 			chandef->edmg.bw_config =
3449 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3450 	} else {
3451 		chandef->edmg.bw_config = 0;
3452 		chandef->edmg.channels = 0;
3453 	}
3454 
3455 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3456 		chandef->punctured =
3457 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3458 
3459 		if (chandef->punctured &&
3460 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3461 					     NL80211_EXT_FEATURE_PUNCT)) {
3462 			NL_SET_ERR_MSG(extack,
3463 				       "driver doesn't support puncturing");
3464 			return -EINVAL;
3465 		}
3466 	}
3467 
3468 	if (!cfg80211_chandef_valid(chandef)) {
3469 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3470 		return -EINVAL;
3471 	}
3472 
3473 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3474 				      IEEE80211_CHAN_DISABLED,
3475 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3476 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3477 		return -EINVAL;
3478 	}
3479 
3480 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3481 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3482 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3483 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3484 		return -EINVAL;
3485 	}
3486 
3487 	return 0;
3488 }
3489 
3490 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3491 			  struct genl_info *info,
3492 			  struct cfg80211_chan_def *chandef)
3493 {
3494 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3495 }
3496 
3497 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3498 				 struct net_device *dev,
3499 				 struct genl_info *info,
3500 				 int _link_id)
3501 {
3502 	struct cfg80211_chan_def chandef;
3503 	int result;
3504 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3505 	struct wireless_dev *wdev = NULL;
3506 	int link_id = _link_id;
3507 
3508 	if (dev)
3509 		wdev = dev->ieee80211_ptr;
3510 	if (!nl80211_can_set_dev_channel(wdev))
3511 		return -EOPNOTSUPP;
3512 	if (wdev)
3513 		iftype = wdev->iftype;
3514 
3515 	if (link_id < 0) {
3516 		if (wdev && wdev->valid_links)
3517 			return -EINVAL;
3518 		link_id = 0;
3519 	}
3520 
3521 	result = _nl80211_parse_chandef(rdev, info,
3522 					iftype == NL80211_IFTYPE_MONITOR,
3523 					&chandef);
3524 	if (result)
3525 		return result;
3526 
3527 	switch (iftype) {
3528 	case NL80211_IFTYPE_AP:
3529 	case NL80211_IFTYPE_P2P_GO:
3530 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3531 						   iftype))
3532 			return -EINVAL;
3533 		if (wdev->links[link_id].ap.beacon_interval) {
3534 			struct ieee80211_channel *cur_chan;
3535 
3536 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3537 			    !(rdev->wiphy.features &
3538 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3539 				return -EBUSY;
3540 
3541 			/* Only allow dynamic channel width changes */
3542 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3543 			if (chandef.chan != cur_chan)
3544 				return -EBUSY;
3545 
3546 			/* only allow this for regular channel widths */
3547 			switch (wdev->links[link_id].ap.chandef.width) {
3548 			case NL80211_CHAN_WIDTH_20_NOHT:
3549 			case NL80211_CHAN_WIDTH_20:
3550 			case NL80211_CHAN_WIDTH_40:
3551 			case NL80211_CHAN_WIDTH_80:
3552 			case NL80211_CHAN_WIDTH_80P80:
3553 			case NL80211_CHAN_WIDTH_160:
3554 			case NL80211_CHAN_WIDTH_320:
3555 				break;
3556 			default:
3557 				return -EINVAL;
3558 			}
3559 
3560 			switch (chandef.width) {
3561 			case NL80211_CHAN_WIDTH_20_NOHT:
3562 			case NL80211_CHAN_WIDTH_20:
3563 			case NL80211_CHAN_WIDTH_40:
3564 			case NL80211_CHAN_WIDTH_80:
3565 			case NL80211_CHAN_WIDTH_80P80:
3566 			case NL80211_CHAN_WIDTH_160:
3567 			case NL80211_CHAN_WIDTH_320:
3568 				break;
3569 			default:
3570 				return -EINVAL;
3571 			}
3572 
3573 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3574 						       &chandef);
3575 			if (result)
3576 				return result;
3577 			wdev->links[link_id].ap.chandef = chandef;
3578 		} else {
3579 			wdev->u.ap.preset_chandef = chandef;
3580 		}
3581 		return 0;
3582 	case NL80211_IFTYPE_MESH_POINT:
3583 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3584 	case NL80211_IFTYPE_MONITOR:
3585 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3586 	default:
3587 		break;
3588 	}
3589 
3590 	return -EINVAL;
3591 }
3592 
3593 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3594 {
3595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3596 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3597 	struct net_device *netdev = info->user_ptr[1];
3598 
3599 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3600 }
3601 
3602 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3603 {
3604 	struct cfg80211_registered_device *rdev = NULL;
3605 	struct net_device *netdev = NULL;
3606 	struct wireless_dev *wdev;
3607 	int result = 0, rem_txq_params = 0;
3608 	struct nlattr *nl_txq_params;
3609 	u32 changed;
3610 	u8 retry_short = 0, retry_long = 0;
3611 	u32 frag_threshold = 0, rts_threshold = 0;
3612 	u8 coverage_class = 0;
3613 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3614 
3615 	rtnl_lock();
3616 	/*
3617 	 * Try to find the wiphy and netdev. Normally this
3618 	 * function shouldn't need the netdev, but this is
3619 	 * done for backward compatibility -- previously
3620 	 * setting the channel was done per wiphy, but now
3621 	 * it is per netdev. Previous userland like hostapd
3622 	 * also passed a netdev to set_wiphy, so that it is
3623 	 * possible to let that go to the right netdev!
3624 	 */
3625 
3626 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3627 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3628 
3629 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3630 		if (netdev && netdev->ieee80211_ptr)
3631 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3632 		else
3633 			netdev = NULL;
3634 	}
3635 
3636 	if (!netdev) {
3637 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3638 						  info->attrs);
3639 		if (IS_ERR(rdev)) {
3640 			rtnl_unlock();
3641 			return PTR_ERR(rdev);
3642 		}
3643 		wdev = NULL;
3644 		netdev = NULL;
3645 		result = 0;
3646 	} else
3647 		wdev = netdev->ieee80211_ptr;
3648 
3649 	guard(wiphy)(&rdev->wiphy);
3650 
3651 	/*
3652 	 * end workaround code, by now the rdev is available
3653 	 * and locked, and wdev may or may not be NULL.
3654 	 */
3655 
3656 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3657 		result = cfg80211_dev_rename(
3658 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3659 	rtnl_unlock();
3660 
3661 	if (result)
3662 		return result;
3663 
3664 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3665 		struct ieee80211_txq_params txq_params;
3666 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3667 
3668 		if (!rdev->ops->set_txq_params)
3669 			return -EOPNOTSUPP;
3670 
3671 		if (!netdev)
3672 			return -EINVAL;
3673 
3674 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3675 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3676 			return -EINVAL;
3677 
3678 		if (!netif_running(netdev))
3679 			return -ENETDOWN;
3680 
3681 		nla_for_each_nested(nl_txq_params,
3682 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3683 				    rem_txq_params) {
3684 			result = nla_parse_nested_deprecated(tb,
3685 							     NL80211_TXQ_ATTR_MAX,
3686 							     nl_txq_params,
3687 							     txq_params_policy,
3688 							     info->extack);
3689 			if (result)
3690 				return result;
3691 
3692 			result = parse_txq_params(tb, &txq_params);
3693 			if (result)
3694 				return result;
3695 
3696 			txq_params.link_id =
3697 				nl80211_link_id_or_invalid(info->attrs);
3698 
3699 			if (txq_params.link_id >= 0 &&
3700 			    !(netdev->ieee80211_ptr->valid_links &
3701 			      BIT(txq_params.link_id)))
3702 				result = -ENOLINK;
3703 			else if (txq_params.link_id >= 0 &&
3704 				 !netdev->ieee80211_ptr->valid_links)
3705 				result = -EINVAL;
3706 			else
3707 				result = rdev_set_txq_params(rdev, netdev,
3708 							     &txq_params);
3709 			if (result)
3710 				return result;
3711 		}
3712 	}
3713 
3714 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3715 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3716 
3717 		if (wdev) {
3718 			result = __nl80211_set_channel(
3719 				rdev,
3720 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3721 				info, link_id);
3722 		} else {
3723 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3724 		}
3725 
3726 		if (result)
3727 			return result;
3728 	}
3729 
3730 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3731 		struct wireless_dev *txp_wdev = wdev;
3732 		enum nl80211_tx_power_setting type;
3733 		int idx, mbm = 0;
3734 
3735 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3736 			txp_wdev = NULL;
3737 
3738 		if (!rdev->ops->set_tx_power)
3739 			return -EOPNOTSUPP;
3740 
3741 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3742 		type = nla_get_u32(info->attrs[idx]);
3743 
3744 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3745 		    (type != NL80211_TX_POWER_AUTOMATIC))
3746 			return -EINVAL;
3747 
3748 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3749 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3750 			mbm = nla_get_u32(info->attrs[idx]);
3751 		}
3752 
3753 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3754 		if (result)
3755 			return result;
3756 	}
3757 
3758 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3759 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3760 		u32 tx_ant, rx_ant;
3761 
3762 		if ((!rdev->wiphy.available_antennas_tx &&
3763 		     !rdev->wiphy.available_antennas_rx) ||
3764 		    !rdev->ops->set_antenna)
3765 			return -EOPNOTSUPP;
3766 
3767 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3768 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3769 
3770 		/* reject antenna configurations which don't match the
3771 		 * available antenna masks, except for the "all" mask */
3772 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3773 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3774 			return -EINVAL;
3775 
3776 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3777 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3778 
3779 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3780 		if (result)
3781 			return result;
3782 	}
3783 
3784 	changed = 0;
3785 
3786 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3787 		retry_short = nla_get_u8(
3788 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3789 
3790 		changed |= WIPHY_PARAM_RETRY_SHORT;
3791 	}
3792 
3793 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3794 		retry_long = nla_get_u8(
3795 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3796 
3797 		changed |= WIPHY_PARAM_RETRY_LONG;
3798 	}
3799 
3800 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3801 		frag_threshold = nla_get_u32(
3802 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3803 		if (frag_threshold < 256)
3804 			return -EINVAL;
3805 
3806 		if (frag_threshold != (u32) -1) {
3807 			/*
3808 			 * Fragments (apart from the last one) are required to
3809 			 * have even length. Make the fragmentation code
3810 			 * simpler by stripping LSB should someone try to use
3811 			 * odd threshold value.
3812 			 */
3813 			frag_threshold &= ~0x1;
3814 		}
3815 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3816 	}
3817 
3818 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3819 		rts_threshold = nla_get_u32(
3820 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3821 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3822 	}
3823 
3824 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3825 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3826 			return -EINVAL;
3827 
3828 		coverage_class = nla_get_u8(
3829 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3830 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3831 	}
3832 
3833 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3834 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3835 			return -EOPNOTSUPP;
3836 
3837 		changed |= WIPHY_PARAM_DYN_ACK;
3838 	}
3839 
3840 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3841 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3842 					     NL80211_EXT_FEATURE_TXQS))
3843 			return -EOPNOTSUPP;
3844 
3845 		txq_limit = nla_get_u32(
3846 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3847 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3848 	}
3849 
3850 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3851 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3852 					     NL80211_EXT_FEATURE_TXQS))
3853 			return -EOPNOTSUPP;
3854 
3855 		txq_memory_limit = nla_get_u32(
3856 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3857 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3858 	}
3859 
3860 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3861 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3862 					     NL80211_EXT_FEATURE_TXQS))
3863 			return -EOPNOTSUPP;
3864 
3865 		txq_quantum = nla_get_u32(
3866 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3867 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3868 	}
3869 
3870 	if (changed) {
3871 		u8 old_retry_short, old_retry_long;
3872 		u32 old_frag_threshold, old_rts_threshold;
3873 		u8 old_coverage_class;
3874 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3875 
3876 		if (!rdev->ops->set_wiphy_params)
3877 			return -EOPNOTSUPP;
3878 
3879 		old_retry_short = rdev->wiphy.retry_short;
3880 		old_retry_long = rdev->wiphy.retry_long;
3881 		old_frag_threshold = rdev->wiphy.frag_threshold;
3882 		old_rts_threshold = rdev->wiphy.rts_threshold;
3883 		old_coverage_class = rdev->wiphy.coverage_class;
3884 		old_txq_limit = rdev->wiphy.txq_limit;
3885 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3886 		old_txq_quantum = rdev->wiphy.txq_quantum;
3887 
3888 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3889 			rdev->wiphy.retry_short = retry_short;
3890 		if (changed & WIPHY_PARAM_RETRY_LONG)
3891 			rdev->wiphy.retry_long = retry_long;
3892 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3893 			rdev->wiphy.frag_threshold = frag_threshold;
3894 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3895 			rdev->wiphy.rts_threshold = rts_threshold;
3896 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3897 			rdev->wiphy.coverage_class = coverage_class;
3898 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3899 			rdev->wiphy.txq_limit = txq_limit;
3900 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3901 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3902 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3903 			rdev->wiphy.txq_quantum = txq_quantum;
3904 
3905 		result = rdev_set_wiphy_params(rdev, changed);
3906 		if (result) {
3907 			rdev->wiphy.retry_short = old_retry_short;
3908 			rdev->wiphy.retry_long = old_retry_long;
3909 			rdev->wiphy.frag_threshold = old_frag_threshold;
3910 			rdev->wiphy.rts_threshold = old_rts_threshold;
3911 			rdev->wiphy.coverage_class = old_coverage_class;
3912 			rdev->wiphy.txq_limit = old_txq_limit;
3913 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3914 			rdev->wiphy.txq_quantum = old_txq_quantum;
3915 			return result;
3916 		}
3917 	}
3918 
3919 	return 0;
3920 }
3921 
3922 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3923 {
3924 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3925 		return -EINVAL;
3926 
3927 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3928 			chandef->chan->center_freq))
3929 		return -ENOBUFS;
3930 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3931 			chandef->chan->freq_offset))
3932 		return -ENOBUFS;
3933 	switch (chandef->width) {
3934 	case NL80211_CHAN_WIDTH_20_NOHT:
3935 	case NL80211_CHAN_WIDTH_20:
3936 	case NL80211_CHAN_WIDTH_40:
3937 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3938 				cfg80211_get_chandef_type(chandef)))
3939 			return -ENOBUFS;
3940 		break;
3941 	default:
3942 		break;
3943 	}
3944 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3945 		return -ENOBUFS;
3946 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3947 		return -ENOBUFS;
3948 	if (chandef->center_freq2 &&
3949 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3950 		return -ENOBUFS;
3951 	if (chandef->punctured &&
3952 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3953 		return -ENOBUFS;
3954 
3955 	return 0;
3956 }
3957 EXPORT_SYMBOL(nl80211_send_chandef);
3958 
3959 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3960 			      struct cfg80211_registered_device *rdev,
3961 			      struct wireless_dev *wdev,
3962 			      enum nl80211_commands cmd)
3963 {
3964 	struct net_device *dev = wdev->netdev;
3965 	void *hdr;
3966 
3967 	lockdep_assert_wiphy(&rdev->wiphy);
3968 
3969 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3970 		cmd != NL80211_CMD_DEL_INTERFACE &&
3971 		cmd != NL80211_CMD_SET_INTERFACE);
3972 
3973 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3974 	if (!hdr)
3975 		return -1;
3976 
3977 	if (dev &&
3978 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3979 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3980 		goto nla_put_failure;
3981 
3982 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3983 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3984 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3985 			      NL80211_ATTR_PAD) ||
3986 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3987 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3988 			rdev->devlist_generation ^
3989 			(cfg80211_rdev_list_generation << 2)) ||
3990 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
3991 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
3992 		goto nla_put_failure;
3993 
3994 	if (rdev->ops->get_channel && !wdev->valid_links) {
3995 		struct cfg80211_chan_def chandef = {};
3996 		int ret;
3997 
3998 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3999 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4000 			goto nla_put_failure;
4001 	}
4002 
4003 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4004 		int dbm, ret;
4005 
4006 		ret = rdev_get_tx_power(rdev, wdev, 0, &dbm);
4007 		if (ret == 0 &&
4008 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4009 				DBM_TO_MBM(dbm)))
4010 			goto nla_put_failure;
4011 	}
4012 
4013 	switch (wdev->iftype) {
4014 	case NL80211_IFTYPE_AP:
4015 	case NL80211_IFTYPE_P2P_GO:
4016 		if (wdev->u.ap.ssid_len &&
4017 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4018 			    wdev->u.ap.ssid))
4019 			goto nla_put_failure;
4020 		break;
4021 	case NL80211_IFTYPE_STATION:
4022 	case NL80211_IFTYPE_P2P_CLIENT:
4023 		if (wdev->u.client.ssid_len &&
4024 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4025 			    wdev->u.client.ssid))
4026 			goto nla_put_failure;
4027 		break;
4028 	case NL80211_IFTYPE_ADHOC:
4029 		if (wdev->u.ibss.ssid_len &&
4030 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4031 			    wdev->u.ibss.ssid))
4032 			goto nla_put_failure;
4033 		break;
4034 	default:
4035 		/* nothing */
4036 		break;
4037 	}
4038 
4039 	if (rdev->ops->get_txq_stats) {
4040 		struct cfg80211_txq_stats txqstats = {};
4041 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4042 
4043 		if (ret == 0 &&
4044 		    !nl80211_put_txq_stats(msg, &txqstats,
4045 					   NL80211_ATTR_TXQ_STATS))
4046 			goto nla_put_failure;
4047 	}
4048 
4049 	if (wdev->valid_links) {
4050 		unsigned int link_id;
4051 		struct nlattr *links = nla_nest_start(msg,
4052 						      NL80211_ATTR_MLO_LINKS);
4053 
4054 		if (!links)
4055 			goto nla_put_failure;
4056 
4057 		for_each_valid_link(wdev, link_id) {
4058 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4059 			struct cfg80211_chan_def chandef = {};
4060 			int ret;
4061 
4062 			if (!link)
4063 				goto nla_put_failure;
4064 
4065 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4066 				goto nla_put_failure;
4067 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4068 				    wdev->links[link_id].addr))
4069 				goto nla_put_failure;
4070 
4071 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4072 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4073 				goto nla_put_failure;
4074 
4075 			if (rdev->ops->get_tx_power) {
4076 				int dbm, ret;
4077 
4078 				ret = rdev_get_tx_power(rdev, wdev, link_id, &dbm);
4079 				if (ret == 0 &&
4080 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4081 						DBM_TO_MBM(dbm)))
4082 					goto nla_put_failure;
4083 			}
4084 			nla_nest_end(msg, link);
4085 		}
4086 
4087 		nla_nest_end(msg, links);
4088 	}
4089 
4090 	genlmsg_end(msg, hdr);
4091 	return 0;
4092 
4093  nla_put_failure:
4094 	genlmsg_cancel(msg, hdr);
4095 	return -EMSGSIZE;
4096 }
4097 
4098 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4099 {
4100 	int wp_idx = 0;
4101 	int if_idx = 0;
4102 	int wp_start = cb->args[0];
4103 	int if_start = cb->args[1];
4104 	int filter_wiphy = -1;
4105 	struct cfg80211_registered_device *rdev;
4106 	struct wireless_dev *wdev;
4107 	int ret;
4108 
4109 	rtnl_lock();
4110 	if (!cb->args[2]) {
4111 		struct nl80211_dump_wiphy_state state = {
4112 			.filter_wiphy = -1,
4113 		};
4114 
4115 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4116 		if (ret)
4117 			goto out_unlock;
4118 
4119 		filter_wiphy = state.filter_wiphy;
4120 
4121 		/*
4122 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4123 		 * value needed to determine that parsing is necessary.
4124 		 */
4125 		if (filter_wiphy >= 0)
4126 			cb->args[2] = filter_wiphy + 1;
4127 		else
4128 			cb->args[2] = -1;
4129 	} else if (cb->args[2] > 0) {
4130 		filter_wiphy = cb->args[2] - 1;
4131 	}
4132 
4133 	for_each_rdev(rdev) {
4134 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4135 			continue;
4136 		if (wp_idx < wp_start) {
4137 			wp_idx++;
4138 			continue;
4139 		}
4140 
4141 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4142 			continue;
4143 
4144 		if_idx = 0;
4145 
4146 		guard(wiphy)(&rdev->wiphy);
4147 
4148 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4149 			if (if_idx < if_start) {
4150 				if_idx++;
4151 				continue;
4152 			}
4153 
4154 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4155 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4156 					       rdev, wdev,
4157 					       NL80211_CMD_NEW_INTERFACE) < 0)
4158 				goto out;
4159 
4160 			if_idx++;
4161 		}
4162 
4163 		if_start = 0;
4164 		wp_idx++;
4165 	}
4166  out:
4167 	cb->args[0] = wp_idx;
4168 	cb->args[1] = if_idx;
4169 
4170 	ret = skb->len;
4171  out_unlock:
4172 	rtnl_unlock();
4173 
4174 	return ret;
4175 }
4176 
4177 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4178 {
4179 	struct sk_buff *msg;
4180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4181 	struct wireless_dev *wdev = info->user_ptr[1];
4182 
4183 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4184 	if (!msg)
4185 		return -ENOMEM;
4186 
4187 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4188 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4189 		nlmsg_free(msg);
4190 		return -ENOBUFS;
4191 	}
4192 
4193 	return genlmsg_reply(msg, info);
4194 }
4195 
4196 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4197 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4198 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4199 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4200 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4201 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4202 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4203 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4204 };
4205 
4206 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4207 {
4208 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4209 	int flag;
4210 
4211 	*mntrflags = 0;
4212 
4213 	if (!nla)
4214 		return -EINVAL;
4215 
4216 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4217 		return -EINVAL;
4218 
4219 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4220 		if (flags[flag])
4221 			*mntrflags |= (1<<flag);
4222 
4223 	/* cooked monitor mode is incompatible with other modes */
4224 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4225 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4226 		return -EOPNOTSUPP;
4227 
4228 	*mntrflags |= MONITOR_FLAG_CHANGED;
4229 
4230 	return 0;
4231 }
4232 
4233 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4234 				     enum nl80211_iftype type,
4235 				     struct genl_info *info,
4236 				     struct vif_params *params)
4237 {
4238 	bool change = false;
4239 	int err;
4240 
4241 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4242 		if (type != NL80211_IFTYPE_MONITOR)
4243 			return -EINVAL;
4244 
4245 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4246 					  &params->flags);
4247 		if (err)
4248 			return err;
4249 
4250 		change = true;
4251 	}
4252 
4253 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4254 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4255 		return -EOPNOTSUPP;
4256 
4257 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4258 		const u8 *mumimo_groups;
4259 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4260 
4261 		if (type != NL80211_IFTYPE_MONITOR)
4262 			return -EINVAL;
4263 
4264 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4265 			return -EOPNOTSUPP;
4266 
4267 		mumimo_groups =
4268 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4269 
4270 		/* bits 0 and 63 are reserved and must be zero */
4271 		if ((mumimo_groups[0] & BIT(0)) ||
4272 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4273 			return -EINVAL;
4274 
4275 		params->vht_mumimo_groups = mumimo_groups;
4276 		change = true;
4277 	}
4278 
4279 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4280 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4281 
4282 		if (type != NL80211_IFTYPE_MONITOR)
4283 			return -EINVAL;
4284 
4285 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4286 			return -EOPNOTSUPP;
4287 
4288 		params->vht_mumimo_follow_addr =
4289 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4290 		change = true;
4291 	}
4292 
4293 	return change ? 1 : 0;
4294 }
4295 
4296 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4297 			       struct net_device *netdev, u8 use_4addr,
4298 			       enum nl80211_iftype iftype)
4299 {
4300 	if (!use_4addr) {
4301 		if (netdev && netif_is_bridge_port(netdev))
4302 			return -EBUSY;
4303 		return 0;
4304 	}
4305 
4306 	switch (iftype) {
4307 	case NL80211_IFTYPE_AP_VLAN:
4308 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4309 			return 0;
4310 		break;
4311 	case NL80211_IFTYPE_STATION:
4312 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4313 			return 0;
4314 		break;
4315 	default:
4316 		break;
4317 	}
4318 
4319 	return -EOPNOTSUPP;
4320 }
4321 
4322 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4323 					u32 *radio_mask)
4324 {
4325 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4326 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4327 	u32 mask, allowed;
4328 
4329 	if (!attr) {
4330 		*radio_mask = 0;
4331 		return 0;
4332 	}
4333 
4334 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4335 	mask = nla_get_u32(attr);
4336 	if (mask & ~allowed)
4337 		return -EINVAL;
4338 	if (!mask)
4339 		mask = allowed;
4340 	*radio_mask = mask;
4341 
4342 	return 1;
4343 }
4344 
4345 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4346 {
4347 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4348 	struct vif_params params;
4349 	int err;
4350 	enum nl80211_iftype otype, ntype;
4351 	struct net_device *dev = info->user_ptr[1];
4352 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4353 	u32 radio_mask = 0;
4354 	bool change = false;
4355 
4356 	memset(&params, 0, sizeof(params));
4357 
4358 	otype = ntype = dev->ieee80211_ptr->iftype;
4359 
4360 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4361 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4362 		if (otype != ntype)
4363 			change = true;
4364 	}
4365 
4366 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4367 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4368 			return -EINVAL;
4369 		if (otype != NL80211_IFTYPE_MESH_POINT)
4370 			return -EINVAL;
4371 		if (netif_running(dev))
4372 			return -EBUSY;
4373 
4374 		wdev->u.mesh.id_up_len =
4375 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4376 		memcpy(wdev->u.mesh.id,
4377 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4378 		       wdev->u.mesh.id_up_len);
4379 	}
4380 
4381 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4382 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4383 		change = true;
4384 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4385 		if (err)
4386 			return err;
4387 	} else {
4388 		params.use_4addr = -1;
4389 	}
4390 
4391 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4392 	if (err < 0)
4393 		return err;
4394 	if (err > 0)
4395 		change = true;
4396 
4397 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4398 	if (err < 0)
4399 		return err;
4400 	if (err && netif_running(dev))
4401 		return -EBUSY;
4402 
4403 	if (change)
4404 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4405 	else
4406 		err = 0;
4407 
4408 	if (!err && params.use_4addr != -1)
4409 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4410 
4411 	if (radio_mask)
4412 		wdev->radio_mask = radio_mask;
4413 
4414 	if (change && !err)
4415 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4416 
4417 	return err;
4418 }
4419 
4420 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4421 {
4422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4423 	struct vif_params params;
4424 	struct wireless_dev *wdev;
4425 	struct sk_buff *msg;
4426 	u32 radio_mask;
4427 	int err;
4428 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4429 
4430 	memset(&params, 0, sizeof(params));
4431 
4432 	if (!info->attrs[NL80211_ATTR_IFNAME])
4433 		return -EINVAL;
4434 
4435 	if (info->attrs[NL80211_ATTR_IFTYPE])
4436 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4437 
4438 	if (!rdev->ops->add_virtual_intf)
4439 		return -EOPNOTSUPP;
4440 
4441 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4442 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4443 	    info->attrs[NL80211_ATTR_MAC]) {
4444 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4445 			   ETH_ALEN);
4446 		if (!is_valid_ether_addr(params.macaddr))
4447 			return -EADDRNOTAVAIL;
4448 	}
4449 
4450 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4451 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4452 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4453 		if (err)
4454 			return err;
4455 	}
4456 
4457 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4458 		return -EOPNOTSUPP;
4459 
4460 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4461 	if (err < 0)
4462 		return err;
4463 
4464 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4465 	if (err < 0)
4466 		return err;
4467 
4468 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4469 	if (!msg)
4470 		return -ENOMEM;
4471 
4472 	wdev = rdev_add_virtual_intf(rdev,
4473 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4474 				NET_NAME_USER, type, &params);
4475 	if (WARN_ON(!wdev)) {
4476 		nlmsg_free(msg);
4477 		return -EPROTO;
4478 	} else if (IS_ERR(wdev)) {
4479 		nlmsg_free(msg);
4480 		return PTR_ERR(wdev);
4481 	}
4482 
4483 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4484 		wdev->owner_nlportid = info->snd_portid;
4485 
4486 	switch (type) {
4487 	case NL80211_IFTYPE_MESH_POINT:
4488 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4489 			break;
4490 		wdev->u.mesh.id_up_len =
4491 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4492 		memcpy(wdev->u.mesh.id,
4493 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4494 		       wdev->u.mesh.id_up_len);
4495 		break;
4496 	case NL80211_IFTYPE_NAN:
4497 	case NL80211_IFTYPE_P2P_DEVICE:
4498 		/*
4499 		 * P2P Device and NAN do not have a netdev, so don't go
4500 		 * through the netdev notifier and must be added here
4501 		 */
4502 		cfg80211_init_wdev(wdev);
4503 		cfg80211_register_wdev(rdev, wdev);
4504 		break;
4505 	default:
4506 		break;
4507 	}
4508 
4509 	if (radio_mask)
4510 		wdev->radio_mask = radio_mask;
4511 
4512 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4513 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4514 		nlmsg_free(msg);
4515 		return -ENOBUFS;
4516 	}
4517 
4518 	return genlmsg_reply(msg, info);
4519 }
4520 
4521 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4522 {
4523 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4524 
4525 	/* to avoid failing a new interface creation due to pending removal */
4526 	cfg80211_destroy_ifaces(rdev);
4527 
4528 	guard(wiphy)(&rdev->wiphy);
4529 
4530 	return _nl80211_new_interface(skb, info);
4531 }
4532 
4533 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4534 {
4535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4536 	struct wireless_dev *wdev = info->user_ptr[1];
4537 
4538 	if (!rdev->ops->del_virtual_intf)
4539 		return -EOPNOTSUPP;
4540 
4541 	/*
4542 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4543 	 * reach 0, and thus the rdev cannot be deleted.
4544 	 *
4545 	 * We need to do it for the dev_close(), since that will call
4546 	 * the netdev notifiers, and we need to acquire the mutex there
4547 	 * but don't know if we get there from here or from some other
4548 	 * place (e.g. "ip link set ... down").
4549 	 */
4550 	mutex_unlock(&rdev->wiphy.mtx);
4551 
4552 	/*
4553 	 * If we remove a wireless device without a netdev then clear
4554 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4555 	 * to check if it needs to do dev_put(). Otherwise it crashes
4556 	 * since the wdev has been freed, unlike with a netdev where
4557 	 * we need the dev_put() for the netdev to really be freed.
4558 	 */
4559 	if (!wdev->netdev)
4560 		info->user_ptr[1] = NULL;
4561 	else
4562 		dev_close(wdev->netdev);
4563 
4564 	mutex_lock(&rdev->wiphy.mtx);
4565 
4566 	return cfg80211_remove_virtual_intf(rdev, wdev);
4567 }
4568 
4569 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4570 {
4571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4572 	struct net_device *dev = info->user_ptr[1];
4573 	u16 noack_map;
4574 
4575 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4576 		return -EINVAL;
4577 
4578 	if (!rdev->ops->set_noack_map)
4579 		return -EOPNOTSUPP;
4580 
4581 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4582 
4583 	return rdev_set_noack_map(rdev, dev, noack_map);
4584 }
4585 
4586 static int nl80211_validate_key_link_id(struct genl_info *info,
4587 					struct wireless_dev *wdev,
4588 					int link_id, bool pairwise)
4589 {
4590 	if (pairwise) {
4591 		if (link_id != -1) {
4592 			GENL_SET_ERR_MSG(info,
4593 					 "link ID not allowed for pairwise key");
4594 			return -EINVAL;
4595 		}
4596 
4597 		return 0;
4598 	}
4599 
4600 	if (wdev->valid_links) {
4601 		if (link_id == -1) {
4602 			GENL_SET_ERR_MSG(info,
4603 					 "link ID must for MLO group key");
4604 			return -EINVAL;
4605 		}
4606 		if (!(wdev->valid_links & BIT(link_id))) {
4607 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4608 			return -EINVAL;
4609 		}
4610 	} else if (link_id != -1) {
4611 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4612 		return -EINVAL;
4613 	}
4614 
4615 	return 0;
4616 }
4617 
4618 struct get_key_cookie {
4619 	struct sk_buff *msg;
4620 	int error;
4621 	int idx;
4622 };
4623 
4624 static void get_key_callback(void *c, struct key_params *params)
4625 {
4626 	struct nlattr *key;
4627 	struct get_key_cookie *cookie = c;
4628 
4629 	if ((params->seq &&
4630 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4631 		     params->seq_len, params->seq)) ||
4632 	    (params->cipher &&
4633 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4634 			 params->cipher)))
4635 		goto nla_put_failure;
4636 
4637 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4638 	if (!key)
4639 		goto nla_put_failure;
4640 
4641 	if ((params->seq &&
4642 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4643 		     params->seq_len, params->seq)) ||
4644 	    (params->cipher &&
4645 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4646 			 params->cipher)))
4647 		goto nla_put_failure;
4648 
4649 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4650 		goto nla_put_failure;
4651 
4652 	nla_nest_end(cookie->msg, key);
4653 
4654 	return;
4655  nla_put_failure:
4656 	cookie->error = 1;
4657 }
4658 
4659 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4660 {
4661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4662 	int err;
4663 	struct net_device *dev = info->user_ptr[1];
4664 	u8 key_idx = 0;
4665 	const u8 *mac_addr = NULL;
4666 	bool pairwise;
4667 	struct get_key_cookie cookie = {
4668 		.error = 0,
4669 	};
4670 	void *hdr;
4671 	struct sk_buff *msg;
4672 	bool bigtk_support = false;
4673 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4674 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4675 
4676 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4677 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4678 		bigtk_support = true;
4679 
4680 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4681 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4682 	    wiphy_ext_feature_isset(&rdev->wiphy,
4683 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4684 		bigtk_support = true;
4685 
4686 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4687 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4688 
4689 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4690 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4691 			return -EINVAL;
4692 		}
4693 	}
4694 
4695 	if (info->attrs[NL80211_ATTR_MAC])
4696 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4697 
4698 	pairwise = !!mac_addr;
4699 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4700 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4701 
4702 		if (kt != NL80211_KEYTYPE_GROUP &&
4703 		    kt != NL80211_KEYTYPE_PAIRWISE)
4704 			return -EINVAL;
4705 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4706 	}
4707 
4708 	if (!rdev->ops->get_key)
4709 		return -EOPNOTSUPP;
4710 
4711 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4712 		return -ENOENT;
4713 
4714 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4715 	if (!msg)
4716 		return -ENOMEM;
4717 
4718 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4719 			     NL80211_CMD_NEW_KEY);
4720 	if (!hdr)
4721 		goto nla_put_failure;
4722 
4723 	cookie.msg = msg;
4724 	cookie.idx = key_idx;
4725 
4726 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4727 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4728 		goto nla_put_failure;
4729 	if (mac_addr &&
4730 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4731 		goto nla_put_failure;
4732 
4733 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4734 	if (err)
4735 		goto free_msg;
4736 
4737 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4738 			   &cookie, get_key_callback);
4739 
4740 	if (err)
4741 		goto free_msg;
4742 
4743 	if (cookie.error)
4744 		goto nla_put_failure;
4745 
4746 	genlmsg_end(msg, hdr);
4747 	return genlmsg_reply(msg, info);
4748 
4749  nla_put_failure:
4750 	err = -ENOBUFS;
4751  free_msg:
4752 	nlmsg_free(msg);
4753 	return err;
4754 }
4755 
4756 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4757 {
4758 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4759 	struct key_parse key;
4760 	int err;
4761 	struct net_device *dev = info->user_ptr[1];
4762 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4763 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4764 
4765 	err = nl80211_parse_key(info, &key);
4766 	if (err)
4767 		return err;
4768 
4769 	if (key.idx < 0)
4770 		return -EINVAL;
4771 
4772 	/* Only support setting default key and
4773 	 * Extended Key ID action NL80211_KEY_SET_TX.
4774 	 */
4775 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4776 	    !(key.p.mode == NL80211_KEY_SET_TX))
4777 		return -EINVAL;
4778 
4779 	if (key.def) {
4780 		if (!rdev->ops->set_default_key)
4781 			return -EOPNOTSUPP;
4782 
4783 		err = nl80211_key_allowed(wdev);
4784 		if (err)
4785 			return err;
4786 
4787 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4788 		if (err)
4789 			return err;
4790 
4791 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4792 					   key.def_uni, key.def_multi);
4793 
4794 		if (err)
4795 			return err;
4796 
4797 #ifdef CONFIG_CFG80211_WEXT
4798 		wdev->wext.default_key = key.idx;
4799 #endif
4800 		return 0;
4801 	} else if (key.defmgmt) {
4802 		if (key.def_uni || !key.def_multi)
4803 			return -EINVAL;
4804 
4805 		if (!rdev->ops->set_default_mgmt_key)
4806 			return -EOPNOTSUPP;
4807 
4808 		err = nl80211_key_allowed(wdev);
4809 		if (err)
4810 			return err;
4811 
4812 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4813 		if (err)
4814 			return err;
4815 
4816 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4817 		if (err)
4818 			return err;
4819 
4820 #ifdef CONFIG_CFG80211_WEXT
4821 		wdev->wext.default_mgmt_key = key.idx;
4822 #endif
4823 		return 0;
4824 	} else if (key.defbeacon) {
4825 		if (key.def_uni || !key.def_multi)
4826 			return -EINVAL;
4827 
4828 		if (!rdev->ops->set_default_beacon_key)
4829 			return -EOPNOTSUPP;
4830 
4831 		err = nl80211_key_allowed(wdev);
4832 		if (err)
4833 			return err;
4834 
4835 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4836 		if (err)
4837 			return err;
4838 
4839 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4840 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4841 		   wiphy_ext_feature_isset(&rdev->wiphy,
4842 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4843 		u8 *mac_addr = NULL;
4844 
4845 		if (info->attrs[NL80211_ATTR_MAC])
4846 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4847 
4848 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4849 			return -EINVAL;
4850 
4851 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4852 		if (err)
4853 			return err;
4854 
4855 		return rdev_add_key(rdev, dev, link_id, key.idx,
4856 				    NL80211_KEYTYPE_PAIRWISE,
4857 				    mac_addr, &key.p);
4858 	}
4859 
4860 	return -EINVAL;
4861 }
4862 
4863 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4864 {
4865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4866 	int err;
4867 	struct net_device *dev = info->user_ptr[1];
4868 	struct key_parse key;
4869 	const u8 *mac_addr = NULL;
4870 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4871 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4872 
4873 	err = nl80211_parse_key(info, &key);
4874 	if (err)
4875 		return err;
4876 
4877 	if (!key.p.key) {
4878 		GENL_SET_ERR_MSG(info, "no key");
4879 		return -EINVAL;
4880 	}
4881 
4882 	if (info->attrs[NL80211_ATTR_MAC])
4883 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4884 
4885 	if (key.type == -1) {
4886 		if (mac_addr)
4887 			key.type = NL80211_KEYTYPE_PAIRWISE;
4888 		else
4889 			key.type = NL80211_KEYTYPE_GROUP;
4890 	}
4891 
4892 	/* for now */
4893 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4894 	    key.type != NL80211_KEYTYPE_GROUP) {
4895 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4896 		return -EINVAL;
4897 	}
4898 
4899 	if (key.type == NL80211_KEYTYPE_GROUP &&
4900 	    info->attrs[NL80211_ATTR_VLAN_ID])
4901 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4902 
4903 	if (!rdev->ops->add_key)
4904 		return -EOPNOTSUPP;
4905 
4906 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4907 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4908 					   mac_addr)) {
4909 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4910 		return -EINVAL;
4911 	}
4912 
4913 	err = nl80211_key_allowed(wdev);
4914 	if (err)
4915 		GENL_SET_ERR_MSG(info, "key not allowed");
4916 
4917 	if (!err)
4918 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4919 				key.type == NL80211_KEYTYPE_PAIRWISE);
4920 
4921 	if (!err) {
4922 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4923 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4924 				    mac_addr, &key.p);
4925 		if (err)
4926 			GENL_SET_ERR_MSG(info, "key addition failed");
4927 	}
4928 
4929 	return err;
4930 }
4931 
4932 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4933 {
4934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4935 	int err;
4936 	struct net_device *dev = info->user_ptr[1];
4937 	u8 *mac_addr = NULL;
4938 	struct key_parse key;
4939 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4940 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4941 
4942 	err = nl80211_parse_key(info, &key);
4943 	if (err)
4944 		return err;
4945 
4946 	if (info->attrs[NL80211_ATTR_MAC])
4947 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4948 
4949 	if (key.type == -1) {
4950 		if (mac_addr)
4951 			key.type = NL80211_KEYTYPE_PAIRWISE;
4952 		else
4953 			key.type = NL80211_KEYTYPE_GROUP;
4954 	}
4955 
4956 	/* for now */
4957 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4958 	    key.type != NL80211_KEYTYPE_GROUP)
4959 		return -EINVAL;
4960 
4961 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4962 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4963 		return -EINVAL;
4964 
4965 	if (!rdev->ops->del_key)
4966 		return -EOPNOTSUPP;
4967 
4968 	err = nl80211_key_allowed(wdev);
4969 
4970 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4971 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4972 		err = -ENOENT;
4973 
4974 	if (!err)
4975 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4976 				key.type == NL80211_KEYTYPE_PAIRWISE);
4977 
4978 	if (!err)
4979 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4980 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4981 				   mac_addr);
4982 
4983 #ifdef CONFIG_CFG80211_WEXT
4984 	if (!err) {
4985 		if (key.idx == wdev->wext.default_key)
4986 			wdev->wext.default_key = -1;
4987 		else if (key.idx == wdev->wext.default_mgmt_key)
4988 			wdev->wext.default_mgmt_key = -1;
4989 	}
4990 #endif
4991 
4992 	return err;
4993 }
4994 
4995 /* This function returns an error or the number of nested attributes */
4996 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4997 {
4998 	struct nlattr *attr;
4999 	int n_entries = 0, tmp;
5000 
5001 	nla_for_each_nested(attr, nl_attr, tmp) {
5002 		if (nla_len(attr) != ETH_ALEN)
5003 			return -EINVAL;
5004 
5005 		n_entries++;
5006 	}
5007 
5008 	return n_entries;
5009 }
5010 
5011 /*
5012  * This function parses ACL information and allocates memory for ACL data.
5013  * On successful return, the calling function is responsible to free the
5014  * ACL buffer returned by this function.
5015  */
5016 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5017 						struct genl_info *info)
5018 {
5019 	enum nl80211_acl_policy acl_policy;
5020 	struct nlattr *attr;
5021 	struct cfg80211_acl_data *acl;
5022 	int i = 0, n_entries, tmp;
5023 
5024 	if (!wiphy->max_acl_mac_addrs)
5025 		return ERR_PTR(-EOPNOTSUPP);
5026 
5027 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5028 		return ERR_PTR(-EINVAL);
5029 
5030 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5031 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5032 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5033 		return ERR_PTR(-EINVAL);
5034 
5035 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5036 		return ERR_PTR(-EINVAL);
5037 
5038 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5039 	if (n_entries < 0)
5040 		return ERR_PTR(n_entries);
5041 
5042 	if (n_entries > wiphy->max_acl_mac_addrs)
5043 		return ERR_PTR(-EOPNOTSUPP);
5044 
5045 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5046 	if (!acl)
5047 		return ERR_PTR(-ENOMEM);
5048 	acl->n_acl_entries = n_entries;
5049 
5050 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5051 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5052 		i++;
5053 	}
5054 	acl->acl_policy = acl_policy;
5055 
5056 	return acl;
5057 }
5058 
5059 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5060 {
5061 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5062 	struct net_device *dev = info->user_ptr[1];
5063 	struct cfg80211_acl_data *acl;
5064 	int err;
5065 
5066 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5067 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5068 		return -EOPNOTSUPP;
5069 
5070 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5071 		return -EINVAL;
5072 
5073 	acl = parse_acl_data(&rdev->wiphy, info);
5074 	if (IS_ERR(acl))
5075 		return PTR_ERR(acl);
5076 
5077 	err = rdev_set_mac_acl(rdev, dev, acl);
5078 
5079 	kfree(acl);
5080 
5081 	return err;
5082 }
5083 
5084 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5085 			   u8 *rates, u8 rates_len)
5086 {
5087 	u8 i;
5088 	u32 mask = 0;
5089 
5090 	for (i = 0; i < rates_len; i++) {
5091 		int rate = (rates[i] & 0x7f) * 5;
5092 		int ridx;
5093 
5094 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5095 			struct ieee80211_rate *srate =
5096 				&sband->bitrates[ridx];
5097 			if (rate == srate->bitrate) {
5098 				mask |= 1 << ridx;
5099 				break;
5100 			}
5101 		}
5102 		if (ridx == sband->n_bitrates)
5103 			return 0; /* rate not found */
5104 	}
5105 
5106 	return mask;
5107 }
5108 
5109 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5110 			       u8 *rates, u8 rates_len,
5111 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5112 {
5113 	u8 i;
5114 
5115 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5116 
5117 	for (i = 0; i < rates_len; i++) {
5118 		int ridx, rbit;
5119 
5120 		ridx = rates[i] / 8;
5121 		rbit = BIT(rates[i] % 8);
5122 
5123 		/* check validity */
5124 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5125 			return false;
5126 
5127 		/* check availability */
5128 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5129 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5130 			mcs[ridx] |= rbit;
5131 		else
5132 			return false;
5133 	}
5134 
5135 	return true;
5136 }
5137 
5138 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5139 {
5140 	u16 mcs_mask = 0;
5141 
5142 	switch (vht_mcs_map) {
5143 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5144 		break;
5145 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5146 		mcs_mask = 0x00FF;
5147 		break;
5148 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5149 		mcs_mask = 0x01FF;
5150 		break;
5151 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5152 		mcs_mask = 0x03FF;
5153 		break;
5154 	default:
5155 		break;
5156 	}
5157 
5158 	return mcs_mask;
5159 }
5160 
5161 static void vht_build_mcs_mask(u16 vht_mcs_map,
5162 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5163 {
5164 	u8 nss;
5165 
5166 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5167 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5168 		vht_mcs_map >>= 2;
5169 	}
5170 }
5171 
5172 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5173 			     struct nl80211_txrate_vht *txrate,
5174 			     u16 mcs[NL80211_VHT_NSS_MAX])
5175 {
5176 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5177 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5178 	u8 i;
5179 
5180 	if (!sband->vht_cap.vht_supported)
5181 		return false;
5182 
5183 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5184 
5185 	/* Build vht_mcs_mask from VHT capabilities */
5186 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5187 
5188 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5189 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5190 			mcs[i] = txrate->mcs[i];
5191 		else
5192 			return false;
5193 	}
5194 
5195 	return true;
5196 }
5197 
5198 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5199 {
5200 	switch (he_mcs_map) {
5201 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5202 		return 0;
5203 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5204 		return 0x00FF;
5205 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5206 		return 0x03FF;
5207 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5208 		return 0xFFF;
5209 	default:
5210 		break;
5211 	}
5212 	return 0;
5213 }
5214 
5215 static void he_build_mcs_mask(u16 he_mcs_map,
5216 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5217 {
5218 	u8 nss;
5219 
5220 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5221 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5222 		he_mcs_map >>= 2;
5223 	}
5224 }
5225 
5226 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5227 			   const struct ieee80211_sta_he_cap *he_cap)
5228 {
5229 	struct net_device *dev = info->user_ptr[1];
5230 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5231 	struct cfg80211_chan_def *chandef;
5232 	__le16 tx_mcs;
5233 
5234 	chandef = wdev_chandef(wdev, link_id);
5235 	if (!chandef) {
5236 		/*
5237 		 * This is probably broken, but we never maintained
5238 		 * a chandef in these cases, so it always was.
5239 		 */
5240 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5241 	}
5242 
5243 	switch (chandef->width) {
5244 	case NL80211_CHAN_WIDTH_80P80:
5245 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5246 		break;
5247 	case NL80211_CHAN_WIDTH_160:
5248 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5249 		break;
5250 	default:
5251 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5252 		break;
5253 	}
5254 
5255 	return le16_to_cpu(tx_mcs);
5256 }
5257 
5258 static bool he_set_mcs_mask(struct genl_info *info,
5259 			    struct wireless_dev *wdev,
5260 			    struct ieee80211_supported_band *sband,
5261 			    struct nl80211_txrate_he *txrate,
5262 			    u16 mcs[NL80211_HE_NSS_MAX],
5263 			    unsigned int link_id)
5264 {
5265 	const struct ieee80211_sta_he_cap *he_cap;
5266 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5267 	u16 tx_mcs_map = 0;
5268 	u8 i;
5269 
5270 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5271 	if (!he_cap)
5272 		return false;
5273 
5274 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5275 
5276 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5277 
5278 	/* Build he_mcs_mask from HE capabilities */
5279 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5280 
5281 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5282 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5283 			mcs[i] = txrate->mcs[i];
5284 		else
5285 			return false;
5286 	}
5287 
5288 	return true;
5289 }
5290 
5291 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5292 					 struct nlattr *attrs[],
5293 					 enum nl80211_attrs attr,
5294 					 struct cfg80211_bitrate_mask *mask,
5295 					 struct net_device *dev,
5296 					 bool default_all_enabled,
5297 					 unsigned int link_id)
5298 {
5299 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5300 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5301 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5302 	int rem, i;
5303 	struct nlattr *tx_rates;
5304 	struct ieee80211_supported_band *sband;
5305 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5306 
5307 	memset(mask, 0, sizeof(*mask));
5308 	/* Default to all rates enabled */
5309 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5310 		const struct ieee80211_sta_he_cap *he_cap;
5311 
5312 		if (!default_all_enabled)
5313 			break;
5314 
5315 		sband = rdev->wiphy.bands[i];
5316 
5317 		if (!sband)
5318 			continue;
5319 
5320 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5321 		memcpy(mask->control[i].ht_mcs,
5322 		       sband->ht_cap.mcs.rx_mask,
5323 		       sizeof(mask->control[i].ht_mcs));
5324 
5325 		if (sband->vht_cap.vht_supported) {
5326 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5327 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5328 		}
5329 
5330 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5331 		if (!he_cap)
5332 			continue;
5333 
5334 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5335 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5336 
5337 		mask->control[i].he_gi = 0xFF;
5338 		mask->control[i].he_ltf = 0xFF;
5339 	}
5340 
5341 	/* if no rates are given set it back to the defaults */
5342 	if (!attrs[attr])
5343 		goto out;
5344 
5345 	/* The nested attribute uses enum nl80211_band as the index. This maps
5346 	 * directly to the enum nl80211_band values used in cfg80211.
5347 	 */
5348 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5349 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5350 		enum nl80211_band band = nla_type(tx_rates);
5351 		int err;
5352 
5353 		if (band < 0 || band >= NUM_NL80211_BANDS)
5354 			return -EINVAL;
5355 		sband = rdev->wiphy.bands[band];
5356 		if (sband == NULL)
5357 			return -EINVAL;
5358 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5359 						  tx_rates,
5360 						  nl80211_txattr_policy,
5361 						  info->extack);
5362 		if (err)
5363 			return err;
5364 		if (tb[NL80211_TXRATE_LEGACY]) {
5365 			mask->control[band].legacy = rateset_to_mask(
5366 				sband,
5367 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5368 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5369 			if ((mask->control[band].legacy == 0) &&
5370 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5371 				return -EINVAL;
5372 		}
5373 		if (tb[NL80211_TXRATE_HT]) {
5374 			if (!ht_rateset_to_mask(
5375 					sband,
5376 					nla_data(tb[NL80211_TXRATE_HT]),
5377 					nla_len(tb[NL80211_TXRATE_HT]),
5378 					mask->control[band].ht_mcs))
5379 				return -EINVAL;
5380 		}
5381 
5382 		if (tb[NL80211_TXRATE_VHT]) {
5383 			if (!vht_set_mcs_mask(
5384 					sband,
5385 					nla_data(tb[NL80211_TXRATE_VHT]),
5386 					mask->control[band].vht_mcs))
5387 				return -EINVAL;
5388 		}
5389 
5390 		if (tb[NL80211_TXRATE_GI]) {
5391 			mask->control[band].gi =
5392 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5393 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5394 				return -EINVAL;
5395 		}
5396 		if (tb[NL80211_TXRATE_HE] &&
5397 		    !he_set_mcs_mask(info, wdev, sband,
5398 				     nla_data(tb[NL80211_TXRATE_HE]),
5399 				     mask->control[band].he_mcs,
5400 				     link_id))
5401 			return -EINVAL;
5402 
5403 		if (tb[NL80211_TXRATE_HE_GI])
5404 			mask->control[band].he_gi =
5405 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5406 		if (tb[NL80211_TXRATE_HE_LTF])
5407 			mask->control[band].he_ltf =
5408 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5409 
5410 		if (mask->control[band].legacy == 0) {
5411 			/* don't allow empty legacy rates if HT, VHT or HE
5412 			 * are not even supported.
5413 			 */
5414 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5415 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5416 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5417 				return -EINVAL;
5418 
5419 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5420 				if (mask->control[band].ht_mcs[i])
5421 					goto out;
5422 
5423 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5424 				if (mask->control[band].vht_mcs[i])
5425 					goto out;
5426 
5427 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5428 				if (mask->control[band].he_mcs[i])
5429 					goto out;
5430 
5431 			/* legacy and mcs rates may not be both empty */
5432 			return -EINVAL;
5433 		}
5434 	}
5435 
5436 out:
5437 	return 0;
5438 }
5439 
5440 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5441 				   enum nl80211_band band,
5442 				   struct cfg80211_bitrate_mask *beacon_rate)
5443 {
5444 	u32 count_ht, count_vht, count_he, i;
5445 	u32 rate = beacon_rate->control[band].legacy;
5446 
5447 	/* Allow only one rate */
5448 	if (hweight32(rate) > 1)
5449 		return -EINVAL;
5450 
5451 	count_ht = 0;
5452 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5453 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5454 			return -EINVAL;
5455 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5456 			count_ht++;
5457 			if (count_ht > 1)
5458 				return -EINVAL;
5459 		}
5460 		if (count_ht && rate)
5461 			return -EINVAL;
5462 	}
5463 
5464 	count_vht = 0;
5465 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5466 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5467 			return -EINVAL;
5468 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5469 			count_vht++;
5470 			if (count_vht > 1)
5471 				return -EINVAL;
5472 		}
5473 		if (count_vht && rate)
5474 			return -EINVAL;
5475 	}
5476 
5477 	count_he = 0;
5478 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5479 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5480 			return -EINVAL;
5481 		} else if (beacon_rate->control[band].he_mcs[i]) {
5482 			count_he++;
5483 			if (count_he > 1)
5484 				return -EINVAL;
5485 		}
5486 		if (count_he && rate)
5487 			return -EINVAL;
5488 	}
5489 
5490 	if ((count_ht && count_vht && count_he) ||
5491 	    (!rate && !count_ht && !count_vht && !count_he))
5492 		return -EINVAL;
5493 
5494 	if (rate &&
5495 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5496 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5497 		return -EINVAL;
5498 	if (count_ht &&
5499 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5500 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5501 		return -EINVAL;
5502 	if (count_vht &&
5503 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5504 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5505 		return -EINVAL;
5506 	if (count_he &&
5507 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5508 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5509 		return -EINVAL;
5510 
5511 	return 0;
5512 }
5513 
5514 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5515 				       struct net_device *dev,
5516 				       struct nlattr *attrs,
5517 				       struct cfg80211_mbssid_config *config,
5518 				       u8 num_elems)
5519 {
5520 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5521 
5522 	if (!wiphy->mbssid_max_interfaces)
5523 		return -EOPNOTSUPP;
5524 
5525 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5526 			     NULL) ||
5527 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5528 		return -EINVAL;
5529 
5530 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5531 	if (config->ema) {
5532 		if (!wiphy->ema_max_profile_periodicity)
5533 			return -EOPNOTSUPP;
5534 
5535 		if (num_elems > wiphy->ema_max_profile_periodicity)
5536 			return -EINVAL;
5537 	}
5538 
5539 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5540 	if (config->index >= wiphy->mbssid_max_interfaces ||
5541 	    (!config->index && !num_elems))
5542 		return -EINVAL;
5543 
5544 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5545 		u32 tx_ifindex =
5546 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5547 
5548 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5549 		    (config->index && tx_ifindex == dev->ifindex))
5550 			return -EINVAL;
5551 
5552 		if (tx_ifindex != dev->ifindex) {
5553 			struct net_device *tx_netdev =
5554 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5555 
5556 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5557 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5558 			    tx_netdev->ieee80211_ptr->iftype !=
5559 							NL80211_IFTYPE_AP) {
5560 				dev_put(tx_netdev);
5561 				return -EINVAL;
5562 			}
5563 
5564 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5565 		} else {
5566 			config->tx_wdev = dev->ieee80211_ptr;
5567 		}
5568 	} else if (!config->index) {
5569 		config->tx_wdev = dev->ieee80211_ptr;
5570 	} else {
5571 		return -EINVAL;
5572 	}
5573 
5574 	return 0;
5575 }
5576 
5577 static struct cfg80211_mbssid_elems *
5578 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5579 {
5580 	struct nlattr *nl_elems;
5581 	struct cfg80211_mbssid_elems *elems;
5582 	int rem_elems;
5583 	u8 i = 0, num_elems = 0;
5584 
5585 	if (!wiphy->mbssid_max_interfaces)
5586 		return ERR_PTR(-EINVAL);
5587 
5588 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5589 		if (num_elems >= 255)
5590 			return ERR_PTR(-EINVAL);
5591 		num_elems++;
5592 	}
5593 
5594 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5595 	if (!elems)
5596 		return ERR_PTR(-ENOMEM);
5597 	elems->cnt = num_elems;
5598 
5599 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5600 		elems->elem[i].data = nla_data(nl_elems);
5601 		elems->elem[i].len = nla_len(nl_elems);
5602 		i++;
5603 	}
5604 	return elems;
5605 }
5606 
5607 static struct cfg80211_rnr_elems *
5608 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5609 			struct netlink_ext_ack *extack)
5610 {
5611 	struct nlattr *nl_elems;
5612 	struct cfg80211_rnr_elems *elems;
5613 	int rem_elems;
5614 	u8 i = 0, num_elems = 0;
5615 
5616 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5617 		int ret;
5618 
5619 		ret = validate_ie_attr(nl_elems, extack);
5620 		if (ret)
5621 			return ERR_PTR(ret);
5622 
5623 		num_elems++;
5624 	}
5625 
5626 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5627 	if (!elems)
5628 		return ERR_PTR(-ENOMEM);
5629 	elems->cnt = num_elems;
5630 
5631 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5632 		elems->elem[i].data = nla_data(nl_elems);
5633 		elems->elem[i].len = nla_len(nl_elems);
5634 		i++;
5635 	}
5636 	return elems;
5637 }
5638 
5639 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5640 				      struct cfg80211_he_bss_color *he_bss_color)
5641 {
5642 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5643 	int err;
5644 
5645 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5646 			       he_bss_color_policy, NULL);
5647 	if (err)
5648 		return err;
5649 
5650 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5651 		return -EINVAL;
5652 
5653 	he_bss_color->color =
5654 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5655 	he_bss_color->enabled =
5656 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5657 	he_bss_color->partial =
5658 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5659 
5660 	return 0;
5661 }
5662 
5663 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5664 				struct nlattr *attrs[],
5665 				struct cfg80211_beacon_data *bcn,
5666 				struct netlink_ext_ack *extack)
5667 {
5668 	bool haveinfo = false;
5669 	int err;
5670 
5671 	memset(bcn, 0, sizeof(*bcn));
5672 
5673 	bcn->link_id = nl80211_link_id(attrs);
5674 
5675 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5676 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5677 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5678 		if (!bcn->head_len)
5679 			return -EINVAL;
5680 		haveinfo = true;
5681 	}
5682 
5683 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5684 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5685 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5686 		haveinfo = true;
5687 	}
5688 
5689 	if (!haveinfo)
5690 		return -EINVAL;
5691 
5692 	if (attrs[NL80211_ATTR_IE]) {
5693 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5694 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5695 	}
5696 
5697 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5698 		bcn->proberesp_ies =
5699 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5700 		bcn->proberesp_ies_len =
5701 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5702 	}
5703 
5704 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5705 		bcn->assocresp_ies =
5706 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5707 		bcn->assocresp_ies_len =
5708 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5709 	}
5710 
5711 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5712 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5713 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5714 	}
5715 
5716 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5717 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5718 
5719 		err = nla_parse_nested_deprecated(tb,
5720 						  NL80211_FTM_RESP_ATTR_MAX,
5721 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5722 						  NULL, NULL);
5723 		if (err)
5724 			return err;
5725 
5726 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5727 		    wiphy_ext_feature_isset(&rdev->wiphy,
5728 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5729 			bcn->ftm_responder = 1;
5730 		else
5731 			return -EOPNOTSUPP;
5732 
5733 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5734 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5735 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5736 		}
5737 
5738 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5739 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5740 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5741 		}
5742 	} else {
5743 		bcn->ftm_responder = -1;
5744 	}
5745 
5746 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5747 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5748 						 &bcn->he_bss_color);
5749 		if (err)
5750 			return err;
5751 		bcn->he_bss_color_valid = true;
5752 	}
5753 
5754 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5755 		struct cfg80211_mbssid_elems *mbssid =
5756 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5757 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5758 
5759 		if (IS_ERR(mbssid))
5760 			return PTR_ERR(mbssid);
5761 
5762 		bcn->mbssid_ies = mbssid;
5763 
5764 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5765 			struct cfg80211_rnr_elems *rnr =
5766 				nl80211_parse_rnr_elems(&rdev->wiphy,
5767 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5768 							extack);
5769 
5770 			if (IS_ERR(rnr))
5771 				return PTR_ERR(rnr);
5772 
5773 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5774 				return -EINVAL;
5775 
5776 			bcn->rnr_ies = rnr;
5777 		}
5778 	}
5779 
5780 	return 0;
5781 }
5782 
5783 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5784 				    struct ieee80211_he_obss_pd *he_obss_pd)
5785 {
5786 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5787 	int err;
5788 
5789 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5790 			       he_obss_pd_policy, NULL);
5791 	if (err)
5792 		return err;
5793 
5794 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5795 		return -EINVAL;
5796 
5797 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5798 
5799 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5800 		he_obss_pd->min_offset =
5801 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5802 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5803 		he_obss_pd->max_offset =
5804 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5805 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5806 		he_obss_pd->non_srg_max_offset =
5807 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5808 
5809 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5810 		return -EINVAL;
5811 
5812 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5813 		memcpy(he_obss_pd->bss_color_bitmap,
5814 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5815 		       sizeof(he_obss_pd->bss_color_bitmap));
5816 
5817 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5818 		memcpy(he_obss_pd->partial_bssid_bitmap,
5819 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5820 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5821 
5822 	he_obss_pd->enable = true;
5823 
5824 	return 0;
5825 }
5826 
5827 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5828 					struct nlattr *attrs,
5829 					struct cfg80211_fils_discovery *fd)
5830 {
5831 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5832 	int ret;
5833 
5834 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5835 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5836 		return -EINVAL;
5837 
5838 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5839 			       NULL, NULL);
5840 	if (ret)
5841 		return ret;
5842 
5843 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5844 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5845 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5846 		fd->update = true;
5847 		return 0;
5848 	}
5849 
5850 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5851 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5852 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5853 		return -EINVAL;
5854 
5855 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5856 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5857 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5858 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5859 	fd->update = true;
5860 	return 0;
5861 }
5862 
5863 static int
5864 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5865 				     struct nlattr *attrs,
5866 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5867 {
5868 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5869 	int ret;
5870 
5871 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5872 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5873 		return -EINVAL;
5874 
5875 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5876 			       attrs, NULL, NULL);
5877 	if (ret)
5878 		return ret;
5879 
5880 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5881 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5882 		presp->update = true;
5883 		return 0;
5884 	}
5885 
5886 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5887 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5888 		return -EINVAL;
5889 
5890 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5891 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5892 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5893 	presp->update = true;
5894 	return 0;
5895 }
5896 
5897 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5898 					    const struct element *rates)
5899 {
5900 	int i;
5901 
5902 	if (!rates)
5903 		return;
5904 
5905 	for (i = 0; i < rates->datalen; i++) {
5906 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5907 			params->ht_required = true;
5908 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5909 			params->vht_required = true;
5910 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5911 			params->he_required = true;
5912 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5913 			params->sae_h2e_required = true;
5914 	}
5915 }
5916 
5917 /*
5918  * Since the nl80211 API didn't include, from the beginning, attributes about
5919  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5920  * benefit of drivers that rebuild IEs in the firmware.
5921  */
5922 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5923 {
5924 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5925 	size_t ies_len = bcn->tail_len;
5926 	const u8 *ies = bcn->tail;
5927 	const struct element *rates;
5928 	const struct element *cap;
5929 
5930 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5931 	nl80211_check_ap_rate_selectors(params, rates);
5932 
5933 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5934 	nl80211_check_ap_rate_selectors(params, rates);
5935 
5936 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5937 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5938 		params->ht_cap = (void *)cap->data;
5939 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5940 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5941 		params->vht_cap = (void *)cap->data;
5942 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5943 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5944 		params->he_cap = (void *)(cap->data + 1);
5945 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5946 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5947 		params->he_oper = (void *)(cap->data + 1);
5948 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5949 	if (cap) {
5950 		if (!cap->datalen)
5951 			return -EINVAL;
5952 		params->eht_cap = (void *)(cap->data + 1);
5953 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5954 						(const u8 *)params->eht_cap,
5955 						cap->datalen - 1, true))
5956 			return -EINVAL;
5957 	}
5958 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5959 	if (cap) {
5960 		if (!cap->datalen)
5961 			return -EINVAL;
5962 		params->eht_oper = (void *)(cap->data + 1);
5963 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5964 						cap->datalen - 1))
5965 			return -EINVAL;
5966 	}
5967 	return 0;
5968 }
5969 
5970 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5971 				   struct cfg80211_ap_settings *params)
5972 {
5973 	struct wireless_dev *wdev;
5974 
5975 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5976 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5977 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5978 			continue;
5979 
5980 		if (!wdev->u.ap.preset_chandef.chan)
5981 			continue;
5982 
5983 		params->chandef = wdev->u.ap.preset_chandef;
5984 		return true;
5985 	}
5986 
5987 	return false;
5988 }
5989 
5990 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5991 				    enum nl80211_auth_type auth_type,
5992 				    enum nl80211_commands cmd)
5993 {
5994 	if (auth_type > NL80211_AUTHTYPE_MAX)
5995 		return false;
5996 
5997 	switch (cmd) {
5998 	case NL80211_CMD_AUTHENTICATE:
5999 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6000 		    auth_type == NL80211_AUTHTYPE_SAE)
6001 			return false;
6002 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6003 					     NL80211_EXT_FEATURE_FILS_STA) &&
6004 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6005 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6006 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6007 			return false;
6008 		return true;
6009 	case NL80211_CMD_CONNECT:
6010 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6011 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6012 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6013 		    auth_type == NL80211_AUTHTYPE_SAE)
6014 			return false;
6015 
6016 		/* FILS with SK PFS or PK not supported yet */
6017 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6018 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6019 			return false;
6020 		if (!wiphy_ext_feature_isset(
6021 			    &rdev->wiphy,
6022 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6023 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6024 			return false;
6025 		return true;
6026 	case NL80211_CMD_START_AP:
6027 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6028 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6029 		    auth_type == NL80211_AUTHTYPE_SAE)
6030 			return false;
6031 		/* FILS not supported yet */
6032 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6033 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6034 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6035 			return false;
6036 		return true;
6037 	default:
6038 		return false;
6039 	}
6040 }
6041 
6042 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6043 				    unsigned int link_id)
6044 {
6045 	struct wiphy *wiphy = wdev->wiphy;
6046 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6047 	struct sk_buff *msg;
6048 	void *hdr;
6049 
6050 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6051 	if (!msg)
6052 		return;
6053 
6054 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6055 	if (!hdr)
6056 		goto out;
6057 
6058 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6059 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6060 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6061 			      NL80211_ATTR_PAD) ||
6062 	    (wdev->u.ap.ssid_len &&
6063 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6064 		     wdev->u.ap.ssid)) ||
6065 	    (wdev->valid_links &&
6066 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6067 		goto out;
6068 
6069 	genlmsg_end(msg, hdr);
6070 
6071 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6072 				NL80211_MCGRP_MLME, GFP_KERNEL);
6073 	return;
6074 out:
6075 	nlmsg_free(msg);
6076 }
6077 
6078 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6079 {
6080 	struct ieee80211_channel *channel = params->chandef.chan;
6081 
6082 	if ((params->he_cap ||  params->he_oper) &&
6083 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6084 		return -EOPNOTSUPP;
6085 
6086 	if ((params->eht_cap || params->eht_oper) &&
6087 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6088 		return -EOPNOTSUPP;
6089 
6090 	return 0;
6091 }
6092 
6093 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6094 {
6095 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6096 	struct cfg80211_beaconing_check_config beacon_check = {};
6097 	unsigned int link_id = nl80211_link_id(info->attrs);
6098 	struct net_device *dev = info->user_ptr[1];
6099 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6100 	struct cfg80211_ap_settings *params;
6101 	int err;
6102 
6103 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6104 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6105 		return -EOPNOTSUPP;
6106 
6107 	if (!rdev->ops->start_ap)
6108 		return -EOPNOTSUPP;
6109 
6110 	if (wdev->links[link_id].cac_started)
6111 		return -EBUSY;
6112 
6113 	if (wdev->links[link_id].ap.beacon_interval)
6114 		return -EALREADY;
6115 
6116 	/* these are required for START_AP */
6117 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6118 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6119 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6120 		return -EINVAL;
6121 
6122 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6123 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6124 		return -EOPNOTSUPP;
6125 
6126 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6127 	if (!params)
6128 		return -ENOMEM;
6129 
6130 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6131 				   info->extack);
6132 	if (err)
6133 		goto out;
6134 
6135 	params->beacon_interval =
6136 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6137 	params->dtim_period =
6138 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6139 
6140 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6141 					   params->beacon_interval);
6142 	if (err)
6143 		goto out;
6144 
6145 	/*
6146 	 * In theory, some of these attributes should be required here
6147 	 * but since they were not used when the command was originally
6148 	 * added, keep them optional for old user space programs to let
6149 	 * them continue to work with drivers that do not need the
6150 	 * additional information -- drivers must check!
6151 	 */
6152 	if (info->attrs[NL80211_ATTR_SSID]) {
6153 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6154 		params->ssid_len =
6155 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6156 		if (params->ssid_len == 0) {
6157 			err = -EINVAL;
6158 			goto out;
6159 		}
6160 
6161 		if (wdev->u.ap.ssid_len &&
6162 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6163 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6164 			/* require identical SSID for MLO */
6165 			err = -EINVAL;
6166 			goto out;
6167 		}
6168 	} else if (wdev->valid_links) {
6169 		/* require SSID for MLO */
6170 		err = -EINVAL;
6171 		goto out;
6172 	}
6173 
6174 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6175 		params->hidden_ssid = nla_get_u32(
6176 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6177 
6178 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6179 
6180 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6181 		params->auth_type = nla_get_u32(
6182 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6183 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6184 					     NL80211_CMD_START_AP)) {
6185 			err = -EINVAL;
6186 			goto out;
6187 		}
6188 	} else
6189 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6190 
6191 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6192 				      NL80211_MAX_NR_CIPHER_SUITES);
6193 	if (err)
6194 		goto out;
6195 
6196 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6197 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6198 			err = -EOPNOTSUPP;
6199 			goto out;
6200 		}
6201 		params->inactivity_timeout = nla_get_u16(
6202 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6203 	}
6204 
6205 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6206 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6207 			err = -EINVAL;
6208 			goto out;
6209 		}
6210 		params->p2p_ctwindow =
6211 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6212 		if (params->p2p_ctwindow != 0 &&
6213 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6214 			err = -EINVAL;
6215 			goto out;
6216 		}
6217 	}
6218 
6219 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6220 		u8 tmp;
6221 
6222 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6223 			err = -EINVAL;
6224 			goto out;
6225 		}
6226 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6227 		params->p2p_opp_ps = tmp;
6228 		if (params->p2p_opp_ps != 0 &&
6229 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6230 			err = -EINVAL;
6231 			goto out;
6232 		}
6233 	}
6234 
6235 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6236 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6237 		if (err)
6238 			goto out;
6239 	} else if (wdev->valid_links) {
6240 		/* with MLD need to specify the channel configuration */
6241 		err = -EINVAL;
6242 		goto out;
6243 	} else if (wdev->u.ap.preset_chandef.chan) {
6244 		params->chandef = wdev->u.ap.preset_chandef;
6245 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6246 		err = -EINVAL;
6247 		goto out;
6248 	}
6249 
6250 	beacon_check.iftype = wdev->iftype;
6251 	beacon_check.relax = true;
6252 	beacon_check.reg_power =
6253 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6254 					     params->beacon.tail_len);
6255 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6256 					  &beacon_check)) {
6257 		err = -EINVAL;
6258 		goto out;
6259 	}
6260 
6261 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6262 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6263 						    NL80211_ATTR_TX_RATES,
6264 						    &params->beacon_rate,
6265 						    dev, false, link_id);
6266 		if (err)
6267 			goto out;
6268 
6269 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6270 					      &params->beacon_rate);
6271 		if (err)
6272 			goto out;
6273 	}
6274 
6275 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6276 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6277 		err = -EOPNOTSUPP;
6278 		goto out;
6279 	}
6280 
6281 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6282 		params->acl = parse_acl_data(&rdev->wiphy, info);
6283 		if (IS_ERR(params->acl)) {
6284 			err = PTR_ERR(params->acl);
6285 			params->acl = NULL;
6286 			goto out;
6287 		}
6288 	}
6289 
6290 	params->twt_responder =
6291 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6292 
6293 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6294 		err = nl80211_parse_he_obss_pd(
6295 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6296 					&params->he_obss_pd);
6297 		if (err)
6298 			goto out;
6299 	}
6300 
6301 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6302 		err = nl80211_parse_fils_discovery(rdev,
6303 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6304 						   &params->fils_discovery);
6305 		if (err)
6306 			goto out;
6307 	}
6308 
6309 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6310 		err = nl80211_parse_unsol_bcast_probe_resp(
6311 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6312 			&params->unsol_bcast_probe_resp);
6313 		if (err)
6314 			goto out;
6315 	}
6316 
6317 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6318 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6319 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6320 						  &params->mbssid_config,
6321 						  params->beacon.mbssid_ies ?
6322 							params->beacon.mbssid_ies->cnt :
6323 							0);
6324 		if (err)
6325 			goto out;
6326 	}
6327 
6328 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6329 		err = -EINVAL;
6330 		goto out;
6331 	}
6332 
6333 	err = nl80211_calculate_ap_params(params);
6334 	if (err)
6335 		goto out;
6336 
6337 	err = nl80211_validate_ap_phy_operation(params);
6338 	if (err)
6339 		goto out;
6340 
6341 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6342 		params->flags = nla_get_u32(
6343 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6344 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6345 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6346 
6347 	if (wdev->conn_owner_nlportid &&
6348 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6349 	    wdev->conn_owner_nlportid != info->snd_portid) {
6350 		err = -EINVAL;
6351 		goto out;
6352 	}
6353 
6354 	/* FIXME: validate MLO/link-id against driver capabilities */
6355 
6356 	err = rdev_start_ap(rdev, dev, params);
6357 	if (!err) {
6358 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6359 		wdev->links[link_id].ap.chandef = params->chandef;
6360 		wdev->u.ap.ssid_len = params->ssid_len;
6361 		memcpy(wdev->u.ap.ssid, params->ssid,
6362 		       params->ssid_len);
6363 
6364 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6365 			wdev->conn_owner_nlportid = info->snd_portid;
6366 
6367 		nl80211_send_ap_started(wdev, link_id);
6368 	}
6369 out:
6370 	kfree(params->acl);
6371 	kfree(params->beacon.mbssid_ies);
6372 	if (params->mbssid_config.tx_wdev &&
6373 	    params->mbssid_config.tx_wdev->netdev &&
6374 	    params->mbssid_config.tx_wdev->netdev != dev)
6375 		dev_put(params->mbssid_config.tx_wdev->netdev);
6376 	kfree(params->beacon.rnr_ies);
6377 	kfree(params);
6378 
6379 	return err;
6380 }
6381 
6382 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6383 {
6384 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6385 	struct cfg80211_beaconing_check_config beacon_check = {};
6386 	unsigned int link_id = nl80211_link_id(info->attrs);
6387 	struct net_device *dev = info->user_ptr[1];
6388 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6389 	struct cfg80211_ap_update *params;
6390 	struct nlattr *attr;
6391 	int err;
6392 
6393 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6394 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6395 		return -EOPNOTSUPP;
6396 
6397 	if (!rdev->ops->change_beacon)
6398 		return -EOPNOTSUPP;
6399 
6400 	if (!wdev->links[link_id].ap.beacon_interval)
6401 		return -EINVAL;
6402 
6403 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6404 	if (!params)
6405 		return -ENOMEM;
6406 
6407 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6408 				   info->extack);
6409 	if (err)
6410 		goto out;
6411 
6412 	/* recheck beaconing is permitted with possibly changed power type */
6413 	beacon_check.iftype = wdev->iftype;
6414 	beacon_check.relax = true;
6415 	beacon_check.reg_power =
6416 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6417 					     params->beacon.tail_len);
6418 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6419 					  &wdev->links[link_id].ap.chandef,
6420 					  &beacon_check)) {
6421 		err = -EINVAL;
6422 		goto out;
6423 	}
6424 
6425 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6426 	if (attr) {
6427 		err = nl80211_parse_fils_discovery(rdev, attr,
6428 						   &params->fils_discovery);
6429 		if (err)
6430 			goto out;
6431 	}
6432 
6433 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6434 	if (attr) {
6435 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6436 							   &params->unsol_bcast_probe_resp);
6437 		if (err)
6438 			goto out;
6439 	}
6440 
6441 	err = rdev_change_beacon(rdev, dev, params);
6442 
6443 out:
6444 	kfree(params->beacon.mbssid_ies);
6445 	kfree(params->beacon.rnr_ies);
6446 	kfree(params);
6447 	return err;
6448 }
6449 
6450 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6451 {
6452 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6453 	unsigned int link_id = nl80211_link_id(info->attrs);
6454 	struct net_device *dev = info->user_ptr[1];
6455 
6456 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6457 }
6458 
6459 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6460 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6461 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6462 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6463 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6464 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6465 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6466 };
6467 
6468 static int parse_station_flags(struct genl_info *info,
6469 			       enum nl80211_iftype iftype,
6470 			       struct station_parameters *params)
6471 {
6472 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6473 	struct nlattr *nla;
6474 	int flag;
6475 
6476 	/*
6477 	 * Try parsing the new attribute first so userspace
6478 	 * can specify both for older kernels.
6479 	 */
6480 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6481 	if (nla) {
6482 		struct nl80211_sta_flag_update *sta_flags;
6483 
6484 		sta_flags = nla_data(nla);
6485 		params->sta_flags_mask = sta_flags->mask;
6486 		params->sta_flags_set = sta_flags->set;
6487 		params->sta_flags_set &= params->sta_flags_mask;
6488 		if ((params->sta_flags_mask |
6489 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6490 			return -EINVAL;
6491 		return 0;
6492 	}
6493 
6494 	/* if present, parse the old attribute */
6495 
6496 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6497 	if (!nla)
6498 		return 0;
6499 
6500 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6501 		return -EINVAL;
6502 
6503 	/*
6504 	 * Only allow certain flags for interface types so that
6505 	 * other attributes are silently ignored. Remember that
6506 	 * this is backward compatibility code with old userspace
6507 	 * and shouldn't be hit in other cases anyway.
6508 	 */
6509 	switch (iftype) {
6510 	case NL80211_IFTYPE_AP:
6511 	case NL80211_IFTYPE_AP_VLAN:
6512 	case NL80211_IFTYPE_P2P_GO:
6513 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6514 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6515 					 BIT(NL80211_STA_FLAG_WME) |
6516 					 BIT(NL80211_STA_FLAG_MFP);
6517 		break;
6518 	case NL80211_IFTYPE_P2P_CLIENT:
6519 	case NL80211_IFTYPE_STATION:
6520 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6521 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6522 		break;
6523 	case NL80211_IFTYPE_MESH_POINT:
6524 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6525 					 BIT(NL80211_STA_FLAG_MFP) |
6526 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6527 		break;
6528 	default:
6529 		return -EINVAL;
6530 	}
6531 
6532 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6533 		if (flags[flag]) {
6534 			params->sta_flags_set |= (1<<flag);
6535 
6536 			/* no longer support new API additions in old API */
6537 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6538 				return -EINVAL;
6539 		}
6540 	}
6541 
6542 	return 0;
6543 }
6544 
6545 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6546 {
6547 	struct nlattr *rate;
6548 	u32 bitrate;
6549 	u16 bitrate_compat;
6550 	enum nl80211_rate_info rate_flg;
6551 
6552 	rate = nla_nest_start_noflag(msg, attr);
6553 	if (!rate)
6554 		return false;
6555 
6556 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6557 	bitrate = cfg80211_calculate_bitrate(info);
6558 	/* report 16-bit bitrate only if we can */
6559 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6560 	if (bitrate > 0 &&
6561 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6562 		return false;
6563 	if (bitrate_compat > 0 &&
6564 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6565 		return false;
6566 
6567 	switch (info->bw) {
6568 	case RATE_INFO_BW_1:
6569 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6570 		break;
6571 	case RATE_INFO_BW_2:
6572 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6573 		break;
6574 	case RATE_INFO_BW_4:
6575 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6576 		break;
6577 	case RATE_INFO_BW_5:
6578 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6579 		break;
6580 	case RATE_INFO_BW_8:
6581 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6582 		break;
6583 	case RATE_INFO_BW_10:
6584 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6585 		break;
6586 	case RATE_INFO_BW_16:
6587 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6588 		break;
6589 	default:
6590 		WARN_ON(1);
6591 		fallthrough;
6592 	case RATE_INFO_BW_20:
6593 		rate_flg = 0;
6594 		break;
6595 	case RATE_INFO_BW_40:
6596 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6597 		break;
6598 	case RATE_INFO_BW_80:
6599 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6600 		break;
6601 	case RATE_INFO_BW_160:
6602 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6603 		break;
6604 	case RATE_INFO_BW_HE_RU:
6605 		rate_flg = 0;
6606 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6607 		break;
6608 	case RATE_INFO_BW_320:
6609 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6610 		break;
6611 	case RATE_INFO_BW_EHT_RU:
6612 		rate_flg = 0;
6613 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6614 		break;
6615 	}
6616 
6617 	if (rate_flg && nla_put_flag(msg, rate_flg))
6618 		return false;
6619 
6620 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6621 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6622 			return false;
6623 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6624 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6625 			return false;
6626 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6627 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6628 			return false;
6629 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6630 			return false;
6631 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6632 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6633 			return false;
6634 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6635 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6636 			return false;
6637 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6638 			return false;
6639 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6640 			return false;
6641 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6642 			return false;
6643 		if (info->bw == RATE_INFO_BW_HE_RU &&
6644 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6645 			       info->he_ru_alloc))
6646 			return false;
6647 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6648 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6649 			return false;
6650 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6651 			return false;
6652 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6653 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6654 			return false;
6655 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6656 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6657 			return false;
6658 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6659 			return false;
6660 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6661 			return false;
6662 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6663 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6664 			       info->eht_ru_alloc))
6665 			return false;
6666 	}
6667 
6668 	nla_nest_end(msg, rate);
6669 	return true;
6670 }
6671 
6672 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6673 			       int id)
6674 {
6675 	void *attr;
6676 	int i = 0;
6677 
6678 	if (!mask)
6679 		return true;
6680 
6681 	attr = nla_nest_start_noflag(msg, id);
6682 	if (!attr)
6683 		return false;
6684 
6685 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6686 		if (!(mask & BIT(i)))
6687 			continue;
6688 
6689 		if (nla_put_u8(msg, i, signal[i]))
6690 			return false;
6691 	}
6692 
6693 	nla_nest_end(msg, attr);
6694 
6695 	return true;
6696 }
6697 
6698 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6699 				u32 seq, int flags,
6700 				struct cfg80211_registered_device *rdev,
6701 				struct net_device *dev,
6702 				const u8 *mac_addr, struct station_info *sinfo)
6703 {
6704 	void *hdr;
6705 	struct nlattr *sinfoattr, *bss_param;
6706 
6707 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6708 	if (!hdr) {
6709 		cfg80211_sinfo_release_content(sinfo);
6710 		return -1;
6711 	}
6712 
6713 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6714 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6715 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6716 		goto nla_put_failure;
6717 
6718 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6719 	if (!sinfoattr)
6720 		goto nla_put_failure;
6721 
6722 #define PUT_SINFO(attr, memb, type) do {				\
6723 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6724 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6725 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6726 			     sinfo->memb))				\
6727 		goto nla_put_failure;					\
6728 	} while (0)
6729 #define PUT_SINFO_U64(attr, memb) do {					\
6730 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6731 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6732 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6733 		goto nla_put_failure;					\
6734 	} while (0)
6735 
6736 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6737 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6738 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6739 
6740 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6741 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6742 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6743 			(u32)sinfo->rx_bytes))
6744 		goto nla_put_failure;
6745 
6746 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6747 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6748 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6749 			(u32)sinfo->tx_bytes))
6750 		goto nla_put_failure;
6751 
6752 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6753 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6754 	PUT_SINFO(LLID, llid, u16);
6755 	PUT_SINFO(PLID, plid, u16);
6756 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6757 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6758 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6759 
6760 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6761 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6762 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6763 
6764 	switch (rdev->wiphy.signal_type) {
6765 	case CFG80211_SIGNAL_TYPE_MBM:
6766 		PUT_SINFO(SIGNAL, signal, u8);
6767 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6768 		break;
6769 	default:
6770 		break;
6771 	}
6772 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6773 		if (!nl80211_put_signal(msg, sinfo->chains,
6774 					sinfo->chain_signal,
6775 					NL80211_STA_INFO_CHAIN_SIGNAL))
6776 			goto nla_put_failure;
6777 	}
6778 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6779 		if (!nl80211_put_signal(msg, sinfo->chains,
6780 					sinfo->chain_signal_avg,
6781 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6782 			goto nla_put_failure;
6783 	}
6784 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6785 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6786 					  NL80211_STA_INFO_TX_BITRATE))
6787 			goto nla_put_failure;
6788 	}
6789 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6790 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6791 					  NL80211_STA_INFO_RX_BITRATE))
6792 			goto nla_put_failure;
6793 	}
6794 
6795 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6796 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6797 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6798 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6799 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6800 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6801 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6802 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6803 	PUT_SINFO(PEER_PM, peer_pm, u32);
6804 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6805 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6806 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6807 
6808 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6809 		bss_param = nla_nest_start_noflag(msg,
6810 						  NL80211_STA_INFO_BSS_PARAM);
6811 		if (!bss_param)
6812 			goto nla_put_failure;
6813 
6814 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6815 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6816 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6817 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6818 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6819 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6820 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6821 			       sinfo->bss_param.dtim_period) ||
6822 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6823 				sinfo->bss_param.beacon_interval))
6824 			goto nla_put_failure;
6825 
6826 		nla_nest_end(msg, bss_param);
6827 	}
6828 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6829 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6830 		    sizeof(struct nl80211_sta_flag_update),
6831 		    &sinfo->sta_flags))
6832 		goto nla_put_failure;
6833 
6834 	PUT_SINFO_U64(T_OFFSET, t_offset);
6835 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6836 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6837 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6838 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6839 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6840 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6841 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6842 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6843 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6844 	}
6845 
6846 #undef PUT_SINFO
6847 #undef PUT_SINFO_U64
6848 
6849 	if (sinfo->pertid) {
6850 		struct nlattr *tidsattr;
6851 		int tid;
6852 
6853 		tidsattr = nla_nest_start_noflag(msg,
6854 						 NL80211_STA_INFO_TID_STATS);
6855 		if (!tidsattr)
6856 			goto nla_put_failure;
6857 
6858 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6859 			struct cfg80211_tid_stats *tidstats;
6860 			struct nlattr *tidattr;
6861 
6862 			tidstats = &sinfo->pertid[tid];
6863 
6864 			if (!tidstats->filled)
6865 				continue;
6866 
6867 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6868 			if (!tidattr)
6869 				goto nla_put_failure;
6870 
6871 #define PUT_TIDVAL_U64(attr, memb) do {					\
6872 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6873 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6874 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6875 		goto nla_put_failure;					\
6876 	} while (0)
6877 
6878 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6879 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6880 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6881 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6882 
6883 #undef PUT_TIDVAL_U64
6884 			if ((tidstats->filled &
6885 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6886 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6887 						   NL80211_TID_STATS_TXQ_STATS))
6888 				goto nla_put_failure;
6889 
6890 			nla_nest_end(msg, tidattr);
6891 		}
6892 
6893 		nla_nest_end(msg, tidsattr);
6894 	}
6895 
6896 	nla_nest_end(msg, sinfoattr);
6897 
6898 	if (sinfo->assoc_req_ies_len &&
6899 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6900 		    sinfo->assoc_req_ies))
6901 		goto nla_put_failure;
6902 
6903 	if (sinfo->assoc_resp_ies_len &&
6904 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6905 		    sinfo->assoc_resp_ies))
6906 		goto nla_put_failure;
6907 
6908 	if (sinfo->mlo_params_valid) {
6909 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6910 			       sinfo->assoc_link_id))
6911 			goto nla_put_failure;
6912 
6913 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6914 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6915 			    sinfo->mld_addr))
6916 			goto nla_put_failure;
6917 	}
6918 
6919 	cfg80211_sinfo_release_content(sinfo);
6920 	genlmsg_end(msg, hdr);
6921 	return 0;
6922 
6923  nla_put_failure:
6924 	cfg80211_sinfo_release_content(sinfo);
6925 	genlmsg_cancel(msg, hdr);
6926 	return -EMSGSIZE;
6927 }
6928 
6929 static int nl80211_dump_station(struct sk_buff *skb,
6930 				struct netlink_callback *cb)
6931 {
6932 	struct station_info sinfo;
6933 	struct cfg80211_registered_device *rdev;
6934 	struct wireless_dev *wdev;
6935 	u8 mac_addr[ETH_ALEN];
6936 	int sta_idx = cb->args[2];
6937 	int err;
6938 
6939 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6940 	if (err)
6941 		return err;
6942 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6943 	__acquire(&rdev->wiphy.mtx);
6944 
6945 	if (!wdev->netdev) {
6946 		err = -EINVAL;
6947 		goto out_err;
6948 	}
6949 
6950 	if (!rdev->ops->dump_station) {
6951 		err = -EOPNOTSUPP;
6952 		goto out_err;
6953 	}
6954 
6955 	while (1) {
6956 		memset(&sinfo, 0, sizeof(sinfo));
6957 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6958 					mac_addr, &sinfo);
6959 		if (err == -ENOENT)
6960 			break;
6961 		if (err)
6962 			goto out_err;
6963 
6964 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6965 				NETLINK_CB(cb->skb).portid,
6966 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6967 				rdev, wdev->netdev, mac_addr,
6968 				&sinfo) < 0)
6969 			goto out;
6970 
6971 		sta_idx++;
6972 	}
6973 
6974  out:
6975 	cb->args[2] = sta_idx;
6976 	err = skb->len;
6977  out_err:
6978 	wiphy_unlock(&rdev->wiphy);
6979 
6980 	return err;
6981 }
6982 
6983 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6984 {
6985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6986 	struct net_device *dev = info->user_ptr[1];
6987 	struct station_info sinfo;
6988 	struct sk_buff *msg;
6989 	u8 *mac_addr = NULL;
6990 	int err;
6991 
6992 	memset(&sinfo, 0, sizeof(sinfo));
6993 
6994 	if (!info->attrs[NL80211_ATTR_MAC])
6995 		return -EINVAL;
6996 
6997 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6998 
6999 	if (!rdev->ops->get_station)
7000 		return -EOPNOTSUPP;
7001 
7002 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
7003 	if (err)
7004 		return err;
7005 
7006 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7007 	if (!msg) {
7008 		cfg80211_sinfo_release_content(&sinfo);
7009 		return -ENOMEM;
7010 	}
7011 
7012 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
7013 				 info->snd_portid, info->snd_seq, 0,
7014 				 rdev, dev, mac_addr, &sinfo) < 0) {
7015 		nlmsg_free(msg);
7016 		return -ENOBUFS;
7017 	}
7018 
7019 	return genlmsg_reply(msg, info);
7020 }
7021 
7022 int cfg80211_check_station_change(struct wiphy *wiphy,
7023 				  struct station_parameters *params,
7024 				  enum cfg80211_station_type statype)
7025 {
7026 	if (params->listen_interval != -1 &&
7027 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7028 		return -EINVAL;
7029 
7030 	if (params->support_p2p_ps != -1 &&
7031 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7032 		return -EINVAL;
7033 
7034 	if (params->aid &&
7035 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7036 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7037 		return -EINVAL;
7038 
7039 	/* When you run into this, adjust the code below for the new flag */
7040 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7041 
7042 	switch (statype) {
7043 	case CFG80211_STA_MESH_PEER_KERNEL:
7044 	case CFG80211_STA_MESH_PEER_USER:
7045 		/*
7046 		 * No ignoring the TDLS flag here -- the userspace mesh
7047 		 * code doesn't have the bug of including TDLS in the
7048 		 * mask everywhere.
7049 		 */
7050 		if (params->sta_flags_mask &
7051 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7052 				  BIT(NL80211_STA_FLAG_MFP) |
7053 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7054 			return -EINVAL;
7055 		break;
7056 	case CFG80211_STA_TDLS_PEER_SETUP:
7057 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7058 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7059 			return -EINVAL;
7060 		/* ignore since it can't change */
7061 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7062 		break;
7063 	default:
7064 		/* disallow mesh-specific things */
7065 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7066 			return -EINVAL;
7067 		if (params->local_pm)
7068 			return -EINVAL;
7069 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7070 			return -EINVAL;
7071 	}
7072 
7073 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7074 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7075 		/* TDLS can't be set, ... */
7076 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7077 			return -EINVAL;
7078 		/*
7079 		 * ... but don't bother the driver with it. This works around
7080 		 * a hostapd/wpa_supplicant issue -- it always includes the
7081 		 * TLDS_PEER flag in the mask even for AP mode.
7082 		 */
7083 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7084 	}
7085 
7086 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7087 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7088 		/* reject other things that can't change */
7089 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7090 			return -EINVAL;
7091 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7092 			return -EINVAL;
7093 		if (params->link_sta_params.supported_rates)
7094 			return -EINVAL;
7095 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7096 		    params->link_sta_params.vht_capa ||
7097 		    params->link_sta_params.he_capa ||
7098 		    params->link_sta_params.eht_capa)
7099 			return -EINVAL;
7100 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7101 			return -EINVAL;
7102 	}
7103 
7104 	if (statype != CFG80211_STA_AP_CLIENT &&
7105 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7106 		if (params->vlan)
7107 			return -EINVAL;
7108 	}
7109 
7110 	switch (statype) {
7111 	case CFG80211_STA_AP_MLME_CLIENT:
7112 		/* Use this only for authorizing/unauthorizing a station */
7113 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7114 			return -EOPNOTSUPP;
7115 		break;
7116 	case CFG80211_STA_AP_CLIENT:
7117 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7118 		/* accept only the listed bits */
7119 		if (params->sta_flags_mask &
7120 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7121 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7122 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7123 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7124 				  BIT(NL80211_STA_FLAG_WME) |
7125 				  BIT(NL80211_STA_FLAG_MFP) |
7126 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7127 			return -EINVAL;
7128 
7129 		/* but authenticated/associated only if driver handles it */
7130 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7131 		    params->sta_flags_mask &
7132 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7133 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7134 			return -EINVAL;
7135 		break;
7136 	case CFG80211_STA_IBSS:
7137 	case CFG80211_STA_AP_STA:
7138 		/* reject any changes other than AUTHORIZED */
7139 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7140 			return -EINVAL;
7141 		break;
7142 	case CFG80211_STA_TDLS_PEER_SETUP:
7143 		/* reject any changes other than AUTHORIZED or WME */
7144 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7145 					       BIT(NL80211_STA_FLAG_WME)))
7146 			return -EINVAL;
7147 		/* force (at least) rates when authorizing */
7148 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7149 		    !params->link_sta_params.supported_rates)
7150 			return -EINVAL;
7151 		break;
7152 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7153 		/* reject any changes */
7154 		return -EINVAL;
7155 	case CFG80211_STA_MESH_PEER_KERNEL:
7156 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7157 			return -EINVAL;
7158 		break;
7159 	case CFG80211_STA_MESH_PEER_USER:
7160 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7161 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7162 			return -EINVAL;
7163 		break;
7164 	}
7165 
7166 	/*
7167 	 * Older kernel versions ignored this attribute entirely, so don't
7168 	 * reject attempts to update it but mark it as unused instead so the
7169 	 * driver won't look at the data.
7170 	 */
7171 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7172 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7173 		params->link_sta_params.opmode_notif_used = false;
7174 
7175 	return 0;
7176 }
7177 EXPORT_SYMBOL(cfg80211_check_station_change);
7178 
7179 /*
7180  * Get vlan interface making sure it is running and on the right wiphy.
7181  */
7182 static struct net_device *get_vlan(struct genl_info *info,
7183 				   struct cfg80211_registered_device *rdev)
7184 {
7185 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7186 	struct net_device *v;
7187 	int ret;
7188 
7189 	if (!vlanattr)
7190 		return NULL;
7191 
7192 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7193 	if (!v)
7194 		return ERR_PTR(-ENODEV);
7195 
7196 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7197 		ret = -EINVAL;
7198 		goto error;
7199 	}
7200 
7201 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7202 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7203 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7204 		ret = -EINVAL;
7205 		goto error;
7206 	}
7207 
7208 	if (!netif_running(v)) {
7209 		ret = -ENETDOWN;
7210 		goto error;
7211 	}
7212 
7213 	return v;
7214  error:
7215 	dev_put(v);
7216 	return ERR_PTR(ret);
7217 }
7218 
7219 static int nl80211_parse_sta_wme(struct genl_info *info,
7220 				 struct station_parameters *params)
7221 {
7222 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7223 	struct nlattr *nla;
7224 	int err;
7225 
7226 	/* parse WME attributes if present */
7227 	if (!info->attrs[NL80211_ATTR_STA_WME])
7228 		return 0;
7229 
7230 	nla = info->attrs[NL80211_ATTR_STA_WME];
7231 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7232 					  nl80211_sta_wme_policy,
7233 					  info->extack);
7234 	if (err)
7235 		return err;
7236 
7237 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7238 		params->uapsd_queues = nla_get_u8(
7239 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7240 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7241 		return -EINVAL;
7242 
7243 	if (tb[NL80211_STA_WME_MAX_SP])
7244 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7245 
7246 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7247 		return -EINVAL;
7248 
7249 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7250 
7251 	return 0;
7252 }
7253 
7254 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7255 				      struct station_parameters *params)
7256 {
7257 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7258 		params->supported_channels =
7259 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7260 		params->supported_channels_len =
7261 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7262 		/*
7263 		 * Need to include at least one (first channel, number of
7264 		 * channels) tuple for each subband (checked in policy),
7265 		 * and must have proper tuples for the rest of the data as well.
7266 		 */
7267 		if (params->supported_channels_len % 2)
7268 			return -EINVAL;
7269 	}
7270 
7271 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7272 		params->supported_oper_classes =
7273 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7274 		params->supported_oper_classes_len =
7275 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7276 	}
7277 	return 0;
7278 }
7279 
7280 static int nl80211_set_station_tdls(struct genl_info *info,
7281 				    struct station_parameters *params)
7282 {
7283 	int err;
7284 	/* Dummy STA entry gets updated once the peer capabilities are known */
7285 	if (info->attrs[NL80211_ATTR_PEER_AID])
7286 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7287 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7288 		params->link_sta_params.ht_capa =
7289 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7290 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7291 		params->link_sta_params.vht_capa =
7292 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7293 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7294 		params->link_sta_params.he_capa =
7295 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7296 		params->link_sta_params.he_capa_len =
7297 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7298 
7299 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7300 			params->link_sta_params.eht_capa =
7301 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7302 			params->link_sta_params.eht_capa_len =
7303 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7304 
7305 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7306 							(const u8 *)params->link_sta_params.eht_capa,
7307 							params->link_sta_params.eht_capa_len,
7308 							false))
7309 				return -EINVAL;
7310 		}
7311 	}
7312 
7313 	err = nl80211_parse_sta_channel_info(info, params);
7314 	if (err)
7315 		return err;
7316 
7317 	return nl80211_parse_sta_wme(info, params);
7318 }
7319 
7320 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7321 					     struct sta_txpwr *txpwr,
7322 					     bool *txpwr_set)
7323 {
7324 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7325 	int idx;
7326 
7327 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7328 		if (!rdev->ops->set_tx_power ||
7329 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7330 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7331 			return -EOPNOTSUPP;
7332 
7333 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7334 		txpwr->type = nla_get_u8(info->attrs[idx]);
7335 
7336 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7337 			idx = NL80211_ATTR_STA_TX_POWER;
7338 
7339 			if (info->attrs[idx])
7340 				txpwr->power = nla_get_s16(info->attrs[idx]);
7341 			else
7342 				return -EINVAL;
7343 		}
7344 
7345 		*txpwr_set = true;
7346 	} else {
7347 		*txpwr_set = false;
7348 	}
7349 
7350 	return 0;
7351 }
7352 
7353 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7354 {
7355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7356 	struct net_device *dev = info->user_ptr[1];
7357 	struct station_parameters params;
7358 	u8 *mac_addr;
7359 	int err;
7360 
7361 	memset(&params, 0, sizeof(params));
7362 
7363 	if (!rdev->ops->change_station)
7364 		return -EOPNOTSUPP;
7365 
7366 	/*
7367 	 * AID and listen_interval properties can be set only for unassociated
7368 	 * station. Include these parameters here and will check them in
7369 	 * cfg80211_check_station_change().
7370 	 */
7371 	if (info->attrs[NL80211_ATTR_STA_AID])
7372 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7373 
7374 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7375 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7376 
7377 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7378 		params.listen_interval =
7379 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7380 	else
7381 		params.listen_interval = -1;
7382 
7383 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7384 		params.support_p2p_ps =
7385 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7386 	else
7387 		params.support_p2p_ps = -1;
7388 
7389 	if (!info->attrs[NL80211_ATTR_MAC])
7390 		return -EINVAL;
7391 
7392 	params.link_sta_params.link_id =
7393 		nl80211_link_id_or_invalid(info->attrs);
7394 
7395 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7396 		/* If MLD_ADDR attribute is set then this is an MLD station
7397 		 * and the MLD_ADDR attribute holds the MLD address and the
7398 		 * MAC attribute holds for the LINK address.
7399 		 * In that case, the link_id is also expected to be valid.
7400 		 */
7401 		if (params.link_sta_params.link_id < 0)
7402 			return -EINVAL;
7403 
7404 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7405 		params.link_sta_params.mld_mac = mac_addr;
7406 		params.link_sta_params.link_mac =
7407 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7408 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7409 			return -EINVAL;
7410 	} else {
7411 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7412 	}
7413 
7414 
7415 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7416 		params.link_sta_params.supported_rates =
7417 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7418 		params.link_sta_params.supported_rates_len =
7419 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7420 	}
7421 
7422 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7423 		params.capability =
7424 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7425 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7426 	}
7427 
7428 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7429 		params.ext_capab =
7430 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7431 		params.ext_capab_len =
7432 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7433 	}
7434 
7435 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7436 		return -EINVAL;
7437 
7438 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7439 		params.plink_action =
7440 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7441 
7442 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7443 		params.plink_state =
7444 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7445 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7446 			params.peer_aid = nla_get_u16(
7447 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7448 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7449 	}
7450 
7451 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7452 		params.local_pm = nla_get_u32(
7453 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7454 
7455 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7456 		params.link_sta_params.opmode_notif_used = true;
7457 		params.link_sta_params.opmode_notif =
7458 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7459 	}
7460 
7461 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7462 		params.link_sta_params.he_6ghz_capa =
7463 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7464 
7465 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7466 		params.airtime_weight =
7467 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7468 
7469 	if (params.airtime_weight &&
7470 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7471 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7472 		return -EOPNOTSUPP;
7473 
7474 	err = nl80211_parse_sta_txpower_setting(info,
7475 						&params.link_sta_params.txpwr,
7476 						&params.link_sta_params.txpwr_set);
7477 	if (err)
7478 		return err;
7479 
7480 	/* Include parameters for TDLS peer (will check later) */
7481 	err = nl80211_set_station_tdls(info, &params);
7482 	if (err)
7483 		return err;
7484 
7485 	params.vlan = get_vlan(info, rdev);
7486 	if (IS_ERR(params.vlan))
7487 		return PTR_ERR(params.vlan);
7488 
7489 	switch (dev->ieee80211_ptr->iftype) {
7490 	case NL80211_IFTYPE_AP:
7491 	case NL80211_IFTYPE_AP_VLAN:
7492 	case NL80211_IFTYPE_P2P_GO:
7493 	case NL80211_IFTYPE_P2P_CLIENT:
7494 	case NL80211_IFTYPE_STATION:
7495 	case NL80211_IFTYPE_ADHOC:
7496 	case NL80211_IFTYPE_MESH_POINT:
7497 		break;
7498 	default:
7499 		err = -EOPNOTSUPP;
7500 		goto out_put_vlan;
7501 	}
7502 
7503 	/* driver will call cfg80211_check_station_change() */
7504 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7505 
7506  out_put_vlan:
7507 	dev_put(params.vlan);
7508 
7509 	return err;
7510 }
7511 
7512 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7513 {
7514 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7515 	int err;
7516 	struct net_device *dev = info->user_ptr[1];
7517 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7518 	struct station_parameters params;
7519 	u8 *mac_addr = NULL;
7520 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7521 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7522 
7523 	memset(&params, 0, sizeof(params));
7524 
7525 	if (!rdev->ops->add_station)
7526 		return -EOPNOTSUPP;
7527 
7528 	if (!info->attrs[NL80211_ATTR_MAC])
7529 		return -EINVAL;
7530 
7531 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7532 		return -EINVAL;
7533 
7534 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7535 		return -EINVAL;
7536 
7537 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7538 	    !info->attrs[NL80211_ATTR_PEER_AID])
7539 		return -EINVAL;
7540 
7541 	params.link_sta_params.link_id =
7542 		nl80211_link_id_or_invalid(info->attrs);
7543 
7544 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7545 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7546 		params.link_sta_params.mld_mac = mac_addr;
7547 		params.link_sta_params.link_mac =
7548 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7549 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7550 			return -EINVAL;
7551 	} else {
7552 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7553 	}
7554 
7555 	params.link_sta_params.supported_rates =
7556 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7557 	params.link_sta_params.supported_rates_len =
7558 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7559 	params.listen_interval =
7560 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7561 
7562 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7563 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7564 
7565 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7566 		params.support_p2p_ps =
7567 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7568 	} else {
7569 		/*
7570 		 * if not specified, assume it's supported for P2P GO interface,
7571 		 * and is NOT supported for AP interface
7572 		 */
7573 		params.support_p2p_ps =
7574 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7575 	}
7576 
7577 	if (info->attrs[NL80211_ATTR_PEER_AID])
7578 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7579 	else
7580 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7581 
7582 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7583 		params.capability =
7584 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7585 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7586 	}
7587 
7588 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7589 		params.ext_capab =
7590 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7591 		params.ext_capab_len =
7592 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7593 	}
7594 
7595 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7596 		params.link_sta_params.ht_capa =
7597 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7598 
7599 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7600 		params.link_sta_params.vht_capa =
7601 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7602 
7603 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7604 		params.link_sta_params.he_capa =
7605 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7606 		params.link_sta_params.he_capa_len =
7607 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7608 
7609 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7610 			params.link_sta_params.eht_capa =
7611 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7612 			params.link_sta_params.eht_capa_len =
7613 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7614 
7615 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7616 							(const u8 *)params.link_sta_params.eht_capa,
7617 							params.link_sta_params.eht_capa_len,
7618 							false))
7619 				return -EINVAL;
7620 		}
7621 	}
7622 
7623 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7624 		params.link_sta_params.he_6ghz_capa =
7625 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7626 
7627 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7628 		params.link_sta_params.opmode_notif_used = true;
7629 		params.link_sta_params.opmode_notif =
7630 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7631 	}
7632 
7633 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7634 		params.plink_action =
7635 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7636 
7637 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7638 		params.airtime_weight =
7639 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7640 
7641 	if (params.airtime_weight &&
7642 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7643 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7644 		return -EOPNOTSUPP;
7645 
7646 	err = nl80211_parse_sta_txpower_setting(info,
7647 						&params.link_sta_params.txpwr,
7648 						&params.link_sta_params.txpwr_set);
7649 	if (err)
7650 		return err;
7651 
7652 	err = nl80211_parse_sta_channel_info(info, &params);
7653 	if (err)
7654 		return err;
7655 
7656 	err = nl80211_parse_sta_wme(info, &params);
7657 	if (err)
7658 		return err;
7659 
7660 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7661 		return -EINVAL;
7662 
7663 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7664 	 * as userspace might just pass through the capabilities from the IEs
7665 	 * directly, rather than enforcing this restriction and returning an
7666 	 * error in this case.
7667 	 */
7668 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7669 		params.link_sta_params.ht_capa = NULL;
7670 		params.link_sta_params.vht_capa = NULL;
7671 
7672 		/* HE and EHT require WME */
7673 		if (params.link_sta_params.he_capa_len ||
7674 		    params.link_sta_params.he_6ghz_capa ||
7675 		    params.link_sta_params.eht_capa_len)
7676 			return -EINVAL;
7677 	}
7678 
7679 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7680 	if (params.link_sta_params.he_6ghz_capa &&
7681 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7682 		return -EINVAL;
7683 
7684 	/* When you run into this, adjust the code below for the new flag */
7685 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7686 
7687 	switch (dev->ieee80211_ptr->iftype) {
7688 	case NL80211_IFTYPE_AP:
7689 	case NL80211_IFTYPE_AP_VLAN:
7690 	case NL80211_IFTYPE_P2P_GO:
7691 		/* ignore WME attributes if iface/sta is not capable */
7692 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7693 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7694 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7695 
7696 		/* TDLS peers cannot be added */
7697 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7698 		    info->attrs[NL80211_ATTR_PEER_AID])
7699 			return -EINVAL;
7700 		/* but don't bother the driver with it */
7701 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7702 
7703 		/* allow authenticated/associated only if driver handles it */
7704 		if (!(rdev->wiphy.features &
7705 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7706 		    params.sta_flags_mask & auth_assoc)
7707 			return -EINVAL;
7708 
7709 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7710 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7711 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7712 			return -EINVAL;
7713 
7714 		/* Older userspace, or userspace wanting to be compatible with
7715 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7716 		 * and assoc flags in the mask, but assumes the station will be
7717 		 * added as associated anyway since this was the required driver
7718 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7719 		 * introduced.
7720 		 * In order to not bother drivers with this quirk in the API
7721 		 * set the flags in both the mask and set for new stations in
7722 		 * this case.
7723 		 */
7724 		if (!(params.sta_flags_mask & auth_assoc)) {
7725 			params.sta_flags_mask |= auth_assoc;
7726 			params.sta_flags_set |= auth_assoc;
7727 		}
7728 
7729 		/* must be last in here for error handling */
7730 		params.vlan = get_vlan(info, rdev);
7731 		if (IS_ERR(params.vlan))
7732 			return PTR_ERR(params.vlan);
7733 		break;
7734 	case NL80211_IFTYPE_MESH_POINT:
7735 		/* ignore uAPSD data */
7736 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7737 
7738 		/* associated is disallowed */
7739 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7740 			return -EINVAL;
7741 		/* TDLS peers cannot be added */
7742 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7743 		    info->attrs[NL80211_ATTR_PEER_AID])
7744 			return -EINVAL;
7745 		break;
7746 	case NL80211_IFTYPE_STATION:
7747 	case NL80211_IFTYPE_P2P_CLIENT:
7748 		/* ignore uAPSD data */
7749 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7750 
7751 		/* these are disallowed */
7752 		if (params.sta_flags_mask &
7753 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7754 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7755 			return -EINVAL;
7756 		/* Only TDLS peers can be added */
7757 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7758 			return -EINVAL;
7759 		/* Can only add if TDLS ... */
7760 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7761 			return -EOPNOTSUPP;
7762 		/* ... with external setup is supported */
7763 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7764 			return -EOPNOTSUPP;
7765 		/*
7766 		 * Older wpa_supplicant versions always mark the TDLS peer
7767 		 * as authorized, but it shouldn't yet be.
7768 		 */
7769 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7770 		break;
7771 	default:
7772 		return -EOPNOTSUPP;
7773 	}
7774 
7775 	/* be aware of params.vlan when changing code here */
7776 
7777 	if (wdev->valid_links) {
7778 		if (params.link_sta_params.link_id < 0) {
7779 			err = -EINVAL;
7780 			goto out;
7781 		}
7782 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7783 			err = -ENOLINK;
7784 			goto out;
7785 		}
7786 	} else {
7787 		if (params.link_sta_params.link_id >= 0) {
7788 			err = -EINVAL;
7789 			goto out;
7790 		}
7791 	}
7792 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7793 out:
7794 	dev_put(params.vlan);
7795 	return err;
7796 }
7797 
7798 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7799 {
7800 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7801 	struct net_device *dev = info->user_ptr[1];
7802 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7803 	struct station_del_parameters params;
7804 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7805 
7806 	memset(&params, 0, sizeof(params));
7807 
7808 	if (info->attrs[NL80211_ATTR_MAC])
7809 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7810 
7811 	switch (wdev->iftype) {
7812 	case NL80211_IFTYPE_AP:
7813 	case NL80211_IFTYPE_AP_VLAN:
7814 	case NL80211_IFTYPE_MESH_POINT:
7815 	case NL80211_IFTYPE_P2P_GO:
7816 		/* always accept these */
7817 		break;
7818 	case NL80211_IFTYPE_ADHOC:
7819 		/* conditionally accept */
7820 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7821 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7822 			break;
7823 		return -EINVAL;
7824 	default:
7825 		return -EINVAL;
7826 	}
7827 
7828 	if (!rdev->ops->del_station)
7829 		return -EOPNOTSUPP;
7830 
7831 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7832 		params.subtype =
7833 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7834 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7835 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7836 			return -EINVAL;
7837 	} else {
7838 		/* Default to Deauthentication frame */
7839 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7840 	}
7841 
7842 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7843 		params.reason_code =
7844 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7845 		if (params.reason_code == 0)
7846 			return -EINVAL; /* 0 is reserved */
7847 	} else {
7848 		/* Default to reason code 2 */
7849 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7850 	}
7851 
7852 	/* Link ID not expected in case of non-ML operation */
7853 	if (!wdev->valid_links && link_id != -1)
7854 		return -EINVAL;
7855 
7856 	/* If given, a valid link ID should be passed during MLO */
7857 	if (wdev->valid_links && link_id >= 0 &&
7858 	    !(wdev->valid_links & BIT(link_id)))
7859 		return -EINVAL;
7860 
7861 	params.link_id = link_id;
7862 
7863 	return rdev_del_station(rdev, dev, &params);
7864 }
7865 
7866 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7867 				int flags, struct net_device *dev,
7868 				u8 *dst, u8 *next_hop,
7869 				struct mpath_info *pinfo)
7870 {
7871 	void *hdr;
7872 	struct nlattr *pinfoattr;
7873 
7874 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7875 	if (!hdr)
7876 		return -1;
7877 
7878 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7879 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7880 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7881 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7882 		goto nla_put_failure;
7883 
7884 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7885 	if (!pinfoattr)
7886 		goto nla_put_failure;
7887 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7888 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7889 			pinfo->frame_qlen))
7890 		goto nla_put_failure;
7891 	if (((pinfo->filled & MPATH_INFO_SN) &&
7892 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7893 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7894 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7895 			 pinfo->metric)) ||
7896 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7897 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7898 			 pinfo->exptime)) ||
7899 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7900 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7901 			pinfo->flags)) ||
7902 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7903 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7904 			 pinfo->discovery_timeout)) ||
7905 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7906 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7907 			pinfo->discovery_retries)) ||
7908 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7909 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7910 			pinfo->hop_count)) ||
7911 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7912 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7913 			 pinfo->path_change_count)))
7914 		goto nla_put_failure;
7915 
7916 	nla_nest_end(msg, pinfoattr);
7917 
7918 	genlmsg_end(msg, hdr);
7919 	return 0;
7920 
7921  nla_put_failure:
7922 	genlmsg_cancel(msg, hdr);
7923 	return -EMSGSIZE;
7924 }
7925 
7926 static int nl80211_dump_mpath(struct sk_buff *skb,
7927 			      struct netlink_callback *cb)
7928 {
7929 	struct mpath_info pinfo;
7930 	struct cfg80211_registered_device *rdev;
7931 	struct wireless_dev *wdev;
7932 	u8 dst[ETH_ALEN];
7933 	u8 next_hop[ETH_ALEN];
7934 	int path_idx = cb->args[2];
7935 	int err;
7936 
7937 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7938 	if (err)
7939 		return err;
7940 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7941 	__acquire(&rdev->wiphy.mtx);
7942 
7943 	if (!rdev->ops->dump_mpath) {
7944 		err = -EOPNOTSUPP;
7945 		goto out_err;
7946 	}
7947 
7948 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7949 		err = -EOPNOTSUPP;
7950 		goto out_err;
7951 	}
7952 
7953 	while (1) {
7954 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7955 				      next_hop, &pinfo);
7956 		if (err == -ENOENT)
7957 			break;
7958 		if (err)
7959 			goto out_err;
7960 
7961 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7962 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7963 				       wdev->netdev, dst, next_hop,
7964 				       &pinfo) < 0)
7965 			goto out;
7966 
7967 		path_idx++;
7968 	}
7969 
7970  out:
7971 	cb->args[2] = path_idx;
7972 	err = skb->len;
7973  out_err:
7974 	wiphy_unlock(&rdev->wiphy);
7975 	return err;
7976 }
7977 
7978 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7979 {
7980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7981 	int err;
7982 	struct net_device *dev = info->user_ptr[1];
7983 	struct mpath_info pinfo;
7984 	struct sk_buff *msg;
7985 	u8 *dst = NULL;
7986 	u8 next_hop[ETH_ALEN];
7987 
7988 	memset(&pinfo, 0, sizeof(pinfo));
7989 
7990 	if (!info->attrs[NL80211_ATTR_MAC])
7991 		return -EINVAL;
7992 
7993 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7994 
7995 	if (!rdev->ops->get_mpath)
7996 		return -EOPNOTSUPP;
7997 
7998 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7999 		return -EOPNOTSUPP;
8000 
8001 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
8002 	if (err)
8003 		return err;
8004 
8005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8006 	if (!msg)
8007 		return -ENOMEM;
8008 
8009 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8010 				 dev, dst, next_hop, &pinfo) < 0) {
8011 		nlmsg_free(msg);
8012 		return -ENOBUFS;
8013 	}
8014 
8015 	return genlmsg_reply(msg, info);
8016 }
8017 
8018 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8019 {
8020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8021 	struct net_device *dev = info->user_ptr[1];
8022 	u8 *dst = NULL;
8023 	u8 *next_hop = NULL;
8024 
8025 	if (!info->attrs[NL80211_ATTR_MAC])
8026 		return -EINVAL;
8027 
8028 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8029 		return -EINVAL;
8030 
8031 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8032 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8033 
8034 	if (!rdev->ops->change_mpath)
8035 		return -EOPNOTSUPP;
8036 
8037 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8038 		return -EOPNOTSUPP;
8039 
8040 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8041 }
8042 
8043 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8044 {
8045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8046 	struct net_device *dev = info->user_ptr[1];
8047 	u8 *dst = NULL;
8048 	u8 *next_hop = NULL;
8049 
8050 	if (!info->attrs[NL80211_ATTR_MAC])
8051 		return -EINVAL;
8052 
8053 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8054 		return -EINVAL;
8055 
8056 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8057 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8058 
8059 	if (!rdev->ops->add_mpath)
8060 		return -EOPNOTSUPP;
8061 
8062 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8063 		return -EOPNOTSUPP;
8064 
8065 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8066 }
8067 
8068 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8069 {
8070 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8071 	struct net_device *dev = info->user_ptr[1];
8072 	u8 *dst = NULL;
8073 
8074 	if (info->attrs[NL80211_ATTR_MAC])
8075 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8076 
8077 	if (!rdev->ops->del_mpath)
8078 		return -EOPNOTSUPP;
8079 
8080 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8081 		return -EOPNOTSUPP;
8082 
8083 	return rdev_del_mpath(rdev, dev, dst);
8084 }
8085 
8086 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8087 {
8088 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8089 	int err;
8090 	struct net_device *dev = info->user_ptr[1];
8091 	struct mpath_info pinfo;
8092 	struct sk_buff *msg;
8093 	u8 *dst = NULL;
8094 	u8 mpp[ETH_ALEN];
8095 
8096 	memset(&pinfo, 0, sizeof(pinfo));
8097 
8098 	if (!info->attrs[NL80211_ATTR_MAC])
8099 		return -EINVAL;
8100 
8101 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8102 
8103 	if (!rdev->ops->get_mpp)
8104 		return -EOPNOTSUPP;
8105 
8106 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8107 		return -EOPNOTSUPP;
8108 
8109 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8110 	if (err)
8111 		return err;
8112 
8113 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8114 	if (!msg)
8115 		return -ENOMEM;
8116 
8117 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8118 			       dev, dst, mpp, &pinfo) < 0) {
8119 		nlmsg_free(msg);
8120 		return -ENOBUFS;
8121 	}
8122 
8123 	return genlmsg_reply(msg, info);
8124 }
8125 
8126 static int nl80211_dump_mpp(struct sk_buff *skb,
8127 			    struct netlink_callback *cb)
8128 {
8129 	struct mpath_info pinfo;
8130 	struct cfg80211_registered_device *rdev;
8131 	struct wireless_dev *wdev;
8132 	u8 dst[ETH_ALEN];
8133 	u8 mpp[ETH_ALEN];
8134 	int path_idx = cb->args[2];
8135 	int err;
8136 
8137 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8138 	if (err)
8139 		return err;
8140 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8141 	__acquire(&rdev->wiphy.mtx);
8142 
8143 	if (!rdev->ops->dump_mpp) {
8144 		err = -EOPNOTSUPP;
8145 		goto out_err;
8146 	}
8147 
8148 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8149 		err = -EOPNOTSUPP;
8150 		goto out_err;
8151 	}
8152 
8153 	while (1) {
8154 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8155 				    mpp, &pinfo);
8156 		if (err == -ENOENT)
8157 			break;
8158 		if (err)
8159 			goto out_err;
8160 
8161 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8162 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8163 				       wdev->netdev, dst, mpp,
8164 				       &pinfo) < 0)
8165 			goto out;
8166 
8167 		path_idx++;
8168 	}
8169 
8170  out:
8171 	cb->args[2] = path_idx;
8172 	err = skb->len;
8173  out_err:
8174 	wiphy_unlock(&rdev->wiphy);
8175 	return err;
8176 }
8177 
8178 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8179 {
8180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8181 	struct net_device *dev = info->user_ptr[1];
8182 	struct bss_parameters params;
8183 
8184 	memset(&params, 0, sizeof(params));
8185 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8186 	/* default to not changing parameters */
8187 	params.use_cts_prot = -1;
8188 	params.use_short_preamble = -1;
8189 	params.use_short_slot_time = -1;
8190 	params.ap_isolate = -1;
8191 	params.ht_opmode = -1;
8192 	params.p2p_ctwindow = -1;
8193 	params.p2p_opp_ps = -1;
8194 
8195 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8196 		params.use_cts_prot =
8197 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8198 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8199 		params.use_short_preamble =
8200 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8201 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8202 		params.use_short_slot_time =
8203 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8204 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8205 		params.basic_rates =
8206 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8207 		params.basic_rates_len =
8208 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8209 	}
8210 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8211 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8212 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8213 		params.ht_opmode =
8214 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8215 
8216 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8217 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8218 			return -EINVAL;
8219 		params.p2p_ctwindow =
8220 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8221 		if (params.p2p_ctwindow != 0 &&
8222 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8223 			return -EINVAL;
8224 	}
8225 
8226 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8227 		u8 tmp;
8228 
8229 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8230 			return -EINVAL;
8231 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8232 		params.p2p_opp_ps = tmp;
8233 		if (params.p2p_opp_ps &&
8234 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8235 			return -EINVAL;
8236 	}
8237 
8238 	if (!rdev->ops->change_bss)
8239 		return -EOPNOTSUPP;
8240 
8241 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8242 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8243 		return -EOPNOTSUPP;
8244 
8245 	return rdev_change_bss(rdev, dev, &params);
8246 }
8247 
8248 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8249 {
8250 	char *data = NULL;
8251 	bool is_indoor;
8252 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8253 	u32 owner_nlportid;
8254 
8255 	/*
8256 	 * You should only get this when cfg80211 hasn't yet initialized
8257 	 * completely when built-in to the kernel right between the time
8258 	 * window between nl80211_init() and regulatory_init(), if that is
8259 	 * even possible.
8260 	 */
8261 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8262 		return -EINPROGRESS;
8263 
8264 	user_reg_hint_type =
8265 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
8266 				    NL80211_USER_REG_HINT_USER);
8267 
8268 	switch (user_reg_hint_type) {
8269 	case NL80211_USER_REG_HINT_USER:
8270 	case NL80211_USER_REG_HINT_CELL_BASE:
8271 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8272 			return -EINVAL;
8273 
8274 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8275 		return regulatory_hint_user(data, user_reg_hint_type);
8276 	case NL80211_USER_REG_HINT_INDOOR:
8277 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8278 			owner_nlportid = info->snd_portid;
8279 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8280 		} else {
8281 			owner_nlportid = 0;
8282 			is_indoor = true;
8283 		}
8284 
8285 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8286 		return 0;
8287 	default:
8288 		return -EINVAL;
8289 	}
8290 }
8291 
8292 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8293 {
8294 	return reg_reload_regdb();
8295 }
8296 
8297 static int nl80211_get_mesh_config(struct sk_buff *skb,
8298 				   struct genl_info *info)
8299 {
8300 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8301 	struct net_device *dev = info->user_ptr[1];
8302 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8303 	struct mesh_config cur_params;
8304 	int err = 0;
8305 	void *hdr;
8306 	struct nlattr *pinfoattr;
8307 	struct sk_buff *msg;
8308 
8309 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8310 		return -EOPNOTSUPP;
8311 
8312 	if (!rdev->ops->get_mesh_config)
8313 		return -EOPNOTSUPP;
8314 
8315 	/* If not connected, get default parameters */
8316 	if (!wdev->u.mesh.id_len)
8317 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8318 	else
8319 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8320 
8321 	if (err)
8322 		return err;
8323 
8324 	/* Draw up a netlink message to send back */
8325 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8326 	if (!msg)
8327 		return -ENOMEM;
8328 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8329 			     NL80211_CMD_GET_MESH_CONFIG);
8330 	if (!hdr)
8331 		goto out;
8332 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8333 	if (!pinfoattr)
8334 		goto nla_put_failure;
8335 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8336 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8337 			cur_params.dot11MeshRetryTimeout) ||
8338 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8339 			cur_params.dot11MeshConfirmTimeout) ||
8340 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8341 			cur_params.dot11MeshHoldingTimeout) ||
8342 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8343 			cur_params.dot11MeshMaxPeerLinks) ||
8344 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8345 		       cur_params.dot11MeshMaxRetries) ||
8346 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8347 		       cur_params.dot11MeshTTL) ||
8348 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8349 		       cur_params.element_ttl) ||
8350 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8351 		       cur_params.auto_open_plinks) ||
8352 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8353 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8354 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8355 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8356 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8357 			cur_params.path_refresh_time) ||
8358 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8359 			cur_params.min_discovery_timeout) ||
8360 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8361 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8362 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8363 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8364 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8365 			cur_params.dot11MeshHWMPperrMinInterval) ||
8366 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8367 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8368 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8369 		       cur_params.dot11MeshHWMPRootMode) ||
8370 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8371 			cur_params.dot11MeshHWMPRannInterval) ||
8372 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8373 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8374 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8375 		       cur_params.dot11MeshForwarding) ||
8376 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8377 			cur_params.rssi_threshold) ||
8378 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8379 			cur_params.ht_opmode) ||
8380 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8381 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8382 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8383 			cur_params.dot11MeshHWMProotInterval) ||
8384 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8385 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8386 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8387 			cur_params.power_mode) ||
8388 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8389 			cur_params.dot11MeshAwakeWindowDuration) ||
8390 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8391 			cur_params.plink_timeout) ||
8392 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8393 		       cur_params.dot11MeshConnectedToMeshGate) ||
8394 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8395 		       cur_params.dot11MeshNolearn) ||
8396 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8397 		       cur_params.dot11MeshConnectedToAuthServer))
8398 		goto nla_put_failure;
8399 	nla_nest_end(msg, pinfoattr);
8400 	genlmsg_end(msg, hdr);
8401 	return genlmsg_reply(msg, info);
8402 
8403  nla_put_failure:
8404  out:
8405 	nlmsg_free(msg);
8406 	return -ENOBUFS;
8407 }
8408 
8409 static const struct nla_policy
8410 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8411 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8412 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8413 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8414 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8415 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8416 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8417 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8418 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8419 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8420 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8421 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8422 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8423 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8424 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8425 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8426 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8427 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8428 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8429 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8430 		NLA_POLICY_MIN(NLA_U16, 1),
8431 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8432 		NLA_POLICY_MIN(NLA_U16, 1),
8433 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8434 		NLA_POLICY_MIN(NLA_U16, 1),
8435 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8436 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8437 		NLA_POLICY_MIN(NLA_U16, 1),
8438 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8439 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8440 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8441 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8442 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8443 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8444 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8445 		NLA_POLICY_MIN(NLA_U16, 1),
8446 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8447 		NLA_POLICY_MIN(NLA_U16, 1),
8448 	[NL80211_MESHCONF_POWER_MODE] =
8449 		NLA_POLICY_RANGE(NLA_U32,
8450 				 NL80211_MESH_POWER_ACTIVE,
8451 				 NL80211_MESH_POWER_MAX),
8452 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8453 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8454 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8455 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8456 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8457 };
8458 
8459 static const struct nla_policy
8460 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8461 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8462 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8463 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8464 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8465 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8466 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8467 	[NL80211_MESH_SETUP_IE] =
8468 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8469 				       IEEE80211_MAX_DATA_LEN),
8470 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8471 };
8472 
8473 static int nl80211_parse_mesh_config(struct genl_info *info,
8474 				     struct mesh_config *cfg,
8475 				     u32 *mask_out)
8476 {
8477 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8478 	u32 mask = 0;
8479 	u16 ht_opmode;
8480 
8481 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8482 do {									\
8483 	if (tb[attr]) {							\
8484 		cfg->param = fn(tb[attr]);				\
8485 		mask |= BIT((attr) - 1);				\
8486 	}								\
8487 } while (0)
8488 
8489 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8490 		return -EINVAL;
8491 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8492 		return -EINVAL;
8493 
8494 	/* This makes sure that there aren't more than 32 mesh config
8495 	 * parameters (otherwise our bitfield scheme would not work.) */
8496 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8497 
8498 	/* Fill in the params struct */
8499 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8500 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8501 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8502 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8503 				  nla_get_u16);
8504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8505 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8506 				  nla_get_u16);
8507 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8508 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8509 				  nla_get_u16);
8510 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8511 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8512 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8513 				  NL80211_MESHCONF_TTL, nla_get_u8);
8514 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8515 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8516 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8517 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8518 				  nla_get_u8);
8519 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8520 				  mask,
8521 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8522 				  nla_get_u32);
8523 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8524 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8525 				  nla_get_u8);
8526 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8527 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8528 				  nla_get_u32);
8529 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8530 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8531 		return -EINVAL;
8532 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8533 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8534 				  nla_get_u16);
8535 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8536 				  mask,
8537 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8538 				  nla_get_u32);
8539 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8540 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8541 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8542 		return -EINVAL;
8543 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8544 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8545 				  nla_get_u16);
8546 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8547 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8548 				  nla_get_u16);
8549 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8550 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8551 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8552 				  nla_get_u16);
8553 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8554 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8555 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8556 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8557 				  nla_get_u16);
8558 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8559 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8560 				  nla_get_u8);
8561 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8562 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8563 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8564 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8565 				  nla_get_s32);
8566 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8567 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8568 				  nla_get_u8);
8569 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8570 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8571 				  nla_get_u8);
8572 	/*
8573 	 * Check HT operation mode based on
8574 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8575 	 */
8576 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8577 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8578 
8579 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8580 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8581 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8582 			return -EINVAL;
8583 
8584 		/* NON_HT_STA bit is reserved, but some programs set it */
8585 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8586 
8587 		cfg->ht_opmode = ht_opmode;
8588 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8589 	}
8590 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8591 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8592 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8593 				  nla_get_u32);
8594 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8595 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8596 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8597 		return -EINVAL;
8598 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8599 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8600 				  nla_get_u16);
8601 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8602 				  mask,
8603 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8604 				  nla_get_u16);
8605 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8606 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8607 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8608 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8609 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8610 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8611 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8612 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8613 	if (mask_out)
8614 		*mask_out = mask;
8615 
8616 	return 0;
8617 
8618 #undef FILL_IN_MESH_PARAM_IF_SET
8619 }
8620 
8621 static int nl80211_parse_mesh_setup(struct genl_info *info,
8622 				     struct mesh_setup *setup)
8623 {
8624 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8625 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8626 
8627 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8628 		return -EINVAL;
8629 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8630 		return -EINVAL;
8631 
8632 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8633 		setup->sync_method =
8634 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8635 		 IEEE80211_SYNC_METHOD_VENDOR :
8636 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8637 
8638 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8639 		setup->path_sel_proto =
8640 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8641 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8642 		 IEEE80211_PATH_PROTOCOL_HWMP;
8643 
8644 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8645 		setup->path_metric =
8646 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8647 		 IEEE80211_PATH_METRIC_VENDOR :
8648 		 IEEE80211_PATH_METRIC_AIRTIME;
8649 
8650 	if (tb[NL80211_MESH_SETUP_IE]) {
8651 		struct nlattr *ieattr =
8652 			tb[NL80211_MESH_SETUP_IE];
8653 		setup->ie = nla_data(ieattr);
8654 		setup->ie_len = nla_len(ieattr);
8655 	}
8656 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8657 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8658 		return -EINVAL;
8659 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8660 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8661 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8662 	if (setup->is_secure)
8663 		setup->user_mpm = true;
8664 
8665 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8666 		if (!setup->user_mpm)
8667 			return -EINVAL;
8668 		setup->auth_id =
8669 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8670 	}
8671 
8672 	return 0;
8673 }
8674 
8675 static int nl80211_update_mesh_config(struct sk_buff *skb,
8676 				      struct genl_info *info)
8677 {
8678 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8679 	struct net_device *dev = info->user_ptr[1];
8680 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8681 	struct mesh_config cfg = {};
8682 	u32 mask;
8683 	int err;
8684 
8685 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8686 		return -EOPNOTSUPP;
8687 
8688 	if (!rdev->ops->update_mesh_config)
8689 		return -EOPNOTSUPP;
8690 
8691 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8692 	if (err)
8693 		return err;
8694 
8695 	if (!wdev->u.mesh.id_len)
8696 		err = -ENOLINK;
8697 
8698 	if (!err)
8699 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8700 
8701 	return err;
8702 }
8703 
8704 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8705 			      struct sk_buff *msg)
8706 {
8707 	struct nlattr *nl_reg_rules;
8708 	unsigned int i;
8709 
8710 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8711 	    (regdom->dfs_region &&
8712 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8713 		goto nla_put_failure;
8714 
8715 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8716 	if (!nl_reg_rules)
8717 		goto nla_put_failure;
8718 
8719 	for (i = 0; i < regdom->n_reg_rules; i++) {
8720 		struct nlattr *nl_reg_rule;
8721 		const struct ieee80211_reg_rule *reg_rule;
8722 		const struct ieee80211_freq_range *freq_range;
8723 		const struct ieee80211_power_rule *power_rule;
8724 		unsigned int max_bandwidth_khz;
8725 
8726 		reg_rule = &regdom->reg_rules[i];
8727 		freq_range = &reg_rule->freq_range;
8728 		power_rule = &reg_rule->power_rule;
8729 
8730 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8731 		if (!nl_reg_rule)
8732 			goto nla_put_failure;
8733 
8734 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8735 		if (!max_bandwidth_khz)
8736 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8737 								  reg_rule);
8738 
8739 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8740 				reg_rule->flags) ||
8741 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8742 				freq_range->start_freq_khz) ||
8743 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8744 				freq_range->end_freq_khz) ||
8745 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8746 				max_bandwidth_khz) ||
8747 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8748 				power_rule->max_antenna_gain) ||
8749 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8750 				power_rule->max_eirp) ||
8751 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8752 				reg_rule->dfs_cac_ms))
8753 			goto nla_put_failure;
8754 
8755 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8756 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8757 			       reg_rule->psd))
8758 			goto nla_put_failure;
8759 
8760 		nla_nest_end(msg, nl_reg_rule);
8761 	}
8762 
8763 	nla_nest_end(msg, nl_reg_rules);
8764 	return 0;
8765 
8766 nla_put_failure:
8767 	return -EMSGSIZE;
8768 }
8769 
8770 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8771 {
8772 	const struct ieee80211_regdomain *regdom = NULL;
8773 	struct cfg80211_registered_device *rdev;
8774 	struct wiphy *wiphy = NULL;
8775 	struct sk_buff *msg;
8776 	int err = -EMSGSIZE;
8777 	void *hdr;
8778 
8779 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8780 	if (!msg)
8781 		return -ENOBUFS;
8782 
8783 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8784 			     NL80211_CMD_GET_REG);
8785 	if (!hdr)
8786 		goto put_failure;
8787 
8788 	rtnl_lock();
8789 
8790 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8791 		bool self_managed;
8792 
8793 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8794 		if (IS_ERR(rdev)) {
8795 			err = PTR_ERR(rdev);
8796 			goto nla_put_failure;
8797 		}
8798 
8799 		wiphy = &rdev->wiphy;
8800 		self_managed = wiphy->regulatory_flags &
8801 			       REGULATORY_WIPHY_SELF_MANAGED;
8802 
8803 		rcu_read_lock();
8804 
8805 		regdom = get_wiphy_regdom(wiphy);
8806 
8807 		/* a self-managed-reg device must have a private regdom */
8808 		if (WARN_ON(!regdom && self_managed)) {
8809 			err = -EINVAL;
8810 			goto nla_put_failure_rcu;
8811 		}
8812 
8813 		if (regdom &&
8814 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8815 			goto nla_put_failure_rcu;
8816 	} else {
8817 		rcu_read_lock();
8818 	}
8819 
8820 	if (!wiphy && reg_last_request_cell_base() &&
8821 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8822 			NL80211_USER_REG_HINT_CELL_BASE))
8823 		goto nla_put_failure_rcu;
8824 
8825 	if (!regdom)
8826 		regdom = rcu_dereference(cfg80211_regdomain);
8827 
8828 	if (nl80211_put_regdom(regdom, msg))
8829 		goto nla_put_failure_rcu;
8830 
8831 	rcu_read_unlock();
8832 
8833 	genlmsg_end(msg, hdr);
8834 	rtnl_unlock();
8835 	return genlmsg_reply(msg, info);
8836 
8837 nla_put_failure_rcu:
8838 	rcu_read_unlock();
8839 nla_put_failure:
8840 	rtnl_unlock();
8841 put_failure:
8842 	nlmsg_free(msg);
8843 	return err;
8844 }
8845 
8846 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8847 			       u32 seq, int flags, struct wiphy *wiphy,
8848 			       const struct ieee80211_regdomain *regdom)
8849 {
8850 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8851 				   NL80211_CMD_GET_REG);
8852 
8853 	if (!hdr)
8854 		return -1;
8855 
8856 	genl_dump_check_consistent(cb, hdr);
8857 
8858 	if (nl80211_put_regdom(regdom, msg))
8859 		goto nla_put_failure;
8860 
8861 	if (!wiphy && reg_last_request_cell_base() &&
8862 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8863 			NL80211_USER_REG_HINT_CELL_BASE))
8864 		goto nla_put_failure;
8865 
8866 	if (wiphy &&
8867 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8868 		goto nla_put_failure;
8869 
8870 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8871 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8872 		goto nla_put_failure;
8873 
8874 	genlmsg_end(msg, hdr);
8875 	return 0;
8876 
8877 nla_put_failure:
8878 	genlmsg_cancel(msg, hdr);
8879 	return -EMSGSIZE;
8880 }
8881 
8882 static int nl80211_get_reg_dump(struct sk_buff *skb,
8883 				struct netlink_callback *cb)
8884 {
8885 	const struct ieee80211_regdomain *regdom = NULL;
8886 	struct cfg80211_registered_device *rdev;
8887 	int err, reg_idx, start = cb->args[2];
8888 
8889 	rcu_read_lock();
8890 
8891 	if (cfg80211_regdomain && start == 0) {
8892 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8893 					  NLM_F_MULTI, NULL,
8894 					  rcu_dereference(cfg80211_regdomain));
8895 		if (err < 0)
8896 			goto out_err;
8897 	}
8898 
8899 	/* the global regdom is idx 0 */
8900 	reg_idx = 1;
8901 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8902 		regdom = get_wiphy_regdom(&rdev->wiphy);
8903 		if (!regdom)
8904 			continue;
8905 
8906 		if (++reg_idx <= start)
8907 			continue;
8908 
8909 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8910 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8911 		if (err < 0) {
8912 			reg_idx--;
8913 			break;
8914 		}
8915 	}
8916 
8917 	cb->args[2] = reg_idx;
8918 	err = skb->len;
8919 out_err:
8920 	rcu_read_unlock();
8921 	return err;
8922 }
8923 
8924 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8925 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8926 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8927 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8928 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8929 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8930 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8931 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8932 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8933 };
8934 
8935 static int parse_reg_rule(struct nlattr *tb[],
8936 	struct ieee80211_reg_rule *reg_rule)
8937 {
8938 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8939 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8940 
8941 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8942 		return -EINVAL;
8943 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8944 		return -EINVAL;
8945 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8946 		return -EINVAL;
8947 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8948 		return -EINVAL;
8949 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8950 		return -EINVAL;
8951 
8952 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8953 
8954 	freq_range->start_freq_khz =
8955 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8956 	freq_range->end_freq_khz =
8957 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8958 	freq_range->max_bandwidth_khz =
8959 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8960 
8961 	power_rule->max_eirp =
8962 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8963 
8964 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8965 		power_rule->max_antenna_gain =
8966 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8967 
8968 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8969 		reg_rule->dfs_cac_ms =
8970 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8971 
8972 	return 0;
8973 }
8974 
8975 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8976 {
8977 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8978 	struct nlattr *nl_reg_rule;
8979 	char *alpha2;
8980 	int rem_reg_rules, r;
8981 	u32 num_rules = 0, rule_idx = 0;
8982 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8983 	struct ieee80211_regdomain *rd;
8984 
8985 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8986 		return -EINVAL;
8987 
8988 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8989 		return -EINVAL;
8990 
8991 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8992 
8993 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8994 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8995 
8996 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8997 			    rem_reg_rules) {
8998 		num_rules++;
8999 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
9000 			return -EINVAL;
9001 	}
9002 
9003 	rtnl_lock();
9004 	if (!reg_is_valid_request(alpha2)) {
9005 		r = -EINVAL;
9006 		goto out;
9007 	}
9008 
9009 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
9010 	if (!rd) {
9011 		r = -ENOMEM;
9012 		goto out;
9013 	}
9014 
9015 	rd->n_reg_rules = num_rules;
9016 	rd->alpha2[0] = alpha2[0];
9017 	rd->alpha2[1] = alpha2[1];
9018 
9019 	/*
9020 	 * Disable DFS master mode if the DFS region was
9021 	 * not supported or known on this kernel.
9022 	 */
9023 	if (reg_supported_dfs_region(dfs_region))
9024 		rd->dfs_region = dfs_region;
9025 
9026 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9027 			    rem_reg_rules) {
9028 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9029 						nl_reg_rule, reg_rule_policy,
9030 						info->extack);
9031 		if (r)
9032 			goto bad_reg;
9033 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9034 		if (r)
9035 			goto bad_reg;
9036 
9037 		rule_idx++;
9038 
9039 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9040 			r = -EINVAL;
9041 			goto bad_reg;
9042 		}
9043 	}
9044 
9045 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9046 	/* set_regdom takes ownership of rd */
9047 	rd = NULL;
9048  bad_reg:
9049 	kfree(rd);
9050  out:
9051 	rtnl_unlock();
9052 	return r;
9053 }
9054 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9055 
9056 static int validate_scan_freqs(struct nlattr *freqs)
9057 {
9058 	struct nlattr *attr1, *attr2;
9059 	int n_channels = 0, tmp1, tmp2;
9060 
9061 	nla_for_each_nested(attr1, freqs, tmp1)
9062 		if (nla_len(attr1) != sizeof(u32))
9063 			return 0;
9064 
9065 	nla_for_each_nested(attr1, freqs, tmp1) {
9066 		n_channels++;
9067 		/*
9068 		 * Some hardware has a limited channel list for
9069 		 * scanning, and it is pretty much nonsensical
9070 		 * to scan for a channel twice, so disallow that
9071 		 * and don't require drivers to check that the
9072 		 * channel list they get isn't longer than what
9073 		 * they can scan, as long as they can scan all
9074 		 * the channels they registered at once.
9075 		 */
9076 		nla_for_each_nested(attr2, freqs, tmp2)
9077 			if (attr1 != attr2 &&
9078 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9079 				return 0;
9080 	}
9081 
9082 	return n_channels;
9083 }
9084 
9085 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9086 {
9087 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9088 }
9089 
9090 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9091 			    struct cfg80211_bss_selection *bss_select)
9092 {
9093 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9094 	struct nlattr *nest;
9095 	int err;
9096 	bool found = false;
9097 	int i;
9098 
9099 	/* only process one nested attribute */
9100 	nest = nla_data(nla);
9101 	if (!nla_ok(nest, nla_len(nest)))
9102 		return -EINVAL;
9103 
9104 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9105 					  nest, nl80211_bss_select_policy,
9106 					  NULL);
9107 	if (err)
9108 		return err;
9109 
9110 	/* only one attribute may be given */
9111 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9112 		if (attr[i]) {
9113 			if (found)
9114 				return -EINVAL;
9115 			found = true;
9116 		}
9117 	}
9118 
9119 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9120 
9121 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9122 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9123 
9124 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9125 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9126 		bss_select->param.band_pref =
9127 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9128 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9129 			return -EINVAL;
9130 	}
9131 
9132 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9133 		struct nl80211_bss_select_rssi_adjust *adj_param;
9134 
9135 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9136 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9137 		bss_select->param.adjust.band = adj_param->band;
9138 		bss_select->param.adjust.delta = adj_param->delta;
9139 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9140 			return -EINVAL;
9141 	}
9142 
9143 	/* user-space did not provide behaviour attribute */
9144 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9145 		return -EINVAL;
9146 
9147 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9148 		return -EINVAL;
9149 
9150 	return 0;
9151 }
9152 
9153 int nl80211_parse_random_mac(struct nlattr **attrs,
9154 			     u8 *mac_addr, u8 *mac_addr_mask)
9155 {
9156 	int i;
9157 
9158 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9159 		eth_zero_addr(mac_addr);
9160 		eth_zero_addr(mac_addr_mask);
9161 		mac_addr[0] = 0x2;
9162 		mac_addr_mask[0] = 0x3;
9163 
9164 		return 0;
9165 	}
9166 
9167 	/* need both or none */
9168 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9169 		return -EINVAL;
9170 
9171 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9172 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9173 
9174 	/* don't allow or configure an mcast address */
9175 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9176 	    is_multicast_ether_addr(mac_addr))
9177 		return -EINVAL;
9178 
9179 	/*
9180 	 * allow users to pass a MAC address that has bits set outside
9181 	 * of the mask, but don't bother drivers with having to deal
9182 	 * with such bits
9183 	 */
9184 	for (i = 0; i < ETH_ALEN; i++)
9185 		mac_addr[i] &= mac_addr_mask[i];
9186 
9187 	return 0;
9188 }
9189 
9190 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9191 					      struct ieee80211_channel *chan)
9192 {
9193 	unsigned int link_id;
9194 	bool all_ok = true;
9195 
9196 	lockdep_assert_wiphy(wdev->wiphy);
9197 
9198 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
9199 		return false;
9200 
9201 	if (!cfg80211_beaconing_iface_active(wdev))
9202 		return true;
9203 
9204 	/*
9205 	 * FIXME: check if we have a free HW resource/link for chan
9206 	 *
9207 	 * This, as well as the FIXME below, requires knowing the link
9208 	 * capabilities of the hardware.
9209 	 */
9210 
9211 	/* we cannot leave radar channels */
9212 	for_each_valid_link(wdev, link_id) {
9213 		struct cfg80211_chan_def *chandef;
9214 
9215 		chandef = wdev_chandef(wdev, link_id);
9216 		if (!chandef || !chandef->chan)
9217 			continue;
9218 
9219 		/*
9220 		 * FIXME: don't require all_ok, but rather check only the
9221 		 *	  correct HW resource/link onto which 'chan' falls,
9222 		 *	  as only that link leaves the channel for doing
9223 		 *	  the off-channel operation.
9224 		 */
9225 
9226 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9227 			all_ok = false;
9228 	}
9229 
9230 	if (all_ok)
9231 		return true;
9232 
9233 	return regulatory_pre_cac_allowed(wdev->wiphy);
9234 }
9235 
9236 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9237 				    enum nl80211_ext_feature_index feat)
9238 {
9239 	if (!(flags & flag))
9240 		return true;
9241 	if (wiphy_ext_feature_isset(wiphy, feat))
9242 		return true;
9243 	return false;
9244 }
9245 
9246 static int
9247 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9248 			 void *request, struct nlattr **attrs,
9249 			 bool is_sched_scan)
9250 {
9251 	u8 *mac_addr, *mac_addr_mask;
9252 	u32 *flags;
9253 	enum nl80211_feature_flags randomness_flag;
9254 
9255 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9256 		return 0;
9257 
9258 	if (is_sched_scan) {
9259 		struct cfg80211_sched_scan_request *req = request;
9260 
9261 		randomness_flag = wdev ?
9262 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9263 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9264 		flags = &req->flags;
9265 		mac_addr = req->mac_addr;
9266 		mac_addr_mask = req->mac_addr_mask;
9267 	} else {
9268 		struct cfg80211_scan_request *req = request;
9269 
9270 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9271 		flags = &req->flags;
9272 		mac_addr = req->mac_addr;
9273 		mac_addr_mask = req->mac_addr_mask;
9274 	}
9275 
9276 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9277 
9278 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9279 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9280 	    !nl80211_check_scan_feat(wiphy, *flags,
9281 				     NL80211_SCAN_FLAG_LOW_SPAN,
9282 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9283 	    !nl80211_check_scan_feat(wiphy, *flags,
9284 				     NL80211_SCAN_FLAG_LOW_POWER,
9285 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9286 	    !nl80211_check_scan_feat(wiphy, *flags,
9287 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9288 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9289 	    !nl80211_check_scan_feat(wiphy, *flags,
9290 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9291 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9292 	    !nl80211_check_scan_feat(wiphy, *flags,
9293 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9294 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9295 	    !nl80211_check_scan_feat(wiphy, *flags,
9296 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9297 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9298 	    !nl80211_check_scan_feat(wiphy, *flags,
9299 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9300 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9301 	    !nl80211_check_scan_feat(wiphy, *flags,
9302 				     NL80211_SCAN_FLAG_RANDOM_SN,
9303 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9304 	    !nl80211_check_scan_feat(wiphy, *flags,
9305 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9306 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9307 		return -EOPNOTSUPP;
9308 
9309 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9310 		int err;
9311 
9312 		if (!(wiphy->features & randomness_flag) ||
9313 		    (wdev && wdev->connected))
9314 			return -EOPNOTSUPP;
9315 
9316 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9317 		if (err)
9318 			return err;
9319 	}
9320 
9321 	return 0;
9322 }
9323 
9324 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9325 {
9326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9327 	struct wireless_dev *wdev = info->user_ptr[1];
9328 	struct cfg80211_scan_request *request;
9329 	struct nlattr *scan_freqs = NULL;
9330 	bool scan_freqs_khz = false;
9331 	struct nlattr *attr;
9332 	struct wiphy *wiphy;
9333 	int err, tmp, n_ssids = 0, n_channels, i;
9334 	size_t ie_len, size;
9335 	size_t ssids_offset, ie_offset;
9336 
9337 	wiphy = &rdev->wiphy;
9338 
9339 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9340 		return -EOPNOTSUPP;
9341 
9342 	if (!rdev->ops->scan)
9343 		return -EOPNOTSUPP;
9344 
9345 	if (rdev->scan_req || rdev->scan_msg)
9346 		return -EBUSY;
9347 
9348 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9349 		if (!wiphy_ext_feature_isset(wiphy,
9350 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9351 			return -EOPNOTSUPP;
9352 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9353 		scan_freqs_khz = true;
9354 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9355 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9356 
9357 	if (scan_freqs) {
9358 		n_channels = validate_scan_freqs(scan_freqs);
9359 		if (!n_channels)
9360 			return -EINVAL;
9361 	} else {
9362 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9363 	}
9364 
9365 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9366 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9367 			n_ssids++;
9368 
9369 	if (n_ssids > wiphy->max_scan_ssids)
9370 		return -EINVAL;
9371 
9372 	if (info->attrs[NL80211_ATTR_IE])
9373 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9374 	else
9375 		ie_len = 0;
9376 
9377 	if (ie_len > wiphy->max_scan_ie_len)
9378 		return -EINVAL;
9379 
9380 	size = struct_size(request, channels, n_channels);
9381 	ssids_offset = size;
9382 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9383 	ie_offset = size;
9384 	size = size_add(size, ie_len);
9385 	request = kzalloc(size, GFP_KERNEL);
9386 	if (!request)
9387 		return -ENOMEM;
9388 	request->n_channels = n_channels;
9389 
9390 	if (n_ssids)
9391 		request->ssids = (void *)request + ssids_offset;
9392 	request->n_ssids = n_ssids;
9393 	if (ie_len)
9394 		request->ie = (void *)request + ie_offset;
9395 
9396 	i = 0;
9397 	if (scan_freqs) {
9398 		/* user specified, bail out if channel not found */
9399 		nla_for_each_nested(attr, scan_freqs, tmp) {
9400 			struct ieee80211_channel *chan;
9401 			int freq = nla_get_u32(attr);
9402 
9403 			if (!scan_freqs_khz)
9404 				freq = MHZ_TO_KHZ(freq);
9405 
9406 			chan = ieee80211_get_channel_khz(wiphy, freq);
9407 			if (!chan) {
9408 				err = -EINVAL;
9409 				goto out_free;
9410 			}
9411 
9412 			/* ignore disabled channels */
9413 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
9414 			    !cfg80211_wdev_channel_allowed(wdev, chan))
9415 				continue;
9416 
9417 			request->channels[i] = chan;
9418 			i++;
9419 		}
9420 	} else {
9421 		enum nl80211_band band;
9422 
9423 		/* all channels */
9424 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9425 			int j;
9426 
9427 			if (!wiphy->bands[band])
9428 				continue;
9429 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9430 				struct ieee80211_channel *chan;
9431 
9432 				chan = &wiphy->bands[band]->channels[j];
9433 
9434 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
9435 				    !cfg80211_wdev_channel_allowed(wdev, chan))
9436 					continue;
9437 
9438 				request->channels[i] = chan;
9439 				i++;
9440 			}
9441 		}
9442 	}
9443 
9444 	if (!i) {
9445 		err = -EINVAL;
9446 		goto out_free;
9447 	}
9448 
9449 	request->n_channels = i;
9450 
9451 	for (i = 0; i < request->n_channels; i++) {
9452 		struct ieee80211_channel *chan = request->channels[i];
9453 
9454 		/* if we can go off-channel to the target channel we're good */
9455 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9456 			continue;
9457 
9458 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9459 			err = -EBUSY;
9460 			goto out_free;
9461 		}
9462 	}
9463 
9464 	i = 0;
9465 	if (n_ssids) {
9466 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9467 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9468 				err = -EINVAL;
9469 				goto out_free;
9470 			}
9471 			request->ssids[i].ssid_len = nla_len(attr);
9472 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9473 			i++;
9474 		}
9475 	}
9476 
9477 	if (info->attrs[NL80211_ATTR_IE]) {
9478 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9479 		memcpy((void *)request->ie,
9480 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9481 		       request->ie_len);
9482 	}
9483 
9484 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9485 		if (wiphy->bands[i])
9486 			request->rates[i] =
9487 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9488 
9489 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9490 		nla_for_each_nested(attr,
9491 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9492 				    tmp) {
9493 			enum nl80211_band band = nla_type(attr);
9494 
9495 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9496 				err = -EINVAL;
9497 				goto out_free;
9498 			}
9499 
9500 			if (!wiphy->bands[band])
9501 				continue;
9502 
9503 			err = ieee80211_get_ratemask(wiphy->bands[band],
9504 						     nla_data(attr),
9505 						     nla_len(attr),
9506 						     &request->rates[band]);
9507 			if (err)
9508 				goto out_free;
9509 		}
9510 	}
9511 
9512 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9513 		request->duration =
9514 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9515 		request->duration_mandatory =
9516 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9517 	}
9518 
9519 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9520 				       false);
9521 	if (err)
9522 		goto out_free;
9523 
9524 	request->no_cck =
9525 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9526 
9527 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9528 	 * BSSID to scan for. This was problematic because that same attribute
9529 	 * was already used for another purpose (local random MAC address). The
9530 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9531 	 * compatibility with older userspace components, also use the
9532 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9533 	 * the specific BSSID use case instead of the random MAC address
9534 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9535 	 */
9536 	if (info->attrs[NL80211_ATTR_BSSID])
9537 		memcpy(request->bssid,
9538 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9539 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9540 		 info->attrs[NL80211_ATTR_MAC])
9541 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9542 		       ETH_ALEN);
9543 	else
9544 		eth_broadcast_addr(request->bssid);
9545 
9546 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9547 	request->wdev = wdev;
9548 	request->wiphy = &rdev->wiphy;
9549 	request->scan_start = jiffies;
9550 
9551 	rdev->scan_req = request;
9552 	err = cfg80211_scan(rdev);
9553 
9554 	if (err)
9555 		goto out_free;
9556 
9557 	nl80211_send_scan_start(rdev, wdev);
9558 	dev_hold(wdev->netdev);
9559 
9560 	return 0;
9561 
9562  out_free:
9563 	rdev->scan_req = NULL;
9564 	kfree(request);
9565 
9566 	return err;
9567 }
9568 
9569 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9570 {
9571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9572 	struct wireless_dev *wdev = info->user_ptr[1];
9573 
9574 	if (!rdev->ops->abort_scan)
9575 		return -EOPNOTSUPP;
9576 
9577 	if (rdev->scan_msg)
9578 		return 0;
9579 
9580 	if (!rdev->scan_req)
9581 		return -ENOENT;
9582 
9583 	rdev_abort_scan(rdev, wdev);
9584 	return 0;
9585 }
9586 
9587 static int
9588 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9589 			       struct cfg80211_sched_scan_request *request,
9590 			       struct nlattr **attrs)
9591 {
9592 	int tmp, err, i = 0;
9593 	struct nlattr *attr;
9594 
9595 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9596 		u32 interval;
9597 
9598 		/*
9599 		 * If scan plans are not specified,
9600 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9601 		 * case one scan plan will be set with the specified scan
9602 		 * interval and infinite number of iterations.
9603 		 */
9604 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9605 		if (!interval)
9606 			return -EINVAL;
9607 
9608 		request->scan_plans[0].interval =
9609 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9610 		if (!request->scan_plans[0].interval)
9611 			return -EINVAL;
9612 
9613 		if (request->scan_plans[0].interval >
9614 		    wiphy->max_sched_scan_plan_interval)
9615 			request->scan_plans[0].interval =
9616 				wiphy->max_sched_scan_plan_interval;
9617 
9618 		return 0;
9619 	}
9620 
9621 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9622 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9623 
9624 		if (WARN_ON(i >= n_plans))
9625 			return -EINVAL;
9626 
9627 		err = nla_parse_nested_deprecated(plan,
9628 						  NL80211_SCHED_SCAN_PLAN_MAX,
9629 						  attr, nl80211_plan_policy,
9630 						  NULL);
9631 		if (err)
9632 			return err;
9633 
9634 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9635 			return -EINVAL;
9636 
9637 		request->scan_plans[i].interval =
9638 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9639 		if (!request->scan_plans[i].interval ||
9640 		    request->scan_plans[i].interval >
9641 		    wiphy->max_sched_scan_plan_interval)
9642 			return -EINVAL;
9643 
9644 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9645 			request->scan_plans[i].iterations =
9646 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9647 			if (!request->scan_plans[i].iterations ||
9648 			    (request->scan_plans[i].iterations >
9649 			     wiphy->max_sched_scan_plan_iterations))
9650 				return -EINVAL;
9651 		} else if (i < n_plans - 1) {
9652 			/*
9653 			 * All scan plans but the last one must specify
9654 			 * a finite number of iterations
9655 			 */
9656 			return -EINVAL;
9657 		}
9658 
9659 		i++;
9660 	}
9661 
9662 	/*
9663 	 * The last scan plan must not specify the number of
9664 	 * iterations, it is supposed to run infinitely
9665 	 */
9666 	if (request->scan_plans[n_plans - 1].iterations)
9667 		return  -EINVAL;
9668 
9669 	return 0;
9670 }
9671 
9672 static struct cfg80211_sched_scan_request *
9673 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9674 			 struct nlattr **attrs, int max_match_sets)
9675 {
9676 	struct cfg80211_sched_scan_request *request;
9677 	struct nlattr *attr;
9678 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9679 	enum nl80211_band band;
9680 	size_t ie_len, size;
9681 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9682 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9683 
9684 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9685 		n_channels = validate_scan_freqs(
9686 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9687 		if (!n_channels)
9688 			return ERR_PTR(-EINVAL);
9689 	} else {
9690 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9691 	}
9692 
9693 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9694 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9695 				    tmp)
9696 			n_ssids++;
9697 
9698 	if (n_ssids > wiphy->max_sched_scan_ssids)
9699 		return ERR_PTR(-EINVAL);
9700 
9701 	/*
9702 	 * First, count the number of 'real' matchsets. Due to an issue with
9703 	 * the old implementation, matchsets containing only the RSSI attribute
9704 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9705 	 * RSSI for all matchsets, rather than their own matchset for reporting
9706 	 * all APs with a strong RSSI. This is needed to be compatible with
9707 	 * older userspace that treated a matchset with only the RSSI as the
9708 	 * global RSSI for all other matchsets - if there are other matchsets.
9709 	 */
9710 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9711 		nla_for_each_nested(attr,
9712 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9713 				    tmp) {
9714 			struct nlattr *rssi;
9715 
9716 			err = nla_parse_nested_deprecated(tb,
9717 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9718 							  attr,
9719 							  nl80211_match_policy,
9720 							  NULL);
9721 			if (err)
9722 				return ERR_PTR(err);
9723 
9724 			/* SSID and BSSID are mutually exclusive */
9725 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9726 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9727 				return ERR_PTR(-EINVAL);
9728 
9729 			/* add other standalone attributes here */
9730 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9731 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9732 				n_match_sets++;
9733 				continue;
9734 			}
9735 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9736 			if (rssi)
9737 				default_match_rssi = nla_get_s32(rssi);
9738 		}
9739 	}
9740 
9741 	/* However, if there's no other matchset, add the RSSI one */
9742 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9743 		n_match_sets = 1;
9744 
9745 	if (n_match_sets > max_match_sets)
9746 		return ERR_PTR(-EINVAL);
9747 
9748 	if (attrs[NL80211_ATTR_IE])
9749 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9750 	else
9751 		ie_len = 0;
9752 
9753 	if (ie_len > wiphy->max_sched_scan_ie_len)
9754 		return ERR_PTR(-EINVAL);
9755 
9756 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9757 		/*
9758 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9759 		 * each scan plan already specifies its own interval
9760 		 */
9761 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9762 			return ERR_PTR(-EINVAL);
9763 
9764 		nla_for_each_nested(attr,
9765 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9766 			n_plans++;
9767 	} else {
9768 		/*
9769 		 * The scan interval attribute is kept for backward
9770 		 * compatibility. If no scan plans are specified and sched scan
9771 		 * interval is specified, one scan plan will be set with this
9772 		 * scan interval and infinite number of iterations.
9773 		 */
9774 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9775 			return ERR_PTR(-EINVAL);
9776 
9777 		n_plans = 1;
9778 	}
9779 
9780 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9781 		return ERR_PTR(-EINVAL);
9782 
9783 	if (!wiphy_ext_feature_isset(
9784 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9785 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9786 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9787 		return ERR_PTR(-EINVAL);
9788 
9789 	size = struct_size(request, channels, n_channels);
9790 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9791 	size = size_add(size, array_size(sizeof(*request->match_sets),
9792 					 n_match_sets));
9793 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9794 					 n_plans));
9795 	size = size_add(size, ie_len);
9796 	request = kzalloc(size, GFP_KERNEL);
9797 	if (!request)
9798 		return ERR_PTR(-ENOMEM);
9799 	request->n_channels = n_channels;
9800 
9801 	if (n_ssids)
9802 		request->ssids = (void *)request +
9803 			struct_size(request, channels, n_channels);
9804 	request->n_ssids = n_ssids;
9805 	if (ie_len) {
9806 		if (n_ssids)
9807 			request->ie = (void *)(request->ssids + n_ssids);
9808 		else
9809 			request->ie = (void *)(request->channels + n_channels);
9810 	}
9811 
9812 	if (n_match_sets) {
9813 		if (request->ie)
9814 			request->match_sets = (void *)(request->ie + ie_len);
9815 		else if (n_ssids)
9816 			request->match_sets =
9817 				(void *)(request->ssids + n_ssids);
9818 		else
9819 			request->match_sets =
9820 				(void *)(request->channels + n_channels);
9821 	}
9822 	request->n_match_sets = n_match_sets;
9823 
9824 	if (n_match_sets)
9825 		request->scan_plans = (void *)(request->match_sets +
9826 					       n_match_sets);
9827 	else if (request->ie)
9828 		request->scan_plans = (void *)(request->ie + ie_len);
9829 	else if (n_ssids)
9830 		request->scan_plans = (void *)(request->ssids + n_ssids);
9831 	else
9832 		request->scan_plans = (void *)(request->channels + n_channels);
9833 
9834 	request->n_scan_plans = n_plans;
9835 
9836 	i = 0;
9837 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9838 		/* user specified, bail out if channel not found */
9839 		nla_for_each_nested(attr,
9840 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9841 				    tmp) {
9842 			struct ieee80211_channel *chan;
9843 
9844 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9845 
9846 			if (!chan) {
9847 				err = -EINVAL;
9848 				goto out_free;
9849 			}
9850 
9851 			/* ignore disabled channels */
9852 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9853 				continue;
9854 
9855 			request->channels[i] = chan;
9856 			i++;
9857 		}
9858 	} else {
9859 		/* all channels */
9860 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9861 			int j;
9862 
9863 			if (!wiphy->bands[band])
9864 				continue;
9865 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9866 				struct ieee80211_channel *chan;
9867 
9868 				chan = &wiphy->bands[band]->channels[j];
9869 
9870 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9871 					continue;
9872 
9873 				request->channels[i] = chan;
9874 				i++;
9875 			}
9876 		}
9877 	}
9878 
9879 	if (!i) {
9880 		err = -EINVAL;
9881 		goto out_free;
9882 	}
9883 
9884 	request->n_channels = i;
9885 
9886 	i = 0;
9887 	if (n_ssids) {
9888 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9889 				    tmp) {
9890 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9891 				err = -EINVAL;
9892 				goto out_free;
9893 			}
9894 			request->ssids[i].ssid_len = nla_len(attr);
9895 			memcpy(request->ssids[i].ssid, nla_data(attr),
9896 			       nla_len(attr));
9897 			i++;
9898 		}
9899 	}
9900 
9901 	i = 0;
9902 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9903 		nla_for_each_nested(attr,
9904 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9905 				    tmp) {
9906 			struct nlattr *ssid, *bssid, *rssi;
9907 
9908 			err = nla_parse_nested_deprecated(tb,
9909 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9910 							  attr,
9911 							  nl80211_match_policy,
9912 							  NULL);
9913 			if (err)
9914 				goto out_free;
9915 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9916 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9917 
9918 			if (!ssid && !bssid) {
9919 				i++;
9920 				continue;
9921 			}
9922 
9923 			if (WARN_ON(i >= n_match_sets)) {
9924 				/* this indicates a programming error,
9925 				 * the loop above should have verified
9926 				 * things properly
9927 				 */
9928 				err = -EINVAL;
9929 				goto out_free;
9930 			}
9931 
9932 			if (ssid) {
9933 				memcpy(request->match_sets[i].ssid.ssid,
9934 				       nla_data(ssid), nla_len(ssid));
9935 				request->match_sets[i].ssid.ssid_len =
9936 					nla_len(ssid);
9937 			}
9938 			if (bssid)
9939 				memcpy(request->match_sets[i].bssid,
9940 				       nla_data(bssid), ETH_ALEN);
9941 
9942 			/* special attribute - old implementation w/a */
9943 			request->match_sets[i].rssi_thold = default_match_rssi;
9944 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9945 			if (rssi)
9946 				request->match_sets[i].rssi_thold =
9947 					nla_get_s32(rssi);
9948 			i++;
9949 		}
9950 
9951 		/* there was no other matchset, so the RSSI one is alone */
9952 		if (i == 0 && n_match_sets)
9953 			request->match_sets[0].rssi_thold = default_match_rssi;
9954 
9955 		request->min_rssi_thold = INT_MAX;
9956 		for (i = 0; i < n_match_sets; i++)
9957 			request->min_rssi_thold =
9958 				min(request->match_sets[i].rssi_thold,
9959 				    request->min_rssi_thold);
9960 	} else {
9961 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9962 	}
9963 
9964 	if (ie_len) {
9965 		request->ie_len = ie_len;
9966 		memcpy((void *)request->ie,
9967 		       nla_data(attrs[NL80211_ATTR_IE]),
9968 		       request->ie_len);
9969 	}
9970 
9971 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9972 	if (err)
9973 		goto out_free;
9974 
9975 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9976 		request->delay =
9977 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9978 
9979 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9980 		request->relative_rssi = nla_get_s8(
9981 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9982 		request->relative_rssi_set = true;
9983 	}
9984 
9985 	if (request->relative_rssi_set &&
9986 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9987 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9988 
9989 		rssi_adjust = nla_data(
9990 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9991 		request->rssi_adjust.band = rssi_adjust->band;
9992 		request->rssi_adjust.delta = rssi_adjust->delta;
9993 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9994 			err = -EINVAL;
9995 			goto out_free;
9996 		}
9997 	}
9998 
9999 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
10000 	if (err)
10001 		goto out_free;
10002 
10003 	request->scan_start = jiffies;
10004 
10005 	return request;
10006 
10007 out_free:
10008 	kfree(request);
10009 	return ERR_PTR(err);
10010 }
10011 
10012 static int nl80211_start_sched_scan(struct sk_buff *skb,
10013 				    struct genl_info *info)
10014 {
10015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10016 	struct net_device *dev = info->user_ptr[1];
10017 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10018 	struct cfg80211_sched_scan_request *sched_scan_req;
10019 	bool want_multi;
10020 	int err;
10021 
10022 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10023 		return -EOPNOTSUPP;
10024 
10025 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10026 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10027 	if (err)
10028 		return err;
10029 
10030 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10031 						  info->attrs,
10032 						  rdev->wiphy.max_match_sets);
10033 
10034 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10035 	if (err)
10036 		goto out_err;
10037 
10038 	/* leave request id zero for legacy request
10039 	 * or if driver does not support multi-scheduled scan
10040 	 */
10041 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10042 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10043 
10044 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10045 	if (err)
10046 		goto out_free;
10047 
10048 	sched_scan_req->dev = dev;
10049 	sched_scan_req->wiphy = &rdev->wiphy;
10050 
10051 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10052 		sched_scan_req->owner_nlportid = info->snd_portid;
10053 
10054 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10055 
10056 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10057 	return 0;
10058 
10059 out_free:
10060 	kfree(sched_scan_req);
10061 out_err:
10062 	return err;
10063 }
10064 
10065 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10066 				   struct genl_info *info)
10067 {
10068 	struct cfg80211_sched_scan_request *req;
10069 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10070 	u64 cookie;
10071 
10072 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10073 		return -EOPNOTSUPP;
10074 
10075 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10076 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10077 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10078 	}
10079 
10080 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10081 				     struct cfg80211_sched_scan_request,
10082 				     list);
10083 	if (!req || req->reqid ||
10084 	    (req->owner_nlportid &&
10085 	     req->owner_nlportid != info->snd_portid))
10086 		return -ENOENT;
10087 
10088 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10089 }
10090 
10091 static int nl80211_start_radar_detection(struct sk_buff *skb,
10092 					 struct genl_info *info)
10093 {
10094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10095 	struct net_device *dev = info->user_ptr[1];
10096 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10097 	int link_id = nl80211_link_id(info->attrs);
10098 	struct wiphy *wiphy = wdev->wiphy;
10099 	struct cfg80211_chan_def chandef;
10100 	enum nl80211_dfs_regions dfs_region;
10101 	unsigned int cac_time_ms;
10102 	int err;
10103 
10104 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10105 
10106 	switch (wdev->iftype) {
10107 	case NL80211_IFTYPE_AP:
10108 	case NL80211_IFTYPE_P2P_GO:
10109 	case NL80211_IFTYPE_MESH_POINT:
10110 	case NL80211_IFTYPE_ADHOC:
10111 		break;
10112 	default:
10113 		/* caution - see cfg80211_beaconing_iface_active() below */
10114 		return -EINVAL;
10115 	}
10116 
10117 	guard(wiphy)(wiphy);
10118 
10119 	dfs_region = reg_get_dfs_region(wiphy);
10120 	if (dfs_region == NL80211_DFS_UNSET)
10121 		return -EINVAL;
10122 
10123 	err = nl80211_parse_chandef(rdev, info, &chandef);
10124 	if (err)
10125 		return err;
10126 
10127 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10128 	if (err < 0)
10129 		return err;
10130 
10131 	if (err == 0)
10132 		return -EINVAL;
10133 
10134 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
10135 		return -EINVAL;
10136 
10137 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
10138 		return cfg80211_start_background_radar_detection(rdev, wdev,
10139 								 &chandef);
10140 
10141 	if (cfg80211_beaconing_iface_active(wdev)) {
10142 		/* During MLO other link(s) can beacon, only the current link
10143 		 * can not already beacon
10144 		 */
10145 		if (wdev->valid_links &&
10146 		    !wdev->links[link_id].ap.beacon_interval) {
10147 			/* nothing */
10148 		} else {
10149 			return -EBUSY;
10150 		}
10151 	}
10152 
10153 	if (wdev->links[link_id].cac_started)
10154 		return -EBUSY;
10155 
10156 	/* CAC start is offloaded to HW and can't be started manually */
10157 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
10158 		return -EOPNOTSUPP;
10159 
10160 	if (!rdev->ops->start_radar_detection)
10161 		return -EOPNOTSUPP;
10162 
10163 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10164 	if (WARN_ON(!cac_time_ms))
10165 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10166 
10167 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
10168 					 link_id);
10169 	if (err)
10170 		return err;
10171 
10172 	switch (wdev->iftype) {
10173 	case NL80211_IFTYPE_AP:
10174 	case NL80211_IFTYPE_P2P_GO:
10175 		wdev->links[0].ap.chandef = chandef;
10176 		break;
10177 	case NL80211_IFTYPE_ADHOC:
10178 		wdev->u.ibss.chandef = chandef;
10179 		break;
10180 	case NL80211_IFTYPE_MESH_POINT:
10181 		wdev->u.mesh.chandef = chandef;
10182 		break;
10183 	default:
10184 		break;
10185 	}
10186 	wdev->links[link_id].cac_started = true;
10187 	wdev->links[link_id].cac_start_time = jiffies;
10188 	wdev->links[link_id].cac_time_ms = cac_time_ms;
10189 
10190 	return 0;
10191 }
10192 
10193 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10194 					  struct genl_info *info)
10195 {
10196 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10197 	struct net_device *dev = info->user_ptr[1];
10198 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10199 	struct wiphy *wiphy = wdev->wiphy;
10200 	struct cfg80211_chan_def chandef;
10201 	enum nl80211_dfs_regions dfs_region;
10202 	int err;
10203 
10204 	dfs_region = reg_get_dfs_region(wiphy);
10205 	if (dfs_region == NL80211_DFS_UNSET) {
10206 		GENL_SET_ERR_MSG(info,
10207 				 "DFS Region is not set. Unexpected Radar indication");
10208 		return -EINVAL;
10209 	}
10210 
10211 	err = nl80211_parse_chandef(rdev, info, &chandef);
10212 	if (err) {
10213 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10214 		return err;
10215 	}
10216 
10217 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10218 	if (err < 0) {
10219 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10220 		return err;
10221 	}
10222 
10223 	if (err == 0) {
10224 		GENL_SET_ERR_MSG(info,
10225 				 "Unexpected Radar indication for chandef/iftype");
10226 		return -EINVAL;
10227 	}
10228 
10229 	/* Do not process this notification if radar is already detected
10230 	 * by kernel on this channel, and return success.
10231 	 */
10232 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10233 		return 0;
10234 
10235 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10236 
10237 	cfg80211_sched_dfs_chan_update(rdev);
10238 
10239 	rdev->radar_chandef = chandef;
10240 
10241 	/* Propagate this notification to other radios as well */
10242 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10243 
10244 	return 0;
10245 }
10246 
10247 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10248 					 const u8 *data, size_t datalen,
10249 					 int first_count, struct nlattr *attr,
10250 					 const u16 **offsets, unsigned int *n_offsets)
10251 {
10252 	int i;
10253 
10254 	*n_offsets = 0;
10255 
10256 	if (!attr)
10257 		return 0;
10258 
10259 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10260 		return -EINVAL;
10261 
10262 	*n_offsets = nla_len(attr) / sizeof(u16);
10263 	if (rdev->wiphy.max_num_csa_counters &&
10264 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10265 		return -EINVAL;
10266 
10267 	*offsets = nla_data(attr);
10268 
10269 	/* sanity checks - counters should fit and be the same */
10270 	for (i = 0; i < *n_offsets; i++) {
10271 		u16 offset = (*offsets)[i];
10272 
10273 		if (offset >= datalen)
10274 			return -EINVAL;
10275 
10276 		if (first_count != -1 && data[offset] != first_count)
10277 			return -EINVAL;
10278 	}
10279 
10280 	return 0;
10281 }
10282 
10283 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10284 {
10285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10286 	unsigned int link_id = nl80211_link_id(info->attrs);
10287 	struct net_device *dev = info->user_ptr[1];
10288 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10289 	struct cfg80211_csa_settings params;
10290 	struct nlattr **csa_attrs = NULL;
10291 	int err;
10292 	bool need_new_beacon = false;
10293 	bool need_handle_dfs_flag = true;
10294 	u32 cs_count;
10295 
10296 	if (!rdev->ops->channel_switch ||
10297 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10298 		return -EOPNOTSUPP;
10299 
10300 	switch (dev->ieee80211_ptr->iftype) {
10301 	case NL80211_IFTYPE_AP:
10302 	case NL80211_IFTYPE_P2P_GO:
10303 		need_new_beacon = true;
10304 		/* For all modes except AP the handle_dfs flag needs to be
10305 		 * supplied to tell the kernel that userspace will handle radar
10306 		 * events when they happen. Otherwise a switch to a channel
10307 		 * requiring DFS will be rejected.
10308 		 */
10309 		need_handle_dfs_flag = false;
10310 
10311 		/* useless if AP is not running */
10312 		if (!wdev->links[link_id].ap.beacon_interval)
10313 			return -ENOTCONN;
10314 		break;
10315 	case NL80211_IFTYPE_ADHOC:
10316 		if (!wdev->u.ibss.ssid_len)
10317 			return -ENOTCONN;
10318 		break;
10319 	case NL80211_IFTYPE_MESH_POINT:
10320 		if (!wdev->u.mesh.id_len)
10321 			return -ENOTCONN;
10322 		break;
10323 	default:
10324 		return -EOPNOTSUPP;
10325 	}
10326 
10327 	memset(&params, 0, sizeof(params));
10328 	params.beacon_csa.ftm_responder = -1;
10329 
10330 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10331 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10332 		return -EINVAL;
10333 
10334 	/* only important for AP, IBSS and mesh create IEs internally */
10335 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10336 		return -EINVAL;
10337 
10338 	/* Even though the attribute is u32, the specification says
10339 	 * u8, so let's make sure we don't overflow.
10340 	 */
10341 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10342 	if (cs_count > 255)
10343 		return -EINVAL;
10344 
10345 	params.count = cs_count;
10346 
10347 	if (!need_new_beacon)
10348 		goto skip_beacons;
10349 
10350 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10351 				   info->extack);
10352 	if (err)
10353 		goto free;
10354 
10355 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10356 			    GFP_KERNEL);
10357 	if (!csa_attrs) {
10358 		err = -ENOMEM;
10359 		goto free;
10360 	}
10361 
10362 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10363 					  info->attrs[NL80211_ATTR_CSA_IES],
10364 					  nl80211_policy, info->extack);
10365 	if (err)
10366 		goto free;
10367 
10368 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10369 				   info->extack);
10370 	if (err)
10371 		goto free;
10372 
10373 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10374 		err = -EINVAL;
10375 		goto free;
10376 	}
10377 
10378 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10379 					    params.beacon_csa.tail_len,
10380 					    params.count,
10381 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10382 					    &params.counter_offsets_beacon,
10383 					    &params.n_counter_offsets_beacon);
10384 	if (err)
10385 		goto free;
10386 
10387 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10388 					    params.beacon_csa.probe_resp_len,
10389 					    params.count,
10390 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10391 					    &params.counter_offsets_presp,
10392 					    &params.n_counter_offsets_presp);
10393 	if (err)
10394 		goto free;
10395 
10396 skip_beacons:
10397 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10398 	if (err)
10399 		goto free;
10400 
10401 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10402 					   wdev->iftype)) {
10403 		err = -EINVAL;
10404 		goto free;
10405 	}
10406 
10407 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10408 					    &params.chandef,
10409 					    wdev->iftype);
10410 	if (err < 0)
10411 		goto free;
10412 
10413 	if (err > 0) {
10414 		params.radar_required = true;
10415 		if (need_handle_dfs_flag &&
10416 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10417 			err = -EINVAL;
10418 			goto free;
10419 		}
10420 	}
10421 
10422 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10423 		params.block_tx = true;
10424 
10425 	params.link_id = link_id;
10426 	err = rdev_channel_switch(rdev, dev, &params);
10427 
10428 free:
10429 	kfree(params.beacon_after.mbssid_ies);
10430 	kfree(params.beacon_csa.mbssid_ies);
10431 	kfree(params.beacon_after.rnr_ies);
10432 	kfree(params.beacon_csa.rnr_ies);
10433 	kfree(csa_attrs);
10434 	return err;
10435 }
10436 
10437 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10438 			    u32 seq, int flags,
10439 			    struct cfg80211_registered_device *rdev,
10440 			    struct wireless_dev *wdev,
10441 			    struct cfg80211_internal_bss *intbss)
10442 {
10443 	struct cfg80211_bss *res = &intbss->pub;
10444 	const struct cfg80211_bss_ies *ies;
10445 	unsigned int link_id;
10446 	void *hdr;
10447 	struct nlattr *bss;
10448 
10449 	lockdep_assert_wiphy(wdev->wiphy);
10450 
10451 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10452 			     NL80211_CMD_NEW_SCAN_RESULTS);
10453 	if (!hdr)
10454 		return -1;
10455 
10456 	genl_dump_check_consistent(cb, hdr);
10457 
10458 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10459 		goto nla_put_failure;
10460 	if (wdev->netdev &&
10461 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10462 		goto nla_put_failure;
10463 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10464 			      NL80211_ATTR_PAD))
10465 		goto nla_put_failure;
10466 
10467 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10468 	if (!bss)
10469 		goto nla_put_failure;
10470 	if ((!is_zero_ether_addr(res->bssid) &&
10471 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10472 		goto nla_put_failure;
10473 
10474 	rcu_read_lock();
10475 	/* indicate whether we have probe response data or not */
10476 	if (rcu_access_pointer(res->proberesp_ies) &&
10477 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10478 		goto fail_unlock_rcu;
10479 
10480 	/* this pointer prefers to be pointed to probe response data
10481 	 * but is always valid
10482 	 */
10483 	ies = rcu_dereference(res->ies);
10484 	if (ies) {
10485 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10486 				      NL80211_BSS_PAD))
10487 			goto fail_unlock_rcu;
10488 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10489 					ies->len, ies->data))
10490 			goto fail_unlock_rcu;
10491 	}
10492 
10493 	/* and this pointer is always (unless driver didn't know) beacon data */
10494 	ies = rcu_dereference(res->beacon_ies);
10495 	if (ies && ies->from_beacon) {
10496 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10497 				      NL80211_BSS_PAD))
10498 			goto fail_unlock_rcu;
10499 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10500 					ies->len, ies->data))
10501 			goto fail_unlock_rcu;
10502 	}
10503 	rcu_read_unlock();
10504 
10505 	if (res->beacon_interval &&
10506 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10507 		goto nla_put_failure;
10508 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10509 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10510 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10511 			res->channel->freq_offset) ||
10512 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10513 			jiffies_to_msecs(jiffies - intbss->ts)))
10514 		goto nla_put_failure;
10515 
10516 	if (intbss->parent_tsf &&
10517 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10518 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10519 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10520 		     intbss->parent_bssid)))
10521 		goto nla_put_failure;
10522 
10523 	if (intbss->ts_boottime &&
10524 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10525 			      intbss->ts_boottime, NL80211_BSS_PAD))
10526 		goto nla_put_failure;
10527 
10528 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10529 				intbss->pub.chain_signal,
10530 				NL80211_BSS_CHAIN_SIGNAL))
10531 		goto nla_put_failure;
10532 
10533 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
10534 		switch (rdev->wiphy.signal_type) {
10535 		case CFG80211_SIGNAL_TYPE_MBM:
10536 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
10537 					res->signal))
10538 				goto nla_put_failure;
10539 			break;
10540 		case CFG80211_SIGNAL_TYPE_UNSPEC:
10541 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
10542 				       res->signal))
10543 				goto nla_put_failure;
10544 			break;
10545 		default:
10546 			break;
10547 		}
10548 	}
10549 
10550 	switch (wdev->iftype) {
10551 	case NL80211_IFTYPE_P2P_CLIENT:
10552 	case NL80211_IFTYPE_STATION:
10553 		for_each_valid_link(wdev, link_id) {
10554 			if (intbss == wdev->links[link_id].client.current_bss &&
10555 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10556 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10557 			     (wdev->valid_links &&
10558 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10559 					  link_id) ||
10560 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10561 				       wdev->u.client.connected_addr)))))
10562 				goto nla_put_failure;
10563 		}
10564 		break;
10565 	case NL80211_IFTYPE_ADHOC:
10566 		if (intbss == wdev->u.ibss.current_bss &&
10567 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10568 				NL80211_BSS_STATUS_IBSS_JOINED))
10569 			goto nla_put_failure;
10570 		break;
10571 	default:
10572 		break;
10573 	}
10574 
10575 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10576 		goto nla_put_failure;
10577 
10578 	if (res->cannot_use_reasons &&
10579 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10580 			      res->cannot_use_reasons,
10581 			      NL80211_BSS_PAD))
10582 		goto nla_put_failure;
10583 
10584 	nla_nest_end(msg, bss);
10585 
10586 	genlmsg_end(msg, hdr);
10587 	return 0;
10588 
10589  fail_unlock_rcu:
10590 	rcu_read_unlock();
10591  nla_put_failure:
10592 	genlmsg_cancel(msg, hdr);
10593 	return -EMSGSIZE;
10594 }
10595 
10596 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10597 {
10598 	struct cfg80211_registered_device *rdev;
10599 	struct cfg80211_internal_bss *scan;
10600 	struct wireless_dev *wdev;
10601 	struct nlattr **attrbuf;
10602 	int start = cb->args[2], idx = 0;
10603 	bool dump_include_use_data;
10604 	int err;
10605 
10606 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10607 	if (!attrbuf)
10608 		return -ENOMEM;
10609 
10610 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10611 	if (err) {
10612 		kfree(attrbuf);
10613 		return err;
10614 	}
10615 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10616 	__acquire(&rdev->wiphy.mtx);
10617 
10618 	dump_include_use_data =
10619 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10620 	kfree(attrbuf);
10621 
10622 	spin_lock_bh(&rdev->bss_lock);
10623 
10624 	/*
10625 	 * dump_scan will be called multiple times to break up the scan results
10626 	 * into multiple messages.  It is unlikely that any more bss-es will be
10627 	 * expired after the first call, so only call only call this on the
10628 	 * first dump_scan invocation.
10629 	 */
10630 	if (start == 0)
10631 		cfg80211_bss_expire(rdev);
10632 
10633 	cb->seq = rdev->bss_generation;
10634 
10635 	list_for_each_entry(scan, &rdev->bss_list, list) {
10636 		if (++idx <= start)
10637 			continue;
10638 		if (!dump_include_use_data &&
10639 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10640 			continue;
10641 		if (nl80211_send_bss(skb, cb,
10642 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10643 				rdev, wdev, scan) < 0) {
10644 			idx--;
10645 			break;
10646 		}
10647 	}
10648 
10649 	spin_unlock_bh(&rdev->bss_lock);
10650 
10651 	cb->args[2] = idx;
10652 	wiphy_unlock(&rdev->wiphy);
10653 
10654 	return skb->len;
10655 }
10656 
10657 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10658 			       int flags, struct net_device *dev,
10659 			       bool allow_radio_stats,
10660 			       struct survey_info *survey)
10661 {
10662 	void *hdr;
10663 	struct nlattr *infoattr;
10664 
10665 	/* skip radio stats if userspace didn't request them */
10666 	if (!survey->channel && !allow_radio_stats)
10667 		return 0;
10668 
10669 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10670 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10671 	if (!hdr)
10672 		return -ENOMEM;
10673 
10674 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10675 		goto nla_put_failure;
10676 
10677 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10678 	if (!infoattr)
10679 		goto nla_put_failure;
10680 
10681 	if (survey->channel &&
10682 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10683 			survey->channel->center_freq))
10684 		goto nla_put_failure;
10685 
10686 	if (survey->channel && survey->channel->freq_offset &&
10687 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10688 			survey->channel->freq_offset))
10689 		goto nla_put_failure;
10690 
10691 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10692 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10693 		goto nla_put_failure;
10694 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10695 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10696 		goto nla_put_failure;
10697 	if ((survey->filled & SURVEY_INFO_TIME) &&
10698 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10699 			survey->time, NL80211_SURVEY_INFO_PAD))
10700 		goto nla_put_failure;
10701 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10702 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10703 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10704 		goto nla_put_failure;
10705 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10706 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10707 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10708 		goto nla_put_failure;
10709 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10710 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10711 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10712 		goto nla_put_failure;
10713 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10714 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10715 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10716 		goto nla_put_failure;
10717 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10718 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10719 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10720 		goto nla_put_failure;
10721 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10722 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10723 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10724 		goto nla_put_failure;
10725 
10726 	nla_nest_end(msg, infoattr);
10727 
10728 	genlmsg_end(msg, hdr);
10729 	return 0;
10730 
10731  nla_put_failure:
10732 	genlmsg_cancel(msg, hdr);
10733 	return -EMSGSIZE;
10734 }
10735 
10736 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10737 {
10738 	struct nlattr **attrbuf;
10739 	struct survey_info survey;
10740 	struct cfg80211_registered_device *rdev;
10741 	struct wireless_dev *wdev;
10742 	int survey_idx = cb->args[2];
10743 	int res;
10744 	bool radio_stats;
10745 
10746 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10747 	if (!attrbuf)
10748 		return -ENOMEM;
10749 
10750 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10751 	if (res) {
10752 		kfree(attrbuf);
10753 		return res;
10754 	}
10755 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10756 	__acquire(&rdev->wiphy.mtx);
10757 
10758 	/* prepare_wdev_dump parsed the attributes */
10759 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10760 
10761 	if (!wdev->netdev) {
10762 		res = -EINVAL;
10763 		goto out_err;
10764 	}
10765 
10766 	if (!rdev->ops->dump_survey) {
10767 		res = -EOPNOTSUPP;
10768 		goto out_err;
10769 	}
10770 
10771 	while (1) {
10772 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10773 		if (res == -ENOENT)
10774 			break;
10775 		if (res)
10776 			goto out_err;
10777 
10778 		/* don't send disabled channels, but do send non-channel data */
10779 		if (survey.channel &&
10780 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10781 			survey_idx++;
10782 			continue;
10783 		}
10784 
10785 		if (nl80211_send_survey(skb,
10786 				NETLINK_CB(cb->skb).portid,
10787 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10788 				wdev->netdev, radio_stats, &survey) < 0)
10789 			goto out;
10790 		survey_idx++;
10791 	}
10792 
10793  out:
10794 	cb->args[2] = survey_idx;
10795 	res = skb->len;
10796  out_err:
10797 	kfree(attrbuf);
10798 	wiphy_unlock(&rdev->wiphy);
10799 	return res;
10800 }
10801 
10802 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10803 {
10804 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10805 	struct net_device *dev = info->user_ptr[1];
10806 	struct ieee80211_channel *chan;
10807 	const u8 *bssid, *ssid;
10808 	int err, ssid_len;
10809 	enum nl80211_auth_type auth_type;
10810 	struct key_parse key;
10811 	bool local_state_change;
10812 	struct cfg80211_auth_request req = {};
10813 	u32 freq;
10814 
10815 	if (!info->attrs[NL80211_ATTR_MAC])
10816 		return -EINVAL;
10817 
10818 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10819 		return -EINVAL;
10820 
10821 	if (!info->attrs[NL80211_ATTR_SSID])
10822 		return -EINVAL;
10823 
10824 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10825 		return -EINVAL;
10826 
10827 	err = nl80211_parse_key(info, &key);
10828 	if (err)
10829 		return err;
10830 
10831 	if (key.idx >= 0) {
10832 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10833 			return -EINVAL;
10834 		if (!key.p.key || !key.p.key_len)
10835 			return -EINVAL;
10836 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10837 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10838 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10839 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10840 			return -EINVAL;
10841 		if (key.idx > 3)
10842 			return -EINVAL;
10843 	} else {
10844 		key.p.key_len = 0;
10845 		key.p.key = NULL;
10846 	}
10847 
10848 	if (key.idx >= 0) {
10849 		int i;
10850 		bool ok = false;
10851 
10852 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10853 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10854 				ok = true;
10855 				break;
10856 			}
10857 		}
10858 		if (!ok)
10859 			return -EINVAL;
10860 	}
10861 
10862 	if (!rdev->ops->auth)
10863 		return -EOPNOTSUPP;
10864 
10865 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10866 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10867 		return -EOPNOTSUPP;
10868 
10869 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10870 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10871 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10872 		freq +=
10873 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10874 
10875 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10876 	if (!chan)
10877 		return -EINVAL;
10878 
10879 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10880 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10881 
10882 	if (info->attrs[NL80211_ATTR_IE]) {
10883 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10884 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10885 	}
10886 
10887 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
10888 		req.supported_selectors =
10889 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
10890 		req.supported_selectors_len =
10891 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
10892 	}
10893 
10894 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10895 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10896 		return -EINVAL;
10897 
10898 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10899 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10900 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10901 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10902 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10903 		return -EINVAL;
10904 
10905 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10906 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10907 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10908 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10909 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10910 			return -EINVAL;
10911 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10912 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10913 	}
10914 
10915 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10916 
10917 	/*
10918 	 * Since we no longer track auth state, ignore
10919 	 * requests to only change local state.
10920 	 */
10921 	if (local_state_change)
10922 		return 0;
10923 
10924 	req.auth_type = auth_type;
10925 	req.key = key.p.key;
10926 	req.key_len = key.p.key_len;
10927 	req.key_idx = key.idx;
10928 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10929 	if (req.link_id >= 0) {
10930 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10931 			return -EINVAL;
10932 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10933 			return -EINVAL;
10934 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10935 		if (!is_valid_ether_addr(req.ap_mld_addr))
10936 			return -EINVAL;
10937 	}
10938 
10939 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10940 				   IEEE80211_BSS_TYPE_ESS,
10941 				   IEEE80211_PRIVACY_ANY);
10942 	if (!req.bss)
10943 		return -ENOENT;
10944 
10945 	err = cfg80211_mlme_auth(rdev, dev, &req);
10946 
10947 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10948 
10949 	return err;
10950 }
10951 
10952 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10953 				     struct genl_info *info)
10954 {
10955 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10956 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10957 		return -EINVAL;
10958 	}
10959 
10960 	if (!rdev->ops->tx_control_port ||
10961 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10962 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10963 		return -EOPNOTSUPP;
10964 
10965 	return 0;
10966 }
10967 
10968 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10969 				   struct genl_info *info,
10970 				   struct cfg80211_crypto_settings *settings,
10971 				   int cipher_limit)
10972 {
10973 	memset(settings, 0, sizeof(*settings));
10974 
10975 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10976 
10977 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10978 		u16 proto;
10979 
10980 		proto = nla_get_u16(
10981 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10982 		settings->control_port_ethertype = cpu_to_be16(proto);
10983 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10984 		    proto != ETH_P_PAE)
10985 			return -EINVAL;
10986 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10987 			settings->control_port_no_encrypt = true;
10988 	} else
10989 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10990 
10991 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10992 		int r = validate_pae_over_nl80211(rdev, info);
10993 
10994 		if (r < 0)
10995 			return r;
10996 
10997 		settings->control_port_over_nl80211 = true;
10998 
10999 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
11000 			settings->control_port_no_preauth = true;
11001 	}
11002 
11003 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
11004 		void *data;
11005 		int len, i;
11006 
11007 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11008 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11009 		settings->n_ciphers_pairwise = len / sizeof(u32);
11010 
11011 		if (len % sizeof(u32))
11012 			return -EINVAL;
11013 
11014 		if (settings->n_ciphers_pairwise > cipher_limit)
11015 			return -EINVAL;
11016 
11017 		memcpy(settings->ciphers_pairwise, data, len);
11018 
11019 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
11020 			if (!cfg80211_supported_cipher_suite(
11021 					&rdev->wiphy,
11022 					settings->ciphers_pairwise[i]))
11023 				return -EINVAL;
11024 	}
11025 
11026 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
11027 		settings->cipher_group =
11028 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
11029 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
11030 						     settings->cipher_group))
11031 			return -EINVAL;
11032 	}
11033 
11034 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
11035 		settings->wpa_versions =
11036 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
11037 
11038 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
11039 		void *data;
11040 		int len;
11041 
11042 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
11043 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
11044 		settings->n_akm_suites = len / sizeof(u32);
11045 
11046 		if (len % sizeof(u32))
11047 			return -EINVAL;
11048 
11049 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11050 			return -EINVAL;
11051 
11052 		memcpy(settings->akm_suites, data, len);
11053 	}
11054 
11055 	if (info->attrs[NL80211_ATTR_PMK]) {
11056 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11057 			return -EINVAL;
11058 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11059 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11060 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11061 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11062 			return -EINVAL;
11063 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11064 	}
11065 
11066 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11067 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11068 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11069 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11070 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11071 			return -EINVAL;
11072 		settings->sae_pwd =
11073 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11074 		settings->sae_pwd_len =
11075 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11076 	}
11077 
11078 	settings->sae_pwe =
11079 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
11080 				   NL80211_SAE_PWE_UNSPECIFIED);
11081 
11082 	return 0;
11083 }
11084 
11085 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11086 					      const u8 *ssid, int ssid_len,
11087 					      struct nlattr **attrs,
11088 					      int assoc_link_id, int link_id)
11089 {
11090 	struct ieee80211_channel *chan;
11091 	struct cfg80211_bss *bss;
11092 	const u8 *bssid;
11093 	u32 freq, use_for = 0;
11094 
11095 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11096 		return ERR_PTR(-EINVAL);
11097 
11098 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11099 
11100 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11101 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11102 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11103 
11104 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11105 	if (!chan)
11106 		return ERR_PTR(-EINVAL);
11107 
11108 	if (assoc_link_id >= 0)
11109 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11110 	if (assoc_link_id == link_id)
11111 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11112 
11113 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11114 				 ssid, ssid_len,
11115 				 IEEE80211_BSS_TYPE_ESS,
11116 				 IEEE80211_PRIVACY_ANY,
11117 				 use_for);
11118 	if (!bss)
11119 		return ERR_PTR(-ENOENT);
11120 
11121 	return bss;
11122 }
11123 
11124 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
11125 				 struct cfg80211_assoc_link *links,
11126 				 int assoc_link_id,
11127 				 const u8 *ssid, int ssid_len,
11128 				 struct genl_info *info)
11129 {
11130 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
11131 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
11132 	struct nlattr *link;
11133 	unsigned int link_id;
11134 	int rem, err;
11135 
11136 	if (!attrs)
11137 		return -ENOMEM;
11138 
11139 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
11140 		memset(attrs, 0, attrsize);
11141 
11142 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
11143 
11144 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11145 			NL_SET_BAD_ATTR(info->extack, link);
11146 			return -EINVAL;
11147 		}
11148 
11149 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11150 		/* cannot use the same link ID again */
11151 		if (links[link_id].bss) {
11152 			NL_SET_BAD_ATTR(info->extack, link);
11153 			return -EINVAL;
11154 		}
11155 		links[link_id].bss =
11156 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11157 					  assoc_link_id, link_id);
11158 		if (IS_ERR(links[link_id].bss)) {
11159 			err = PTR_ERR(links[link_id].bss);
11160 			links[link_id].bss = NULL;
11161 			NL_SET_ERR_MSG_ATTR(info->extack, link,
11162 					    "Error fetching BSS for link");
11163 			return err;
11164 		}
11165 
11166 		if (attrs[NL80211_ATTR_IE]) {
11167 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
11168 			links[link_id].elems_len =
11169 				nla_len(attrs[NL80211_ATTR_IE]);
11170 
11171 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11172 					       links[link_id].elems,
11173 					       links[link_id].elems_len)) {
11174 				NL_SET_ERR_MSG_ATTR(info->extack,
11175 						    attrs[NL80211_ATTR_IE],
11176 						    "cannot deal with fragmentation");
11177 				return -EINVAL;
11178 			}
11179 
11180 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11181 						   links[link_id].elems,
11182 						   links[link_id].elems_len)) {
11183 				NL_SET_ERR_MSG_ATTR(info->extack,
11184 						    attrs[NL80211_ATTR_IE],
11185 						    "cannot deal with non-inheritance");
11186 				return -EINVAL;
11187 			}
11188 		}
11189 
11190 		links[link_id].disabled =
11191 			nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11192 	}
11193 
11194 	return 0;
11195 }
11196 
11197 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11198 {
11199 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11200 	struct net_device *dev = info->user_ptr[1];
11201 	struct cfg80211_assoc_request req = {};
11202 	const u8 *ap_addr, *ssid;
11203 	unsigned int link_id;
11204 	int err, ssid_len;
11205 
11206 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11207 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11208 		return -EPERM;
11209 
11210 	if (!info->attrs[NL80211_ATTR_SSID])
11211 		return -EINVAL;
11212 
11213 	if (!rdev->ops->assoc)
11214 		return -EOPNOTSUPP;
11215 
11216 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11217 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11218 		return -EOPNOTSUPP;
11219 
11220 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11221 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11222 
11223 	if (info->attrs[NL80211_ATTR_IE]) {
11224 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11225 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11226 
11227 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11228 					   req.ie, req.ie_len)) {
11229 			NL_SET_ERR_MSG_ATTR(info->extack,
11230 					    info->attrs[NL80211_ATTR_IE],
11231 					    "non-inheritance makes no sense");
11232 			return -EINVAL;
11233 		}
11234 	}
11235 
11236 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11237 		enum nl80211_mfp mfp =
11238 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11239 		if (mfp == NL80211_MFP_REQUIRED)
11240 			req.use_mfp = true;
11241 		else if (mfp != NL80211_MFP_NO)
11242 			return -EINVAL;
11243 	}
11244 
11245 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11246 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11247 
11248 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
11249 		req.supported_selectors =
11250 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11251 		req.supported_selectors_len =
11252 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11253 	}
11254 
11255 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11256 		req.flags |= ASSOC_REQ_DISABLE_HT;
11257 
11258 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11259 		memcpy(&req.ht_capa_mask,
11260 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11261 		       sizeof(req.ht_capa_mask));
11262 
11263 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11264 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11265 			return -EINVAL;
11266 		memcpy(&req.ht_capa,
11267 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11268 		       sizeof(req.ht_capa));
11269 	}
11270 
11271 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11272 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11273 
11274 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11275 		req.flags |= ASSOC_REQ_DISABLE_HE;
11276 
11277 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11278 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11279 
11280 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11281 		memcpy(&req.vht_capa_mask,
11282 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11283 		       sizeof(req.vht_capa_mask));
11284 
11285 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11286 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11287 			return -EINVAL;
11288 		memcpy(&req.vht_capa,
11289 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11290 		       sizeof(req.vht_capa));
11291 	}
11292 
11293 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11294 		if (!((rdev->wiphy.features &
11295 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11296 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11297 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11298 					     NL80211_EXT_FEATURE_RRM))
11299 			return -EINVAL;
11300 		req.flags |= ASSOC_REQ_USE_RRM;
11301 	}
11302 
11303 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11304 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11305 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11306 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11307 			return -EINVAL;
11308 		req.fils_nonces =
11309 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11310 	}
11311 
11312 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11313 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11314 			return -EINVAL;
11315 		memcpy(&req.s1g_capa_mask,
11316 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11317 		       sizeof(req.s1g_capa_mask));
11318 	}
11319 
11320 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11321 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11322 			return -EINVAL;
11323 		memcpy(&req.s1g_capa,
11324 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11325 		       sizeof(req.s1g_capa));
11326 	}
11327 
11328 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11329 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11330 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11331 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11332 			return -EINVAL;
11333 		}
11334 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11335 	}
11336 
11337 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11338 
11339 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11340 		if (req.link_id < 0)
11341 			return -EINVAL;
11342 
11343 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11344 			return -EINVAL;
11345 
11346 		if (info->attrs[NL80211_ATTR_MAC] ||
11347 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11348 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11349 			return -EINVAL;
11350 
11351 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11352 		ap_addr = req.ap_mld_addr;
11353 
11354 		err = nl80211_process_links(rdev, req.links, req.link_id,
11355 					    ssid, ssid_len, info);
11356 		if (err)
11357 			goto free;
11358 
11359 		if (!req.links[req.link_id].bss) {
11360 			err = -EINVAL;
11361 			goto free;
11362 		}
11363 
11364 		if (req.links[req.link_id].elems_len) {
11365 			GENL_SET_ERR_MSG(info,
11366 					 "cannot have per-link elems on assoc link");
11367 			err = -EINVAL;
11368 			goto free;
11369 		}
11370 
11371 		if (req.links[req.link_id].disabled) {
11372 			GENL_SET_ERR_MSG(info,
11373 					 "cannot have assoc link disabled");
11374 			err = -EINVAL;
11375 			goto free;
11376 		}
11377 	} else {
11378 		if (req.link_id >= 0)
11379 			return -EINVAL;
11380 
11381 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11382 					    -1, -1);
11383 		if (IS_ERR(req.bss))
11384 			return PTR_ERR(req.bss);
11385 		ap_addr = req.bss->bssid;
11386 	}
11387 
11388 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11389 	if (!err) {
11390 		struct nlattr *link;
11391 		int rem = 0;
11392 
11393 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11394 					  info->extack);
11395 
11396 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11397 			dev->ieee80211_ptr->conn_owner_nlportid =
11398 				info->snd_portid;
11399 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11400 			       ap_addr, ETH_ALEN);
11401 		}
11402 
11403 		/* Report error from first problematic link */
11404 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11405 			nla_for_each_nested(link,
11406 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11407 					    rem) {
11408 				struct nlattr *link_id_attr =
11409 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11410 
11411 				if (!link_id_attr)
11412 					continue;
11413 
11414 				link_id = nla_get_u8(link_id_attr);
11415 
11416 				if (link_id == req.link_id)
11417 					continue;
11418 
11419 				if (!req.links[link_id].error ||
11420 				    WARN_ON(req.links[link_id].error > 0))
11421 					continue;
11422 
11423 				WARN_ON(err >= 0);
11424 
11425 				NL_SET_BAD_ATTR(info->extack, link);
11426 				err = req.links[link_id].error;
11427 				break;
11428 			}
11429 		}
11430 	}
11431 
11432 free:
11433 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11434 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11435 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11436 
11437 	return err;
11438 }
11439 
11440 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11441 {
11442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11443 	struct net_device *dev = info->user_ptr[1];
11444 	const u8 *ie = NULL, *bssid;
11445 	int ie_len = 0;
11446 	u16 reason_code;
11447 	bool local_state_change;
11448 
11449 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11450 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11451 		return -EPERM;
11452 
11453 	if (!info->attrs[NL80211_ATTR_MAC])
11454 		return -EINVAL;
11455 
11456 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11457 		return -EINVAL;
11458 
11459 	if (!rdev->ops->deauth)
11460 		return -EOPNOTSUPP;
11461 
11462 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11463 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11464 		return -EOPNOTSUPP;
11465 
11466 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11467 
11468 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11469 	if (reason_code == 0) {
11470 		/* Reason Code 0 is reserved */
11471 		return -EINVAL;
11472 	}
11473 
11474 	if (info->attrs[NL80211_ATTR_IE]) {
11475 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11476 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11477 	}
11478 
11479 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11480 
11481 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11482 				    local_state_change);
11483 }
11484 
11485 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11486 {
11487 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11488 	struct net_device *dev = info->user_ptr[1];
11489 	const u8 *ie = NULL, *bssid;
11490 	int ie_len = 0;
11491 	u16 reason_code;
11492 	bool local_state_change;
11493 
11494 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11495 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11496 		return -EPERM;
11497 
11498 	if (!info->attrs[NL80211_ATTR_MAC])
11499 		return -EINVAL;
11500 
11501 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11502 		return -EINVAL;
11503 
11504 	if (!rdev->ops->disassoc)
11505 		return -EOPNOTSUPP;
11506 
11507 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11508 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11509 		return -EOPNOTSUPP;
11510 
11511 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11512 
11513 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11514 	if (reason_code == 0) {
11515 		/* Reason Code 0 is reserved */
11516 		return -EINVAL;
11517 	}
11518 
11519 	if (info->attrs[NL80211_ATTR_IE]) {
11520 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11521 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11522 	}
11523 
11524 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11525 
11526 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11527 				      local_state_change);
11528 }
11529 
11530 static bool
11531 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11532 			 int mcast_rate[NUM_NL80211_BANDS],
11533 			 int rateval)
11534 {
11535 	struct wiphy *wiphy = &rdev->wiphy;
11536 	bool found = false;
11537 	int band, i;
11538 
11539 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11540 		struct ieee80211_supported_band *sband;
11541 
11542 		sband = wiphy->bands[band];
11543 		if (!sband)
11544 			continue;
11545 
11546 		for (i = 0; i < sband->n_bitrates; i++) {
11547 			if (sband->bitrates[i].bitrate == rateval) {
11548 				mcast_rate[band] = i + 1;
11549 				found = true;
11550 				break;
11551 			}
11552 		}
11553 	}
11554 
11555 	return found;
11556 }
11557 
11558 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11559 {
11560 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11561 	struct net_device *dev = info->user_ptr[1];
11562 	struct cfg80211_ibss_params ibss;
11563 	struct wiphy *wiphy;
11564 	struct cfg80211_cached_keys *connkeys = NULL;
11565 	int err;
11566 
11567 	memset(&ibss, 0, sizeof(ibss));
11568 
11569 	if (!info->attrs[NL80211_ATTR_SSID] ||
11570 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11571 		return -EINVAL;
11572 
11573 	ibss.beacon_interval = 100;
11574 
11575 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11576 		ibss.beacon_interval =
11577 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11578 
11579 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11580 					   ibss.beacon_interval);
11581 	if (err)
11582 		return err;
11583 
11584 	if (!rdev->ops->join_ibss)
11585 		return -EOPNOTSUPP;
11586 
11587 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11588 		return -EOPNOTSUPP;
11589 
11590 	wiphy = &rdev->wiphy;
11591 
11592 	if (info->attrs[NL80211_ATTR_MAC]) {
11593 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11594 
11595 		if (!is_valid_ether_addr(ibss.bssid))
11596 			return -EINVAL;
11597 	}
11598 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11599 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11600 
11601 	if (info->attrs[NL80211_ATTR_IE]) {
11602 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11603 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11604 	}
11605 
11606 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11607 	if (err)
11608 		return err;
11609 
11610 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11611 				     NL80211_IFTYPE_ADHOC))
11612 		return -EINVAL;
11613 
11614 	switch (ibss.chandef.width) {
11615 	case NL80211_CHAN_WIDTH_5:
11616 	case NL80211_CHAN_WIDTH_10:
11617 	case NL80211_CHAN_WIDTH_20_NOHT:
11618 		break;
11619 	case NL80211_CHAN_WIDTH_20:
11620 	case NL80211_CHAN_WIDTH_40:
11621 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11622 			return -EINVAL;
11623 		break;
11624 	case NL80211_CHAN_WIDTH_80:
11625 	case NL80211_CHAN_WIDTH_80P80:
11626 	case NL80211_CHAN_WIDTH_160:
11627 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11628 			return -EINVAL;
11629 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11630 					     NL80211_EXT_FEATURE_VHT_IBSS))
11631 			return -EINVAL;
11632 		break;
11633 	case NL80211_CHAN_WIDTH_320:
11634 		return -EINVAL;
11635 	default:
11636 		return -EINVAL;
11637 	}
11638 
11639 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11640 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11641 
11642 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11643 		u8 *rates =
11644 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11645 		int n_rates =
11646 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11647 		struct ieee80211_supported_band *sband =
11648 			wiphy->bands[ibss.chandef.chan->band];
11649 
11650 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11651 					     &ibss.basic_rates);
11652 		if (err)
11653 			return err;
11654 	}
11655 
11656 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11657 		memcpy(&ibss.ht_capa_mask,
11658 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11659 		       sizeof(ibss.ht_capa_mask));
11660 
11661 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11662 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11663 			return -EINVAL;
11664 		memcpy(&ibss.ht_capa,
11665 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11666 		       sizeof(ibss.ht_capa));
11667 	}
11668 
11669 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11670 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11671 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11672 		return -EINVAL;
11673 
11674 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11675 		bool no_ht = false;
11676 
11677 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11678 		if (IS_ERR(connkeys))
11679 			return PTR_ERR(connkeys);
11680 
11681 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11682 		    no_ht) {
11683 			kfree_sensitive(connkeys);
11684 			return -EINVAL;
11685 		}
11686 	}
11687 
11688 	ibss.control_port =
11689 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11690 
11691 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11692 		int r = validate_pae_over_nl80211(rdev, info);
11693 
11694 		if (r < 0) {
11695 			kfree_sensitive(connkeys);
11696 			return r;
11697 		}
11698 
11699 		ibss.control_port_over_nl80211 = true;
11700 	}
11701 
11702 	ibss.userspace_handles_dfs =
11703 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11704 
11705 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11706 	if (err)
11707 		kfree_sensitive(connkeys);
11708 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11709 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11710 
11711 	return err;
11712 }
11713 
11714 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11715 {
11716 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11717 	struct net_device *dev = info->user_ptr[1];
11718 
11719 	if (!rdev->ops->leave_ibss)
11720 		return -EOPNOTSUPP;
11721 
11722 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11723 		return -EOPNOTSUPP;
11724 
11725 	return cfg80211_leave_ibss(rdev, dev, false);
11726 }
11727 
11728 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11729 {
11730 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11731 	struct net_device *dev = info->user_ptr[1];
11732 	int mcast_rate[NUM_NL80211_BANDS];
11733 	u32 nla_rate;
11734 
11735 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11736 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11737 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11738 		return -EOPNOTSUPP;
11739 
11740 	if (!rdev->ops->set_mcast_rate)
11741 		return -EOPNOTSUPP;
11742 
11743 	memset(mcast_rate, 0, sizeof(mcast_rate));
11744 
11745 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11746 		return -EINVAL;
11747 
11748 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11749 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11750 		return -EINVAL;
11751 
11752 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11753 }
11754 
11755 static struct sk_buff *
11756 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11757 			    struct wireless_dev *wdev, int approxlen,
11758 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11759 			    enum nl80211_attrs attr,
11760 			    const struct nl80211_vendor_cmd_info *info,
11761 			    gfp_t gfp)
11762 {
11763 	struct sk_buff *skb;
11764 	void *hdr;
11765 	struct nlattr *data;
11766 
11767 	skb = nlmsg_new(approxlen + 100, gfp);
11768 	if (!skb)
11769 		return NULL;
11770 
11771 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11772 	if (!hdr) {
11773 		kfree_skb(skb);
11774 		return NULL;
11775 	}
11776 
11777 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11778 		goto nla_put_failure;
11779 
11780 	if (info) {
11781 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11782 				info->vendor_id))
11783 			goto nla_put_failure;
11784 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11785 				info->subcmd))
11786 			goto nla_put_failure;
11787 	}
11788 
11789 	if (wdev) {
11790 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11791 				      wdev_id(wdev), NL80211_ATTR_PAD))
11792 			goto nla_put_failure;
11793 		if (wdev->netdev &&
11794 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11795 				wdev->netdev->ifindex))
11796 			goto nla_put_failure;
11797 	}
11798 
11799 	data = nla_nest_start_noflag(skb, attr);
11800 	if (!data)
11801 		goto nla_put_failure;
11802 
11803 	((void **)skb->cb)[0] = rdev;
11804 	((void **)skb->cb)[1] = hdr;
11805 	((void **)skb->cb)[2] = data;
11806 
11807 	return skb;
11808 
11809  nla_put_failure:
11810 	kfree_skb(skb);
11811 	return NULL;
11812 }
11813 
11814 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11815 					   struct wireless_dev *wdev,
11816 					   enum nl80211_commands cmd,
11817 					   enum nl80211_attrs attr,
11818 					   unsigned int portid,
11819 					   int vendor_event_idx,
11820 					   int approxlen, gfp_t gfp)
11821 {
11822 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11823 	const struct nl80211_vendor_cmd_info *info;
11824 
11825 	switch (cmd) {
11826 	case NL80211_CMD_TESTMODE:
11827 		if (WARN_ON(vendor_event_idx != -1))
11828 			return NULL;
11829 		info = NULL;
11830 		break;
11831 	case NL80211_CMD_VENDOR:
11832 		if (WARN_ON(vendor_event_idx < 0 ||
11833 			    vendor_event_idx >= wiphy->n_vendor_events))
11834 			return NULL;
11835 		info = &wiphy->vendor_events[vendor_event_idx];
11836 		break;
11837 	default:
11838 		WARN_ON(1);
11839 		return NULL;
11840 	}
11841 
11842 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11843 					   cmd, attr, info, gfp);
11844 }
11845 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11846 
11847 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11848 {
11849 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11850 	void *hdr = ((void **)skb->cb)[1];
11851 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11852 	struct nlattr *data = ((void **)skb->cb)[2];
11853 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11854 
11855 	/* clear CB data for netlink core to own from now on */
11856 	memset(skb->cb, 0, sizeof(skb->cb));
11857 
11858 	nla_nest_end(skb, data);
11859 	genlmsg_end(skb, hdr);
11860 
11861 	if (nlhdr->nlmsg_pid) {
11862 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11863 				nlhdr->nlmsg_pid);
11864 	} else {
11865 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11866 			mcgrp = NL80211_MCGRP_VENDOR;
11867 
11868 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11869 					skb, 0, mcgrp, gfp);
11870 	}
11871 }
11872 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11873 
11874 #ifdef CONFIG_NL80211_TESTMODE
11875 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11876 {
11877 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11878 	struct wireless_dev *wdev;
11879 	int err;
11880 
11881 	lockdep_assert_held(&rdev->wiphy.mtx);
11882 
11883 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11884 					  info->attrs);
11885 
11886 	if (!rdev->ops->testmode_cmd)
11887 		return -EOPNOTSUPP;
11888 
11889 	if (IS_ERR(wdev)) {
11890 		err = PTR_ERR(wdev);
11891 		if (err != -EINVAL)
11892 			return err;
11893 		wdev = NULL;
11894 	} else if (wdev->wiphy != &rdev->wiphy) {
11895 		return -EINVAL;
11896 	}
11897 
11898 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11899 		return -EINVAL;
11900 
11901 	rdev->cur_cmd_info = info;
11902 	err = rdev_testmode_cmd(rdev, wdev,
11903 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11904 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11905 	rdev->cur_cmd_info = NULL;
11906 
11907 	return err;
11908 }
11909 
11910 static int nl80211_testmode_dump(struct sk_buff *skb,
11911 				 struct netlink_callback *cb)
11912 {
11913 	struct cfg80211_registered_device *rdev;
11914 	struct nlattr **attrbuf = NULL;
11915 	int err;
11916 	long phy_idx;
11917 	void *data = NULL;
11918 	int data_len = 0;
11919 
11920 	rtnl_lock();
11921 
11922 	if (cb->args[0]) {
11923 		/*
11924 		 * 0 is a valid index, but not valid for args[0],
11925 		 * so we need to offset by 1.
11926 		 */
11927 		phy_idx = cb->args[0] - 1;
11928 
11929 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11930 		if (!rdev) {
11931 			err = -ENOENT;
11932 			goto out_err;
11933 		}
11934 	} else {
11935 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11936 				  GFP_KERNEL);
11937 		if (!attrbuf) {
11938 			err = -ENOMEM;
11939 			goto out_err;
11940 		}
11941 
11942 		err = nlmsg_parse_deprecated(cb->nlh,
11943 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11944 					     attrbuf, nl80211_fam.maxattr,
11945 					     nl80211_policy, NULL);
11946 		if (err)
11947 			goto out_err;
11948 
11949 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11950 		if (IS_ERR(rdev)) {
11951 			err = PTR_ERR(rdev);
11952 			goto out_err;
11953 		}
11954 		phy_idx = rdev->wiphy_idx;
11955 
11956 		if (attrbuf[NL80211_ATTR_TESTDATA])
11957 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11958 	}
11959 
11960 	if (cb->args[1]) {
11961 		data = nla_data((void *)cb->args[1]);
11962 		data_len = nla_len((void *)cb->args[1]);
11963 	}
11964 
11965 	if (!rdev->ops->testmode_dump) {
11966 		err = -EOPNOTSUPP;
11967 		goto out_err;
11968 	}
11969 
11970 	while (1) {
11971 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11972 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11973 					   NL80211_CMD_TESTMODE);
11974 		struct nlattr *tmdata;
11975 
11976 		if (!hdr)
11977 			break;
11978 
11979 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11980 			genlmsg_cancel(skb, hdr);
11981 			break;
11982 		}
11983 
11984 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11985 		if (!tmdata) {
11986 			genlmsg_cancel(skb, hdr);
11987 			break;
11988 		}
11989 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11990 		nla_nest_end(skb, tmdata);
11991 
11992 		if (err == -ENOBUFS || err == -ENOENT) {
11993 			genlmsg_cancel(skb, hdr);
11994 			break;
11995 		} else if (err) {
11996 			genlmsg_cancel(skb, hdr);
11997 			goto out_err;
11998 		}
11999 
12000 		genlmsg_end(skb, hdr);
12001 	}
12002 
12003 	err = skb->len;
12004 	/* see above */
12005 	cb->args[0] = phy_idx + 1;
12006  out_err:
12007 	kfree(attrbuf);
12008 	rtnl_unlock();
12009 	return err;
12010 }
12011 #endif
12012 
12013 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
12014 {
12015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12016 	struct net_device *dev = info->user_ptr[1];
12017 	struct cfg80211_connect_params connect;
12018 	struct wiphy *wiphy;
12019 	struct cfg80211_cached_keys *connkeys = NULL;
12020 	u32 freq = 0;
12021 	int err;
12022 
12023 	memset(&connect, 0, sizeof(connect));
12024 
12025 	if (!info->attrs[NL80211_ATTR_SSID] ||
12026 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12027 		return -EINVAL;
12028 
12029 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12030 		connect.auth_type =
12031 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12032 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
12033 					     NL80211_CMD_CONNECT))
12034 			return -EINVAL;
12035 	} else
12036 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
12037 
12038 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
12039 
12040 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
12041 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12042 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12043 		return -EINVAL;
12044 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
12045 
12046 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
12047 				      NL80211_MAX_NR_CIPHER_SUITES);
12048 	if (err)
12049 		return err;
12050 
12051 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12052 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12053 		return -EOPNOTSUPP;
12054 
12055 	wiphy = &rdev->wiphy;
12056 
12057 	connect.bg_scan_period = -1;
12058 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12059 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12060 		connect.bg_scan_period =
12061 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12062 	}
12063 
12064 	if (info->attrs[NL80211_ATTR_MAC])
12065 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12066 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12067 		connect.bssid_hint =
12068 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12069 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12070 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12071 
12072 	if (info->attrs[NL80211_ATTR_IE]) {
12073 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12074 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12075 	}
12076 
12077 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12078 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12079 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12080 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12081 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12082 			return -EOPNOTSUPP;
12083 	} else {
12084 		connect.mfp = NL80211_MFP_NO;
12085 	}
12086 
12087 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12088 		connect.prev_bssid =
12089 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12090 
12091 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12092 		freq = MHZ_TO_KHZ(nla_get_u32(
12093 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12094 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12095 		freq +=
12096 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12097 
12098 	if (freq) {
12099 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12100 		if (!connect.channel)
12101 			return -EINVAL;
12102 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12103 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12104 		freq = MHZ_TO_KHZ(freq);
12105 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12106 		if (!connect.channel_hint)
12107 			return -EINVAL;
12108 	}
12109 
12110 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12111 		connect.edmg.channels =
12112 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12113 
12114 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12115 			connect.edmg.bw_config =
12116 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12117 	}
12118 
12119 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12120 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12121 		if (IS_ERR(connkeys))
12122 			return PTR_ERR(connkeys);
12123 	}
12124 
12125 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12126 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12127 
12128 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12129 		memcpy(&connect.ht_capa_mask,
12130 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12131 		       sizeof(connect.ht_capa_mask));
12132 
12133 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12134 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12135 			kfree_sensitive(connkeys);
12136 			return -EINVAL;
12137 		}
12138 		memcpy(&connect.ht_capa,
12139 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12140 		       sizeof(connect.ht_capa));
12141 	}
12142 
12143 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12144 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12145 
12146 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12147 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12148 
12149 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12150 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12151 
12152 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12153 		memcpy(&connect.vht_capa_mask,
12154 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12155 		       sizeof(connect.vht_capa_mask));
12156 
12157 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12158 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12159 			kfree_sensitive(connkeys);
12160 			return -EINVAL;
12161 		}
12162 		memcpy(&connect.vht_capa,
12163 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12164 		       sizeof(connect.vht_capa));
12165 	}
12166 
12167 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12168 		if (!((rdev->wiphy.features &
12169 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12170 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12171 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12172 					     NL80211_EXT_FEATURE_RRM)) {
12173 			kfree_sensitive(connkeys);
12174 			return -EINVAL;
12175 		}
12176 		connect.flags |= ASSOC_REQ_USE_RRM;
12177 	}
12178 
12179 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12180 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12181 		kfree_sensitive(connkeys);
12182 		return -EOPNOTSUPP;
12183 	}
12184 
12185 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12186 		/* bss selection makes no sense if bssid is set */
12187 		if (connect.bssid) {
12188 			kfree_sensitive(connkeys);
12189 			return -EINVAL;
12190 		}
12191 
12192 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12193 				       wiphy, &connect.bss_select);
12194 		if (err) {
12195 			kfree_sensitive(connkeys);
12196 			return err;
12197 		}
12198 	}
12199 
12200 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12201 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12202 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12203 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12204 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12205 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12206 		connect.fils_erp_username =
12207 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12208 		connect.fils_erp_username_len =
12209 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12210 		connect.fils_erp_realm =
12211 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12212 		connect.fils_erp_realm_len =
12213 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12214 		connect.fils_erp_next_seq_num =
12215 			nla_get_u16(
12216 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12217 		connect.fils_erp_rrk =
12218 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12219 		connect.fils_erp_rrk_len =
12220 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12221 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12222 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12223 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12224 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12225 		kfree_sensitive(connkeys);
12226 		return -EINVAL;
12227 	}
12228 
12229 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12230 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12231 			kfree_sensitive(connkeys);
12232 			GENL_SET_ERR_MSG(info,
12233 					 "external auth requires connection ownership");
12234 			return -EINVAL;
12235 		}
12236 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12237 	}
12238 
12239 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12240 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12241 
12242 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12243 			       connect.prev_bssid);
12244 	if (err)
12245 		kfree_sensitive(connkeys);
12246 
12247 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12248 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12249 		if (connect.bssid)
12250 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12251 			       connect.bssid, ETH_ALEN);
12252 		else
12253 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12254 	}
12255 
12256 	return err;
12257 }
12258 
12259 static int nl80211_update_connect_params(struct sk_buff *skb,
12260 					 struct genl_info *info)
12261 {
12262 	struct cfg80211_connect_params connect = {};
12263 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12264 	struct net_device *dev = info->user_ptr[1];
12265 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12266 	bool fils_sk_offload;
12267 	u32 auth_type;
12268 	u32 changed = 0;
12269 
12270 	if (!rdev->ops->update_connect_params)
12271 		return -EOPNOTSUPP;
12272 
12273 	if (info->attrs[NL80211_ATTR_IE]) {
12274 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12275 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12276 		changed |= UPDATE_ASSOC_IES;
12277 	}
12278 
12279 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12280 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12281 
12282 	/*
12283 	 * when driver supports fils-sk offload all attributes must be
12284 	 * provided. So the else covers "fils-sk-not-all" and
12285 	 * "no-fils-sk-any".
12286 	 */
12287 	if (fils_sk_offload &&
12288 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12289 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12290 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12291 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12292 		connect.fils_erp_username =
12293 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12294 		connect.fils_erp_username_len =
12295 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12296 		connect.fils_erp_realm =
12297 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12298 		connect.fils_erp_realm_len =
12299 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12300 		connect.fils_erp_next_seq_num =
12301 			nla_get_u16(
12302 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12303 		connect.fils_erp_rrk =
12304 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12305 		connect.fils_erp_rrk_len =
12306 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12307 		changed |= UPDATE_FILS_ERP_INFO;
12308 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12309 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12310 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12311 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12312 		return -EINVAL;
12313 	}
12314 
12315 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12316 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12317 		if (!nl80211_valid_auth_type(rdev, auth_type,
12318 					     NL80211_CMD_CONNECT))
12319 			return -EINVAL;
12320 
12321 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12322 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12323 			return -EINVAL;
12324 
12325 		connect.auth_type = auth_type;
12326 		changed |= UPDATE_AUTH_TYPE;
12327 	}
12328 
12329 	if (!wdev->connected)
12330 		return -ENOLINK;
12331 
12332 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12333 }
12334 
12335 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12336 {
12337 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12338 	struct net_device *dev = info->user_ptr[1];
12339 	u16 reason;
12340 
12341 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12342 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12343 		return -EPERM;
12344 
12345 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
12346 				     WLAN_REASON_DEAUTH_LEAVING);
12347 
12348 	if (reason == 0)
12349 		return -EINVAL;
12350 
12351 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12352 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12353 		return -EOPNOTSUPP;
12354 
12355 	return cfg80211_disconnect(rdev, dev, reason, true);
12356 }
12357 
12358 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12359 {
12360 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12361 	struct net *net;
12362 	int err;
12363 
12364 	if (info->attrs[NL80211_ATTR_PID]) {
12365 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12366 
12367 		net = get_net_ns_by_pid(pid);
12368 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12369 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12370 
12371 		net = get_net_ns_by_fd(fd);
12372 	} else {
12373 		return -EINVAL;
12374 	}
12375 
12376 	if (IS_ERR(net))
12377 		return PTR_ERR(net);
12378 
12379 	err = 0;
12380 
12381 	/* check if anything to do */
12382 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12383 		err = cfg80211_switch_netns(rdev, net);
12384 
12385 	put_net(net);
12386 	return err;
12387 }
12388 
12389 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12390 {
12391 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12392 	struct net_device *dev = info->user_ptr[1];
12393 	struct cfg80211_pmksa pmksa;
12394 	bool ap_pmksa_caching_support = false;
12395 
12396 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12397 
12398 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12399 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12400 
12401 	if (!info->attrs[NL80211_ATTR_PMKID])
12402 		return -EINVAL;
12403 
12404 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12405 
12406 	if (info->attrs[NL80211_ATTR_MAC]) {
12407 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12408 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12409 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12410 	           info->attrs[NL80211_ATTR_PMK]) {
12411 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12412 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12413 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12414 	} else {
12415 		return -EINVAL;
12416 	}
12417 
12418 	if (info->attrs[NL80211_ATTR_PMK]) {
12419 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12420 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12421 	}
12422 
12423 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12424 		pmksa.pmk_lifetime =
12425 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12426 
12427 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12428 		pmksa.pmk_reauth_threshold =
12429 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12430 
12431 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12432 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12433 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12434 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12435 	       ap_pmksa_caching_support))
12436 		return -EOPNOTSUPP;
12437 
12438 	if (!rdev->ops->set_pmksa)
12439 		return -EOPNOTSUPP;
12440 
12441 	return rdev_set_pmksa(rdev, dev, &pmksa);
12442 }
12443 
12444 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12445 {
12446 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12447 	struct net_device *dev = info->user_ptr[1];
12448 	struct cfg80211_pmksa pmksa;
12449 	bool sae_offload_support = false;
12450 	bool owe_offload_support = false;
12451 	bool ap_pmksa_caching_support = false;
12452 
12453 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12454 
12455 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12456 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12457 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12458 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12459 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12460 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12461 
12462 	if (info->attrs[NL80211_ATTR_PMKID])
12463 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12464 
12465 	if (info->attrs[NL80211_ATTR_MAC]) {
12466 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12467 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12468 		/* SSID based pmksa flush supported only for FILS,
12469 		 * OWE/SAE OFFLOAD cases
12470 		 */
12471 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12472 		    info->attrs[NL80211_ATTR_PMK]) {
12473 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12474 		} else if (!sae_offload_support && !owe_offload_support) {
12475 			return -EINVAL;
12476 		}
12477 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12478 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12479 	} else {
12480 		return -EINVAL;
12481 	}
12482 
12483 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12484 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12485 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12486 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12487 	       ap_pmksa_caching_support))
12488 		return -EOPNOTSUPP;
12489 
12490 	if (!rdev->ops->del_pmksa)
12491 		return -EOPNOTSUPP;
12492 
12493 	return rdev_del_pmksa(rdev, dev, &pmksa);
12494 }
12495 
12496 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12497 {
12498 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12499 	struct net_device *dev = info->user_ptr[1];
12500 
12501 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12502 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12503 		return -EOPNOTSUPP;
12504 
12505 	if (!rdev->ops->flush_pmksa)
12506 		return -EOPNOTSUPP;
12507 
12508 	return rdev_flush_pmksa(rdev, dev);
12509 }
12510 
12511 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12512 {
12513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12514 	struct net_device *dev = info->user_ptr[1];
12515 	u8 action_code, dialog_token;
12516 	u32 peer_capability = 0;
12517 	u16 status_code;
12518 	u8 *peer;
12519 	int link_id;
12520 	bool initiator;
12521 
12522 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12523 	    !rdev->ops->tdls_mgmt)
12524 		return -EOPNOTSUPP;
12525 
12526 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12527 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12528 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12529 	    !info->attrs[NL80211_ATTR_IE] ||
12530 	    !info->attrs[NL80211_ATTR_MAC])
12531 		return -EINVAL;
12532 
12533 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12534 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12535 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12536 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12537 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12538 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12539 		peer_capability =
12540 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12541 	link_id = nl80211_link_id_or_invalid(info->attrs);
12542 
12543 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12544 			      dialog_token, status_code, peer_capability,
12545 			      initiator,
12546 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12547 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12548 }
12549 
12550 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12551 {
12552 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12553 	struct net_device *dev = info->user_ptr[1];
12554 	enum nl80211_tdls_operation operation;
12555 	u8 *peer;
12556 
12557 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12558 	    !rdev->ops->tdls_oper)
12559 		return -EOPNOTSUPP;
12560 
12561 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12562 	    !info->attrs[NL80211_ATTR_MAC])
12563 		return -EINVAL;
12564 
12565 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12566 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12567 
12568 	return rdev_tdls_oper(rdev, dev, peer, operation);
12569 }
12570 
12571 static int nl80211_remain_on_channel(struct sk_buff *skb,
12572 				     struct genl_info *info)
12573 {
12574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12575 	unsigned int link_id = nl80211_link_id(info->attrs);
12576 	struct wireless_dev *wdev = info->user_ptr[1];
12577 	struct cfg80211_chan_def chandef;
12578 	struct sk_buff *msg;
12579 	void *hdr;
12580 	u64 cookie;
12581 	u32 duration;
12582 	int err;
12583 
12584 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12585 	    !info->attrs[NL80211_ATTR_DURATION])
12586 		return -EINVAL;
12587 
12588 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12589 
12590 	if (!rdev->ops->remain_on_channel ||
12591 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12592 		return -EOPNOTSUPP;
12593 
12594 	/*
12595 	 * We should be on that channel for at least a minimum amount of
12596 	 * time (10ms) but no longer than the driver supports.
12597 	 */
12598 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12599 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12600 		return -EINVAL;
12601 
12602 	err = nl80211_parse_chandef(rdev, info, &chandef);
12603 	if (err)
12604 		return err;
12605 
12606 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12607 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12608 
12609 		oper_chandef = wdev_chandef(wdev, link_id);
12610 
12611 		if (WARN_ON(!oper_chandef)) {
12612 			/* cannot happen since we must beacon to get here */
12613 			WARN_ON(1);
12614 			return -EBUSY;
12615 		}
12616 
12617 		/* note: returns first one if identical chandefs */
12618 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12619 							     oper_chandef);
12620 
12621 		if (compat_chandef != &chandef)
12622 			return -EBUSY;
12623 	}
12624 
12625 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12626 	if (!msg)
12627 		return -ENOMEM;
12628 
12629 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12630 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12631 	if (!hdr) {
12632 		err = -ENOBUFS;
12633 		goto free_msg;
12634 	}
12635 
12636 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12637 				     duration, &cookie);
12638 
12639 	if (err)
12640 		goto free_msg;
12641 
12642 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12643 			      NL80211_ATTR_PAD))
12644 		goto nla_put_failure;
12645 
12646 	genlmsg_end(msg, hdr);
12647 
12648 	return genlmsg_reply(msg, info);
12649 
12650  nla_put_failure:
12651 	err = -ENOBUFS;
12652  free_msg:
12653 	nlmsg_free(msg);
12654 	return err;
12655 }
12656 
12657 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12658 					    struct genl_info *info)
12659 {
12660 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12661 	struct wireless_dev *wdev = info->user_ptr[1];
12662 	u64 cookie;
12663 
12664 	if (!info->attrs[NL80211_ATTR_COOKIE])
12665 		return -EINVAL;
12666 
12667 	if (!rdev->ops->cancel_remain_on_channel)
12668 		return -EOPNOTSUPP;
12669 
12670 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12671 
12672 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12673 }
12674 
12675 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12676 				       struct genl_info *info)
12677 {
12678 	struct cfg80211_bitrate_mask mask;
12679 	unsigned int link_id = nl80211_link_id(info->attrs);
12680 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12681 	struct net_device *dev = info->user_ptr[1];
12682 	int err;
12683 
12684 	if (!rdev->ops->set_bitrate_mask)
12685 		return -EOPNOTSUPP;
12686 
12687 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12688 					    NL80211_ATTR_TX_RATES, &mask,
12689 					    dev, true, link_id);
12690 	if (err)
12691 		return err;
12692 
12693 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12694 }
12695 
12696 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12697 {
12698 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12699 	struct wireless_dev *wdev = info->user_ptr[1];
12700 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12701 
12702 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12703 		return -EINVAL;
12704 
12705 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12706 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12707 
12708 	switch (wdev->iftype) {
12709 	case NL80211_IFTYPE_STATION:
12710 	case NL80211_IFTYPE_ADHOC:
12711 	case NL80211_IFTYPE_P2P_CLIENT:
12712 	case NL80211_IFTYPE_AP:
12713 	case NL80211_IFTYPE_AP_VLAN:
12714 	case NL80211_IFTYPE_MESH_POINT:
12715 	case NL80211_IFTYPE_P2P_GO:
12716 	case NL80211_IFTYPE_P2P_DEVICE:
12717 		break;
12718 	case NL80211_IFTYPE_NAN:
12719 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12720 					     NL80211_EXT_FEATURE_SECURE_NAN))
12721 			return -EOPNOTSUPP;
12722 		break;
12723 	default:
12724 		return -EOPNOTSUPP;
12725 	}
12726 
12727 	/* not much point in registering if we can't reply */
12728 	if (!rdev->ops->mgmt_tx)
12729 		return -EOPNOTSUPP;
12730 
12731 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12732 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12733 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12734 		GENL_SET_ERR_MSG(info,
12735 				 "multicast RX registrations are not supported");
12736 		return -EOPNOTSUPP;
12737 	}
12738 
12739 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12740 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12741 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12742 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12743 					   info->extack);
12744 }
12745 
12746 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12747 {
12748 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12749 	struct wireless_dev *wdev = info->user_ptr[1];
12750 	struct cfg80211_chan_def chandef;
12751 	int err;
12752 	void *hdr = NULL;
12753 	u64 cookie;
12754 	struct sk_buff *msg = NULL;
12755 	struct cfg80211_mgmt_tx_params params = {
12756 		.dont_wait_for_ack =
12757 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12758 	};
12759 
12760 	if (!info->attrs[NL80211_ATTR_FRAME])
12761 		return -EINVAL;
12762 
12763 	if (!rdev->ops->mgmt_tx)
12764 		return -EOPNOTSUPP;
12765 
12766 	switch (wdev->iftype) {
12767 	case NL80211_IFTYPE_P2P_DEVICE:
12768 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12769 			return -EINVAL;
12770 		break;
12771 	case NL80211_IFTYPE_STATION:
12772 	case NL80211_IFTYPE_ADHOC:
12773 	case NL80211_IFTYPE_P2P_CLIENT:
12774 	case NL80211_IFTYPE_AP:
12775 	case NL80211_IFTYPE_AP_VLAN:
12776 	case NL80211_IFTYPE_MESH_POINT:
12777 	case NL80211_IFTYPE_P2P_GO:
12778 		break;
12779 	case NL80211_IFTYPE_NAN:
12780 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12781 					     NL80211_EXT_FEATURE_SECURE_NAN))
12782 			return -EOPNOTSUPP;
12783 		break;
12784 	default:
12785 		return -EOPNOTSUPP;
12786 	}
12787 
12788 	if (info->attrs[NL80211_ATTR_DURATION]) {
12789 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12790 			return -EINVAL;
12791 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12792 
12793 		/*
12794 		 * We should wait on the channel for at least a minimum amount
12795 		 * of time (10ms) but no longer than the driver supports.
12796 		 */
12797 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12798 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12799 			return -EINVAL;
12800 	}
12801 
12802 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12803 
12804 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12805 		return -EINVAL;
12806 
12807 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12808 
12809 	/* get the channel if any has been specified, otherwise pass NULL to
12810 	 * the driver. The latter will use the current one
12811 	 */
12812 	chandef.chan = NULL;
12813 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12814 		err = nl80211_parse_chandef(rdev, info, &chandef);
12815 		if (err)
12816 			return err;
12817 	}
12818 
12819 	if (!chandef.chan && params.offchan)
12820 		return -EINVAL;
12821 
12822 	if (params.offchan &&
12823 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12824 		return -EBUSY;
12825 
12826 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12827 	/*
12828 	 * This now races due to the unlock, but we cannot check
12829 	 * the valid links for the _station_ anyway, so that's up
12830 	 * to the driver.
12831 	 */
12832 	if (params.link_id >= 0 &&
12833 	    !(wdev->valid_links & BIT(params.link_id)))
12834 		return -EINVAL;
12835 
12836 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12837 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12838 
12839 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12840 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12841 					    &params.csa_offsets,
12842 					    &params.n_csa_offsets);
12843 	if (err)
12844 		return err;
12845 
12846 	if (!params.dont_wait_for_ack) {
12847 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12848 		if (!msg)
12849 			return -ENOMEM;
12850 
12851 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12852 				     NL80211_CMD_FRAME);
12853 		if (!hdr) {
12854 			err = -ENOBUFS;
12855 			goto free_msg;
12856 		}
12857 	}
12858 
12859 	params.chan = chandef.chan;
12860 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12861 	if (err)
12862 		goto free_msg;
12863 
12864 	if (msg) {
12865 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12866 				      NL80211_ATTR_PAD))
12867 			goto nla_put_failure;
12868 
12869 		genlmsg_end(msg, hdr);
12870 		return genlmsg_reply(msg, info);
12871 	}
12872 
12873 	return 0;
12874 
12875  nla_put_failure:
12876 	err = -ENOBUFS;
12877  free_msg:
12878 	nlmsg_free(msg);
12879 	return err;
12880 }
12881 
12882 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12883 {
12884 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12885 	struct wireless_dev *wdev = info->user_ptr[1];
12886 	u64 cookie;
12887 
12888 	if (!info->attrs[NL80211_ATTR_COOKIE])
12889 		return -EINVAL;
12890 
12891 	if (!rdev->ops->mgmt_tx_cancel_wait)
12892 		return -EOPNOTSUPP;
12893 
12894 	switch (wdev->iftype) {
12895 	case NL80211_IFTYPE_STATION:
12896 	case NL80211_IFTYPE_ADHOC:
12897 	case NL80211_IFTYPE_P2P_CLIENT:
12898 	case NL80211_IFTYPE_AP:
12899 	case NL80211_IFTYPE_AP_VLAN:
12900 	case NL80211_IFTYPE_P2P_GO:
12901 	case NL80211_IFTYPE_P2P_DEVICE:
12902 		break;
12903 	case NL80211_IFTYPE_NAN:
12904 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12905 					     NL80211_EXT_FEATURE_SECURE_NAN))
12906 			return -EOPNOTSUPP;
12907 		break;
12908 	default:
12909 		return -EOPNOTSUPP;
12910 	}
12911 
12912 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12913 
12914 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12915 }
12916 
12917 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12918 {
12919 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12920 	struct wireless_dev *wdev;
12921 	struct net_device *dev = info->user_ptr[1];
12922 	u8 ps_state;
12923 	bool state;
12924 	int err;
12925 
12926 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12927 		return -EINVAL;
12928 
12929 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12930 
12931 	wdev = dev->ieee80211_ptr;
12932 
12933 	if (!rdev->ops->set_power_mgmt)
12934 		return -EOPNOTSUPP;
12935 
12936 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12937 
12938 	if (state == wdev->ps)
12939 		return 0;
12940 
12941 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12942 	if (!err)
12943 		wdev->ps = state;
12944 	return err;
12945 }
12946 
12947 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12948 {
12949 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12950 	enum nl80211_ps_state ps_state;
12951 	struct wireless_dev *wdev;
12952 	struct net_device *dev = info->user_ptr[1];
12953 	struct sk_buff *msg;
12954 	void *hdr;
12955 	int err;
12956 
12957 	wdev = dev->ieee80211_ptr;
12958 
12959 	if (!rdev->ops->set_power_mgmt)
12960 		return -EOPNOTSUPP;
12961 
12962 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12963 	if (!msg)
12964 		return -ENOMEM;
12965 
12966 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12967 			     NL80211_CMD_GET_POWER_SAVE);
12968 	if (!hdr) {
12969 		err = -ENOBUFS;
12970 		goto free_msg;
12971 	}
12972 
12973 	if (wdev->ps)
12974 		ps_state = NL80211_PS_ENABLED;
12975 	else
12976 		ps_state = NL80211_PS_DISABLED;
12977 
12978 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12979 		goto nla_put_failure;
12980 
12981 	genlmsg_end(msg, hdr);
12982 	return genlmsg_reply(msg, info);
12983 
12984  nla_put_failure:
12985 	err = -ENOBUFS;
12986  free_msg:
12987 	nlmsg_free(msg);
12988 	return err;
12989 }
12990 
12991 static const struct nla_policy
12992 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12993 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12994 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12995 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12996 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12997 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12998 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12999 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
13000 };
13001 
13002 static int nl80211_set_cqm_txe(struct genl_info *info,
13003 			       u32 rate, u32 pkts, u32 intvl)
13004 {
13005 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13006 	struct net_device *dev = info->user_ptr[1];
13007 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13008 
13009 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
13010 		return -EINVAL;
13011 
13012 	if (!rdev->ops->set_cqm_txe_config)
13013 		return -EOPNOTSUPP;
13014 
13015 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13016 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13017 		return -EOPNOTSUPP;
13018 
13019 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
13020 }
13021 
13022 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
13023 				    struct net_device *dev,
13024 				    struct cfg80211_cqm_config *cqm_config)
13025 {
13026 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13027 	s32 last, low, high;
13028 	u32 hyst;
13029 	int i, n, low_index;
13030 	int err;
13031 
13032 	/*
13033 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
13034 	 * event has been received yet, we should receive an event after a
13035 	 * connection is established and enough beacons received to calculate
13036 	 * the average.
13037 	 */
13038 	if (!cqm_config->last_rssi_event_value &&
13039 	    wdev->links[0].client.current_bss &&
13040 	    rdev->ops->get_station) {
13041 		struct station_info sinfo = {};
13042 		u8 *mac_addr;
13043 
13044 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
13045 
13046 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
13047 		if (err)
13048 			return err;
13049 
13050 		cfg80211_sinfo_release_content(&sinfo);
13051 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13052 			cqm_config->last_rssi_event_value =
13053 				(s8) sinfo.rx_beacon_signal_avg;
13054 	}
13055 
13056 	last = cqm_config->last_rssi_event_value;
13057 	hyst = cqm_config->rssi_hyst;
13058 	n = cqm_config->n_rssi_thresholds;
13059 
13060 	for (i = 0; i < n; i++) {
13061 		i = array_index_nospec(i, n);
13062 		if (last < cqm_config->rssi_thresholds[i])
13063 			break;
13064 	}
13065 
13066 	low_index = i - 1;
13067 	if (low_index >= 0) {
13068 		low_index = array_index_nospec(low_index, n);
13069 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13070 	} else {
13071 		low = S32_MIN;
13072 	}
13073 	if (i < n) {
13074 		i = array_index_nospec(i, n);
13075 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13076 	} else {
13077 		high = S32_MAX;
13078 	}
13079 
13080 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13081 }
13082 
13083 static int nl80211_set_cqm_rssi(struct genl_info *info,
13084 				const s32 *thresholds, int n_thresholds,
13085 				u32 hysteresis)
13086 {
13087 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13088 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13089 	struct net_device *dev = info->user_ptr[1];
13090 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13091 	s32 prev = S32_MIN;
13092 	int i, err;
13093 
13094 	/* Check all values negative and sorted */
13095 	for (i = 0; i < n_thresholds; i++) {
13096 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13097 			return -EINVAL;
13098 
13099 		prev = thresholds[i];
13100 	}
13101 
13102 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13103 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13104 		return -EOPNOTSUPP;
13105 
13106 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13107 		n_thresholds = 0;
13108 
13109 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13110 
13111 	/* if already disabled just succeed */
13112 	if (!n_thresholds && !old)
13113 		return 0;
13114 
13115 	if (n_thresholds > 1) {
13116 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13117 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13118 		    !rdev->ops->set_cqm_rssi_range_config)
13119 			return -EOPNOTSUPP;
13120 	} else {
13121 		if (!rdev->ops->set_cqm_rssi_config)
13122 			return -EOPNOTSUPP;
13123 	}
13124 
13125 	if (n_thresholds) {
13126 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13127 						 n_thresholds),
13128 				     GFP_KERNEL);
13129 		if (!cqm_config)
13130 			return -ENOMEM;
13131 
13132 		cqm_config->rssi_hyst = hysteresis;
13133 		cqm_config->n_rssi_thresholds = n_thresholds;
13134 		memcpy(cqm_config->rssi_thresholds, thresholds,
13135 		       flex_array_size(cqm_config, rssi_thresholds,
13136 				       n_thresholds));
13137 		cqm_config->use_range_api = n_thresholds > 1 ||
13138 					    !rdev->ops->set_cqm_rssi_config;
13139 
13140 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13141 
13142 		if (cqm_config->use_range_api)
13143 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13144 		else
13145 			err = rdev_set_cqm_rssi_config(rdev, dev,
13146 						       thresholds[0],
13147 						       hysteresis);
13148 	} else {
13149 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13150 		/* if enabled as range also disable via range */
13151 		if (old->use_range_api)
13152 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13153 		else
13154 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13155 	}
13156 
13157 	if (err) {
13158 		rcu_assign_pointer(wdev->cqm_config, old);
13159 		kfree_rcu(cqm_config, rcu_head);
13160 	} else {
13161 		kfree_rcu(old, rcu_head);
13162 	}
13163 
13164 	return err;
13165 }
13166 
13167 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13168 {
13169 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13170 	struct nlattr *cqm;
13171 	int err;
13172 
13173 	cqm = info->attrs[NL80211_ATTR_CQM];
13174 	if (!cqm)
13175 		return -EINVAL;
13176 
13177 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13178 					  nl80211_attr_cqm_policy,
13179 					  info->extack);
13180 	if (err)
13181 		return err;
13182 
13183 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13184 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13185 		const s32 *thresholds =
13186 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13187 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13188 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13189 
13190 		if (len % 4)
13191 			return -EINVAL;
13192 
13193 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13194 					    hysteresis);
13195 	}
13196 
13197 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13198 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13199 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13200 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13201 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13202 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13203 
13204 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13205 	}
13206 
13207 	return -EINVAL;
13208 }
13209 
13210 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13211 {
13212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13213 	struct net_device *dev = info->user_ptr[1];
13214 	struct ocb_setup setup = {};
13215 	int err;
13216 
13217 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13218 	if (err)
13219 		return err;
13220 
13221 	return cfg80211_join_ocb(rdev, dev, &setup);
13222 }
13223 
13224 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13225 {
13226 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13227 	struct net_device *dev = info->user_ptr[1];
13228 
13229 	return cfg80211_leave_ocb(rdev, dev);
13230 }
13231 
13232 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13233 {
13234 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13235 	struct net_device *dev = info->user_ptr[1];
13236 	struct mesh_config cfg;
13237 	struct mesh_setup setup;
13238 	int err;
13239 
13240 	/* start with default */
13241 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13242 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13243 
13244 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13245 		/* and parse parameters if given */
13246 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13247 		if (err)
13248 			return err;
13249 	}
13250 
13251 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13252 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13253 		return -EINVAL;
13254 
13255 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13256 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13257 
13258 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13259 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13260 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13261 			return -EINVAL;
13262 
13263 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13264 		setup.beacon_interval =
13265 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13266 
13267 		err = cfg80211_validate_beacon_int(rdev,
13268 						   NL80211_IFTYPE_MESH_POINT,
13269 						   setup.beacon_interval);
13270 		if (err)
13271 			return err;
13272 	}
13273 
13274 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13275 		setup.dtim_period =
13276 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13277 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13278 			return -EINVAL;
13279 	}
13280 
13281 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13282 		/* parse additional setup parameters if given */
13283 		err = nl80211_parse_mesh_setup(info, &setup);
13284 		if (err)
13285 			return err;
13286 	}
13287 
13288 	if (setup.user_mpm)
13289 		cfg.auto_open_plinks = false;
13290 
13291 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13292 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13293 		if (err)
13294 			return err;
13295 	} else {
13296 		/* __cfg80211_join_mesh() will sort it out */
13297 		setup.chandef.chan = NULL;
13298 	}
13299 
13300 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13301 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13302 		int n_rates =
13303 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13304 		struct ieee80211_supported_band *sband;
13305 
13306 		if (!setup.chandef.chan)
13307 			return -EINVAL;
13308 
13309 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13310 
13311 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13312 					     &setup.basic_rates);
13313 		if (err)
13314 			return err;
13315 	}
13316 
13317 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13318 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13319 						    NL80211_ATTR_TX_RATES,
13320 						    &setup.beacon_rate,
13321 						    dev, false, 0);
13322 		if (err)
13323 			return err;
13324 
13325 		if (!setup.chandef.chan)
13326 			return -EINVAL;
13327 
13328 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13329 					      &setup.beacon_rate);
13330 		if (err)
13331 			return err;
13332 	}
13333 
13334 	setup.userspace_handles_dfs =
13335 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13336 
13337 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13338 		int r = validate_pae_over_nl80211(rdev, info);
13339 
13340 		if (r < 0)
13341 			return r;
13342 
13343 		setup.control_port_over_nl80211 = true;
13344 	}
13345 
13346 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13347 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13348 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13349 
13350 	return err;
13351 }
13352 
13353 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13354 {
13355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13356 	struct net_device *dev = info->user_ptr[1];
13357 
13358 	return cfg80211_leave_mesh(rdev, dev);
13359 }
13360 
13361 #ifdef CONFIG_PM
13362 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13363 					struct cfg80211_registered_device *rdev)
13364 {
13365 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13366 	struct nlattr *nl_pats, *nl_pat;
13367 	int i, pat_len;
13368 
13369 	if (!wowlan->n_patterns)
13370 		return 0;
13371 
13372 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13373 	if (!nl_pats)
13374 		return -ENOBUFS;
13375 
13376 	for (i = 0; i < wowlan->n_patterns; i++) {
13377 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13378 		if (!nl_pat)
13379 			return -ENOBUFS;
13380 		pat_len = wowlan->patterns[i].pattern_len;
13381 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13382 			    wowlan->patterns[i].mask) ||
13383 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13384 			    wowlan->patterns[i].pattern) ||
13385 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13386 				wowlan->patterns[i].pkt_offset))
13387 			return -ENOBUFS;
13388 		nla_nest_end(msg, nl_pat);
13389 	}
13390 	nla_nest_end(msg, nl_pats);
13391 
13392 	return 0;
13393 }
13394 
13395 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13396 				   struct cfg80211_wowlan_tcp *tcp)
13397 {
13398 	struct nlattr *nl_tcp;
13399 
13400 	if (!tcp)
13401 		return 0;
13402 
13403 	nl_tcp = nla_nest_start_noflag(msg,
13404 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13405 	if (!nl_tcp)
13406 		return -ENOBUFS;
13407 
13408 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13409 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13410 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13411 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13412 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13413 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13414 		    tcp->payload_len, tcp->payload) ||
13415 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13416 			tcp->data_interval) ||
13417 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13418 		    tcp->wake_len, tcp->wake_data) ||
13419 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13420 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13421 		return -ENOBUFS;
13422 
13423 	if (tcp->payload_seq.len &&
13424 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13425 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13426 		return -ENOBUFS;
13427 
13428 	if (tcp->payload_tok.len &&
13429 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13430 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13431 		    &tcp->payload_tok))
13432 		return -ENOBUFS;
13433 
13434 	nla_nest_end(msg, nl_tcp);
13435 
13436 	return 0;
13437 }
13438 
13439 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13440 				  struct cfg80211_sched_scan_request *req)
13441 {
13442 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13443 	int i;
13444 
13445 	if (!req)
13446 		return 0;
13447 
13448 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13449 	if (!nd)
13450 		return -ENOBUFS;
13451 
13452 	if (req->n_scan_plans == 1 &&
13453 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13454 			req->scan_plans[0].interval * 1000))
13455 		return -ENOBUFS;
13456 
13457 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13458 		return -ENOBUFS;
13459 
13460 	if (req->relative_rssi_set) {
13461 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13462 
13463 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13464 			       req->relative_rssi))
13465 			return -ENOBUFS;
13466 
13467 		rssi_adjust.band = req->rssi_adjust.band;
13468 		rssi_adjust.delta = req->rssi_adjust.delta;
13469 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13470 			    sizeof(rssi_adjust), &rssi_adjust))
13471 			return -ENOBUFS;
13472 	}
13473 
13474 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13475 	if (!freqs)
13476 		return -ENOBUFS;
13477 
13478 	for (i = 0; i < req->n_channels; i++) {
13479 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13480 			return -ENOBUFS;
13481 	}
13482 
13483 	nla_nest_end(msg, freqs);
13484 
13485 	if (req->n_match_sets) {
13486 		matches = nla_nest_start_noflag(msg,
13487 						NL80211_ATTR_SCHED_SCAN_MATCH);
13488 		if (!matches)
13489 			return -ENOBUFS;
13490 
13491 		for (i = 0; i < req->n_match_sets; i++) {
13492 			match = nla_nest_start_noflag(msg, i);
13493 			if (!match)
13494 				return -ENOBUFS;
13495 
13496 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13497 				    req->match_sets[i].ssid.ssid_len,
13498 				    req->match_sets[i].ssid.ssid))
13499 				return -ENOBUFS;
13500 			nla_nest_end(msg, match);
13501 		}
13502 		nla_nest_end(msg, matches);
13503 	}
13504 
13505 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13506 	if (!scan_plans)
13507 		return -ENOBUFS;
13508 
13509 	for (i = 0; i < req->n_scan_plans; i++) {
13510 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13511 		if (!scan_plan)
13512 			return -ENOBUFS;
13513 
13514 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13515 				req->scan_plans[i].interval) ||
13516 		    (req->scan_plans[i].iterations &&
13517 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13518 				 req->scan_plans[i].iterations)))
13519 			return -ENOBUFS;
13520 		nla_nest_end(msg, scan_plan);
13521 	}
13522 	nla_nest_end(msg, scan_plans);
13523 
13524 	nla_nest_end(msg, nd);
13525 
13526 	return 0;
13527 }
13528 
13529 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13530 {
13531 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13532 	struct sk_buff *msg;
13533 	void *hdr;
13534 	u32 size = NLMSG_DEFAULT_SIZE;
13535 
13536 	if (!rdev->wiphy.wowlan)
13537 		return -EOPNOTSUPP;
13538 
13539 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13540 		/* adjust size to have room for all the data */
13541 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13542 			rdev->wiphy.wowlan_config->tcp->payload_len +
13543 			rdev->wiphy.wowlan_config->tcp->wake_len +
13544 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13545 	}
13546 
13547 	msg = nlmsg_new(size, GFP_KERNEL);
13548 	if (!msg)
13549 		return -ENOMEM;
13550 
13551 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13552 			     NL80211_CMD_GET_WOWLAN);
13553 	if (!hdr)
13554 		goto nla_put_failure;
13555 
13556 	if (rdev->wiphy.wowlan_config) {
13557 		struct nlattr *nl_wowlan;
13558 
13559 		nl_wowlan = nla_nest_start_noflag(msg,
13560 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13561 		if (!nl_wowlan)
13562 			goto nla_put_failure;
13563 
13564 		if ((rdev->wiphy.wowlan_config->any &&
13565 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13566 		    (rdev->wiphy.wowlan_config->disconnect &&
13567 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13568 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13569 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13570 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13571 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13572 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13573 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13574 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13575 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13576 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13577 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13578 			goto nla_put_failure;
13579 
13580 		if (nl80211_send_wowlan_patterns(msg, rdev))
13581 			goto nla_put_failure;
13582 
13583 		if (nl80211_send_wowlan_tcp(msg,
13584 					    rdev->wiphy.wowlan_config->tcp))
13585 			goto nla_put_failure;
13586 
13587 		if (nl80211_send_wowlan_nd(
13588 			    msg,
13589 			    rdev->wiphy.wowlan_config->nd_config))
13590 			goto nla_put_failure;
13591 
13592 		nla_nest_end(msg, nl_wowlan);
13593 	}
13594 
13595 	genlmsg_end(msg, hdr);
13596 	return genlmsg_reply(msg, info);
13597 
13598 nla_put_failure:
13599 	nlmsg_free(msg);
13600 	return -ENOBUFS;
13601 }
13602 
13603 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13604 				    struct nlattr *attr,
13605 				    struct cfg80211_wowlan *trig)
13606 {
13607 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13608 	struct cfg80211_wowlan_tcp *cfg;
13609 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13610 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13611 	u32 size;
13612 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13613 	int err, port;
13614 
13615 	if (!rdev->wiphy.wowlan->tcp)
13616 		return -EINVAL;
13617 
13618 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13619 					  nl80211_wowlan_tcp_policy, NULL);
13620 	if (err)
13621 		return err;
13622 
13623 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13624 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13625 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13626 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13627 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13628 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13629 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13630 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13631 		return -EINVAL;
13632 
13633 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13634 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13635 		return -EINVAL;
13636 
13637 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13638 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13639 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13640 		return -EINVAL;
13641 
13642 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13643 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13644 		return -EINVAL;
13645 
13646 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13647 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13648 		return -EINVAL;
13649 
13650 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13651 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13652 
13653 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13654 		tokens_size = tokln - sizeof(*tok);
13655 
13656 		if (!tok->len || tokens_size % tok->len)
13657 			return -EINVAL;
13658 		if (!rdev->wiphy.wowlan->tcp->tok)
13659 			return -EINVAL;
13660 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13661 			return -EINVAL;
13662 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13663 			return -EINVAL;
13664 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13665 			return -EINVAL;
13666 		if (tok->offset + tok->len > data_size)
13667 			return -EINVAL;
13668 	}
13669 
13670 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13671 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13672 		if (!rdev->wiphy.wowlan->tcp->seq)
13673 			return -EINVAL;
13674 		if (seq->len == 0 || seq->len > 4)
13675 			return -EINVAL;
13676 		if (seq->len + seq->offset > data_size)
13677 			return -EINVAL;
13678 	}
13679 
13680 	size = sizeof(*cfg);
13681 	size += data_size;
13682 	size += wake_size + wake_mask_size;
13683 	size += tokens_size;
13684 
13685 	cfg = kzalloc(size, GFP_KERNEL);
13686 	if (!cfg)
13687 		return -ENOMEM;
13688 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13689 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13690 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13691 	       ETH_ALEN);
13692 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
13693 #ifdef CONFIG_INET
13694 	/* allocate a socket and port for it and use it */
13695 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13696 			    IPPROTO_TCP, &cfg->sock, 1);
13697 	if (err) {
13698 		kfree(cfg);
13699 		return err;
13700 	}
13701 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13702 		sock_release(cfg->sock);
13703 		kfree(cfg);
13704 		return -EADDRINUSE;
13705 	}
13706 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13707 #else
13708 	if (!port) {
13709 		kfree(cfg);
13710 		return -EINVAL;
13711 	}
13712 	cfg->src_port = port;
13713 #endif
13714 
13715 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13716 	cfg->payload_len = data_size;
13717 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13718 	memcpy((void *)cfg->payload,
13719 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13720 	       data_size);
13721 	if (seq)
13722 		cfg->payload_seq = *seq;
13723 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13724 	cfg->wake_len = wake_size;
13725 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13726 	memcpy((void *)cfg->wake_data,
13727 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13728 	       wake_size);
13729 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13730 			 data_size + wake_size;
13731 	memcpy((void *)cfg->wake_mask,
13732 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13733 	       wake_mask_size);
13734 	if (tok) {
13735 		cfg->tokens_size = tokens_size;
13736 		cfg->payload_tok = *tok;
13737 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13738 		       tokens_size);
13739 	}
13740 
13741 	trig->tcp = cfg;
13742 
13743 	return 0;
13744 }
13745 
13746 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13747 				   const struct wiphy_wowlan_support *wowlan,
13748 				   struct nlattr *attr,
13749 				   struct cfg80211_wowlan *trig)
13750 {
13751 	struct nlattr **tb;
13752 	int err;
13753 
13754 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13755 	if (!tb)
13756 		return -ENOMEM;
13757 
13758 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13759 		err = -EOPNOTSUPP;
13760 		goto out;
13761 	}
13762 
13763 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13764 					  nl80211_policy, NULL);
13765 	if (err)
13766 		goto out;
13767 
13768 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13769 						   wowlan->max_nd_match_sets);
13770 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13771 	if (err)
13772 		trig->nd_config = NULL;
13773 
13774 out:
13775 	kfree(tb);
13776 	return err;
13777 }
13778 
13779 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13780 {
13781 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13782 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13783 	struct cfg80211_wowlan new_triggers = {};
13784 	struct cfg80211_wowlan *ntrig;
13785 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13786 	int err, i;
13787 	bool prev_enabled = rdev->wiphy.wowlan_config;
13788 	bool regular = false;
13789 
13790 	if (!wowlan)
13791 		return -EOPNOTSUPP;
13792 
13793 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13794 		cfg80211_rdev_free_wowlan(rdev);
13795 		rdev->wiphy.wowlan_config = NULL;
13796 		goto set_wakeup;
13797 	}
13798 
13799 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13800 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13801 					  nl80211_wowlan_policy, info->extack);
13802 	if (err)
13803 		return err;
13804 
13805 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13806 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13807 			return -EINVAL;
13808 		new_triggers.any = true;
13809 	}
13810 
13811 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13812 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13813 			return -EINVAL;
13814 		new_triggers.disconnect = true;
13815 		regular = true;
13816 	}
13817 
13818 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13819 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13820 			return -EINVAL;
13821 		new_triggers.magic_pkt = true;
13822 		regular = true;
13823 	}
13824 
13825 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13826 		return -EINVAL;
13827 
13828 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13829 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13830 			return -EINVAL;
13831 		new_triggers.gtk_rekey_failure = true;
13832 		regular = true;
13833 	}
13834 
13835 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13836 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13837 			return -EINVAL;
13838 		new_triggers.eap_identity_req = true;
13839 		regular = true;
13840 	}
13841 
13842 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13843 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13844 			return -EINVAL;
13845 		new_triggers.four_way_handshake = true;
13846 		regular = true;
13847 	}
13848 
13849 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13850 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13851 			return -EINVAL;
13852 		new_triggers.rfkill_release = true;
13853 		regular = true;
13854 	}
13855 
13856 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13857 		struct nlattr *pat;
13858 		int n_patterns = 0;
13859 		int rem, pat_len, mask_len, pkt_offset;
13860 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13861 
13862 		regular = true;
13863 
13864 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13865 				    rem)
13866 			n_patterns++;
13867 		if (n_patterns > wowlan->n_patterns)
13868 			return -EINVAL;
13869 
13870 		new_triggers.patterns = kcalloc(n_patterns,
13871 						sizeof(new_triggers.patterns[0]),
13872 						GFP_KERNEL);
13873 		if (!new_triggers.patterns)
13874 			return -ENOMEM;
13875 
13876 		new_triggers.n_patterns = n_patterns;
13877 		i = 0;
13878 
13879 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13880 				    rem) {
13881 			u8 *mask_pat;
13882 
13883 			err = nla_parse_nested_deprecated(pat_tb,
13884 							  MAX_NL80211_PKTPAT,
13885 							  pat,
13886 							  nl80211_packet_pattern_policy,
13887 							  info->extack);
13888 			if (err)
13889 				goto error;
13890 
13891 			err = -EINVAL;
13892 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13893 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13894 				goto error;
13895 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13896 			mask_len = DIV_ROUND_UP(pat_len, 8);
13897 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13898 				goto error;
13899 			if (pat_len > wowlan->pattern_max_len ||
13900 			    pat_len < wowlan->pattern_min_len)
13901 				goto error;
13902 
13903 			pkt_offset =
13904 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
13905 						    0);
13906 			if (pkt_offset > wowlan->max_pkt_offset)
13907 				goto error;
13908 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13909 
13910 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13911 			if (!mask_pat) {
13912 				err = -ENOMEM;
13913 				goto error;
13914 			}
13915 			new_triggers.patterns[i].mask = mask_pat;
13916 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13917 			       mask_len);
13918 			mask_pat += mask_len;
13919 			new_triggers.patterns[i].pattern = mask_pat;
13920 			new_triggers.patterns[i].pattern_len = pat_len;
13921 			memcpy(mask_pat,
13922 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13923 			       pat_len);
13924 			i++;
13925 		}
13926 	}
13927 
13928 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13929 		regular = true;
13930 		err = nl80211_parse_wowlan_tcp(
13931 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13932 			&new_triggers);
13933 		if (err)
13934 			goto error;
13935 	}
13936 
13937 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13938 		regular = true;
13939 		err = nl80211_parse_wowlan_nd(
13940 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13941 			&new_triggers);
13942 		if (err)
13943 			goto error;
13944 	}
13945 
13946 	/* The 'any' trigger means the device continues operating more or less
13947 	 * as in its normal operation mode and wakes up the host on most of the
13948 	 * normal interrupts (like packet RX, ...)
13949 	 * It therefore makes little sense to combine with the more constrained
13950 	 * wakeup trigger modes.
13951 	 */
13952 	if (new_triggers.any && regular) {
13953 		err = -EINVAL;
13954 		goto error;
13955 	}
13956 
13957 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13958 	if (!ntrig) {
13959 		err = -ENOMEM;
13960 		goto error;
13961 	}
13962 	cfg80211_rdev_free_wowlan(rdev);
13963 	rdev->wiphy.wowlan_config = ntrig;
13964 
13965  set_wakeup:
13966 	if (rdev->ops->set_wakeup &&
13967 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13968 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13969 
13970 	return 0;
13971  error:
13972 	for (i = 0; i < new_triggers.n_patterns; i++)
13973 		kfree(new_triggers.patterns[i].mask);
13974 	kfree(new_triggers.patterns);
13975 	if (new_triggers.tcp && new_triggers.tcp->sock)
13976 		sock_release(new_triggers.tcp->sock);
13977 	kfree(new_triggers.tcp);
13978 	kfree(new_triggers.nd_config);
13979 	return err;
13980 }
13981 #endif
13982 
13983 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13984 				       struct cfg80211_registered_device *rdev)
13985 {
13986 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13987 	int i, j, pat_len;
13988 	struct cfg80211_coalesce_rules *rule;
13989 
13990 	if (!rdev->coalesce->n_rules)
13991 		return 0;
13992 
13993 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13994 	if (!nl_rules)
13995 		return -ENOBUFS;
13996 
13997 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13998 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13999 		if (!nl_rule)
14000 			return -ENOBUFS;
14001 
14002 		rule = &rdev->coalesce->rules[i];
14003 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
14004 				rule->delay))
14005 			return -ENOBUFS;
14006 
14007 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
14008 				rule->condition))
14009 			return -ENOBUFS;
14010 
14011 		nl_pats = nla_nest_start_noflag(msg,
14012 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
14013 		if (!nl_pats)
14014 			return -ENOBUFS;
14015 
14016 		for (j = 0; j < rule->n_patterns; j++) {
14017 			nl_pat = nla_nest_start_noflag(msg, j + 1);
14018 			if (!nl_pat)
14019 				return -ENOBUFS;
14020 			pat_len = rule->patterns[j].pattern_len;
14021 			if (nla_put(msg, NL80211_PKTPAT_MASK,
14022 				    DIV_ROUND_UP(pat_len, 8),
14023 				    rule->patterns[j].mask) ||
14024 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14025 				    rule->patterns[j].pattern) ||
14026 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14027 					rule->patterns[j].pkt_offset))
14028 				return -ENOBUFS;
14029 			nla_nest_end(msg, nl_pat);
14030 		}
14031 		nla_nest_end(msg, nl_pats);
14032 		nla_nest_end(msg, nl_rule);
14033 	}
14034 	nla_nest_end(msg, nl_rules);
14035 
14036 	return 0;
14037 }
14038 
14039 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
14040 {
14041 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14042 	struct sk_buff *msg;
14043 	void *hdr;
14044 
14045 	if (!rdev->wiphy.coalesce)
14046 		return -EOPNOTSUPP;
14047 
14048 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14049 	if (!msg)
14050 		return -ENOMEM;
14051 
14052 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14053 			     NL80211_CMD_GET_COALESCE);
14054 	if (!hdr)
14055 		goto nla_put_failure;
14056 
14057 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14058 		goto nla_put_failure;
14059 
14060 	genlmsg_end(msg, hdr);
14061 	return genlmsg_reply(msg, info);
14062 
14063 nla_put_failure:
14064 	nlmsg_free(msg);
14065 	return -ENOBUFS;
14066 }
14067 
14068 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14069 {
14070 	int i, j;
14071 	struct cfg80211_coalesce_rules *rule;
14072 
14073 	if (!coalesce)
14074 		return;
14075 
14076 	for (i = 0; i < coalesce->n_rules; i++) {
14077 		rule = &coalesce->rules[i];
14078 		for (j = 0; j < rule->n_patterns; j++)
14079 			kfree(rule->patterns[j].mask);
14080 		kfree(rule->patterns);
14081 	}
14082 	kfree(coalesce);
14083 }
14084 
14085 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14086 				       struct nlattr *rule,
14087 				       struct cfg80211_coalesce_rules *new_rule)
14088 {
14089 	int err, i;
14090 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14091 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14092 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14093 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14094 
14095 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14096 					  rule, nl80211_coalesce_policy, NULL);
14097 	if (err)
14098 		return err;
14099 
14100 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14101 		new_rule->delay =
14102 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14103 	if (new_rule->delay > coalesce->max_delay)
14104 		return -EINVAL;
14105 
14106 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14107 		new_rule->condition =
14108 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14109 
14110 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14111 		return -EINVAL;
14112 
14113 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14114 			    rem)
14115 		n_patterns++;
14116 	if (n_patterns > coalesce->n_patterns)
14117 		return -EINVAL;
14118 
14119 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14120 				     GFP_KERNEL);
14121 	if (!new_rule->patterns)
14122 		return -ENOMEM;
14123 
14124 	new_rule->n_patterns = n_patterns;
14125 	i = 0;
14126 
14127 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14128 			    rem) {
14129 		u8 *mask_pat;
14130 
14131 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14132 						  pat,
14133 						  nl80211_packet_pattern_policy,
14134 						  NULL);
14135 		if (err)
14136 			return err;
14137 
14138 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14139 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14140 			return -EINVAL;
14141 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14142 		mask_len = DIV_ROUND_UP(pat_len, 8);
14143 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14144 			return -EINVAL;
14145 		if (pat_len > coalesce->pattern_max_len ||
14146 		    pat_len < coalesce->pattern_min_len)
14147 			return -EINVAL;
14148 
14149 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
14150 						 0);
14151 		if (pkt_offset > coalesce->max_pkt_offset)
14152 			return -EINVAL;
14153 		new_rule->patterns[i].pkt_offset = pkt_offset;
14154 
14155 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14156 		if (!mask_pat)
14157 			return -ENOMEM;
14158 
14159 		new_rule->patterns[i].mask = mask_pat;
14160 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14161 		       mask_len);
14162 
14163 		mask_pat += mask_len;
14164 		new_rule->patterns[i].pattern = mask_pat;
14165 		new_rule->patterns[i].pattern_len = pat_len;
14166 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14167 		       pat_len);
14168 		i++;
14169 	}
14170 
14171 	return 0;
14172 }
14173 
14174 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14175 {
14176 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14177 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14178 	struct cfg80211_coalesce *new_coalesce;
14179 	int err, rem_rule, n_rules = 0, i;
14180 	struct nlattr *rule;
14181 
14182 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14183 		return -EOPNOTSUPP;
14184 
14185 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14186 		cfg80211_free_coalesce(rdev->coalesce);
14187 		rdev->coalesce = NULL;
14188 		rdev_set_coalesce(rdev, NULL);
14189 		return 0;
14190 	}
14191 
14192 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14193 			    rem_rule)
14194 		n_rules++;
14195 	if (n_rules > coalesce->n_rules)
14196 		return -EINVAL;
14197 
14198 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14199 			       GFP_KERNEL);
14200 	if (!new_coalesce)
14201 		return -ENOMEM;
14202 
14203 	new_coalesce->n_rules = n_rules;
14204 	i = 0;
14205 
14206 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14207 			    rem_rule) {
14208 		err = nl80211_parse_coalesce_rule(rdev, rule,
14209 						  &new_coalesce->rules[i]);
14210 		if (err)
14211 			goto error;
14212 
14213 		i++;
14214 	}
14215 
14216 	err = rdev_set_coalesce(rdev, new_coalesce);
14217 	if (err)
14218 		goto error;
14219 
14220 	cfg80211_free_coalesce(rdev->coalesce);
14221 	rdev->coalesce = new_coalesce;
14222 
14223 	return 0;
14224 error:
14225 	cfg80211_free_coalesce(new_coalesce);
14226 
14227 	return err;
14228 }
14229 
14230 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14231 {
14232 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14233 	struct net_device *dev = info->user_ptr[1];
14234 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14235 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14236 	struct cfg80211_gtk_rekey_data rekey_data = {};
14237 	int err;
14238 
14239 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14240 		return -EINVAL;
14241 
14242 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14243 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14244 					  nl80211_rekey_policy, info->extack);
14245 	if (err)
14246 		return err;
14247 
14248 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14249 	    !tb[NL80211_REKEY_DATA_KCK])
14250 		return -EINVAL;
14251 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14252 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14253 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14254 		return -ERANGE;
14255 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14256 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14257 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14258 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14259 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14260 		return -ERANGE;
14261 
14262 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14263 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14264 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14265 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14266 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14267 	if (tb[NL80211_REKEY_DATA_AKM])
14268 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14269 
14270 	if (!wdev->connected)
14271 		return -ENOTCONN;
14272 
14273 	if (!rdev->ops->set_rekey_data)
14274 		return -EOPNOTSUPP;
14275 
14276 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14277 }
14278 
14279 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14280 					     struct genl_info *info)
14281 {
14282 	struct net_device *dev = info->user_ptr[1];
14283 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14284 
14285 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14286 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14287 		return -EINVAL;
14288 
14289 	if (wdev->ap_unexpected_nlportid)
14290 		return -EBUSY;
14291 
14292 	wdev->ap_unexpected_nlportid = info->snd_portid;
14293 	return 0;
14294 }
14295 
14296 static int nl80211_probe_client(struct sk_buff *skb,
14297 				struct genl_info *info)
14298 {
14299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14300 	struct net_device *dev = info->user_ptr[1];
14301 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14302 	struct sk_buff *msg;
14303 	void *hdr;
14304 	const u8 *addr;
14305 	u64 cookie;
14306 	int err;
14307 
14308 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14309 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14310 		return -EOPNOTSUPP;
14311 
14312 	if (!info->attrs[NL80211_ATTR_MAC])
14313 		return -EINVAL;
14314 
14315 	if (!rdev->ops->probe_client)
14316 		return -EOPNOTSUPP;
14317 
14318 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14319 	if (!msg)
14320 		return -ENOMEM;
14321 
14322 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14323 			     NL80211_CMD_PROBE_CLIENT);
14324 	if (!hdr) {
14325 		err = -ENOBUFS;
14326 		goto free_msg;
14327 	}
14328 
14329 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14330 
14331 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14332 	if (err)
14333 		goto free_msg;
14334 
14335 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14336 			      NL80211_ATTR_PAD))
14337 		goto nla_put_failure;
14338 
14339 	genlmsg_end(msg, hdr);
14340 
14341 	return genlmsg_reply(msg, info);
14342 
14343  nla_put_failure:
14344 	err = -ENOBUFS;
14345  free_msg:
14346 	nlmsg_free(msg);
14347 	return err;
14348 }
14349 
14350 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14351 {
14352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14353 	struct cfg80211_beacon_registration *reg, *nreg;
14354 	int rv;
14355 
14356 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14357 		return -EOPNOTSUPP;
14358 
14359 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14360 	if (!nreg)
14361 		return -ENOMEM;
14362 
14363 	/* First, check if already registered. */
14364 	spin_lock_bh(&rdev->beacon_registrations_lock);
14365 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14366 		if (reg->nlportid == info->snd_portid) {
14367 			rv = -EALREADY;
14368 			goto out_err;
14369 		}
14370 	}
14371 	/* Add it to the list */
14372 	nreg->nlportid = info->snd_portid;
14373 	list_add(&nreg->list, &rdev->beacon_registrations);
14374 
14375 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14376 
14377 	return 0;
14378 out_err:
14379 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14380 	kfree(nreg);
14381 	return rv;
14382 }
14383 
14384 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14385 {
14386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14387 	struct wireless_dev *wdev = info->user_ptr[1];
14388 	int err;
14389 
14390 	if (!rdev->ops->start_p2p_device)
14391 		return -EOPNOTSUPP;
14392 
14393 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14394 		return -EOPNOTSUPP;
14395 
14396 	if (wdev_running(wdev))
14397 		return 0;
14398 
14399 	if (rfkill_blocked(rdev->wiphy.rfkill))
14400 		return -ERFKILL;
14401 
14402 	err = rdev_start_p2p_device(rdev, wdev);
14403 	if (err)
14404 		return err;
14405 
14406 	wdev->is_running = true;
14407 	rdev->opencount++;
14408 
14409 	return 0;
14410 }
14411 
14412 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14413 {
14414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14415 	struct wireless_dev *wdev = info->user_ptr[1];
14416 
14417 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14418 		return -EOPNOTSUPP;
14419 
14420 	if (!rdev->ops->stop_p2p_device)
14421 		return -EOPNOTSUPP;
14422 
14423 	cfg80211_stop_p2p_device(rdev, wdev);
14424 
14425 	return 0;
14426 }
14427 
14428 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14429 {
14430 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14431 	struct wireless_dev *wdev = info->user_ptr[1];
14432 	struct cfg80211_nan_conf conf = {};
14433 	int err;
14434 
14435 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14436 		return -EOPNOTSUPP;
14437 
14438 	if (wdev_running(wdev))
14439 		return -EEXIST;
14440 
14441 	if (rfkill_blocked(rdev->wiphy.rfkill))
14442 		return -ERFKILL;
14443 
14444 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14445 		return -EINVAL;
14446 
14447 	conf.master_pref =
14448 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14449 
14450 	if (info->attrs[NL80211_ATTR_BANDS]) {
14451 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14452 
14453 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14454 			return -EOPNOTSUPP;
14455 
14456 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14457 			return -EINVAL;
14458 
14459 		conf.bands = bands;
14460 	}
14461 
14462 	err = rdev_start_nan(rdev, wdev, &conf);
14463 	if (err)
14464 		return err;
14465 
14466 	wdev->is_running = true;
14467 	rdev->opencount++;
14468 
14469 	return 0;
14470 }
14471 
14472 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14473 {
14474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14475 	struct wireless_dev *wdev = info->user_ptr[1];
14476 
14477 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14478 		return -EOPNOTSUPP;
14479 
14480 	cfg80211_stop_nan(rdev, wdev);
14481 
14482 	return 0;
14483 }
14484 
14485 static int validate_nan_filter(struct nlattr *filter_attr)
14486 {
14487 	struct nlattr *attr;
14488 	int len = 0, n_entries = 0, rem;
14489 
14490 	nla_for_each_nested(attr, filter_attr, rem) {
14491 		len += nla_len(attr);
14492 		n_entries++;
14493 	}
14494 
14495 	if (len >= U8_MAX)
14496 		return -EINVAL;
14497 
14498 	return n_entries;
14499 }
14500 
14501 static int handle_nan_filter(struct nlattr *attr_filter,
14502 			     struct cfg80211_nan_func *func,
14503 			     bool tx)
14504 {
14505 	struct nlattr *attr;
14506 	int n_entries, rem, i;
14507 	struct cfg80211_nan_func_filter *filter;
14508 
14509 	n_entries = validate_nan_filter(attr_filter);
14510 	if (n_entries < 0)
14511 		return n_entries;
14512 
14513 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14514 
14515 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14516 	if (!filter)
14517 		return -ENOMEM;
14518 
14519 	i = 0;
14520 	nla_for_each_nested(attr, attr_filter, rem) {
14521 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14522 		if (!filter[i].filter)
14523 			goto err;
14524 
14525 		filter[i].len = nla_len(attr);
14526 		i++;
14527 	}
14528 	if (tx) {
14529 		func->num_tx_filters = n_entries;
14530 		func->tx_filters = filter;
14531 	} else {
14532 		func->num_rx_filters = n_entries;
14533 		func->rx_filters = filter;
14534 	}
14535 
14536 	return 0;
14537 
14538 err:
14539 	i = 0;
14540 	nla_for_each_nested(attr, attr_filter, rem) {
14541 		kfree(filter[i].filter);
14542 		i++;
14543 	}
14544 	kfree(filter);
14545 	return -ENOMEM;
14546 }
14547 
14548 static int nl80211_nan_add_func(struct sk_buff *skb,
14549 				struct genl_info *info)
14550 {
14551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14552 	struct wireless_dev *wdev = info->user_ptr[1];
14553 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14554 	struct cfg80211_nan_func *func;
14555 	struct sk_buff *msg = NULL;
14556 	void *hdr = NULL;
14557 	int err = 0;
14558 
14559 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14560 		return -EOPNOTSUPP;
14561 
14562 	if (!wdev_running(wdev))
14563 		return -ENOTCONN;
14564 
14565 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14566 		return -EINVAL;
14567 
14568 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14569 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14570 					  nl80211_nan_func_policy,
14571 					  info->extack);
14572 	if (err)
14573 		return err;
14574 
14575 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14576 	if (!func)
14577 		return -ENOMEM;
14578 
14579 	func->cookie = cfg80211_assign_cookie(rdev);
14580 
14581 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14582 		err = -EINVAL;
14583 		goto out;
14584 	}
14585 
14586 
14587 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14588 
14589 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14590 		err = -EINVAL;
14591 		goto out;
14592 	}
14593 
14594 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14595 	       sizeof(func->service_id));
14596 
14597 	func->close_range =
14598 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14599 
14600 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14601 		func->serv_spec_info_len =
14602 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14603 		func->serv_spec_info =
14604 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14605 				func->serv_spec_info_len,
14606 				GFP_KERNEL);
14607 		if (!func->serv_spec_info) {
14608 			err = -ENOMEM;
14609 			goto out;
14610 		}
14611 	}
14612 
14613 	if (tb[NL80211_NAN_FUNC_TTL])
14614 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14615 
14616 	switch (func->type) {
14617 	case NL80211_NAN_FUNC_PUBLISH:
14618 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14619 			err = -EINVAL;
14620 			goto out;
14621 		}
14622 
14623 		func->publish_type =
14624 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14625 		func->publish_bcast =
14626 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14627 
14628 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14629 			func->publish_bcast) {
14630 			err = -EINVAL;
14631 			goto out;
14632 		}
14633 		break;
14634 	case NL80211_NAN_FUNC_SUBSCRIBE:
14635 		func->subscribe_active =
14636 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14637 		break;
14638 	case NL80211_NAN_FUNC_FOLLOW_UP:
14639 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14640 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14641 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14642 			err = -EINVAL;
14643 			goto out;
14644 		}
14645 
14646 		func->followup_id =
14647 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14648 		func->followup_reqid =
14649 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14650 		memcpy(func->followup_dest.addr,
14651 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14652 		       sizeof(func->followup_dest.addr));
14653 		if (func->ttl) {
14654 			err = -EINVAL;
14655 			goto out;
14656 		}
14657 		break;
14658 	default:
14659 		err = -EINVAL;
14660 		goto out;
14661 	}
14662 
14663 	if (tb[NL80211_NAN_FUNC_SRF]) {
14664 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14665 
14666 		err = nla_parse_nested_deprecated(srf_tb,
14667 						  NL80211_NAN_SRF_ATTR_MAX,
14668 						  tb[NL80211_NAN_FUNC_SRF],
14669 						  nl80211_nan_srf_policy,
14670 						  info->extack);
14671 		if (err)
14672 			goto out;
14673 
14674 		func->srf_include =
14675 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14676 
14677 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14678 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14679 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14680 				err = -EINVAL;
14681 				goto out;
14682 			}
14683 
14684 			func->srf_bf_len =
14685 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14686 			func->srf_bf =
14687 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14688 					func->srf_bf_len, GFP_KERNEL);
14689 			if (!func->srf_bf) {
14690 				err = -ENOMEM;
14691 				goto out;
14692 			}
14693 
14694 			func->srf_bf_idx =
14695 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14696 		} else {
14697 			struct nlattr *attr, *mac_attr =
14698 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14699 			int n_entries, rem, i = 0;
14700 
14701 			if (!mac_attr) {
14702 				err = -EINVAL;
14703 				goto out;
14704 			}
14705 
14706 			n_entries = validate_acl_mac_addrs(mac_attr);
14707 			if (n_entries <= 0) {
14708 				err = -EINVAL;
14709 				goto out;
14710 			}
14711 
14712 			func->srf_num_macs = n_entries;
14713 			func->srf_macs =
14714 				kcalloc(n_entries, sizeof(*func->srf_macs),
14715 					GFP_KERNEL);
14716 			if (!func->srf_macs) {
14717 				err = -ENOMEM;
14718 				goto out;
14719 			}
14720 
14721 			nla_for_each_nested(attr, mac_attr, rem)
14722 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14723 				       sizeof(*func->srf_macs));
14724 		}
14725 	}
14726 
14727 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14728 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14729 					func, true);
14730 		if (err)
14731 			goto out;
14732 	}
14733 
14734 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14735 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14736 					func, false);
14737 		if (err)
14738 			goto out;
14739 	}
14740 
14741 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14742 	if (!msg) {
14743 		err = -ENOMEM;
14744 		goto out;
14745 	}
14746 
14747 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14748 			     NL80211_CMD_ADD_NAN_FUNCTION);
14749 	/* This can't really happen - we just allocated 4KB */
14750 	if (WARN_ON(!hdr)) {
14751 		err = -ENOMEM;
14752 		goto out;
14753 	}
14754 
14755 	err = rdev_add_nan_func(rdev, wdev, func);
14756 out:
14757 	if (err < 0) {
14758 		cfg80211_free_nan_func(func);
14759 		nlmsg_free(msg);
14760 		return err;
14761 	}
14762 
14763 	/* propagate the instance id and cookie to userspace  */
14764 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14765 			      NL80211_ATTR_PAD))
14766 		goto nla_put_failure;
14767 
14768 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14769 	if (!func_attr)
14770 		goto nla_put_failure;
14771 
14772 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14773 		       func->instance_id))
14774 		goto nla_put_failure;
14775 
14776 	nla_nest_end(msg, func_attr);
14777 
14778 	genlmsg_end(msg, hdr);
14779 	return genlmsg_reply(msg, info);
14780 
14781 nla_put_failure:
14782 	nlmsg_free(msg);
14783 	return -ENOBUFS;
14784 }
14785 
14786 static int nl80211_nan_del_func(struct sk_buff *skb,
14787 			       struct genl_info *info)
14788 {
14789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14790 	struct wireless_dev *wdev = info->user_ptr[1];
14791 	u64 cookie;
14792 
14793 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14794 		return -EOPNOTSUPP;
14795 
14796 	if (!wdev_running(wdev))
14797 		return -ENOTCONN;
14798 
14799 	if (!info->attrs[NL80211_ATTR_COOKIE])
14800 		return -EINVAL;
14801 
14802 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14803 
14804 	rdev_del_nan_func(rdev, wdev, cookie);
14805 
14806 	return 0;
14807 }
14808 
14809 static int nl80211_nan_change_config(struct sk_buff *skb,
14810 				     struct genl_info *info)
14811 {
14812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14813 	struct wireless_dev *wdev = info->user_ptr[1];
14814 	struct cfg80211_nan_conf conf = {};
14815 	u32 changed = 0;
14816 
14817 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14818 		return -EOPNOTSUPP;
14819 
14820 	if (!wdev_running(wdev))
14821 		return -ENOTCONN;
14822 
14823 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14824 		conf.master_pref =
14825 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14826 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14827 			return -EINVAL;
14828 
14829 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14830 	}
14831 
14832 	if (info->attrs[NL80211_ATTR_BANDS]) {
14833 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14834 
14835 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14836 			return -EOPNOTSUPP;
14837 
14838 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14839 			return -EINVAL;
14840 
14841 		conf.bands = bands;
14842 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14843 	}
14844 
14845 	if (!changed)
14846 		return -EINVAL;
14847 
14848 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14849 }
14850 
14851 void cfg80211_nan_match(struct wireless_dev *wdev,
14852 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14853 {
14854 	struct wiphy *wiphy = wdev->wiphy;
14855 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14856 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14857 	struct sk_buff *msg;
14858 	void *hdr;
14859 
14860 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14861 		return;
14862 
14863 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14864 	if (!msg)
14865 		return;
14866 
14867 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14868 	if (!hdr) {
14869 		nlmsg_free(msg);
14870 		return;
14871 	}
14872 
14873 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14874 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14875 					 wdev->netdev->ifindex)) ||
14876 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14877 			      NL80211_ATTR_PAD))
14878 		goto nla_put_failure;
14879 
14880 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14881 			      NL80211_ATTR_PAD) ||
14882 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14883 		goto nla_put_failure;
14884 
14885 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14886 	if (!match_attr)
14887 		goto nla_put_failure;
14888 
14889 	local_func_attr = nla_nest_start_noflag(msg,
14890 						NL80211_NAN_MATCH_FUNC_LOCAL);
14891 	if (!local_func_attr)
14892 		goto nla_put_failure;
14893 
14894 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14895 		goto nla_put_failure;
14896 
14897 	nla_nest_end(msg, local_func_attr);
14898 
14899 	peer_func_attr = nla_nest_start_noflag(msg,
14900 					       NL80211_NAN_MATCH_FUNC_PEER);
14901 	if (!peer_func_attr)
14902 		goto nla_put_failure;
14903 
14904 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14905 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14906 		goto nla_put_failure;
14907 
14908 	if (match->info && match->info_len &&
14909 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14910 		    match->info))
14911 		goto nla_put_failure;
14912 
14913 	nla_nest_end(msg, peer_func_attr);
14914 	nla_nest_end(msg, match_attr);
14915 	genlmsg_end(msg, hdr);
14916 
14917 	if (!wdev->owner_nlportid)
14918 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14919 					msg, 0, NL80211_MCGRP_NAN, gfp);
14920 	else
14921 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14922 				wdev->owner_nlportid);
14923 
14924 	return;
14925 
14926 nla_put_failure:
14927 	nlmsg_free(msg);
14928 }
14929 EXPORT_SYMBOL(cfg80211_nan_match);
14930 
14931 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14932 				  u8 inst_id,
14933 				  enum nl80211_nan_func_term_reason reason,
14934 				  u64 cookie, gfp_t gfp)
14935 {
14936 	struct wiphy *wiphy = wdev->wiphy;
14937 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14938 	struct sk_buff *msg;
14939 	struct nlattr *func_attr;
14940 	void *hdr;
14941 
14942 	if (WARN_ON(!inst_id))
14943 		return;
14944 
14945 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14946 	if (!msg)
14947 		return;
14948 
14949 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14950 	if (!hdr) {
14951 		nlmsg_free(msg);
14952 		return;
14953 	}
14954 
14955 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14956 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14957 					 wdev->netdev->ifindex)) ||
14958 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14959 			      NL80211_ATTR_PAD))
14960 		goto nla_put_failure;
14961 
14962 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14963 			      NL80211_ATTR_PAD))
14964 		goto nla_put_failure;
14965 
14966 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14967 	if (!func_attr)
14968 		goto nla_put_failure;
14969 
14970 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14971 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14972 		goto nla_put_failure;
14973 
14974 	nla_nest_end(msg, func_attr);
14975 	genlmsg_end(msg, hdr);
14976 
14977 	if (!wdev->owner_nlportid)
14978 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14979 					msg, 0, NL80211_MCGRP_NAN, gfp);
14980 	else
14981 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14982 				wdev->owner_nlportid);
14983 
14984 	return;
14985 
14986 nla_put_failure:
14987 	nlmsg_free(msg);
14988 }
14989 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14990 
14991 static int nl80211_get_protocol_features(struct sk_buff *skb,
14992 					 struct genl_info *info)
14993 {
14994 	void *hdr;
14995 	struct sk_buff *msg;
14996 
14997 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14998 	if (!msg)
14999 		return -ENOMEM;
15000 
15001 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15002 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
15003 	if (!hdr)
15004 		goto nla_put_failure;
15005 
15006 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
15007 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
15008 		goto nla_put_failure;
15009 
15010 	genlmsg_end(msg, hdr);
15011 	return genlmsg_reply(msg, info);
15012 
15013  nla_put_failure:
15014 	kfree_skb(msg);
15015 	return -ENOBUFS;
15016 }
15017 
15018 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
15019 {
15020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15021 	struct cfg80211_update_ft_ies_params ft_params;
15022 	struct net_device *dev = info->user_ptr[1];
15023 
15024 	if (!rdev->ops->update_ft_ies)
15025 		return -EOPNOTSUPP;
15026 
15027 	if (!info->attrs[NL80211_ATTR_MDID] ||
15028 	    !info->attrs[NL80211_ATTR_IE])
15029 		return -EINVAL;
15030 
15031 	memset(&ft_params, 0, sizeof(ft_params));
15032 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
15033 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15034 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15035 
15036 	return rdev_update_ft_ies(rdev, dev, &ft_params);
15037 }
15038 
15039 static int nl80211_crit_protocol_start(struct sk_buff *skb,
15040 				       struct genl_info *info)
15041 {
15042 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15043 	struct wireless_dev *wdev = info->user_ptr[1];
15044 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15045 	u16 duration;
15046 	int ret;
15047 
15048 	if (!rdev->ops->crit_proto_start)
15049 		return -EOPNOTSUPP;
15050 
15051 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15052 		return -EINVAL;
15053 
15054 	if (rdev->crit_proto_nlportid)
15055 		return -EBUSY;
15056 
15057 	/* determine protocol if provided */
15058 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15059 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15060 
15061 	if (proto >= NUM_NL80211_CRIT_PROTO)
15062 		return -EINVAL;
15063 
15064 	/* timeout must be provided */
15065 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15066 		return -EINVAL;
15067 
15068 	duration =
15069 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15070 
15071 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15072 	if (!ret)
15073 		rdev->crit_proto_nlportid = info->snd_portid;
15074 
15075 	return ret;
15076 }
15077 
15078 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15079 				      struct genl_info *info)
15080 {
15081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15082 	struct wireless_dev *wdev = info->user_ptr[1];
15083 
15084 	if (!rdev->ops->crit_proto_stop)
15085 		return -EOPNOTSUPP;
15086 
15087 	if (rdev->crit_proto_nlportid) {
15088 		rdev->crit_proto_nlportid = 0;
15089 		rdev_crit_proto_stop(rdev, wdev);
15090 	}
15091 	return 0;
15092 }
15093 
15094 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15095 				       struct nlattr *attr,
15096 				       struct netlink_ext_ack *extack)
15097 {
15098 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15099 		if (attr->nla_type & NLA_F_NESTED) {
15100 			NL_SET_ERR_MSG_ATTR(extack, attr,
15101 					    "unexpected nested data");
15102 			return -EINVAL;
15103 		}
15104 
15105 		return 0;
15106 	}
15107 
15108 	if (!(attr->nla_type & NLA_F_NESTED)) {
15109 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15110 		return -EINVAL;
15111 	}
15112 
15113 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15114 }
15115 
15116 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15117 {
15118 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15119 	struct wireless_dev *wdev =
15120 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15121 					   info->attrs);
15122 	int i, err;
15123 	u32 vid, subcmd;
15124 
15125 	if (!rdev->wiphy.vendor_commands)
15126 		return -EOPNOTSUPP;
15127 
15128 	if (IS_ERR(wdev)) {
15129 		err = PTR_ERR(wdev);
15130 		if (err != -EINVAL)
15131 			return err;
15132 		wdev = NULL;
15133 	} else if (wdev->wiphy != &rdev->wiphy) {
15134 		return -EINVAL;
15135 	}
15136 
15137 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15138 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15139 		return -EINVAL;
15140 
15141 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15142 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15143 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15144 		const struct wiphy_vendor_command *vcmd;
15145 		void *data = NULL;
15146 		int len = 0;
15147 
15148 		vcmd = &rdev->wiphy.vendor_commands[i];
15149 
15150 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15151 			continue;
15152 
15153 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15154 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15155 			if (!wdev)
15156 				return -EINVAL;
15157 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15158 			    !wdev->netdev)
15159 				return -EINVAL;
15160 
15161 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15162 				if (!wdev_running(wdev))
15163 					return -ENETDOWN;
15164 			}
15165 		} else {
15166 			wdev = NULL;
15167 		}
15168 
15169 		if (!vcmd->doit)
15170 			return -EOPNOTSUPP;
15171 
15172 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15173 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15174 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15175 
15176 			err = nl80211_vendor_check_policy(vcmd,
15177 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15178 					info->extack);
15179 			if (err)
15180 				return err;
15181 		}
15182 
15183 		rdev->cur_cmd_info = info;
15184 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15185 		rdev->cur_cmd_info = NULL;
15186 		return err;
15187 	}
15188 
15189 	return -EOPNOTSUPP;
15190 }
15191 
15192 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15193 				       struct netlink_callback *cb,
15194 				       struct cfg80211_registered_device **rdev,
15195 				       struct wireless_dev **wdev)
15196 {
15197 	struct nlattr **attrbuf;
15198 	u32 vid, subcmd;
15199 	unsigned int i;
15200 	int vcmd_idx = -1;
15201 	int err;
15202 	void *data = NULL;
15203 	unsigned int data_len = 0;
15204 
15205 	if (cb->args[0]) {
15206 		/* subtract the 1 again here */
15207 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15208 		struct wireless_dev *tmp;
15209 
15210 		if (!wiphy)
15211 			return -ENODEV;
15212 		*rdev = wiphy_to_rdev(wiphy);
15213 		*wdev = NULL;
15214 
15215 		if (cb->args[1]) {
15216 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15217 				if (tmp->identifier == cb->args[1] - 1) {
15218 					*wdev = tmp;
15219 					break;
15220 				}
15221 			}
15222 		}
15223 
15224 		/* keep rtnl locked in successful case */
15225 		return 0;
15226 	}
15227 
15228 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15229 	if (!attrbuf)
15230 		return -ENOMEM;
15231 
15232 	err = nlmsg_parse_deprecated(cb->nlh,
15233 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15234 				     attrbuf, nl80211_fam.maxattr,
15235 				     nl80211_policy, NULL);
15236 	if (err)
15237 		goto out;
15238 
15239 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15240 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15241 		err = -EINVAL;
15242 		goto out;
15243 	}
15244 
15245 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15246 	if (IS_ERR(*wdev))
15247 		*wdev = NULL;
15248 
15249 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15250 	if (IS_ERR(*rdev)) {
15251 		err = PTR_ERR(*rdev);
15252 		goto out;
15253 	}
15254 
15255 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15256 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15257 
15258 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15259 		const struct wiphy_vendor_command *vcmd;
15260 
15261 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15262 
15263 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15264 			continue;
15265 
15266 		if (!vcmd->dumpit) {
15267 			err = -EOPNOTSUPP;
15268 			goto out;
15269 		}
15270 
15271 		vcmd_idx = i;
15272 		break;
15273 	}
15274 
15275 	if (vcmd_idx < 0) {
15276 		err = -EOPNOTSUPP;
15277 		goto out;
15278 	}
15279 
15280 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15281 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15282 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15283 
15284 		err = nl80211_vendor_check_policy(
15285 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15286 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15287 				cb->extack);
15288 		if (err)
15289 			goto out;
15290 	}
15291 
15292 	/* 0 is the first index - add 1 to parse only once */
15293 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15294 	/* add 1 to know if it was NULL */
15295 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15296 	cb->args[2] = vcmd_idx;
15297 	cb->args[3] = (unsigned long)data;
15298 	cb->args[4] = data_len;
15299 
15300 	/* keep rtnl locked in successful case */
15301 	err = 0;
15302 out:
15303 	kfree(attrbuf);
15304 	return err;
15305 }
15306 
15307 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15308 				   struct netlink_callback *cb)
15309 {
15310 	struct cfg80211_registered_device *rdev;
15311 	struct wireless_dev *wdev;
15312 	unsigned int vcmd_idx;
15313 	const struct wiphy_vendor_command *vcmd;
15314 	void *data;
15315 	int data_len;
15316 	int err;
15317 	struct nlattr *vendor_data;
15318 
15319 	rtnl_lock();
15320 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15321 	if (err)
15322 		goto out;
15323 
15324 	vcmd_idx = cb->args[2];
15325 	data = (void *)cb->args[3];
15326 	data_len = cb->args[4];
15327 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15328 
15329 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15330 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15331 		if (!wdev) {
15332 			err = -EINVAL;
15333 			goto out;
15334 		}
15335 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15336 		    !wdev->netdev) {
15337 			err = -EINVAL;
15338 			goto out;
15339 		}
15340 
15341 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15342 			if (!wdev_running(wdev)) {
15343 				err = -ENETDOWN;
15344 				goto out;
15345 			}
15346 		}
15347 	}
15348 
15349 	while (1) {
15350 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15351 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15352 					   NL80211_CMD_VENDOR);
15353 		if (!hdr)
15354 			break;
15355 
15356 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15357 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15358 					       wdev_id(wdev),
15359 					       NL80211_ATTR_PAD))) {
15360 			genlmsg_cancel(skb, hdr);
15361 			break;
15362 		}
15363 
15364 		vendor_data = nla_nest_start_noflag(skb,
15365 						    NL80211_ATTR_VENDOR_DATA);
15366 		if (!vendor_data) {
15367 			genlmsg_cancel(skb, hdr);
15368 			break;
15369 		}
15370 
15371 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15372 				   (unsigned long *)&cb->args[5]);
15373 		nla_nest_end(skb, vendor_data);
15374 
15375 		if (err == -ENOBUFS || err == -ENOENT) {
15376 			genlmsg_cancel(skb, hdr);
15377 			break;
15378 		} else if (err <= 0) {
15379 			genlmsg_cancel(skb, hdr);
15380 			goto out;
15381 		}
15382 
15383 		genlmsg_end(skb, hdr);
15384 	}
15385 
15386 	err = skb->len;
15387  out:
15388 	rtnl_unlock();
15389 	return err;
15390 }
15391 
15392 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15393 					   enum nl80211_commands cmd,
15394 					   enum nl80211_attrs attr,
15395 					   int approxlen)
15396 {
15397 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15398 
15399 	if (WARN_ON(!rdev->cur_cmd_info))
15400 		return NULL;
15401 
15402 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15403 					   rdev->cur_cmd_info->snd_portid,
15404 					   rdev->cur_cmd_info->snd_seq,
15405 					   cmd, attr, NULL, GFP_KERNEL);
15406 }
15407 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15408 
15409 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15410 {
15411 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15412 	void *hdr = ((void **)skb->cb)[1];
15413 	struct nlattr *data = ((void **)skb->cb)[2];
15414 
15415 	/* clear CB data for netlink core to own from now on */
15416 	memset(skb->cb, 0, sizeof(skb->cb));
15417 
15418 	if (WARN_ON(!rdev->cur_cmd_info)) {
15419 		kfree_skb(skb);
15420 		return -EINVAL;
15421 	}
15422 
15423 	nla_nest_end(skb, data);
15424 	genlmsg_end(skb, hdr);
15425 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15426 }
15427 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15428 
15429 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15430 {
15431 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15432 
15433 	if (WARN_ON(!rdev->cur_cmd_info))
15434 		return 0;
15435 
15436 	return rdev->cur_cmd_info->snd_portid;
15437 }
15438 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15439 
15440 static int nl80211_set_qos_map(struct sk_buff *skb,
15441 			       struct genl_info *info)
15442 {
15443 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15444 	struct cfg80211_qos_map *qos_map = NULL;
15445 	struct net_device *dev = info->user_ptr[1];
15446 	u8 *pos, len, num_des, des_len, des;
15447 	int ret;
15448 
15449 	if (!rdev->ops->set_qos_map)
15450 		return -EOPNOTSUPP;
15451 
15452 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15453 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15454 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15455 
15456 		if (len % 2)
15457 			return -EINVAL;
15458 
15459 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15460 		if (!qos_map)
15461 			return -ENOMEM;
15462 
15463 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15464 		if (num_des) {
15465 			des_len = num_des *
15466 				sizeof(struct cfg80211_dscp_exception);
15467 			memcpy(qos_map->dscp_exception, pos, des_len);
15468 			qos_map->num_des = num_des;
15469 			for (des = 0; des < num_des; des++) {
15470 				if (qos_map->dscp_exception[des].up > 7) {
15471 					kfree(qos_map);
15472 					return -EINVAL;
15473 				}
15474 			}
15475 			pos += des_len;
15476 		}
15477 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15478 	}
15479 
15480 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15481 	if (!ret)
15482 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15483 
15484 	kfree(qos_map);
15485 	return ret;
15486 }
15487 
15488 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15489 {
15490 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15491 	struct net_device *dev = info->user_ptr[1];
15492 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15493 	const u8 *peer;
15494 	u8 tsid, up;
15495 	u16 admitted_time = 0;
15496 
15497 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15498 		return -EOPNOTSUPP;
15499 
15500 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15501 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15502 		return -EINVAL;
15503 
15504 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15505 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15506 
15507 	/* WMM uses TIDs 0-7 even for TSPEC */
15508 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15509 		/* TODO: handle 802.11 TSPEC/admission control
15510 		 * need more attributes for that (e.g. BA session requirement);
15511 		 * change the WMM admission test above to allow both then
15512 		 */
15513 		return -EINVAL;
15514 	}
15515 
15516 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15517 
15518 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15519 		admitted_time =
15520 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15521 		if (!admitted_time)
15522 			return -EINVAL;
15523 	}
15524 
15525 	switch (wdev->iftype) {
15526 	case NL80211_IFTYPE_STATION:
15527 	case NL80211_IFTYPE_P2P_CLIENT:
15528 		if (wdev->connected)
15529 			break;
15530 		return -ENOTCONN;
15531 	default:
15532 		return -EOPNOTSUPP;
15533 	}
15534 
15535 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15536 }
15537 
15538 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15539 {
15540 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15541 	struct net_device *dev = info->user_ptr[1];
15542 	const u8 *peer;
15543 	u8 tsid;
15544 
15545 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15546 		return -EINVAL;
15547 
15548 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15549 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15550 
15551 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15552 }
15553 
15554 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15555 				       struct genl_info *info)
15556 {
15557 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15558 	struct net_device *dev = info->user_ptr[1];
15559 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15560 	struct cfg80211_chan_def chandef = {};
15561 	const u8 *addr;
15562 	u8 oper_class;
15563 	int err;
15564 
15565 	if (!rdev->ops->tdls_channel_switch ||
15566 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15567 		return -EOPNOTSUPP;
15568 
15569 	switch (dev->ieee80211_ptr->iftype) {
15570 	case NL80211_IFTYPE_STATION:
15571 	case NL80211_IFTYPE_P2P_CLIENT:
15572 		break;
15573 	default:
15574 		return -EOPNOTSUPP;
15575 	}
15576 
15577 	if (!info->attrs[NL80211_ATTR_MAC] ||
15578 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15579 		return -EINVAL;
15580 
15581 	err = nl80211_parse_chandef(rdev, info, &chandef);
15582 	if (err)
15583 		return err;
15584 
15585 	/*
15586 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15587 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15588 	 * specification is not defined for them.
15589 	 */
15590 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15591 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15592 	    chandef.width != NL80211_CHAN_WIDTH_20)
15593 		return -EINVAL;
15594 
15595 	/* we will be active on the TDLS link */
15596 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15597 					   wdev->iftype))
15598 		return -EINVAL;
15599 
15600 	/* don't allow switching to DFS channels */
15601 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15602 		return -EINVAL;
15603 
15604 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15605 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15606 
15607 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15608 }
15609 
15610 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15611 					      struct genl_info *info)
15612 {
15613 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15614 	struct net_device *dev = info->user_ptr[1];
15615 	const u8 *addr;
15616 
15617 	if (!rdev->ops->tdls_channel_switch ||
15618 	    !rdev->ops->tdls_cancel_channel_switch ||
15619 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15620 		return -EOPNOTSUPP;
15621 
15622 	switch (dev->ieee80211_ptr->iftype) {
15623 	case NL80211_IFTYPE_STATION:
15624 	case NL80211_IFTYPE_P2P_CLIENT:
15625 		break;
15626 	default:
15627 		return -EOPNOTSUPP;
15628 	}
15629 
15630 	if (!info->attrs[NL80211_ATTR_MAC])
15631 		return -EINVAL;
15632 
15633 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15634 
15635 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15636 
15637 	return 0;
15638 }
15639 
15640 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15641 					    struct genl_info *info)
15642 {
15643 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15644 	struct net_device *dev = info->user_ptr[1];
15645 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15646 	const struct nlattr *nla;
15647 	bool enabled;
15648 
15649 	if (!rdev->ops->set_multicast_to_unicast)
15650 		return -EOPNOTSUPP;
15651 
15652 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15653 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15654 		return -EOPNOTSUPP;
15655 
15656 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15657 	enabled = nla_get_flag(nla);
15658 
15659 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15660 }
15661 
15662 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15663 {
15664 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15665 	struct net_device *dev = info->user_ptr[1];
15666 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15667 	struct cfg80211_pmk_conf pmk_conf = {};
15668 
15669 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15670 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15671 		return -EOPNOTSUPP;
15672 
15673 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15674 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15675 		return -EOPNOTSUPP;
15676 
15677 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15678 		return -EINVAL;
15679 
15680 	if (!wdev->connected)
15681 		return -ENOTCONN;
15682 
15683 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15684 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15685 		return -EINVAL;
15686 
15687 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15688 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15689 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15690 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15691 		return -EINVAL;
15692 
15693 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15694 		pmk_conf.pmk_r0_name =
15695 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15696 
15697 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15698 }
15699 
15700 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15701 {
15702 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15703 	struct net_device *dev = info->user_ptr[1];
15704 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15705 	const u8 *aa;
15706 
15707 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15708 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15709 		return -EOPNOTSUPP;
15710 
15711 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15712 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15713 		return -EOPNOTSUPP;
15714 
15715 	if (!info->attrs[NL80211_ATTR_MAC])
15716 		return -EINVAL;
15717 
15718 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15719 	return rdev_del_pmk(rdev, dev, aa);
15720 }
15721 
15722 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15723 {
15724 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15725 	struct net_device *dev = info->user_ptr[1];
15726 	struct cfg80211_external_auth_params params;
15727 
15728 	if (!rdev->ops->external_auth)
15729 		return -EOPNOTSUPP;
15730 
15731 	if (!info->attrs[NL80211_ATTR_SSID] &&
15732 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15733 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15734 		return -EINVAL;
15735 
15736 	if (!info->attrs[NL80211_ATTR_BSSID])
15737 		return -EINVAL;
15738 
15739 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15740 		return -EINVAL;
15741 
15742 	memset(&params, 0, sizeof(params));
15743 
15744 	if (info->attrs[NL80211_ATTR_SSID]) {
15745 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15746 		if (params.ssid.ssid_len == 0)
15747 			return -EINVAL;
15748 		memcpy(params.ssid.ssid,
15749 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15750 		       params.ssid.ssid_len);
15751 	}
15752 
15753 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15754 	       ETH_ALEN);
15755 
15756 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15757 
15758 	if (info->attrs[NL80211_ATTR_PMKID])
15759 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15760 
15761 	return rdev_external_auth(rdev, dev, &params);
15762 }
15763 
15764 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15765 {
15766 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15767 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15768 	struct net_device *dev = info->user_ptr[1];
15769 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15770 	const u8 *buf;
15771 	size_t len;
15772 	u8 *dest;
15773 	u16 proto;
15774 	bool noencrypt;
15775 	u64 cookie = 0;
15776 	int link_id;
15777 	int err;
15778 
15779 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15780 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15781 		return -EOPNOTSUPP;
15782 
15783 	if (!rdev->ops->tx_control_port)
15784 		return -EOPNOTSUPP;
15785 
15786 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15787 	    !info->attrs[NL80211_ATTR_MAC] ||
15788 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15789 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15790 		return -EINVAL;
15791 	}
15792 
15793 	switch (wdev->iftype) {
15794 	case NL80211_IFTYPE_AP:
15795 	case NL80211_IFTYPE_P2P_GO:
15796 	case NL80211_IFTYPE_MESH_POINT:
15797 		break;
15798 	case NL80211_IFTYPE_ADHOC:
15799 		if (wdev->u.ibss.current_bss)
15800 			break;
15801 		return -ENOTCONN;
15802 	case NL80211_IFTYPE_STATION:
15803 	case NL80211_IFTYPE_P2P_CLIENT:
15804 		if (wdev->connected)
15805 			break;
15806 		return -ENOTCONN;
15807 	default:
15808 		return -EOPNOTSUPP;
15809 	}
15810 
15811 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15812 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15813 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15814 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15815 	noencrypt =
15816 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15817 
15818 	link_id = nl80211_link_id_or_invalid(info->attrs);
15819 
15820 	err = rdev_tx_control_port(rdev, dev, buf, len,
15821 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15822 				   dont_wait_for_ack ? NULL : &cookie);
15823 	if (!err && !dont_wait_for_ack)
15824 		nl_set_extack_cookie_u64(info->extack, cookie);
15825 	return err;
15826 }
15827 
15828 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15829 					   struct genl_info *info)
15830 {
15831 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15832 	struct net_device *dev = info->user_ptr[1];
15833 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15834 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15835 	unsigned int link_id = nl80211_link_id(info->attrs);
15836 	struct sk_buff *msg;
15837 	void *hdr;
15838 	struct nlattr *ftm_stats_attr;
15839 	int err;
15840 
15841 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15842 	    !wdev->links[link_id].ap.beacon_interval)
15843 		return -EOPNOTSUPP;
15844 
15845 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15846 	if (err)
15847 		return err;
15848 
15849 	if (!ftm_stats.filled)
15850 		return -ENODATA;
15851 
15852 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15853 	if (!msg)
15854 		return -ENOMEM;
15855 
15856 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15857 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15858 	if (!hdr)
15859 		goto nla_put_failure;
15860 
15861 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15862 		goto nla_put_failure;
15863 
15864 	ftm_stats_attr = nla_nest_start_noflag(msg,
15865 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15866 	if (!ftm_stats_attr)
15867 		goto nla_put_failure;
15868 
15869 #define SET_FTM(field, name, type)					 \
15870 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15871 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15872 			     ftm_stats.field))				 \
15873 		goto nla_put_failure; } while (0)
15874 #define SET_FTM_U64(field, name)					 \
15875 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15876 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15877 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15878 		goto nla_put_failure; } while (0)
15879 
15880 	SET_FTM(success_num, SUCCESS_NUM, u32);
15881 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15882 	SET_FTM(failed_num, FAILED_NUM, u32);
15883 	SET_FTM(asap_num, ASAP_NUM, u32);
15884 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15885 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15886 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15887 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15888 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15889 #undef SET_FTM
15890 
15891 	nla_nest_end(msg, ftm_stats_attr);
15892 
15893 	genlmsg_end(msg, hdr);
15894 	return genlmsg_reply(msg, info);
15895 
15896 nla_put_failure:
15897 	nlmsg_free(msg);
15898 	return -ENOBUFS;
15899 }
15900 
15901 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15902 {
15903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15904 	struct cfg80211_update_owe_info owe_info;
15905 	struct net_device *dev = info->user_ptr[1];
15906 
15907 	if (!rdev->ops->update_owe_info)
15908 		return -EOPNOTSUPP;
15909 
15910 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15911 	    !info->attrs[NL80211_ATTR_MAC])
15912 		return -EINVAL;
15913 
15914 	memset(&owe_info, 0, sizeof(owe_info));
15915 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15916 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15917 
15918 	if (info->attrs[NL80211_ATTR_IE]) {
15919 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15920 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15921 	}
15922 
15923 	return rdev_update_owe_info(rdev, dev, &owe_info);
15924 }
15925 
15926 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15927 {
15928 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15929 	struct net_device *dev = info->user_ptr[1];
15930 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15931 	struct station_info sinfo = {};
15932 	const u8 *buf;
15933 	size_t len;
15934 	u8 *dest;
15935 	int err;
15936 
15937 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15938 		return -EOPNOTSUPP;
15939 
15940 	if (!info->attrs[NL80211_ATTR_MAC] ||
15941 	    !info->attrs[NL80211_ATTR_FRAME]) {
15942 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15943 		return -EINVAL;
15944 	}
15945 
15946 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15947 		return -EOPNOTSUPP;
15948 
15949 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15950 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15951 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15952 
15953 	if (len < sizeof(struct ethhdr))
15954 		return -EINVAL;
15955 
15956 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15957 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15958 		return -EINVAL;
15959 
15960 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15961 	if (err)
15962 		return err;
15963 
15964 	cfg80211_sinfo_release_content(&sinfo);
15965 
15966 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15967 }
15968 
15969 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15970 			  struct nlattr *attrs[], struct net_device *dev,
15971 			  struct cfg80211_tid_cfg *tid_conf,
15972 			  struct genl_info *info, const u8 *peer,
15973 			  unsigned int link_id)
15974 {
15975 	struct netlink_ext_ack *extack = info->extack;
15976 	u64 mask;
15977 	int err;
15978 
15979 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15980 		return -EINVAL;
15981 
15982 	tid_conf->config_override =
15983 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15984 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15985 
15986 	if (tid_conf->config_override) {
15987 		if (rdev->ops->reset_tid_config) {
15988 			err = rdev_reset_tid_config(rdev, dev, peer,
15989 						    tid_conf->tids);
15990 			if (err)
15991 				return err;
15992 		} else {
15993 			return -EINVAL;
15994 		}
15995 	}
15996 
15997 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15998 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15999 		tid_conf->noack =
16000 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
16001 	}
16002 
16003 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
16004 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
16005 		tid_conf->retry_short =
16006 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
16007 
16008 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
16009 			return -EINVAL;
16010 	}
16011 
16012 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
16013 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
16014 		tid_conf->retry_long =
16015 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
16016 
16017 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
16018 			return -EINVAL;
16019 	}
16020 
16021 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
16022 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
16023 		tid_conf->ampdu =
16024 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
16025 	}
16026 
16027 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
16028 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
16029 		tid_conf->rtscts =
16030 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
16031 	}
16032 
16033 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
16034 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
16035 		tid_conf->amsdu =
16036 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
16037 	}
16038 
16039 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
16040 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
16041 
16042 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16043 
16044 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16045 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16046 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16047 						    &tid_conf->txrate_mask, dev,
16048 						    true, link_id);
16049 			if (err)
16050 				return err;
16051 
16052 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16053 		}
16054 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16055 	}
16056 
16057 	if (peer)
16058 		mask = rdev->wiphy.tid_config_support.peer;
16059 	else
16060 		mask = rdev->wiphy.tid_config_support.vif;
16061 
16062 	if (tid_conf->mask & ~mask) {
16063 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16064 		return -EOPNOTSUPP;
16065 	}
16066 
16067 	return 0;
16068 }
16069 
16070 static int nl80211_set_tid_config(struct sk_buff *skb,
16071 				  struct genl_info *info)
16072 {
16073 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16074 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16075 	unsigned int link_id = nl80211_link_id(info->attrs);
16076 	struct net_device *dev = info->user_ptr[1];
16077 	struct cfg80211_tid_config *tid_config;
16078 	struct nlattr *tid;
16079 	int conf_idx = 0, rem_conf;
16080 	int ret = -EINVAL;
16081 	u32 num_conf = 0;
16082 
16083 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16084 		return -EINVAL;
16085 
16086 	if (!rdev->ops->set_tid_config)
16087 		return -EOPNOTSUPP;
16088 
16089 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16090 			    rem_conf)
16091 		num_conf++;
16092 
16093 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16094 			     GFP_KERNEL);
16095 	if (!tid_config)
16096 		return -ENOMEM;
16097 
16098 	tid_config->n_tid_conf = num_conf;
16099 
16100 	if (info->attrs[NL80211_ATTR_MAC])
16101 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16102 
16103 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16104 			    rem_conf) {
16105 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16106 				       tid, NULL, NULL);
16107 
16108 		if (ret)
16109 			goto bad_tid_conf;
16110 
16111 		ret = parse_tid_conf(rdev, attrs, dev,
16112 				     &tid_config->tid_conf[conf_idx],
16113 				     info, tid_config->peer, link_id);
16114 		if (ret)
16115 			goto bad_tid_conf;
16116 
16117 		conf_idx++;
16118 	}
16119 
16120 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16121 
16122 bad_tid_conf:
16123 	kfree(tid_config);
16124 	return ret;
16125 }
16126 
16127 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16128 {
16129 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16130 	struct cfg80211_color_change_settings params = {};
16131 	struct net_device *dev = info->user_ptr[1];
16132 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16133 	struct nlattr **tb;
16134 	u16 offset;
16135 	int err;
16136 
16137 	if (!rdev->ops->color_change)
16138 		return -EOPNOTSUPP;
16139 
16140 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16141 				     NL80211_EXT_FEATURE_BSS_COLOR))
16142 		return -EOPNOTSUPP;
16143 
16144 	if (wdev->iftype != NL80211_IFTYPE_AP)
16145 		return -EOPNOTSUPP;
16146 
16147 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16148 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16149 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16150 		return -EINVAL;
16151 
16152 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16153 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16154 
16155 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16156 				   info->extack);
16157 	if (err)
16158 		return err;
16159 
16160 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16161 	if (!tb)
16162 		return -ENOMEM;
16163 
16164 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16165 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16166 			       nl80211_policy, info->extack);
16167 	if (err)
16168 		goto out;
16169 
16170 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16171 				   info->extack);
16172 	if (err)
16173 		goto out;
16174 
16175 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16176 		err = -EINVAL;
16177 		goto out;
16178 	}
16179 
16180 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16181 		err = -EINVAL;
16182 		goto out;
16183 	}
16184 
16185 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16186 	if (offset >= params.beacon_color_change.tail_len) {
16187 		err = -EINVAL;
16188 		goto out;
16189 	}
16190 
16191 	if (params.beacon_color_change.tail[offset] != params.count) {
16192 		err = -EINVAL;
16193 		goto out;
16194 	}
16195 
16196 	params.counter_offset_beacon = offset;
16197 
16198 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16199 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16200 		    sizeof(u16)) {
16201 			err = -EINVAL;
16202 			goto out;
16203 		}
16204 
16205 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16206 		if (offset >= params.beacon_color_change.probe_resp_len) {
16207 			err = -EINVAL;
16208 			goto out;
16209 		}
16210 
16211 		if (params.beacon_color_change.probe_resp[offset] !=
16212 		    params.count) {
16213 			err = -EINVAL;
16214 			goto out;
16215 		}
16216 
16217 		params.counter_offset_presp = offset;
16218 	}
16219 
16220 	params.link_id = nl80211_link_id(info->attrs);
16221 	err = rdev_color_change(rdev, dev, &params);
16222 
16223 out:
16224 	kfree(params.beacon_next.mbssid_ies);
16225 	kfree(params.beacon_color_change.mbssid_ies);
16226 	kfree(params.beacon_next.rnr_ies);
16227 	kfree(params.beacon_color_change.rnr_ies);
16228 	kfree(tb);
16229 	return err;
16230 }
16231 
16232 static int nl80211_set_fils_aad(struct sk_buff *skb,
16233 				struct genl_info *info)
16234 {
16235 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16236 	struct net_device *dev = info->user_ptr[1];
16237 	struct cfg80211_fils_aad fils_aad = {};
16238 	u8 *nonces;
16239 
16240 	if (!info->attrs[NL80211_ATTR_MAC] ||
16241 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16242 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16243 		return -EINVAL;
16244 
16245 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16246 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16247 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16248 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16249 	fils_aad.snonce = nonces;
16250 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16251 
16252 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16253 }
16254 
16255 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16256 {
16257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16258 	unsigned int link_id = nl80211_link_id(info->attrs);
16259 	struct net_device *dev = info->user_ptr[1];
16260 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16261 	int ret;
16262 
16263 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16264 		return -EINVAL;
16265 
16266 	switch (wdev->iftype) {
16267 	case NL80211_IFTYPE_AP:
16268 		break;
16269 	default:
16270 		return -EINVAL;
16271 	}
16272 
16273 	if (!info->attrs[NL80211_ATTR_MAC] ||
16274 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16275 		return -EINVAL;
16276 
16277 	wdev->valid_links |= BIT(link_id);
16278 	ether_addr_copy(wdev->links[link_id].addr,
16279 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16280 
16281 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16282 	if (ret) {
16283 		wdev->valid_links &= ~BIT(link_id);
16284 		eth_zero_addr(wdev->links[link_id].addr);
16285 	}
16286 
16287 	return ret;
16288 }
16289 
16290 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16291 {
16292 	unsigned int link_id = nl80211_link_id(info->attrs);
16293 	struct net_device *dev = info->user_ptr[1];
16294 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16295 
16296 	/* cannot remove if there's no link */
16297 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16298 		return -EINVAL;
16299 
16300 	switch (wdev->iftype) {
16301 	case NL80211_IFTYPE_AP:
16302 		break;
16303 	default:
16304 		return -EINVAL;
16305 	}
16306 
16307 	cfg80211_remove_link(wdev, link_id);
16308 
16309 	return 0;
16310 }
16311 
16312 static int
16313 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16314 			     bool add)
16315 {
16316 	struct link_station_parameters params = {};
16317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16318 	struct net_device *dev = info->user_ptr[1];
16319 	int err;
16320 
16321 	if ((add && !rdev->ops->add_link_station) ||
16322 	    (!add && !rdev->ops->mod_link_station))
16323 		return -EOPNOTSUPP;
16324 
16325 	if (add && !info->attrs[NL80211_ATTR_MAC])
16326 		return -EINVAL;
16327 
16328 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16329 		return -EINVAL;
16330 
16331 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16332 		return -EINVAL;
16333 
16334 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16335 
16336 	if (info->attrs[NL80211_ATTR_MAC]) {
16337 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16338 		if (!is_valid_ether_addr(params.link_mac))
16339 			return -EINVAL;
16340 	}
16341 
16342 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16343 		return -EINVAL;
16344 
16345 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16346 
16347 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16348 		params.supported_rates =
16349 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16350 		params.supported_rates_len =
16351 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16352 	}
16353 
16354 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16355 		params.ht_capa =
16356 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16357 
16358 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16359 		params.vht_capa =
16360 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16361 
16362 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16363 		params.he_capa =
16364 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16365 		params.he_capa_len =
16366 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16367 
16368 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16369 			params.eht_capa =
16370 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16371 			params.eht_capa_len =
16372 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16373 
16374 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16375 							(const u8 *)params.eht_capa,
16376 							params.eht_capa_len,
16377 							false))
16378 				return -EINVAL;
16379 		}
16380 	}
16381 
16382 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16383 		params.he_6ghz_capa =
16384 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16385 
16386 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16387 		params.opmode_notif_used = true;
16388 		params.opmode_notif =
16389 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16390 	}
16391 
16392 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16393 						&params.txpwr_set);
16394 	if (err)
16395 		return err;
16396 
16397 	if (add)
16398 		return rdev_add_link_station(rdev, dev, &params);
16399 
16400 	return rdev_mod_link_station(rdev, dev, &params);
16401 }
16402 
16403 static int
16404 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16405 {
16406 	return nl80211_add_mod_link_station(skb, info, true);
16407 }
16408 
16409 static int
16410 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16411 {
16412 	return nl80211_add_mod_link_station(skb, info, false);
16413 }
16414 
16415 static int
16416 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16417 {
16418 	struct link_station_del_parameters params = {};
16419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16420 	struct net_device *dev = info->user_ptr[1];
16421 
16422 	if (!rdev->ops->del_link_station)
16423 		return -EOPNOTSUPP;
16424 
16425 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16426 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16427 		return -EINVAL;
16428 
16429 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16430 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16431 
16432 	return rdev_del_link_station(rdev, dev, &params);
16433 }
16434 
16435 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16436 				    struct genl_info *info)
16437 {
16438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16439 	struct net_device *dev = info->user_ptr[1];
16440 	struct cfg80211_set_hw_timestamp hwts = {};
16441 
16442 	if (!rdev->wiphy.hw_timestamp_max_peers)
16443 		return -EOPNOTSUPP;
16444 
16445 	if (!info->attrs[NL80211_ATTR_MAC] &&
16446 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16447 		return -EOPNOTSUPP;
16448 
16449 	if (info->attrs[NL80211_ATTR_MAC])
16450 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16451 
16452 	hwts.enable =
16453 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16454 
16455 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16456 }
16457 
16458 static int
16459 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16460 {
16461 	struct cfg80211_ttlm_params params = {};
16462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16463 	struct net_device *dev = info->user_ptr[1];
16464 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16465 
16466 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16467 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16468 		return -EOPNOTSUPP;
16469 
16470 	if (!wdev->connected)
16471 		return -ENOLINK;
16472 
16473 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16474 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16475 		return -EINVAL;
16476 
16477 	nla_memcpy(params.dlink,
16478 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16479 		   sizeof(params.dlink));
16480 	nla_memcpy(params.ulink,
16481 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16482 		   sizeof(params.ulink));
16483 
16484 	return rdev_set_ttlm(rdev, dev, &params);
16485 }
16486 
16487 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
16488 {
16489 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16490 	struct net_device *dev = info->user_ptr[1];
16491 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16492 	struct cfg80211_assoc_link links[IEEE80211_MLD_MAX_NUM_LINKS] = {};
16493 	unsigned int link_id;
16494 	u16 add_links, rem_links;
16495 	int err;
16496 
16497 	if (!wdev->valid_links)
16498 		return -EINVAL;
16499 
16500 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
16501 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
16502 		return -EPERM;
16503 
16504 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
16505 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
16506 		return -EOPNOTSUPP;
16507 
16508 	add_links = 0;
16509 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
16510 		err = nl80211_process_links(rdev, links,
16511 					    /* mark as MLO, but not assoc */
16512 					    IEEE80211_MLD_MAX_NUM_LINKS,
16513 					    NULL, 0, info);
16514 		if (err)
16515 			return err;
16516 
16517 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
16518 		     link_id++) {
16519 			if (!links[link_id].bss)
16520 				continue;
16521 			add_links |= BIT(link_id);
16522 		}
16523 	}
16524 
16525 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
16526 		rem_links =
16527 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
16528 	else
16529 		rem_links = 0;
16530 
16531 	/* Validate that existing links are not added, removed links are valid
16532 	 * and don't allow adding and removing the same links
16533 	 */
16534 	if ((add_links & rem_links) || !(add_links | rem_links) ||
16535 	    (wdev->valid_links & add_links) ||
16536 	    ((wdev->valid_links & rem_links) != rem_links)) {
16537 		err = -EINVAL;
16538 		goto out;
16539 	}
16540 
16541 	err = -EOPNOTSUPP;
16542 
16543 out:
16544 	for (link_id = 0; link_id < ARRAY_SIZE(links); link_id++)
16545 		cfg80211_put_bss(&rdev->wiphy, links[link_id].bss);
16546 
16547 	return err;
16548 }
16549 
16550 static int
16551 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
16552 {
16553 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16554 	struct net_device *dev = info->user_ptr[1];
16555 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16556 	bool val;
16557 
16558 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16559 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16560 		return -EOPNOTSUPP;
16561 
16562 	if (!wdev->connected)
16563 		return -ENOLINK;
16564 
16565 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
16566 
16567 	return rdev_set_epcs(rdev, dev, val);
16568 }
16569 
16570 #define NL80211_FLAG_NEED_WIPHY		0x01
16571 #define NL80211_FLAG_NEED_NETDEV	0x02
16572 #define NL80211_FLAG_NEED_RTNL		0x04
16573 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16574 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16575 					 NL80211_FLAG_CHECK_NETDEV_UP)
16576 #define NL80211_FLAG_NEED_WDEV		0x10
16577 /* If a netdev is associated, it must be UP, P2P must be started */
16578 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16579 					 NL80211_FLAG_CHECK_NETDEV_UP)
16580 #define NL80211_FLAG_CLEAR_SKB		0x20
16581 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16582 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16583 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16584 
16585 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16586 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16587 	SELECTOR(__sel, WIPHY,				\
16588 		 NL80211_FLAG_NEED_WIPHY)		\
16589 	SELECTOR(__sel, WDEV,				\
16590 		 NL80211_FLAG_NEED_WDEV)		\
16591 	SELECTOR(__sel, NETDEV,				\
16592 		 NL80211_FLAG_NEED_NETDEV)		\
16593 	SELECTOR(__sel, NETDEV_LINK,			\
16594 		 NL80211_FLAG_NEED_NETDEV |		\
16595 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16596 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16597 		 NL80211_FLAG_NEED_NETDEV |		\
16598 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16599 	SELECTOR(__sel, WIPHY_RTNL,			\
16600 		 NL80211_FLAG_NEED_WIPHY |		\
16601 		 NL80211_FLAG_NEED_RTNL)		\
16602 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16603 		 NL80211_FLAG_NEED_WIPHY |		\
16604 		 NL80211_FLAG_NEED_RTNL |		\
16605 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16606 	SELECTOR(__sel, WDEV_RTNL,			\
16607 		 NL80211_FLAG_NEED_WDEV |		\
16608 		 NL80211_FLAG_NEED_RTNL)		\
16609 	SELECTOR(__sel, NETDEV_RTNL,			\
16610 		 NL80211_FLAG_NEED_NETDEV |		\
16611 		 NL80211_FLAG_NEED_RTNL)		\
16612 	SELECTOR(__sel, NETDEV_UP,			\
16613 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16614 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16615 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16616 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16617 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16618 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16619 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16620 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16621 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16622 		 NL80211_FLAG_CLEAR_SKB |		\
16623 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16624 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16625 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16626 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16627 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
16628 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16629 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16630 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16631 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16632 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16633 		 NL80211_FLAG_CLEAR_SKB)		\
16634 	SELECTOR(__sel, WDEV_UP,			\
16635 		 NL80211_FLAG_NEED_WDEV_UP)		\
16636 	SELECTOR(__sel, WDEV_UP_LINK,			\
16637 		 NL80211_FLAG_NEED_WDEV_UP |		\
16638 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16639 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16640 		 NL80211_FLAG_NEED_WDEV_UP |		\
16641 		 NL80211_FLAG_NEED_RTNL)		\
16642 	SELECTOR(__sel, WIPHY_CLEAR,			\
16643 		 NL80211_FLAG_NEED_WIPHY |		\
16644 		 NL80211_FLAG_CLEAR_SKB)
16645 
16646 enum nl80211_internal_flags_selector {
16647 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16648 	INTERNAL_FLAG_SELECTORS(_)
16649 #undef SELECTOR
16650 };
16651 
16652 static u32 nl80211_internal_flags[] = {
16653 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16654 	INTERNAL_FLAG_SELECTORS(_)
16655 #undef SELECTOR
16656 };
16657 
16658 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16659 			    struct sk_buff *skb,
16660 			    struct genl_info *info)
16661 {
16662 	struct cfg80211_registered_device *rdev = NULL;
16663 	struct wireless_dev *wdev = NULL;
16664 	struct net_device *dev = NULL;
16665 	u32 internal_flags;
16666 	int err;
16667 
16668 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16669 		return -EINVAL;
16670 
16671 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16672 
16673 	rtnl_lock();
16674 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16675 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16676 		if (IS_ERR(rdev)) {
16677 			err = PTR_ERR(rdev);
16678 			goto out_unlock;
16679 		}
16680 		info->user_ptr[0] = rdev;
16681 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16682 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16683 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16684 						  info->attrs);
16685 		if (IS_ERR(wdev)) {
16686 			err = PTR_ERR(wdev);
16687 			goto out_unlock;
16688 		}
16689 
16690 		dev = wdev->netdev;
16691 		dev_hold(dev);
16692 		rdev = wiphy_to_rdev(wdev->wiphy);
16693 
16694 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16695 			if (!dev) {
16696 				err = -EINVAL;
16697 				goto out_unlock;
16698 			}
16699 
16700 			info->user_ptr[1] = dev;
16701 		} else {
16702 			info->user_ptr[1] = wdev;
16703 		}
16704 
16705 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16706 		    !wdev_running(wdev)) {
16707 			err = -ENETDOWN;
16708 			goto out_unlock;
16709 		}
16710 
16711 		info->user_ptr[0] = rdev;
16712 	}
16713 
16714 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16715 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16716 
16717 		if (!wdev) {
16718 			err = -EINVAL;
16719 			goto out_unlock;
16720 		}
16721 
16722 		/* MLO -> require valid link ID */
16723 		if (wdev->valid_links &&
16724 		    (!link_id ||
16725 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16726 			err = -EINVAL;
16727 			goto out_unlock;
16728 		}
16729 
16730 		/* non-MLO -> no link ID attribute accepted */
16731 		if (!wdev->valid_links && link_id) {
16732 			err = -EINVAL;
16733 			goto out_unlock;
16734 		}
16735 	}
16736 
16737 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16738 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16739 		    (wdev && wdev->valid_links)) {
16740 			err = -EINVAL;
16741 			goto out_unlock;
16742 		}
16743 	}
16744 
16745 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16746 		wiphy_lock(&rdev->wiphy);
16747 		/* we keep the mutex locked until post_doit */
16748 		__release(&rdev->wiphy.mtx);
16749 	}
16750 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16751 		rtnl_unlock();
16752 
16753 	return 0;
16754 out_unlock:
16755 	rtnl_unlock();
16756 	dev_put(dev);
16757 	return err;
16758 }
16759 
16760 static void nl80211_post_doit(const struct genl_split_ops *ops,
16761 			      struct sk_buff *skb,
16762 			      struct genl_info *info)
16763 {
16764 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16765 
16766 	if (info->user_ptr[1]) {
16767 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16768 			struct wireless_dev *wdev = info->user_ptr[1];
16769 
16770 			dev_put(wdev->netdev);
16771 		} else {
16772 			dev_put(info->user_ptr[1]);
16773 		}
16774 	}
16775 
16776 	if (info->user_ptr[0] &&
16777 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16778 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16779 
16780 		/* we kept the mutex locked since pre_doit */
16781 		__acquire(&rdev->wiphy.mtx);
16782 		wiphy_unlock(&rdev->wiphy);
16783 	}
16784 
16785 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16786 		rtnl_unlock();
16787 
16788 	/* If needed, clear the netlink message payload from the SKB
16789 	 * as it might contain key data that shouldn't stick around on
16790 	 * the heap after the SKB is freed. The netlink message header
16791 	 * is still needed for further processing, so leave it intact.
16792 	 */
16793 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16794 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16795 
16796 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16797 	}
16798 }
16799 
16800 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16801 				     struct cfg80211_sar_specs *sar_specs,
16802 				     struct nlattr *spec[], int index)
16803 {
16804 	u32 range_index, i;
16805 
16806 	if (!sar_specs || !spec)
16807 		return -EINVAL;
16808 
16809 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16810 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16811 		return -EINVAL;
16812 
16813 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16814 
16815 	/* check if range_index exceeds num_freq_ranges */
16816 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16817 		return -EINVAL;
16818 
16819 	/* check if range_index duplicates */
16820 	for (i = 0; i < index; i++) {
16821 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16822 			return -EINVAL;
16823 	}
16824 
16825 	sar_specs->sub_specs[index].power =
16826 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16827 
16828 	sar_specs->sub_specs[index].freq_range_index = range_index;
16829 
16830 	return 0;
16831 }
16832 
16833 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16834 {
16835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16836 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16837 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16838 	struct cfg80211_sar_specs *sar_spec;
16839 	enum nl80211_sar_type type;
16840 	struct nlattr *spec_list;
16841 	u32 specs;
16842 	int rem, err;
16843 
16844 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16845 		return -EOPNOTSUPP;
16846 
16847 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16848 		return -EINVAL;
16849 
16850 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16851 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16852 			 NULL, NULL);
16853 
16854 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16855 		return -EINVAL;
16856 
16857 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16858 	if (type != rdev->wiphy.sar_capa->type)
16859 		return -EINVAL;
16860 
16861 	specs = 0;
16862 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16863 		specs++;
16864 
16865 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16866 		return -EINVAL;
16867 
16868 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16869 	if (!sar_spec)
16870 		return -ENOMEM;
16871 
16872 	sar_spec->type = type;
16873 	specs = 0;
16874 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16875 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16876 				 spec_list, NULL, NULL);
16877 
16878 		switch (type) {
16879 		case NL80211_SAR_TYPE_POWER:
16880 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16881 						      spec, specs)) {
16882 				err = -EINVAL;
16883 				goto error;
16884 			}
16885 			break;
16886 		default:
16887 			err = -EINVAL;
16888 			goto error;
16889 		}
16890 		specs++;
16891 	}
16892 
16893 	sar_spec->num_sub_specs = specs;
16894 
16895 	rdev->cur_cmd_info = info;
16896 	err = rdev_set_sar_specs(rdev, sar_spec);
16897 	rdev->cur_cmd_info = NULL;
16898 error:
16899 	kfree(sar_spec);
16900 	return err;
16901 }
16902 
16903 #define SELECTOR(__sel, name, value) \
16904 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16905 int __missing_selector(void);
16906 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16907 
16908 static const struct genl_ops nl80211_ops[] = {
16909 	{
16910 		.cmd = NL80211_CMD_GET_WIPHY,
16911 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16912 		.doit = nl80211_get_wiphy,
16913 		.dumpit = nl80211_dump_wiphy,
16914 		.done = nl80211_dump_wiphy_done,
16915 		/* can be retrieved by unprivileged users */
16916 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16917 	},
16918 };
16919 
16920 static const struct genl_small_ops nl80211_small_ops[] = {
16921 	{
16922 		.cmd = NL80211_CMD_SET_WIPHY,
16923 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16924 		.doit = nl80211_set_wiphy,
16925 		.flags = GENL_UNS_ADMIN_PERM,
16926 	},
16927 	{
16928 		.cmd = NL80211_CMD_GET_INTERFACE,
16929 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16930 		.doit = nl80211_get_interface,
16931 		.dumpit = nl80211_dump_interface,
16932 		/* can be retrieved by unprivileged users */
16933 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16934 	},
16935 	{
16936 		.cmd = NL80211_CMD_SET_INTERFACE,
16937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16938 		.doit = nl80211_set_interface,
16939 		.flags = GENL_UNS_ADMIN_PERM,
16940 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16941 					 NL80211_FLAG_NEED_RTNL),
16942 	},
16943 	{
16944 		.cmd = NL80211_CMD_NEW_INTERFACE,
16945 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16946 		.doit = nl80211_new_interface,
16947 		.flags = GENL_UNS_ADMIN_PERM,
16948 		.internal_flags =
16949 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16950 			       NL80211_FLAG_NEED_RTNL |
16951 			       /* we take the wiphy mutex later ourselves */
16952 			       NL80211_FLAG_NO_WIPHY_MTX),
16953 	},
16954 	{
16955 		.cmd = NL80211_CMD_DEL_INTERFACE,
16956 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16957 		.doit = nl80211_del_interface,
16958 		.flags = GENL_UNS_ADMIN_PERM,
16959 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16960 					 NL80211_FLAG_NEED_RTNL),
16961 	},
16962 	{
16963 		.cmd = NL80211_CMD_GET_KEY,
16964 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16965 		.doit = nl80211_get_key,
16966 		.flags = GENL_UNS_ADMIN_PERM,
16967 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16968 	},
16969 	{
16970 		.cmd = NL80211_CMD_SET_KEY,
16971 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16972 		.doit = nl80211_set_key,
16973 		.flags = GENL_UNS_ADMIN_PERM,
16974 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16975 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16976 					 NL80211_FLAG_CLEAR_SKB),
16977 	},
16978 	{
16979 		.cmd = NL80211_CMD_NEW_KEY,
16980 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16981 		.doit = nl80211_new_key,
16982 		.flags = GENL_UNS_ADMIN_PERM,
16983 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16984 					 NL80211_FLAG_CLEAR_SKB),
16985 	},
16986 	{
16987 		.cmd = NL80211_CMD_DEL_KEY,
16988 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16989 		.doit = nl80211_del_key,
16990 		.flags = GENL_UNS_ADMIN_PERM,
16991 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16992 	},
16993 	{
16994 		.cmd = NL80211_CMD_SET_BEACON,
16995 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16996 		.flags = GENL_UNS_ADMIN_PERM,
16997 		.doit = nl80211_set_beacon,
16998 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16999 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17000 	},
17001 	{
17002 		.cmd = NL80211_CMD_START_AP,
17003 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17004 		.flags = GENL_UNS_ADMIN_PERM,
17005 		.doit = nl80211_start_ap,
17006 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17007 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17008 	},
17009 	{
17010 		.cmd = NL80211_CMD_STOP_AP,
17011 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17012 		.flags = GENL_UNS_ADMIN_PERM,
17013 		.doit = nl80211_stop_ap,
17014 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17015 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17016 	},
17017 	{
17018 		.cmd = NL80211_CMD_GET_STATION,
17019 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17020 		.doit = nl80211_get_station,
17021 		.dumpit = nl80211_dump_station,
17022 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17023 	},
17024 	{
17025 		.cmd = NL80211_CMD_SET_STATION,
17026 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17027 		.doit = nl80211_set_station,
17028 		.flags = GENL_UNS_ADMIN_PERM,
17029 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17030 	},
17031 	{
17032 		.cmd = NL80211_CMD_NEW_STATION,
17033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17034 		.doit = nl80211_new_station,
17035 		.flags = GENL_UNS_ADMIN_PERM,
17036 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17037 	},
17038 	{
17039 		.cmd = NL80211_CMD_DEL_STATION,
17040 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17041 		.doit = nl80211_del_station,
17042 		.flags = GENL_UNS_ADMIN_PERM,
17043 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
17044 		 * whether MAC address is passed or not. If MAC address is
17045 		 * passed, then even during MLO, link ID is not required.
17046 		 */
17047 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17048 	},
17049 	{
17050 		.cmd = NL80211_CMD_GET_MPATH,
17051 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17052 		.doit = nl80211_get_mpath,
17053 		.dumpit = nl80211_dump_mpath,
17054 		.flags = GENL_UNS_ADMIN_PERM,
17055 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17056 	},
17057 	{
17058 		.cmd = NL80211_CMD_GET_MPP,
17059 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17060 		.doit = nl80211_get_mpp,
17061 		.dumpit = nl80211_dump_mpp,
17062 		.flags = GENL_UNS_ADMIN_PERM,
17063 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17064 	},
17065 	{
17066 		.cmd = NL80211_CMD_SET_MPATH,
17067 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17068 		.doit = nl80211_set_mpath,
17069 		.flags = GENL_UNS_ADMIN_PERM,
17070 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17071 	},
17072 	{
17073 		.cmd = NL80211_CMD_NEW_MPATH,
17074 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17075 		.doit = nl80211_new_mpath,
17076 		.flags = GENL_UNS_ADMIN_PERM,
17077 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17078 	},
17079 	{
17080 		.cmd = NL80211_CMD_DEL_MPATH,
17081 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17082 		.doit = nl80211_del_mpath,
17083 		.flags = GENL_UNS_ADMIN_PERM,
17084 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17085 	},
17086 	{
17087 		.cmd = NL80211_CMD_SET_BSS,
17088 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17089 		.doit = nl80211_set_bss,
17090 		.flags = GENL_UNS_ADMIN_PERM,
17091 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17092 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17093 	},
17094 	{
17095 		.cmd = NL80211_CMD_GET_REG,
17096 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17097 		.doit = nl80211_get_reg_do,
17098 		.dumpit = nl80211_get_reg_dump,
17099 		/* can be retrieved by unprivileged users */
17100 	},
17101 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
17102 	{
17103 		.cmd = NL80211_CMD_SET_REG,
17104 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17105 		.doit = nl80211_set_reg,
17106 		.flags = GENL_ADMIN_PERM,
17107 	},
17108 #endif
17109 	{
17110 		.cmd = NL80211_CMD_REQ_SET_REG,
17111 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17112 		.doit = nl80211_req_set_reg,
17113 		.flags = GENL_ADMIN_PERM,
17114 	},
17115 	{
17116 		.cmd = NL80211_CMD_RELOAD_REGDB,
17117 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17118 		.doit = nl80211_reload_regdb,
17119 		.flags = GENL_ADMIN_PERM,
17120 	},
17121 	{
17122 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
17123 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17124 		.doit = nl80211_get_mesh_config,
17125 		/* can be retrieved by unprivileged users */
17126 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17127 	},
17128 	{
17129 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17130 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17131 		.doit = nl80211_update_mesh_config,
17132 		.flags = GENL_UNS_ADMIN_PERM,
17133 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17134 	},
17135 	{
17136 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17137 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17138 		.doit = nl80211_trigger_scan,
17139 		.flags = GENL_UNS_ADMIN_PERM,
17140 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17141 	},
17142 	{
17143 		.cmd = NL80211_CMD_ABORT_SCAN,
17144 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17145 		.doit = nl80211_abort_scan,
17146 		.flags = GENL_UNS_ADMIN_PERM,
17147 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17148 	},
17149 	{
17150 		.cmd = NL80211_CMD_GET_SCAN,
17151 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17152 		.dumpit = nl80211_dump_scan,
17153 	},
17154 	{
17155 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17157 		.doit = nl80211_start_sched_scan,
17158 		.flags = GENL_UNS_ADMIN_PERM,
17159 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17160 	},
17161 	{
17162 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17163 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17164 		.doit = nl80211_stop_sched_scan,
17165 		.flags = GENL_UNS_ADMIN_PERM,
17166 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17167 	},
17168 	{
17169 		.cmd = NL80211_CMD_AUTHENTICATE,
17170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17171 		.doit = nl80211_authenticate,
17172 		.flags = GENL_UNS_ADMIN_PERM,
17173 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17174 					 NL80211_FLAG_CLEAR_SKB),
17175 	},
17176 	{
17177 		.cmd = NL80211_CMD_ASSOCIATE,
17178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17179 		.doit = nl80211_associate,
17180 		.flags = GENL_UNS_ADMIN_PERM,
17181 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17182 					 NL80211_FLAG_CLEAR_SKB),
17183 	},
17184 	{
17185 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17186 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17187 		.doit = nl80211_deauthenticate,
17188 		.flags = GENL_UNS_ADMIN_PERM,
17189 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17190 	},
17191 	{
17192 		.cmd = NL80211_CMD_DISASSOCIATE,
17193 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17194 		.doit = nl80211_disassociate,
17195 		.flags = GENL_UNS_ADMIN_PERM,
17196 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17197 	},
17198 	{
17199 		.cmd = NL80211_CMD_JOIN_IBSS,
17200 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17201 		.doit = nl80211_join_ibss,
17202 		.flags = GENL_UNS_ADMIN_PERM,
17203 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17204 	},
17205 	{
17206 		.cmd = NL80211_CMD_LEAVE_IBSS,
17207 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17208 		.doit = nl80211_leave_ibss,
17209 		.flags = GENL_UNS_ADMIN_PERM,
17210 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17211 	},
17212 #ifdef CONFIG_NL80211_TESTMODE
17213 	{
17214 		.cmd = NL80211_CMD_TESTMODE,
17215 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17216 		.doit = nl80211_testmode_do,
17217 		.dumpit = nl80211_testmode_dump,
17218 		.flags = GENL_UNS_ADMIN_PERM,
17219 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17220 	},
17221 #endif
17222 	{
17223 		.cmd = NL80211_CMD_CONNECT,
17224 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17225 		.doit = nl80211_connect,
17226 		.flags = GENL_UNS_ADMIN_PERM,
17227 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17228 					 NL80211_FLAG_CLEAR_SKB),
17229 	},
17230 	{
17231 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17232 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17233 		.doit = nl80211_update_connect_params,
17234 		.flags = GENL_ADMIN_PERM,
17235 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17236 					 NL80211_FLAG_CLEAR_SKB),
17237 	},
17238 	{
17239 		.cmd = NL80211_CMD_DISCONNECT,
17240 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17241 		.doit = nl80211_disconnect,
17242 		.flags = GENL_UNS_ADMIN_PERM,
17243 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17244 	},
17245 	{
17246 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17247 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17248 		.doit = nl80211_wiphy_netns,
17249 		.flags = GENL_UNS_ADMIN_PERM,
17250 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17251 					 NL80211_FLAG_NEED_RTNL |
17252 					 NL80211_FLAG_NO_WIPHY_MTX),
17253 	},
17254 	{
17255 		.cmd = NL80211_CMD_GET_SURVEY,
17256 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17257 		.dumpit = nl80211_dump_survey,
17258 	},
17259 	{
17260 		.cmd = NL80211_CMD_SET_PMKSA,
17261 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17262 		.doit = nl80211_set_pmksa,
17263 		.flags = GENL_UNS_ADMIN_PERM,
17264 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17265 					 NL80211_FLAG_CLEAR_SKB),
17266 	},
17267 	{
17268 		.cmd = NL80211_CMD_DEL_PMKSA,
17269 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17270 		.doit = nl80211_del_pmksa,
17271 		.flags = GENL_UNS_ADMIN_PERM,
17272 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17273 	},
17274 	{
17275 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17276 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17277 		.doit = nl80211_flush_pmksa,
17278 		.flags = GENL_UNS_ADMIN_PERM,
17279 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17280 	},
17281 	{
17282 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17284 		.doit = nl80211_remain_on_channel,
17285 		.flags = GENL_UNS_ADMIN_PERM,
17286 		/* FIXME: requiring a link ID here is probably not good */
17287 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17288 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17289 	},
17290 	{
17291 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17292 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17293 		.doit = nl80211_cancel_remain_on_channel,
17294 		.flags = GENL_UNS_ADMIN_PERM,
17295 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17296 	},
17297 	{
17298 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17300 		.doit = nl80211_set_tx_bitrate_mask,
17301 		.flags = GENL_UNS_ADMIN_PERM,
17302 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17303 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17304 	},
17305 	{
17306 		.cmd = NL80211_CMD_REGISTER_FRAME,
17307 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17308 		.doit = nl80211_register_mgmt,
17309 		.flags = GENL_UNS_ADMIN_PERM,
17310 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17311 	},
17312 	{
17313 		.cmd = NL80211_CMD_FRAME,
17314 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17315 		.doit = nl80211_tx_mgmt,
17316 		.flags = GENL_UNS_ADMIN_PERM,
17317 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17318 	},
17319 	{
17320 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17321 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17322 		.doit = nl80211_tx_mgmt_cancel_wait,
17323 		.flags = GENL_UNS_ADMIN_PERM,
17324 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17325 	},
17326 	{
17327 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17328 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17329 		.doit = nl80211_set_power_save,
17330 		.flags = GENL_UNS_ADMIN_PERM,
17331 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17332 	},
17333 	{
17334 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17335 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17336 		.doit = nl80211_get_power_save,
17337 		/* can be retrieved by unprivileged users */
17338 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17339 	},
17340 	{
17341 		.cmd = NL80211_CMD_SET_CQM,
17342 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17343 		.doit = nl80211_set_cqm,
17344 		.flags = GENL_UNS_ADMIN_PERM,
17345 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17346 	},
17347 	{
17348 		.cmd = NL80211_CMD_SET_CHANNEL,
17349 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17350 		.doit = nl80211_set_channel,
17351 		.flags = GENL_UNS_ADMIN_PERM,
17352 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17353 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17354 	},
17355 	{
17356 		.cmd = NL80211_CMD_JOIN_MESH,
17357 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17358 		.doit = nl80211_join_mesh,
17359 		.flags = GENL_UNS_ADMIN_PERM,
17360 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17361 	},
17362 	{
17363 		.cmd = NL80211_CMD_LEAVE_MESH,
17364 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17365 		.doit = nl80211_leave_mesh,
17366 		.flags = GENL_UNS_ADMIN_PERM,
17367 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17368 	},
17369 	{
17370 		.cmd = NL80211_CMD_JOIN_OCB,
17371 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17372 		.doit = nl80211_join_ocb,
17373 		.flags = GENL_UNS_ADMIN_PERM,
17374 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17375 	},
17376 	{
17377 		.cmd = NL80211_CMD_LEAVE_OCB,
17378 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17379 		.doit = nl80211_leave_ocb,
17380 		.flags = GENL_UNS_ADMIN_PERM,
17381 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17382 	},
17383 #ifdef CONFIG_PM
17384 	{
17385 		.cmd = NL80211_CMD_GET_WOWLAN,
17386 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17387 		.doit = nl80211_get_wowlan,
17388 		/* can be retrieved by unprivileged users */
17389 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17390 	},
17391 	{
17392 		.cmd = NL80211_CMD_SET_WOWLAN,
17393 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17394 		.doit = nl80211_set_wowlan,
17395 		.flags = GENL_UNS_ADMIN_PERM,
17396 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17397 	},
17398 #endif
17399 	{
17400 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17401 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17402 		.doit = nl80211_set_rekey_data,
17403 		.flags = GENL_UNS_ADMIN_PERM,
17404 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17405 					 NL80211_FLAG_CLEAR_SKB),
17406 	},
17407 	{
17408 		.cmd = NL80211_CMD_TDLS_MGMT,
17409 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17410 		.doit = nl80211_tdls_mgmt,
17411 		.flags = GENL_UNS_ADMIN_PERM,
17412 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17413 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17414 	},
17415 	{
17416 		.cmd = NL80211_CMD_TDLS_OPER,
17417 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17418 		.doit = nl80211_tdls_oper,
17419 		.flags = GENL_UNS_ADMIN_PERM,
17420 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17421 	},
17422 	{
17423 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17424 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17425 		.doit = nl80211_register_unexpected_frame,
17426 		.flags = GENL_UNS_ADMIN_PERM,
17427 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17428 	},
17429 	{
17430 		.cmd = NL80211_CMD_PROBE_CLIENT,
17431 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17432 		.doit = nl80211_probe_client,
17433 		.flags = GENL_UNS_ADMIN_PERM,
17434 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17435 	},
17436 	{
17437 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17438 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17439 		.doit = nl80211_register_beacons,
17440 		.flags = GENL_UNS_ADMIN_PERM,
17441 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17442 	},
17443 	{
17444 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17445 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17446 		.doit = nl80211_set_noack_map,
17447 		.flags = GENL_UNS_ADMIN_PERM,
17448 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17449 	},
17450 	{
17451 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17452 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17453 		.doit = nl80211_start_p2p_device,
17454 		.flags = GENL_UNS_ADMIN_PERM,
17455 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17456 					 NL80211_FLAG_NEED_RTNL),
17457 	},
17458 	{
17459 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17460 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17461 		.doit = nl80211_stop_p2p_device,
17462 		.flags = GENL_UNS_ADMIN_PERM,
17463 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17464 					 NL80211_FLAG_NEED_RTNL),
17465 	},
17466 	{
17467 		.cmd = NL80211_CMD_START_NAN,
17468 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17469 		.doit = nl80211_start_nan,
17470 		.flags = GENL_ADMIN_PERM,
17471 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17472 					 NL80211_FLAG_NEED_RTNL),
17473 	},
17474 	{
17475 		.cmd = NL80211_CMD_STOP_NAN,
17476 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17477 		.doit = nl80211_stop_nan,
17478 		.flags = GENL_ADMIN_PERM,
17479 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17480 					 NL80211_FLAG_NEED_RTNL),
17481 	},
17482 	{
17483 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17484 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17485 		.doit = nl80211_nan_add_func,
17486 		.flags = GENL_ADMIN_PERM,
17487 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17488 	},
17489 	{
17490 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17491 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17492 		.doit = nl80211_nan_del_func,
17493 		.flags = GENL_ADMIN_PERM,
17494 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17495 	},
17496 	{
17497 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17498 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17499 		.doit = nl80211_nan_change_config,
17500 		.flags = GENL_ADMIN_PERM,
17501 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17502 	},
17503 	{
17504 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17505 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17506 		.doit = nl80211_set_mcast_rate,
17507 		.flags = GENL_UNS_ADMIN_PERM,
17508 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17509 	},
17510 	{
17511 		.cmd = NL80211_CMD_SET_MAC_ACL,
17512 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17513 		.doit = nl80211_set_mac_acl,
17514 		.flags = GENL_UNS_ADMIN_PERM,
17515 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17516 					 NL80211_FLAG_MLO_UNSUPPORTED),
17517 	},
17518 	{
17519 		.cmd = NL80211_CMD_RADAR_DETECT,
17520 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17521 		.doit = nl80211_start_radar_detection,
17522 		.flags = GENL_UNS_ADMIN_PERM,
17523 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17524 					 NL80211_FLAG_NO_WIPHY_MTX |
17525 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17526 	},
17527 	{
17528 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17529 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17530 		.doit = nl80211_get_protocol_features,
17531 	},
17532 	{
17533 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17534 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17535 		.doit = nl80211_update_ft_ies,
17536 		.flags = GENL_UNS_ADMIN_PERM,
17537 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17538 	},
17539 	{
17540 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17541 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17542 		.doit = nl80211_crit_protocol_start,
17543 		.flags = GENL_UNS_ADMIN_PERM,
17544 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17545 	},
17546 	{
17547 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17548 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17549 		.doit = nl80211_crit_protocol_stop,
17550 		.flags = GENL_UNS_ADMIN_PERM,
17551 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17552 	},
17553 	{
17554 		.cmd = NL80211_CMD_GET_COALESCE,
17555 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17556 		.doit = nl80211_get_coalesce,
17557 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17558 	},
17559 	{
17560 		.cmd = NL80211_CMD_SET_COALESCE,
17561 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17562 		.doit = nl80211_set_coalesce,
17563 		.flags = GENL_UNS_ADMIN_PERM,
17564 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17565 	},
17566 	{
17567 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17568 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17569 		.doit = nl80211_channel_switch,
17570 		.flags = GENL_UNS_ADMIN_PERM,
17571 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17572 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17573 	},
17574 	{
17575 		.cmd = NL80211_CMD_VENDOR,
17576 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17577 		.doit = nl80211_vendor_cmd,
17578 		.dumpit = nl80211_vendor_cmd_dump,
17579 		.flags = GENL_UNS_ADMIN_PERM,
17580 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17581 					 NL80211_FLAG_CLEAR_SKB),
17582 	},
17583 	{
17584 		.cmd = NL80211_CMD_SET_QOS_MAP,
17585 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17586 		.doit = nl80211_set_qos_map,
17587 		.flags = GENL_UNS_ADMIN_PERM,
17588 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17589 	},
17590 	{
17591 		.cmd = NL80211_CMD_ADD_TX_TS,
17592 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17593 		.doit = nl80211_add_tx_ts,
17594 		.flags = GENL_UNS_ADMIN_PERM,
17595 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17596 					 NL80211_FLAG_MLO_UNSUPPORTED),
17597 	},
17598 	{
17599 		.cmd = NL80211_CMD_DEL_TX_TS,
17600 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17601 		.doit = nl80211_del_tx_ts,
17602 		.flags = GENL_UNS_ADMIN_PERM,
17603 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17604 	},
17605 	{
17606 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17607 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17608 		.doit = nl80211_tdls_channel_switch,
17609 		.flags = GENL_UNS_ADMIN_PERM,
17610 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17611 	},
17612 	{
17613 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17614 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17615 		.doit = nl80211_tdls_cancel_channel_switch,
17616 		.flags = GENL_UNS_ADMIN_PERM,
17617 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17618 	},
17619 	{
17620 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17622 		.doit = nl80211_set_multicast_to_unicast,
17623 		.flags = GENL_UNS_ADMIN_PERM,
17624 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17625 	},
17626 	{
17627 		.cmd = NL80211_CMD_SET_PMK,
17628 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17629 		.doit = nl80211_set_pmk,
17630 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17631 					 NL80211_FLAG_CLEAR_SKB),
17632 	},
17633 	{
17634 		.cmd = NL80211_CMD_DEL_PMK,
17635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17636 		.doit = nl80211_del_pmk,
17637 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17638 	},
17639 	{
17640 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17641 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17642 		.doit = nl80211_external_auth,
17643 		.flags = GENL_ADMIN_PERM,
17644 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17645 	},
17646 	{
17647 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17648 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17649 		.doit = nl80211_tx_control_port,
17650 		.flags = GENL_UNS_ADMIN_PERM,
17651 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17652 	},
17653 	{
17654 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17655 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17656 		.doit = nl80211_get_ftm_responder_stats,
17657 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17658 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17659 	},
17660 	{
17661 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17662 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17663 		.doit = nl80211_pmsr_start,
17664 		.flags = GENL_UNS_ADMIN_PERM,
17665 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17666 	},
17667 	{
17668 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17669 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17670 		.doit = nl80211_notify_radar_detection,
17671 		.flags = GENL_UNS_ADMIN_PERM,
17672 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17673 	},
17674 	{
17675 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17676 		.doit = nl80211_update_owe_info,
17677 		.flags = GENL_ADMIN_PERM,
17678 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17679 	},
17680 	{
17681 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17682 		.doit = nl80211_probe_mesh_link,
17683 		.flags = GENL_UNS_ADMIN_PERM,
17684 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17685 	},
17686 	{
17687 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17688 		.doit = nl80211_set_tid_config,
17689 		.flags = GENL_UNS_ADMIN_PERM,
17690 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17691 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17692 	},
17693 	{
17694 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17696 		.doit = nl80211_set_sar_specs,
17697 		.flags = GENL_UNS_ADMIN_PERM,
17698 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17699 					 NL80211_FLAG_NEED_RTNL),
17700 	},
17701 	{
17702 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17703 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17704 		.doit = nl80211_color_change,
17705 		.flags = GENL_UNS_ADMIN_PERM,
17706 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17707 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17708 	},
17709 	{
17710 		.cmd = NL80211_CMD_SET_FILS_AAD,
17711 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17712 		.doit = nl80211_set_fils_aad,
17713 		.flags = GENL_UNS_ADMIN_PERM,
17714 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17715 	},
17716 	{
17717 		.cmd = NL80211_CMD_ADD_LINK,
17718 		.doit = nl80211_add_link,
17719 		.flags = GENL_UNS_ADMIN_PERM,
17720 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17721 	},
17722 	{
17723 		.cmd = NL80211_CMD_REMOVE_LINK,
17724 		.doit = nl80211_remove_link,
17725 		.flags = GENL_UNS_ADMIN_PERM,
17726 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17727 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17728 	},
17729 	{
17730 		.cmd = NL80211_CMD_ADD_LINK_STA,
17731 		.doit = nl80211_add_link_station,
17732 		.flags = GENL_UNS_ADMIN_PERM,
17733 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17734 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17735 	},
17736 	{
17737 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17738 		.doit = nl80211_modify_link_station,
17739 		.flags = GENL_UNS_ADMIN_PERM,
17740 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17741 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17742 	},
17743 	{
17744 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17745 		.doit = nl80211_remove_link_station,
17746 		.flags = GENL_UNS_ADMIN_PERM,
17747 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17748 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17749 	},
17750 	{
17751 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17752 		.doit = nl80211_set_hw_timestamp,
17753 		.flags = GENL_UNS_ADMIN_PERM,
17754 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17755 	},
17756 	{
17757 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17758 		.doit = nl80211_set_ttlm,
17759 		.flags = GENL_UNS_ADMIN_PERM,
17760 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17761 	},
17762 	{
17763 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
17764 		.doit = nl80211_assoc_ml_reconf,
17765 		.flags = GENL_UNS_ADMIN_PERM,
17766 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17767 	},
17768 	{
17769 		.cmd = NL80211_CMD_EPCS_CFG,
17770 		.doit = nl80211_epcs_cfg,
17771 		.flags = GENL_UNS_ADMIN_PERM,
17772 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17773 	},
17774 };
17775 
17776 static struct genl_family nl80211_fam __ro_after_init = {
17777 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17778 	.hdrsize = 0,			/* no private header */
17779 	.version = 1,			/* no particular meaning now */
17780 	.maxattr = NL80211_ATTR_MAX,
17781 	.policy = nl80211_policy,
17782 	.netnsok = true,
17783 	.pre_doit = nl80211_pre_doit,
17784 	.post_doit = nl80211_post_doit,
17785 	.module = THIS_MODULE,
17786 	.ops = nl80211_ops,
17787 	.n_ops = ARRAY_SIZE(nl80211_ops),
17788 	.small_ops = nl80211_small_ops,
17789 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17790 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17791 	.mcgrps = nl80211_mcgrps,
17792 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17793 	.parallel_ops = true,
17794 };
17795 
17796 /* notification functions */
17797 
17798 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17799 			  enum nl80211_commands cmd)
17800 {
17801 	struct sk_buff *msg;
17802 	struct nl80211_dump_wiphy_state state = {};
17803 
17804 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17805 		cmd != NL80211_CMD_DEL_WIPHY);
17806 
17807 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17808 	if (!msg)
17809 		return;
17810 
17811 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17812 		nlmsg_free(msg);
17813 		return;
17814 	}
17815 
17816 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17817 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17818 }
17819 
17820 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17821 				struct wireless_dev *wdev,
17822 				enum nl80211_commands cmd)
17823 {
17824 	struct sk_buff *msg;
17825 
17826 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17827 	if (!msg)
17828 		return;
17829 
17830 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17831 		nlmsg_free(msg);
17832 		return;
17833 	}
17834 
17835 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17836 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17837 }
17838 
17839 static int nl80211_add_scan_req(struct sk_buff *msg,
17840 				struct cfg80211_registered_device *rdev)
17841 {
17842 	struct cfg80211_scan_request *req = rdev->scan_req;
17843 	struct nlattr *nest;
17844 	int i;
17845 	struct cfg80211_scan_info *info;
17846 
17847 	if (WARN_ON(!req))
17848 		return 0;
17849 
17850 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17851 	if (!nest)
17852 		goto nla_put_failure;
17853 	for (i = 0; i < req->n_ssids; i++) {
17854 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17855 			goto nla_put_failure;
17856 	}
17857 	nla_nest_end(msg, nest);
17858 
17859 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17860 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17861 		if (!nest)
17862 			goto nla_put_failure;
17863 		for (i = 0; i < req->n_channels; i++) {
17864 			if (nla_put_u32(msg, i,
17865 				   ieee80211_channel_to_khz(req->channels[i])))
17866 				goto nla_put_failure;
17867 		}
17868 		nla_nest_end(msg, nest);
17869 	} else {
17870 		nest = nla_nest_start_noflag(msg,
17871 					     NL80211_ATTR_SCAN_FREQUENCIES);
17872 		if (!nest)
17873 			goto nla_put_failure;
17874 		for (i = 0; i < req->n_channels; i++) {
17875 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17876 				goto nla_put_failure;
17877 		}
17878 		nla_nest_end(msg, nest);
17879 	}
17880 
17881 	if (req->ie &&
17882 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17883 		goto nla_put_failure;
17884 
17885 	if (req->flags &&
17886 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17887 		goto nla_put_failure;
17888 
17889 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17890 		&rdev->scan_req->info;
17891 	if (info->scan_start_tsf &&
17892 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17893 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17894 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17895 		     info->tsf_bssid)))
17896 		goto nla_put_failure;
17897 
17898 	return 0;
17899  nla_put_failure:
17900 	return -ENOBUFS;
17901 }
17902 
17903 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17904 				 struct cfg80211_registered_device *rdev,
17905 				 struct wireless_dev *wdev,
17906 				 u32 portid, u32 seq, int flags,
17907 				 u32 cmd)
17908 {
17909 	void *hdr;
17910 
17911 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17912 	if (!hdr)
17913 		return -1;
17914 
17915 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17916 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17917 					 wdev->netdev->ifindex)) ||
17918 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17919 			      NL80211_ATTR_PAD))
17920 		goto nla_put_failure;
17921 
17922 	/* ignore errors and send incomplete event anyway */
17923 	nl80211_add_scan_req(msg, rdev);
17924 
17925 	genlmsg_end(msg, hdr);
17926 	return 0;
17927 
17928  nla_put_failure:
17929 	genlmsg_cancel(msg, hdr);
17930 	return -EMSGSIZE;
17931 }
17932 
17933 static int
17934 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17935 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17936 {
17937 	void *hdr;
17938 
17939 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17940 	if (!hdr)
17941 		return -1;
17942 
17943 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17944 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17945 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17946 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17947 			      NL80211_ATTR_PAD))
17948 		goto nla_put_failure;
17949 
17950 	genlmsg_end(msg, hdr);
17951 	return 0;
17952 
17953  nla_put_failure:
17954 	genlmsg_cancel(msg, hdr);
17955 	return -EMSGSIZE;
17956 }
17957 
17958 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17959 			     struct wireless_dev *wdev)
17960 {
17961 	struct sk_buff *msg;
17962 
17963 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17964 	if (!msg)
17965 		return;
17966 
17967 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17968 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17969 		nlmsg_free(msg);
17970 		return;
17971 	}
17972 
17973 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17974 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17975 }
17976 
17977 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17978 				       struct wireless_dev *wdev, bool aborted)
17979 {
17980 	struct sk_buff *msg;
17981 
17982 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17983 	if (!msg)
17984 		return NULL;
17985 
17986 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17987 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17988 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17989 		nlmsg_free(msg);
17990 		return NULL;
17991 	}
17992 
17993 	return msg;
17994 }
17995 
17996 /* send message created by nl80211_build_scan_msg() */
17997 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17998 			   struct sk_buff *msg)
17999 {
18000 	if (!msg)
18001 		return;
18002 
18003 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18004 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18005 }
18006 
18007 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
18008 {
18009 	struct sk_buff *msg;
18010 
18011 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18012 	if (!msg)
18013 		return;
18014 
18015 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
18016 		nlmsg_free(msg);
18017 		return;
18018 	}
18019 
18020 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
18021 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18022 }
18023 
18024 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
18025 					  struct regulatory_request *request)
18026 {
18027 	/* Userspace can always count this one always being set */
18028 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
18029 		goto nla_put_failure;
18030 
18031 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
18032 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18033 			       NL80211_REGDOM_TYPE_WORLD))
18034 			goto nla_put_failure;
18035 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
18036 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18037 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
18038 			goto nla_put_failure;
18039 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
18040 		   request->intersect) {
18041 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18042 			       NL80211_REGDOM_TYPE_INTERSECTION))
18043 			goto nla_put_failure;
18044 	} else {
18045 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18046 			       NL80211_REGDOM_TYPE_COUNTRY) ||
18047 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
18048 				   request->alpha2))
18049 			goto nla_put_failure;
18050 	}
18051 
18052 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
18053 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
18054 
18055 		if (wiphy &&
18056 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
18057 			goto nla_put_failure;
18058 
18059 		if (wiphy &&
18060 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
18061 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
18062 			goto nla_put_failure;
18063 	}
18064 
18065 	return true;
18066 
18067 nla_put_failure:
18068 	return false;
18069 }
18070 
18071 /*
18072  * This can happen on global regulatory changes or device specific settings
18073  * based on custom regulatory domains.
18074  */
18075 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
18076 				     struct regulatory_request *request)
18077 {
18078 	struct sk_buff *msg;
18079 	void *hdr;
18080 
18081 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18082 	if (!msg)
18083 		return;
18084 
18085 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
18086 	if (!hdr)
18087 		goto nla_put_failure;
18088 
18089 	if (!nl80211_reg_change_event_fill(msg, request))
18090 		goto nla_put_failure;
18091 
18092 	genlmsg_end(msg, hdr);
18093 
18094 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18095 				NL80211_MCGRP_REGULATORY);
18096 
18097 	return;
18098 
18099 nla_put_failure:
18100 	nlmsg_free(msg);
18101 }
18102 
18103 struct nl80211_mlme_event {
18104 	enum nl80211_commands cmd;
18105 	const u8 *buf;
18106 	size_t buf_len;
18107 	int uapsd_queues;
18108 	const u8 *req_ies;
18109 	size_t req_ies_len;
18110 	bool reconnect;
18111 };
18112 
18113 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
18114 				    struct net_device *netdev,
18115 				    const struct nl80211_mlme_event *event,
18116 				    gfp_t gfp)
18117 {
18118 	struct sk_buff *msg;
18119 	void *hdr;
18120 
18121 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
18122 	if (!msg)
18123 		return;
18124 
18125 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
18126 	if (!hdr) {
18127 		nlmsg_free(msg);
18128 		return;
18129 	}
18130 
18131 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18132 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18133 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
18134 	    (event->req_ies &&
18135 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18136 		     event->req_ies)))
18137 		goto nla_put_failure;
18138 
18139 	if (event->reconnect &&
18140 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18141 		goto nla_put_failure;
18142 
18143 	if (event->uapsd_queues >= 0) {
18144 		struct nlattr *nla_wmm =
18145 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18146 		if (!nla_wmm)
18147 			goto nla_put_failure;
18148 
18149 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18150 			       event->uapsd_queues))
18151 			goto nla_put_failure;
18152 
18153 		nla_nest_end(msg, nla_wmm);
18154 	}
18155 
18156 	genlmsg_end(msg, hdr);
18157 
18158 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18159 				NL80211_MCGRP_MLME, gfp);
18160 	return;
18161 
18162  nla_put_failure:
18163 	nlmsg_free(msg);
18164 }
18165 
18166 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18167 			  struct net_device *netdev, const u8 *buf,
18168 			  size_t len, gfp_t gfp)
18169 {
18170 	struct nl80211_mlme_event event = {
18171 		.cmd = NL80211_CMD_AUTHENTICATE,
18172 		.buf = buf,
18173 		.buf_len = len,
18174 		.uapsd_queues = -1,
18175 	};
18176 
18177 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18178 }
18179 
18180 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18181 			   struct net_device *netdev,
18182 			   const struct cfg80211_rx_assoc_resp_data *data)
18183 {
18184 	struct nl80211_mlme_event event = {
18185 		.cmd = NL80211_CMD_ASSOCIATE,
18186 		.buf = data->buf,
18187 		.buf_len = data->len,
18188 		.uapsd_queues = data->uapsd_queues,
18189 		.req_ies = data->req_ies,
18190 		.req_ies_len = data->req_ies_len,
18191 	};
18192 
18193 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18194 }
18195 
18196 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18197 			 struct net_device *netdev, const u8 *buf,
18198 			 size_t len, bool reconnect, gfp_t gfp)
18199 {
18200 	struct nl80211_mlme_event event = {
18201 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18202 		.buf = buf,
18203 		.buf_len = len,
18204 		.reconnect = reconnect,
18205 		.uapsd_queues = -1,
18206 	};
18207 
18208 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18209 }
18210 
18211 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18212 			   struct net_device *netdev, const u8 *buf,
18213 			   size_t len, bool reconnect, gfp_t gfp)
18214 {
18215 	struct nl80211_mlme_event event = {
18216 		.cmd = NL80211_CMD_DISASSOCIATE,
18217 		.buf = buf,
18218 		.buf_len = len,
18219 		.reconnect = reconnect,
18220 		.uapsd_queues = -1,
18221 	};
18222 
18223 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18224 }
18225 
18226 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18227 				  size_t len)
18228 {
18229 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18230 	struct wiphy *wiphy = wdev->wiphy;
18231 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18232 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18233 	struct nl80211_mlme_event event = {
18234 		.buf = buf,
18235 		.buf_len = len,
18236 		.uapsd_queues = -1,
18237 	};
18238 
18239 	if (WARN_ON(len < 2))
18240 		return;
18241 
18242 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18243 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18244 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18245 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18246 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18247 		if (wdev->unprot_beacon_reported &&
18248 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18249 			return;
18250 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18251 		wdev->unprot_beacon_reported = jiffies;
18252 	} else {
18253 		return;
18254 	}
18255 
18256 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18257 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18258 }
18259 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18260 
18261 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18262 				      struct net_device *netdev, int cmd,
18263 				      const u8 *addr, gfp_t gfp)
18264 {
18265 	struct sk_buff *msg;
18266 	void *hdr;
18267 
18268 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18269 	if (!msg)
18270 		return;
18271 
18272 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18273 	if (!hdr) {
18274 		nlmsg_free(msg);
18275 		return;
18276 	}
18277 
18278 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18279 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18280 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18281 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18282 		goto nla_put_failure;
18283 
18284 	genlmsg_end(msg, hdr);
18285 
18286 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18287 				NL80211_MCGRP_MLME, gfp);
18288 	return;
18289 
18290  nla_put_failure:
18291 	nlmsg_free(msg);
18292 }
18293 
18294 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18295 			       struct net_device *netdev, const u8 *addr,
18296 			       gfp_t gfp)
18297 {
18298 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18299 				  addr, gfp);
18300 }
18301 
18302 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18303 				struct net_device *netdev, const u8 *addr,
18304 				gfp_t gfp)
18305 {
18306 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18307 				  addr, gfp);
18308 }
18309 
18310 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18311 				 struct net_device *netdev,
18312 				 struct cfg80211_connect_resp_params *cr,
18313 				 gfp_t gfp)
18314 {
18315 	struct sk_buff *msg;
18316 	void *hdr;
18317 	unsigned int link;
18318 	size_t link_info_size = 0;
18319 	const u8 *connected_addr = cr->valid_links ?
18320 				   cr->ap_mld_addr : cr->links[0].bssid;
18321 
18322 	if (cr->valid_links) {
18323 		for_each_valid_link(cr, link) {
18324 			/* Nested attribute header */
18325 			link_info_size += NLA_HDRLEN;
18326 			/* Link ID */
18327 			link_info_size += nla_total_size(sizeof(u8));
18328 			link_info_size += cr->links[link].addr ?
18329 					  nla_total_size(ETH_ALEN) : 0;
18330 			link_info_size += (cr->links[link].bssid ||
18331 					   cr->links[link].bss) ?
18332 					  nla_total_size(ETH_ALEN) : 0;
18333 			link_info_size += nla_total_size(sizeof(u16));
18334 		}
18335 	}
18336 
18337 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18338 			cr->fils.kek_len + cr->fils.pmk_len +
18339 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18340 			gfp);
18341 	if (!msg)
18342 		return;
18343 
18344 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18345 	if (!hdr) {
18346 		nlmsg_free(msg);
18347 		return;
18348 	}
18349 
18350 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18351 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18352 	    (connected_addr &&
18353 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18354 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18355 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18356 			cr->status) ||
18357 	    (cr->status < 0 &&
18358 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18359 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18360 			  cr->timeout_reason))) ||
18361 	    (cr->req_ie &&
18362 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18363 	    (cr->resp_ie &&
18364 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18365 		     cr->resp_ie)) ||
18366 	    (cr->fils.update_erp_next_seq_num &&
18367 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18368 			 cr->fils.erp_next_seq_num)) ||
18369 	    (cr->status == WLAN_STATUS_SUCCESS &&
18370 	     ((cr->fils.kek &&
18371 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18372 		       cr->fils.kek)) ||
18373 	      (cr->fils.pmk &&
18374 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18375 	      (cr->fils.pmkid &&
18376 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18377 		goto nla_put_failure;
18378 
18379 	if (cr->valid_links) {
18380 		int i = 1;
18381 		struct nlattr *nested;
18382 
18383 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18384 		if (!nested)
18385 			goto nla_put_failure;
18386 
18387 		for_each_valid_link(cr, link) {
18388 			struct nlattr *nested_mlo_links;
18389 			const u8 *bssid = cr->links[link].bss ?
18390 					  cr->links[link].bss->bssid :
18391 					  cr->links[link].bssid;
18392 
18393 			nested_mlo_links = nla_nest_start(msg, i);
18394 			if (!nested_mlo_links)
18395 				goto nla_put_failure;
18396 
18397 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18398 			    (bssid &&
18399 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18400 			    (cr->links[link].addr &&
18401 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18402 				     cr->links[link].addr)) ||
18403 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18404 					cr->links[link].status))
18405 				goto nla_put_failure;
18406 
18407 			nla_nest_end(msg, nested_mlo_links);
18408 			i++;
18409 		}
18410 		nla_nest_end(msg, nested);
18411 	}
18412 
18413 	genlmsg_end(msg, hdr);
18414 
18415 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18416 				NL80211_MCGRP_MLME, gfp);
18417 	return;
18418 
18419  nla_put_failure:
18420 	nlmsg_free(msg);
18421 }
18422 
18423 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18424 			 struct net_device *netdev,
18425 			 struct cfg80211_roam_info *info, gfp_t gfp)
18426 {
18427 	struct sk_buff *msg;
18428 	void *hdr;
18429 	size_t link_info_size = 0;
18430 	unsigned int link;
18431 	const u8 *connected_addr = info->ap_mld_addr ?
18432 				   info->ap_mld_addr :
18433 				   (info->links[0].bss ?
18434 				    info->links[0].bss->bssid :
18435 				    info->links[0].bssid);
18436 
18437 	if (info->valid_links) {
18438 		for_each_valid_link(info, link) {
18439 			/* Nested attribute header */
18440 			link_info_size += NLA_HDRLEN;
18441 			/* Link ID */
18442 			link_info_size += nla_total_size(sizeof(u8));
18443 			link_info_size += info->links[link].addr ?
18444 					  nla_total_size(ETH_ALEN) : 0;
18445 			link_info_size += (info->links[link].bssid ||
18446 					   info->links[link].bss) ?
18447 					  nla_total_size(ETH_ALEN) : 0;
18448 		}
18449 	}
18450 
18451 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18452 			info->fils.kek_len + info->fils.pmk_len +
18453 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18454 			link_info_size, gfp);
18455 	if (!msg)
18456 		return;
18457 
18458 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18459 	if (!hdr) {
18460 		nlmsg_free(msg);
18461 		return;
18462 	}
18463 
18464 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18465 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18466 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18467 	    (info->req_ie &&
18468 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18469 		     info->req_ie)) ||
18470 	    (info->resp_ie &&
18471 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18472 		     info->resp_ie)) ||
18473 	    (info->fils.update_erp_next_seq_num &&
18474 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18475 			 info->fils.erp_next_seq_num)) ||
18476 	    (info->fils.kek &&
18477 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18478 		     info->fils.kek)) ||
18479 	    (info->fils.pmk &&
18480 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18481 	    (info->fils.pmkid &&
18482 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18483 		goto nla_put_failure;
18484 
18485 	if (info->valid_links) {
18486 		int i = 1;
18487 		struct nlattr *nested;
18488 
18489 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18490 		if (!nested)
18491 			goto nla_put_failure;
18492 
18493 		for_each_valid_link(info, link) {
18494 			struct nlattr *nested_mlo_links;
18495 			const u8 *bssid = info->links[link].bss ?
18496 					  info->links[link].bss->bssid :
18497 					  info->links[link].bssid;
18498 
18499 			nested_mlo_links = nla_nest_start(msg, i);
18500 			if (!nested_mlo_links)
18501 				goto nla_put_failure;
18502 
18503 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18504 			    (bssid &&
18505 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18506 			    (info->links[link].addr &&
18507 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18508 				     info->links[link].addr)))
18509 				goto nla_put_failure;
18510 
18511 			nla_nest_end(msg, nested_mlo_links);
18512 			i++;
18513 		}
18514 		nla_nest_end(msg, nested);
18515 	}
18516 
18517 	genlmsg_end(msg, hdr);
18518 
18519 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18520 				NL80211_MCGRP_MLME, gfp);
18521 	return;
18522 
18523  nla_put_failure:
18524 	nlmsg_free(msg);
18525 }
18526 
18527 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18528 				  struct net_device *netdev, const u8 *peer_addr,
18529 				  const u8 *td_bitmap, u8 td_bitmap_len)
18530 {
18531 	struct sk_buff *msg;
18532 	void *hdr;
18533 
18534 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18535 	if (!msg)
18536 		return;
18537 
18538 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18539 	if (!hdr) {
18540 		nlmsg_free(msg);
18541 		return;
18542 	}
18543 
18544 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18545 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18546 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18547 		goto nla_put_failure;
18548 
18549 	if (td_bitmap_len > 0 && td_bitmap &&
18550 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
18551 		goto nla_put_failure;
18552 
18553 	genlmsg_end(msg, hdr);
18554 
18555 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18556 				NL80211_MCGRP_MLME, GFP_KERNEL);
18557 	return;
18558 
18559  nla_put_failure:
18560 	nlmsg_free(msg);
18561 }
18562 
18563 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18564 			       struct net_device *netdev, u16 reason,
18565 			       const u8 *ie, size_t ie_len, bool from_ap)
18566 {
18567 	struct sk_buff *msg;
18568 	void *hdr;
18569 
18570 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18571 	if (!msg)
18572 		return;
18573 
18574 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18575 	if (!hdr) {
18576 		nlmsg_free(msg);
18577 		return;
18578 	}
18579 
18580 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18581 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18582 	    (reason &&
18583 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18584 	    (from_ap &&
18585 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18586 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18587 		goto nla_put_failure;
18588 
18589 	genlmsg_end(msg, hdr);
18590 
18591 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18592 				NL80211_MCGRP_MLME, GFP_KERNEL);
18593 	return;
18594 
18595  nla_put_failure:
18596 	nlmsg_free(msg);
18597 }
18598 
18599 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18600 {
18601 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18602 	struct wiphy *wiphy = wdev->wiphy;
18603 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18604 	struct sk_buff *msg;
18605 	struct nlattr *links;
18606 	void *hdr;
18607 
18608 	lockdep_assert_wiphy(wdev->wiphy);
18609 	trace_cfg80211_links_removed(dev, link_mask);
18610 
18611 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18612 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18613 		return;
18614 
18615 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18616 		    (wdev->valid_links & link_mask) != link_mask ||
18617 		    wdev->valid_links == link_mask))
18618 		return;
18619 
18620 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18621 	wdev->valid_links &= ~link_mask;
18622 
18623 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18624 	if (!msg)
18625 		return;
18626 
18627 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18628 	if (!hdr) {
18629 		nlmsg_free(msg);
18630 		return;
18631 	}
18632 
18633 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18634 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18635 		goto nla_put_failure;
18636 
18637 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18638 	if (!links)
18639 		goto nla_put_failure;
18640 
18641 	while (link_mask) {
18642 		struct nlattr *link;
18643 		int link_id = __ffs(link_mask);
18644 
18645 		link = nla_nest_start(msg, link_id + 1);
18646 		if (!link)
18647 			goto nla_put_failure;
18648 
18649 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18650 			goto nla_put_failure;
18651 
18652 		nla_nest_end(msg, link);
18653 		link_mask &= ~(1 << link_id);
18654 	}
18655 
18656 	nla_nest_end(msg, links);
18657 
18658 	genlmsg_end(msg, hdr);
18659 
18660 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18661 				NL80211_MCGRP_MLME, GFP_KERNEL);
18662 	return;
18663 
18664  nla_put_failure:
18665 	nlmsg_free(msg);
18666 }
18667 EXPORT_SYMBOL(cfg80211_links_removed);
18668 
18669 void nl80211_mlo_reconf_add_done(struct net_device *dev,
18670 				 struct cfg80211_mlo_reconf_done_data *data)
18671 {
18672 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18673 	struct wiphy *wiphy = wdev->wiphy;
18674 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18675 	struct nl80211_mlme_event event = {
18676 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
18677 		.buf = data->buf,
18678 		.buf_len = data->len,
18679 		.uapsd_queues = -1,
18680 	};
18681 
18682 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
18683 }
18684 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
18685 
18686 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18687 			     struct net_device *netdev, const u8 *bssid,
18688 			     gfp_t gfp)
18689 {
18690 	struct sk_buff *msg;
18691 	void *hdr;
18692 
18693 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18694 	if (!msg)
18695 		return;
18696 
18697 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18698 	if (!hdr) {
18699 		nlmsg_free(msg);
18700 		return;
18701 	}
18702 
18703 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18704 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18705 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18706 		goto nla_put_failure;
18707 
18708 	genlmsg_end(msg, hdr);
18709 
18710 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18711 				NL80211_MCGRP_MLME, gfp);
18712 	return;
18713 
18714  nla_put_failure:
18715 	nlmsg_free(msg);
18716 }
18717 
18718 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18719 					const u8 *ie, u8 ie_len,
18720 					int sig_dbm, gfp_t gfp)
18721 {
18722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18723 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18724 	struct sk_buff *msg;
18725 	void *hdr;
18726 
18727 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18728 		return;
18729 
18730 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18731 
18732 	msg = nlmsg_new(100 + ie_len, gfp);
18733 	if (!msg)
18734 		return;
18735 
18736 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18737 	if (!hdr) {
18738 		nlmsg_free(msg);
18739 		return;
18740 	}
18741 
18742 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18743 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18744 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18745 	    (ie_len && ie &&
18746 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18747 	    (sig_dbm &&
18748 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18749 		goto nla_put_failure;
18750 
18751 	genlmsg_end(msg, hdr);
18752 
18753 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18754 				NL80211_MCGRP_MLME, gfp);
18755 	return;
18756 
18757  nla_put_failure:
18758 	nlmsg_free(msg);
18759 }
18760 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18761 
18762 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18763 				 struct net_device *netdev, const u8 *addr,
18764 				 enum nl80211_key_type key_type, int key_id,
18765 				 const u8 *tsc, gfp_t gfp)
18766 {
18767 	struct sk_buff *msg;
18768 	void *hdr;
18769 
18770 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18771 	if (!msg)
18772 		return;
18773 
18774 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18775 	if (!hdr) {
18776 		nlmsg_free(msg);
18777 		return;
18778 	}
18779 
18780 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18781 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18782 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18783 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18784 	    (key_id != -1 &&
18785 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18786 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18787 		goto nla_put_failure;
18788 
18789 	genlmsg_end(msg, hdr);
18790 
18791 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18792 				NL80211_MCGRP_MLME, gfp);
18793 	return;
18794 
18795  nla_put_failure:
18796 	nlmsg_free(msg);
18797 }
18798 
18799 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18800 				    struct ieee80211_channel *channel_before,
18801 				    struct ieee80211_channel *channel_after)
18802 {
18803 	struct sk_buff *msg;
18804 	void *hdr;
18805 	struct nlattr *nl_freq;
18806 
18807 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18808 	if (!msg)
18809 		return;
18810 
18811 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18812 	if (!hdr) {
18813 		nlmsg_free(msg);
18814 		return;
18815 	}
18816 
18817 	/*
18818 	 * Since we are applying the beacon hint to a wiphy we know its
18819 	 * wiphy_idx is valid
18820 	 */
18821 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18822 		goto nla_put_failure;
18823 
18824 	/* Before */
18825 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18826 	if (!nl_freq)
18827 		goto nla_put_failure;
18828 
18829 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18830 		goto nla_put_failure;
18831 	nla_nest_end(msg, nl_freq);
18832 
18833 	/* After */
18834 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18835 	if (!nl_freq)
18836 		goto nla_put_failure;
18837 
18838 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18839 		goto nla_put_failure;
18840 	nla_nest_end(msg, nl_freq);
18841 
18842 	genlmsg_end(msg, hdr);
18843 
18844 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18845 				NL80211_MCGRP_REGULATORY);
18846 
18847 	return;
18848 
18849 nla_put_failure:
18850 	nlmsg_free(msg);
18851 }
18852 
18853 static void nl80211_send_remain_on_chan_event(
18854 	int cmd, struct cfg80211_registered_device *rdev,
18855 	struct wireless_dev *wdev, u64 cookie,
18856 	struct ieee80211_channel *chan,
18857 	unsigned int duration, gfp_t gfp)
18858 {
18859 	struct sk_buff *msg;
18860 	void *hdr;
18861 
18862 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18863 	if (!msg)
18864 		return;
18865 
18866 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18867 	if (!hdr) {
18868 		nlmsg_free(msg);
18869 		return;
18870 	}
18871 
18872 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18873 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18874 					 wdev->netdev->ifindex)) ||
18875 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18876 			      NL80211_ATTR_PAD) ||
18877 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18878 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18879 			NL80211_CHAN_NO_HT) ||
18880 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18881 			      NL80211_ATTR_PAD))
18882 		goto nla_put_failure;
18883 
18884 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18885 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18886 		goto nla_put_failure;
18887 
18888 	genlmsg_end(msg, hdr);
18889 
18890 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18891 				NL80211_MCGRP_MLME, gfp);
18892 	return;
18893 
18894  nla_put_failure:
18895 	nlmsg_free(msg);
18896 }
18897 
18898 void cfg80211_assoc_comeback(struct net_device *netdev,
18899 			     const u8 *ap_addr, u32 timeout)
18900 {
18901 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18902 	struct wiphy *wiphy = wdev->wiphy;
18903 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18904 	struct sk_buff *msg;
18905 	void *hdr;
18906 
18907 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18908 
18909 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18910 	if (!msg)
18911 		return;
18912 
18913 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18914 	if (!hdr) {
18915 		nlmsg_free(msg);
18916 		return;
18917 	}
18918 
18919 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18920 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18921 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18922 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18923 		goto nla_put_failure;
18924 
18925 	genlmsg_end(msg, hdr);
18926 
18927 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18928 				NL80211_MCGRP_MLME, GFP_KERNEL);
18929 	return;
18930 
18931  nla_put_failure:
18932 	nlmsg_free(msg);
18933 }
18934 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18935 
18936 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18937 			       struct ieee80211_channel *chan,
18938 			       unsigned int duration, gfp_t gfp)
18939 {
18940 	struct wiphy *wiphy = wdev->wiphy;
18941 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18942 
18943 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18944 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18945 					  rdev, wdev, cookie, chan,
18946 					  duration, gfp);
18947 }
18948 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18949 
18950 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18951 					struct ieee80211_channel *chan,
18952 					gfp_t gfp)
18953 {
18954 	struct wiphy *wiphy = wdev->wiphy;
18955 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18956 
18957 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18958 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18959 					  rdev, wdev, cookie, chan, 0, gfp);
18960 }
18961 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18962 
18963 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18964 					struct ieee80211_channel *chan,
18965 					gfp_t gfp)
18966 {
18967 	struct wiphy *wiphy = wdev->wiphy;
18968 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18969 
18970 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18971 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18972 					  rdev, wdev, cookie, chan, 0, gfp);
18973 }
18974 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18975 
18976 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18977 		      struct station_info *sinfo, gfp_t gfp)
18978 {
18979 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18980 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18981 	struct sk_buff *msg;
18982 
18983 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18984 
18985 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18986 	if (!msg)
18987 		return;
18988 
18989 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18990 				 rdev, dev, mac_addr, sinfo) < 0) {
18991 		nlmsg_free(msg);
18992 		return;
18993 	}
18994 
18995 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18996 				NL80211_MCGRP_MLME, gfp);
18997 }
18998 EXPORT_SYMBOL(cfg80211_new_sta);
18999 
19000 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
19001 			    struct station_info *sinfo, gfp_t gfp)
19002 {
19003 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19004 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19005 	struct sk_buff *msg;
19006 	struct station_info empty_sinfo = {};
19007 
19008 	if (!sinfo)
19009 		sinfo = &empty_sinfo;
19010 
19011 	trace_cfg80211_del_sta(dev, mac_addr);
19012 
19013 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19014 	if (!msg) {
19015 		cfg80211_sinfo_release_content(sinfo);
19016 		return;
19017 	}
19018 
19019 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
19020 				 rdev, dev, mac_addr, sinfo) < 0) {
19021 		nlmsg_free(msg);
19022 		return;
19023 	}
19024 
19025 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19026 				NL80211_MCGRP_MLME, gfp);
19027 }
19028 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
19029 
19030 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
19031 			  enum nl80211_connect_failed_reason reason,
19032 			  gfp_t gfp)
19033 {
19034 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19035 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19036 	struct sk_buff *msg;
19037 	void *hdr;
19038 
19039 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
19040 	if (!msg)
19041 		return;
19042 
19043 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
19044 	if (!hdr) {
19045 		nlmsg_free(msg);
19046 		return;
19047 	}
19048 
19049 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19050 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
19051 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
19052 		goto nla_put_failure;
19053 
19054 	genlmsg_end(msg, hdr);
19055 
19056 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19057 				NL80211_MCGRP_MLME, gfp);
19058 	return;
19059 
19060  nla_put_failure:
19061 	nlmsg_free(msg);
19062 }
19063 EXPORT_SYMBOL(cfg80211_conn_failed);
19064 
19065 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
19066 				       const u8 *addr, gfp_t gfp)
19067 {
19068 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19069 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19070 	struct sk_buff *msg;
19071 	void *hdr;
19072 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
19073 
19074 	if (!nlportid)
19075 		return false;
19076 
19077 	msg = nlmsg_new(100, gfp);
19078 	if (!msg)
19079 		return true;
19080 
19081 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19082 	if (!hdr) {
19083 		nlmsg_free(msg);
19084 		return true;
19085 	}
19086 
19087 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19088 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19089 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19090 		goto nla_put_failure;
19091 
19092 	genlmsg_end(msg, hdr);
19093 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19094 	return true;
19095 
19096  nla_put_failure:
19097 	nlmsg_free(msg);
19098 	return true;
19099 }
19100 
19101 bool cfg80211_rx_spurious_frame(struct net_device *dev,
19102 				const u8 *addr, gfp_t gfp)
19103 {
19104 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19105 	bool ret;
19106 
19107 	trace_cfg80211_rx_spurious_frame(dev, addr);
19108 
19109 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19110 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
19111 		trace_cfg80211_return_bool(false);
19112 		return false;
19113 	}
19114 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
19115 					 addr, gfp);
19116 	trace_cfg80211_return_bool(ret);
19117 	return ret;
19118 }
19119 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
19120 
19121 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
19122 					const u8 *addr, gfp_t gfp)
19123 {
19124 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19125 	bool ret;
19126 
19127 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
19128 
19129 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19130 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
19131 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
19132 		trace_cfg80211_return_bool(false);
19133 		return false;
19134 	}
19135 	ret = __nl80211_unexpected_frame(dev,
19136 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
19137 					 addr, gfp);
19138 	trace_cfg80211_return_bool(ret);
19139 	return ret;
19140 }
19141 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
19142 
19143 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
19144 		      struct wireless_dev *wdev, u32 nlportid,
19145 		      struct cfg80211_rx_info *info, gfp_t gfp)
19146 {
19147 	struct net_device *netdev = wdev->netdev;
19148 	struct sk_buff *msg;
19149 	void *hdr;
19150 
19151 	msg = nlmsg_new(100 + info->len, gfp);
19152 	if (!msg)
19153 		return -ENOMEM;
19154 
19155 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19156 	if (!hdr) {
19157 		nlmsg_free(msg);
19158 		return -ENOMEM;
19159 	}
19160 
19161 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19162 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19163 					netdev->ifindex)) ||
19164 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19165 			      NL80211_ATTR_PAD) ||
19166 	    (info->have_link_id &&
19167 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19168 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19169 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19170 	    (info->sig_dbm &&
19171 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19172 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19173 	    (info->flags &&
19174 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19175 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19176 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19177 						  info->rx_tstamp,
19178 						  NL80211_ATTR_PAD)) ||
19179 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19180 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19181 						   info->ack_tstamp,
19182 						   NL80211_ATTR_PAD)))
19183 		goto nla_put_failure;
19184 
19185 	genlmsg_end(msg, hdr);
19186 
19187 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19188 
19189  nla_put_failure:
19190 	nlmsg_free(msg);
19191 	return -ENOBUFS;
19192 }
19193 
19194 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19195 				    struct cfg80211_tx_status *status,
19196 				    gfp_t gfp, enum nl80211_commands command)
19197 {
19198 	struct wiphy *wiphy = wdev->wiphy;
19199 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19200 	struct net_device *netdev = wdev->netdev;
19201 	struct sk_buff *msg;
19202 	void *hdr;
19203 
19204 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19205 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19206 					      status->ack);
19207 	else
19208 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19209 						      status->ack);
19210 
19211 	msg = nlmsg_new(100 + status->len, gfp);
19212 	if (!msg)
19213 		return;
19214 
19215 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19216 	if (!hdr) {
19217 		nlmsg_free(msg);
19218 		return;
19219 	}
19220 
19221 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19222 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19223 				   netdev->ifindex)) ||
19224 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19225 			      NL80211_ATTR_PAD) ||
19226 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19227 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19228 			      NL80211_ATTR_PAD) ||
19229 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19230 	    (status->tx_tstamp &&
19231 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19232 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19233 	    (status->ack_tstamp &&
19234 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19235 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19236 		goto nla_put_failure;
19237 
19238 	genlmsg_end(msg, hdr);
19239 
19240 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19241 				NL80211_MCGRP_MLME, gfp);
19242 	return;
19243 
19244 nla_put_failure:
19245 	nlmsg_free(msg);
19246 }
19247 
19248 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19249 				     const u8 *buf, size_t len, bool ack,
19250 				     gfp_t gfp)
19251 {
19252 	struct cfg80211_tx_status status = {
19253 		.cookie = cookie,
19254 		.buf = buf,
19255 		.len = len,
19256 		.ack = ack
19257 	};
19258 
19259 	nl80211_frame_tx_status(wdev, &status, gfp,
19260 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19261 }
19262 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19263 
19264 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19265 				 struct cfg80211_tx_status *status, gfp_t gfp)
19266 {
19267 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19268 }
19269 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19270 
19271 static int __nl80211_rx_control_port(struct net_device *dev,
19272 				     struct sk_buff *skb,
19273 				     bool unencrypted,
19274 				     int link_id,
19275 				     gfp_t gfp)
19276 {
19277 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19278 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19279 	struct ethhdr *ehdr = eth_hdr(skb);
19280 	const u8 *addr = ehdr->h_source;
19281 	u16 proto = be16_to_cpu(skb->protocol);
19282 	struct sk_buff *msg;
19283 	void *hdr;
19284 	struct nlattr *frame;
19285 
19286 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19287 
19288 	if (!nlportid)
19289 		return -ENOENT;
19290 
19291 	msg = nlmsg_new(100 + skb->len, gfp);
19292 	if (!msg)
19293 		return -ENOMEM;
19294 
19295 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19296 	if (!hdr) {
19297 		nlmsg_free(msg);
19298 		return -ENOBUFS;
19299 	}
19300 
19301 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19302 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19303 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19304 			      NL80211_ATTR_PAD) ||
19305 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19306 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19307 	    (link_id >= 0 &&
19308 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19309 	    (unencrypted && nla_put_flag(msg,
19310 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19311 		goto nla_put_failure;
19312 
19313 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19314 	if (!frame)
19315 		goto nla_put_failure;
19316 
19317 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19318 	genlmsg_end(msg, hdr);
19319 
19320 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19321 
19322  nla_put_failure:
19323 	nlmsg_free(msg);
19324 	return -ENOBUFS;
19325 }
19326 
19327 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19328 			      bool unencrypted, int link_id)
19329 {
19330 	int ret;
19331 
19332 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19333 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19334 					GFP_ATOMIC);
19335 	trace_cfg80211_return_bool(ret == 0);
19336 	return ret == 0;
19337 }
19338 EXPORT_SYMBOL(cfg80211_rx_control_port);
19339 
19340 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19341 					    const char *mac, gfp_t gfp)
19342 {
19343 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19344 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19345 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19346 	void **cb;
19347 
19348 	if (!msg)
19349 		return NULL;
19350 
19351 	cb = (void **)msg->cb;
19352 
19353 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19354 	if (!cb[0]) {
19355 		nlmsg_free(msg);
19356 		return NULL;
19357 	}
19358 
19359 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19360 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19361 		goto nla_put_failure;
19362 
19363 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19364 		goto nla_put_failure;
19365 
19366 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19367 	if (!cb[1])
19368 		goto nla_put_failure;
19369 
19370 	cb[2] = rdev;
19371 
19372 	return msg;
19373  nla_put_failure:
19374 	nlmsg_free(msg);
19375 	return NULL;
19376 }
19377 
19378 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19379 {
19380 	void **cb = (void **)msg->cb;
19381 	struct cfg80211_registered_device *rdev = cb[2];
19382 
19383 	nla_nest_end(msg, cb[1]);
19384 	genlmsg_end(msg, cb[0]);
19385 
19386 	memset(msg->cb, 0, sizeof(msg->cb));
19387 
19388 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19389 				NL80211_MCGRP_MLME, gfp);
19390 }
19391 
19392 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19393 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19394 			      s32 rssi_level, gfp_t gfp)
19395 {
19396 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19397 	struct cfg80211_cqm_config *cqm_config;
19398 
19399 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19400 
19401 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19402 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19403 		return;
19404 
19405 	rcu_read_lock();
19406 	cqm_config = rcu_dereference(wdev->cqm_config);
19407 	if (cqm_config) {
19408 		cqm_config->last_rssi_event_value = rssi_level;
19409 		cqm_config->last_rssi_event_type = rssi_event;
19410 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19411 	}
19412 	rcu_read_unlock();
19413 }
19414 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19415 
19416 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19417 {
19418 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19419 						 cqm_rssi_work);
19420 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19421 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19422 	struct cfg80211_cqm_config *cqm_config;
19423 	struct sk_buff *msg;
19424 	s32 rssi_level;
19425 
19426 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19427 	if (!cqm_config)
19428 		return;
19429 
19430 	if (cqm_config->use_range_api)
19431 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19432 
19433 	rssi_level = cqm_config->last_rssi_event_value;
19434 	rssi_event = cqm_config->last_rssi_event_type;
19435 
19436 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19437 	if (!msg)
19438 		return;
19439 
19440 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19441 			rssi_event))
19442 		goto nla_put_failure;
19443 
19444 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19445 				      rssi_level))
19446 		goto nla_put_failure;
19447 
19448 	cfg80211_send_cqm(msg, GFP_KERNEL);
19449 
19450 	return;
19451 
19452  nla_put_failure:
19453 	nlmsg_free(msg);
19454 }
19455 
19456 void cfg80211_cqm_txe_notify(struct net_device *dev,
19457 			     const u8 *peer, u32 num_packets,
19458 			     u32 rate, u32 intvl, gfp_t gfp)
19459 {
19460 	struct sk_buff *msg;
19461 
19462 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19463 	if (!msg)
19464 		return;
19465 
19466 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19467 		goto nla_put_failure;
19468 
19469 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19470 		goto nla_put_failure;
19471 
19472 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19473 		goto nla_put_failure;
19474 
19475 	cfg80211_send_cqm(msg, gfp);
19476 	return;
19477 
19478  nla_put_failure:
19479 	nlmsg_free(msg);
19480 }
19481 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19482 
19483 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19484 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19485 {
19486 	struct sk_buff *msg;
19487 
19488 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19489 
19490 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19491 	if (!msg)
19492 		return;
19493 
19494 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19495 		goto nla_put_failure;
19496 
19497 	cfg80211_send_cqm(msg, gfp);
19498 	return;
19499 
19500  nla_put_failure:
19501 	nlmsg_free(msg);
19502 }
19503 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19504 
19505 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19506 {
19507 	struct sk_buff *msg;
19508 
19509 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19510 	if (!msg)
19511 		return;
19512 
19513 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19514 		goto nla_put_failure;
19515 
19516 	cfg80211_send_cqm(msg, gfp);
19517 	return;
19518 
19519  nla_put_failure:
19520 	nlmsg_free(msg);
19521 }
19522 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19523 
19524 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19525 				     struct net_device *netdev, const u8 *bssid,
19526 				     const u8 *replay_ctr, gfp_t gfp)
19527 {
19528 	struct sk_buff *msg;
19529 	struct nlattr *rekey_attr;
19530 	void *hdr;
19531 
19532 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19533 	if (!msg)
19534 		return;
19535 
19536 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19537 	if (!hdr) {
19538 		nlmsg_free(msg);
19539 		return;
19540 	}
19541 
19542 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19543 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19544 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19545 		goto nla_put_failure;
19546 
19547 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19548 	if (!rekey_attr)
19549 		goto nla_put_failure;
19550 
19551 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19552 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19553 		goto nla_put_failure;
19554 
19555 	nla_nest_end(msg, rekey_attr);
19556 
19557 	genlmsg_end(msg, hdr);
19558 
19559 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19560 				NL80211_MCGRP_MLME, gfp);
19561 	return;
19562 
19563  nla_put_failure:
19564 	nlmsg_free(msg);
19565 }
19566 
19567 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19568 			       const u8 *replay_ctr, gfp_t gfp)
19569 {
19570 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19571 	struct wiphy *wiphy = wdev->wiphy;
19572 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19573 
19574 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19575 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19576 }
19577 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19578 
19579 static void
19580 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19581 			       struct net_device *netdev, int index,
19582 			       const u8 *bssid, bool preauth, gfp_t gfp)
19583 {
19584 	struct sk_buff *msg;
19585 	struct nlattr *attr;
19586 	void *hdr;
19587 
19588 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19589 	if (!msg)
19590 		return;
19591 
19592 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19593 	if (!hdr) {
19594 		nlmsg_free(msg);
19595 		return;
19596 	}
19597 
19598 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19599 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19600 		goto nla_put_failure;
19601 
19602 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19603 	if (!attr)
19604 		goto nla_put_failure;
19605 
19606 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19607 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19608 	    (preauth &&
19609 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19610 		goto nla_put_failure;
19611 
19612 	nla_nest_end(msg, attr);
19613 
19614 	genlmsg_end(msg, hdr);
19615 
19616 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19617 				NL80211_MCGRP_MLME, gfp);
19618 	return;
19619 
19620  nla_put_failure:
19621 	nlmsg_free(msg);
19622 }
19623 
19624 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19625 				     const u8 *bssid, bool preauth, gfp_t gfp)
19626 {
19627 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19628 	struct wiphy *wiphy = wdev->wiphy;
19629 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19630 
19631 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19632 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19633 }
19634 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19635 
19636 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19637 				     struct net_device *netdev,
19638 				     unsigned int link_id,
19639 				     struct cfg80211_chan_def *chandef,
19640 				     gfp_t gfp,
19641 				     enum nl80211_commands notif,
19642 				     u8 count, bool quiet)
19643 {
19644 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19645 	struct sk_buff *msg;
19646 	void *hdr;
19647 
19648 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19649 	if (!msg)
19650 		return;
19651 
19652 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19653 	if (!hdr) {
19654 		nlmsg_free(msg);
19655 		return;
19656 	}
19657 
19658 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19659 		goto nla_put_failure;
19660 
19661 	if (wdev->valid_links &&
19662 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19663 		goto nla_put_failure;
19664 
19665 	if (nl80211_send_chandef(msg, chandef))
19666 		goto nla_put_failure;
19667 
19668 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19669 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19670 			goto nla_put_failure;
19671 		if (quiet &&
19672 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19673 			goto nla_put_failure;
19674 	}
19675 
19676 	genlmsg_end(msg, hdr);
19677 
19678 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19679 				NL80211_MCGRP_MLME, gfp);
19680 	return;
19681 
19682  nla_put_failure:
19683 	nlmsg_free(msg);
19684 }
19685 
19686 void cfg80211_ch_switch_notify(struct net_device *dev,
19687 			       struct cfg80211_chan_def *chandef,
19688 			       unsigned int link_id)
19689 {
19690 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19691 	struct wiphy *wiphy = wdev->wiphy;
19692 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19693 
19694 	lockdep_assert_wiphy(wdev->wiphy);
19695 	WARN_INVALID_LINK_ID(wdev, link_id);
19696 
19697 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19698 
19699 	switch (wdev->iftype) {
19700 	case NL80211_IFTYPE_STATION:
19701 	case NL80211_IFTYPE_P2P_CLIENT:
19702 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19703 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19704 							chandef->chan);
19705 		break;
19706 	case NL80211_IFTYPE_MESH_POINT:
19707 		wdev->u.mesh.chandef = *chandef;
19708 		wdev->u.mesh.preset_chandef = *chandef;
19709 		break;
19710 	case NL80211_IFTYPE_AP:
19711 	case NL80211_IFTYPE_P2P_GO:
19712 		wdev->links[link_id].ap.chandef = *chandef;
19713 		break;
19714 	case NL80211_IFTYPE_ADHOC:
19715 		wdev->u.ibss.chandef = *chandef;
19716 		break;
19717 	default:
19718 		WARN_ON(1);
19719 		break;
19720 	}
19721 
19722 	cfg80211_schedule_channels_check(wdev);
19723 	cfg80211_sched_dfs_chan_update(rdev);
19724 
19725 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19726 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19727 }
19728 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19729 
19730 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19731 				       struct cfg80211_chan_def *chandef,
19732 				       unsigned int link_id, u8 count,
19733 				       bool quiet)
19734 {
19735 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19736 	struct wiphy *wiphy = wdev->wiphy;
19737 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19738 
19739 	lockdep_assert_wiphy(wdev->wiphy);
19740 	WARN_INVALID_LINK_ID(wdev, link_id);
19741 
19742 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19743 
19744 
19745 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19746 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19747 				 count, quiet);
19748 }
19749 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19750 
19751 int cfg80211_bss_color_notify(struct net_device *dev,
19752 			      enum nl80211_commands cmd, u8 count,
19753 			      u64 color_bitmap, u8 link_id)
19754 {
19755 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19756 	struct wiphy *wiphy = wdev->wiphy;
19757 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19758 	struct sk_buff *msg;
19759 	void *hdr;
19760 
19761 	lockdep_assert_wiphy(wdev->wiphy);
19762 
19763 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19764 
19765 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19766 	if (!msg)
19767 		return -ENOMEM;
19768 
19769 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19770 	if (!hdr)
19771 		goto nla_put_failure;
19772 
19773 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19774 		goto nla_put_failure;
19775 
19776 	if (wdev->valid_links &&
19777 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19778 		goto nla_put_failure;
19779 
19780 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19781 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19782 		goto nla_put_failure;
19783 
19784 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19785 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19786 			      color_bitmap, NL80211_ATTR_PAD))
19787 		goto nla_put_failure;
19788 
19789 	genlmsg_end(msg, hdr);
19790 
19791 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19792 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19793 
19794 nla_put_failure:
19795 	nlmsg_free(msg);
19796 	return -EINVAL;
19797 }
19798 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19799 
19800 void
19801 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19802 		     const struct cfg80211_chan_def *chandef,
19803 		     enum nl80211_radar_event event,
19804 		     struct net_device *netdev, gfp_t gfp)
19805 {
19806 	struct sk_buff *msg;
19807 	void *hdr;
19808 
19809 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19810 	if (!msg)
19811 		return;
19812 
19813 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19814 	if (!hdr) {
19815 		nlmsg_free(msg);
19816 		return;
19817 	}
19818 
19819 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19820 		goto nla_put_failure;
19821 
19822 	/* NOP and radar events don't need a netdev parameter */
19823 	if (netdev) {
19824 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19825 
19826 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19827 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19828 				      NL80211_ATTR_PAD))
19829 			goto nla_put_failure;
19830 	}
19831 
19832 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19833 		goto nla_put_failure;
19834 
19835 	if (nl80211_send_chandef(msg, chandef))
19836 		goto nla_put_failure;
19837 
19838 	genlmsg_end(msg, hdr);
19839 
19840 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19841 				NL80211_MCGRP_MLME, gfp);
19842 	return;
19843 
19844  nla_put_failure:
19845 	nlmsg_free(msg);
19846 }
19847 
19848 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19849 				       struct sta_opmode_info *sta_opmode,
19850 				       gfp_t gfp)
19851 {
19852 	struct sk_buff *msg;
19853 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19854 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19855 	void *hdr;
19856 
19857 	if (WARN_ON(!mac))
19858 		return;
19859 
19860 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19861 	if (!msg)
19862 		return;
19863 
19864 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19865 	if (!hdr) {
19866 		nlmsg_free(msg);
19867 		return;
19868 	}
19869 
19870 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19871 		goto nla_put_failure;
19872 
19873 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19874 		goto nla_put_failure;
19875 
19876 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19877 		goto nla_put_failure;
19878 
19879 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19880 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19881 		goto nla_put_failure;
19882 
19883 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19884 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19885 		goto nla_put_failure;
19886 
19887 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19888 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19889 		goto nla_put_failure;
19890 
19891 	genlmsg_end(msg, hdr);
19892 
19893 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19894 				NL80211_MCGRP_MLME, gfp);
19895 
19896 	return;
19897 
19898 nla_put_failure:
19899 	nlmsg_free(msg);
19900 }
19901 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19902 
19903 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19904 			   u64 cookie, bool acked, s32 ack_signal,
19905 			   bool is_valid_ack_signal, gfp_t gfp)
19906 {
19907 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19908 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19909 	struct sk_buff *msg;
19910 	void *hdr;
19911 
19912 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19913 
19914 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19915 
19916 	if (!msg)
19917 		return;
19918 
19919 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19920 	if (!hdr) {
19921 		nlmsg_free(msg);
19922 		return;
19923 	}
19924 
19925 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19926 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19927 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19928 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19929 			      NL80211_ATTR_PAD) ||
19930 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19931 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19932 						ack_signal)))
19933 		goto nla_put_failure;
19934 
19935 	genlmsg_end(msg, hdr);
19936 
19937 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19938 				NL80211_MCGRP_MLME, gfp);
19939 	return;
19940 
19941  nla_put_failure:
19942 	nlmsg_free(msg);
19943 }
19944 EXPORT_SYMBOL(cfg80211_probe_status);
19945 
19946 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19947 				     size_t len, int freq, int sig_dbm)
19948 {
19949 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19950 	struct sk_buff *msg;
19951 	void *hdr;
19952 	struct cfg80211_beacon_registration *reg;
19953 
19954 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19955 
19956 	spin_lock_bh(&rdev->beacon_registrations_lock);
19957 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19958 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19959 		if (!msg) {
19960 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19961 			return;
19962 		}
19963 
19964 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19965 		if (!hdr)
19966 			goto nla_put_failure;
19967 
19968 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19969 		    (freq &&
19970 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19971 				  KHZ_TO_MHZ(freq)) ||
19972 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19973 				  freq % 1000))) ||
19974 		    (sig_dbm &&
19975 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19976 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19977 			goto nla_put_failure;
19978 
19979 		genlmsg_end(msg, hdr);
19980 
19981 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19982 	}
19983 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19984 	return;
19985 
19986  nla_put_failure:
19987 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19988 	nlmsg_free(msg);
19989 }
19990 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19991 
19992 #ifdef CONFIG_PM
19993 static int cfg80211_net_detect_results(struct sk_buff *msg,
19994 				       struct cfg80211_wowlan_wakeup *wakeup)
19995 {
19996 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19997 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19998 	int i, j;
19999 
20000 	nl_results = nla_nest_start_noflag(msg,
20001 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
20002 	if (!nl_results)
20003 		return -EMSGSIZE;
20004 
20005 	for (i = 0; i < nd->n_matches; i++) {
20006 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
20007 
20008 		nl_match = nla_nest_start_noflag(msg, i);
20009 		if (!nl_match)
20010 			break;
20011 
20012 		/* The SSID attribute is optional in nl80211, but for
20013 		 * simplicity reasons it's always present in the
20014 		 * cfg80211 structure.  If a driver can't pass the
20015 		 * SSID, that needs to be changed.  A zero length SSID
20016 		 * is still a valid SSID (wildcard), so it cannot be
20017 		 * used for this purpose.
20018 		 */
20019 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
20020 			    match->ssid.ssid)) {
20021 			nla_nest_cancel(msg, nl_match);
20022 			goto out;
20023 		}
20024 
20025 		if (match->n_channels) {
20026 			nl_freqs = nla_nest_start_noflag(msg,
20027 							 NL80211_ATTR_SCAN_FREQUENCIES);
20028 			if (!nl_freqs) {
20029 				nla_nest_cancel(msg, nl_match);
20030 				goto out;
20031 			}
20032 
20033 			for (j = 0; j < match->n_channels; j++) {
20034 				if (nla_put_u32(msg, j, match->channels[j])) {
20035 					nla_nest_cancel(msg, nl_freqs);
20036 					nla_nest_cancel(msg, nl_match);
20037 					goto out;
20038 				}
20039 			}
20040 
20041 			nla_nest_end(msg, nl_freqs);
20042 		}
20043 
20044 		nla_nest_end(msg, nl_match);
20045 	}
20046 
20047 out:
20048 	nla_nest_end(msg, nl_results);
20049 	return 0;
20050 }
20051 
20052 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
20053 				   struct cfg80211_wowlan_wakeup *wakeup,
20054 				   gfp_t gfp)
20055 {
20056 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20057 	struct sk_buff *msg;
20058 	void *hdr;
20059 	int size = 200;
20060 
20061 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
20062 
20063 	if (wakeup)
20064 		size += wakeup->packet_present_len;
20065 
20066 	msg = nlmsg_new(size, gfp);
20067 	if (!msg)
20068 		return;
20069 
20070 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
20071 	if (!hdr)
20072 		goto free_msg;
20073 
20074 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20075 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20076 			      NL80211_ATTR_PAD))
20077 		goto free_msg;
20078 
20079 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20080 					wdev->netdev->ifindex))
20081 		goto free_msg;
20082 
20083 	if (wakeup) {
20084 		struct nlattr *reasons;
20085 
20086 		reasons = nla_nest_start_noflag(msg,
20087 						NL80211_ATTR_WOWLAN_TRIGGERS);
20088 		if (!reasons)
20089 			goto free_msg;
20090 
20091 		if (wakeup->disconnect &&
20092 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
20093 			goto free_msg;
20094 		if (wakeup->magic_pkt &&
20095 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
20096 			goto free_msg;
20097 		if (wakeup->gtk_rekey_failure &&
20098 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
20099 			goto free_msg;
20100 		if (wakeup->eap_identity_req &&
20101 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
20102 			goto free_msg;
20103 		if (wakeup->four_way_handshake &&
20104 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
20105 			goto free_msg;
20106 		if (wakeup->rfkill_release &&
20107 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
20108 			goto free_msg;
20109 
20110 		if (wakeup->pattern_idx >= 0 &&
20111 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
20112 				wakeup->pattern_idx))
20113 			goto free_msg;
20114 
20115 		if (wakeup->tcp_match &&
20116 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
20117 			goto free_msg;
20118 
20119 		if (wakeup->tcp_connlost &&
20120 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
20121 			goto free_msg;
20122 
20123 		if (wakeup->tcp_nomoretokens &&
20124 		    nla_put_flag(msg,
20125 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
20126 			goto free_msg;
20127 
20128 		if (wakeup->unprot_deauth_disassoc &&
20129 		    nla_put_flag(msg,
20130 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
20131 			goto free_msg;
20132 
20133 		if (wakeup->packet) {
20134 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
20135 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
20136 
20137 			if (!wakeup->packet_80211) {
20138 				pkt_attr =
20139 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
20140 				len_attr =
20141 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
20142 			}
20143 
20144 			if (wakeup->packet_len &&
20145 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
20146 				goto free_msg;
20147 
20148 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
20149 				    wakeup->packet))
20150 				goto free_msg;
20151 		}
20152 
20153 		if (wakeup->net_detect &&
20154 		    cfg80211_net_detect_results(msg, wakeup))
20155 				goto free_msg;
20156 
20157 		nla_nest_end(msg, reasons);
20158 	}
20159 
20160 	genlmsg_end(msg, hdr);
20161 
20162 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20163 				NL80211_MCGRP_MLME, gfp);
20164 	return;
20165 
20166  free_msg:
20167 	nlmsg_free(msg);
20168 }
20169 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20170 #endif
20171 
20172 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20173 				enum nl80211_tdls_operation oper,
20174 				u16 reason_code, gfp_t gfp)
20175 {
20176 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20177 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20178 	struct sk_buff *msg;
20179 	void *hdr;
20180 
20181 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20182 					 reason_code);
20183 
20184 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20185 	if (!msg)
20186 		return;
20187 
20188 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20189 	if (!hdr) {
20190 		nlmsg_free(msg);
20191 		return;
20192 	}
20193 
20194 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20195 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20196 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20197 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20198 	    (reason_code > 0 &&
20199 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20200 		goto nla_put_failure;
20201 
20202 	genlmsg_end(msg, hdr);
20203 
20204 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20205 				NL80211_MCGRP_MLME, gfp);
20206 	return;
20207 
20208  nla_put_failure:
20209 	nlmsg_free(msg);
20210 }
20211 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20212 
20213 static int nl80211_netlink_notify(struct notifier_block * nb,
20214 				  unsigned long state,
20215 				  void *_notify)
20216 {
20217 	struct netlink_notify *notify = _notify;
20218 	struct cfg80211_registered_device *rdev;
20219 	struct wireless_dev *wdev;
20220 	struct cfg80211_beacon_registration *reg, *tmp;
20221 
20222 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20223 		return NOTIFY_DONE;
20224 
20225 	rcu_read_lock();
20226 
20227 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20228 		struct cfg80211_sched_scan_request *sched_scan_req;
20229 
20230 		list_for_each_entry_rcu(sched_scan_req,
20231 					&rdev->sched_scan_req_list,
20232 					list) {
20233 			if (sched_scan_req->owner_nlportid == notify->portid) {
20234 				sched_scan_req->nl_owner_dead = true;
20235 				wiphy_work_queue(&rdev->wiphy,
20236 						 &rdev->sched_scan_stop_wk);
20237 			}
20238 		}
20239 
20240 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20241 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20242 
20243 			if (wdev->owner_nlportid == notify->portid) {
20244 				wdev->nl_owner_dead = true;
20245 				schedule_work(&rdev->destroy_work);
20246 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20247 				schedule_work(&wdev->disconnect_wk);
20248 			}
20249 
20250 			cfg80211_release_pmsr(wdev, notify->portid);
20251 		}
20252 
20253 		spin_lock_bh(&rdev->beacon_registrations_lock);
20254 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20255 					 list) {
20256 			if (reg->nlportid == notify->portid) {
20257 				list_del(&reg->list);
20258 				kfree(reg);
20259 				break;
20260 			}
20261 		}
20262 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20263 	}
20264 
20265 	rcu_read_unlock();
20266 
20267 	/*
20268 	 * It is possible that the user space process that is controlling the
20269 	 * indoor setting disappeared, so notify the regulatory core.
20270 	 */
20271 	regulatory_netlink_notify(notify->portid);
20272 	return NOTIFY_OK;
20273 }
20274 
20275 static struct notifier_block nl80211_netlink_notifier = {
20276 	.notifier_call = nl80211_netlink_notify,
20277 };
20278 
20279 void cfg80211_ft_event(struct net_device *netdev,
20280 		       struct cfg80211_ft_event_params *ft_event)
20281 {
20282 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20283 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20284 	struct sk_buff *msg;
20285 	void *hdr;
20286 
20287 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20288 
20289 	if (!ft_event->target_ap)
20290 		return;
20291 
20292 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20293 			GFP_KERNEL);
20294 	if (!msg)
20295 		return;
20296 
20297 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20298 	if (!hdr)
20299 		goto out;
20300 
20301 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20302 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20303 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20304 		goto out;
20305 
20306 	if (ft_event->ies &&
20307 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20308 		goto out;
20309 	if (ft_event->ric_ies &&
20310 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20311 		    ft_event->ric_ies))
20312 		goto out;
20313 
20314 	genlmsg_end(msg, hdr);
20315 
20316 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20317 				NL80211_MCGRP_MLME, GFP_KERNEL);
20318 	return;
20319  out:
20320 	nlmsg_free(msg);
20321 }
20322 EXPORT_SYMBOL(cfg80211_ft_event);
20323 
20324 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20325 {
20326 	struct cfg80211_registered_device *rdev;
20327 	struct sk_buff *msg;
20328 	void *hdr;
20329 	u32 nlportid;
20330 
20331 	rdev = wiphy_to_rdev(wdev->wiphy);
20332 	if (!rdev->crit_proto_nlportid)
20333 		return;
20334 
20335 	nlportid = rdev->crit_proto_nlportid;
20336 	rdev->crit_proto_nlportid = 0;
20337 
20338 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20339 	if (!msg)
20340 		return;
20341 
20342 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20343 	if (!hdr)
20344 		goto nla_put_failure;
20345 
20346 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20347 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20348 			      NL80211_ATTR_PAD))
20349 		goto nla_put_failure;
20350 
20351 	genlmsg_end(msg, hdr);
20352 
20353 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20354 	return;
20355 
20356  nla_put_failure:
20357 	nlmsg_free(msg);
20358 }
20359 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20360 
20361 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20362 {
20363 	struct wiphy *wiphy = wdev->wiphy;
20364 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20365 	struct sk_buff *msg;
20366 	void *hdr;
20367 
20368 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20369 	if (!msg)
20370 		return;
20371 
20372 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20373 	if (!hdr)
20374 		goto out;
20375 
20376 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20377 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20378 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20379 			      NL80211_ATTR_PAD) ||
20380 	    (wdev->valid_links &&
20381 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20382 		goto out;
20383 
20384 	genlmsg_end(msg, hdr);
20385 
20386 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20387 				NL80211_MCGRP_MLME, GFP_KERNEL);
20388 	return;
20389  out:
20390 	nlmsg_free(msg);
20391 }
20392 
20393 int cfg80211_external_auth_request(struct net_device *dev,
20394 				   struct cfg80211_external_auth_params *params,
20395 				   gfp_t gfp)
20396 {
20397 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20398 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20399 	struct sk_buff *msg;
20400 	void *hdr;
20401 
20402 	if (!wdev->conn_owner_nlportid)
20403 		return -EINVAL;
20404 
20405 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20406 	if (!msg)
20407 		return -ENOMEM;
20408 
20409 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20410 	if (!hdr)
20411 		goto nla_put_failure;
20412 
20413 	/* Some historical mistakes in drivers <-> userspace interface (notably
20414 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20415 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20416 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20417 	 * benefit of older wpa_supplicant versions, send this particular value
20418 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20419 	 * particular value in big endian still, so it all continues to work.
20420 	 */
20421 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20422 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20423 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20424 			goto nla_put_failure;
20425 	} else {
20426 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20427 				params->key_mgmt_suite))
20428 			goto nla_put_failure;
20429 	}
20430 
20431 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20432 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20433 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20434 			params->action) ||
20435 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20436 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20437 		    params->ssid.ssid) ||
20438 	    (!is_zero_ether_addr(params->mld_addr) &&
20439 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20440 		goto nla_put_failure;
20441 
20442 	genlmsg_end(msg, hdr);
20443 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20444 			wdev->conn_owner_nlportid);
20445 	return 0;
20446 
20447  nla_put_failure:
20448 	nlmsg_free(msg);
20449 	return -ENOBUFS;
20450 }
20451 EXPORT_SYMBOL(cfg80211_external_auth_request);
20452 
20453 void cfg80211_update_owe_info_event(struct net_device *netdev,
20454 				    struct cfg80211_update_owe_info *owe_info,
20455 				    gfp_t gfp)
20456 {
20457 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20458 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20459 	struct sk_buff *msg;
20460 	void *hdr;
20461 
20462 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20463 
20464 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20465 	if (!msg)
20466 		return;
20467 
20468 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20469 	if (!hdr)
20470 		goto nla_put_failure;
20471 
20472 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20473 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20474 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20475 		goto nla_put_failure;
20476 
20477 	if (!owe_info->ie_len ||
20478 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20479 		goto nla_put_failure;
20480 
20481 	if (owe_info->assoc_link_id != -1) {
20482 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20483 			       owe_info->assoc_link_id))
20484 			goto nla_put_failure;
20485 
20486 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20487 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20488 			    owe_info->peer_mld_addr))
20489 			goto nla_put_failure;
20490 	}
20491 
20492 	genlmsg_end(msg, hdr);
20493 
20494 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20495 				NL80211_MCGRP_MLME, gfp);
20496 	return;
20497 
20498 nla_put_failure:
20499 	genlmsg_cancel(msg, hdr);
20500 	nlmsg_free(msg);
20501 }
20502 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20503 
20504 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20505 {
20506 	struct wiphy *wiphy = wdev->wiphy;
20507 
20508 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20509 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20510 	    (wiphy_ext_feature_isset(wiphy,
20511 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20512 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20513 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20514 		reg_check_channels();
20515 }
20516 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20517 
20518 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
20519 {
20520 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20521 	struct wiphy *wiphy = wdev->wiphy;
20522 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20523 	struct sk_buff *msg;
20524 	void *hdr;
20525 
20526 	trace_cfg80211_epcs_changed(wdev, enabled);
20527 
20528 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20529 	if (!msg)
20530 		return;
20531 
20532 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
20533 	if (!hdr) {
20534 		nlmsg_free(msg);
20535 		return;
20536 	}
20537 
20538 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
20539 		goto nla_put_failure;
20540 
20541 	genlmsg_end(msg, hdr);
20542 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20543 				NL80211_MCGRP_MLME, GFP_KERNEL);
20544 	return;
20545 
20546  nla_put_failure:
20547 	nlmsg_free(msg);
20548 }
20549 EXPORT_SYMBOL(cfg80211_epcs_changed);
20550 
20551 /* initialisation/exit functions */
20552 
20553 int __init nl80211_init(void)
20554 {
20555 	int err;
20556 
20557 	err = genl_register_family(&nl80211_fam);
20558 	if (err)
20559 		return err;
20560 
20561 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20562 	if (err)
20563 		goto err_out;
20564 
20565 	return 0;
20566  err_out:
20567 	genl_unregister_family(&nl80211_fam);
20568 	return err;
20569 }
20570 
20571 void nl80211_exit(void)
20572 {
20573 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20574 	genl_unregister_family(&nl80211_fam);
20575 }
20576