xref: /linux/net/wireless/nl80211.c (revision 8b5a19b4ff6a2096225d88cf24cfeef03edc1bed) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2025 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	const struct ieee80211_ext *ext;
233 	unsigned int fixedlen, hdrlen;
234 	bool s1g_bcn;
235 
236 	if (len < offsetofend(typeof(*mgmt), frame_control))
237 		goto err;
238 
239 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
240 	if (s1g_bcn) {
241 		ext = (struct ieee80211_ext *)mgmt;
242 		fixedlen =
243 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
244 			ieee80211_s1g_optional_len(ext->frame_control);
245 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
246 	} else {
247 		fixedlen = offsetof(struct ieee80211_mgmt,
248 				    u.beacon.variable);
249 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
250 	}
251 
252 	if (len < fixedlen)
253 		goto err;
254 
255 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
256 		goto err;
257 
258 	data += fixedlen;
259 	len -= fixedlen;
260 
261 	for_each_element(elem, data, len) {
262 		/* nothing */
263 	}
264 
265 	if (for_each_element_completed(elem, data, len))
266 		return 0;
267 
268 err:
269 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
270 	return -EINVAL;
271 }
272 
273 static int validate_ie_attr(const struct nlattr *attr,
274 			    struct netlink_ext_ack *extack)
275 {
276 	const u8 *data = nla_data(attr);
277 	unsigned int len = nla_len(attr);
278 	const struct element *elem;
279 
280 	for_each_element(elem, data, len) {
281 		/* nothing */
282 	}
283 
284 	if (for_each_element_completed(elem, data, len))
285 		return 0;
286 
287 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
288 	return -EINVAL;
289 }
290 
291 static int validate_he_capa(const struct nlattr *attr,
292 			    struct netlink_ext_ack *extack)
293 {
294 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
295 		return -EINVAL;
296 
297 	return 0;
298 }
299 
300 static int validate_supported_selectors(const struct nlattr *attr,
301 					struct netlink_ext_ack *extack)
302 {
303 	const u8 *supported_selectors = nla_data(attr);
304 	u8 supported_selectors_len = nla_len(attr);
305 
306 	/* The top bit must not be set as it is not part of the selector */
307 	for (int i = 0; i < supported_selectors_len; i++) {
308 		if (supported_selectors[i] & 0x80)
309 			return -EINVAL;
310 	}
311 
312 	return 0;
313 }
314 
315 /* policy for the attributes */
316 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
317 
318 static const struct nla_policy
319 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
320 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
321 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
322 					.len = U8_MAX },
323 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
324 					     .len = U8_MAX },
325 };
326 
327 static const struct nla_policy
328 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
329 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
330 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
331 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
332 		NLA_POLICY_MAX(NLA_U8, 15),
333 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
334 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
335 		NLA_POLICY_MAX(NLA_U8, 15),
336 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
337 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
338 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
339 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
340 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
341 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
342 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
343 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
344 };
345 
346 static const struct nla_policy
347 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
348 	[NL80211_PMSR_TYPE_FTM] =
349 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
350 };
351 
352 static const struct nla_policy
353 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
354 	[NL80211_PMSR_REQ_ATTR_DATA] =
355 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
356 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
357 };
358 
359 static const struct nla_policy
360 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
361 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
362 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
363 	[NL80211_PMSR_PEER_ATTR_REQ] =
364 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
365 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
366 };
367 
368 static const struct nla_policy
369 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
370 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
371 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
372 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
373 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
374 	[NL80211_PMSR_ATTR_PEERS] =
375 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
376 };
377 
378 static const struct nla_policy
379 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
380 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
381 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
382 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
383 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
384 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
385 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
386 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
387 		NLA_POLICY_EXACT_LEN(8),
388 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
389 		NLA_POLICY_EXACT_LEN(8),
390 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
391 };
392 
393 static const struct nla_policy
394 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
395 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
396 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
397 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
398 };
399 
400 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
401 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
402 				    .len = NL80211_MAX_SUPP_RATES },
403 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
404 				.len = NL80211_MAX_SUPP_HT_RATES },
405 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
406 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
407 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
408 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
409 						   NL80211_RATE_INFO_HE_GI_0_8,
410 						   NL80211_RATE_INFO_HE_GI_3_2),
411 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
412 						   NL80211_RATE_INFO_HE_1XLTF,
413 						   NL80211_RATE_INFO_HE_4XLTF),
414 };
415 
416 static const struct nla_policy
417 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
418 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
419 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
420 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
421 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
422 	[NL80211_TID_CONFIG_ATTR_NOACK] =
423 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
424 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
425 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
426 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
427 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
428 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
429 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
430 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
431 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
432 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
433 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
434 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
435 			NLA_POLICY_NESTED(nl80211_txattr_policy),
436 };
437 
438 static const struct nla_policy
439 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
440 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
441 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
442 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
443 			NLA_POLICY_RANGE(NLA_BINARY,
444 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
445 					 IEEE80211_MAX_DATA_LEN),
446 };
447 
448 static const struct nla_policy
449 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
450 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
451 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
452 						       .len = IEEE80211_MAX_DATA_LEN }
453 };
454 
455 static const struct nla_policy
456 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
457 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
458 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
459 };
460 
461 static const struct nla_policy
462 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
463 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
464 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
465 };
466 
467 static const struct nla_policy
468 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
469 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
470 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
471 						NLA_POLICY_MIN(NLA_U8, 1),
472 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
473 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
474 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
475 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
476 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
477 };
478 
479 static const struct nla_policy
480 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
481 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
482 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
483 };
484 
485 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
486 	.min = 0,
487 	.max = 0xffff,
488 };
489 
490 static const struct netlink_range_validation q_range = {
491 	.max = INT_MAX,
492 };
493 
494 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
495 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
496 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
497 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
498 				      .len = 20-1 },
499 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
500 
501 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
502 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
503 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
504 						NL80211_EDMG_CHANNELS_MIN,
505 						NL80211_EDMG_CHANNELS_MAX),
506 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
507 						NL80211_EDMG_BW_CONFIG_MIN,
508 						NL80211_EDMG_BW_CONFIG_MAX),
509 
510 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
511 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
512 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
513 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
514 
515 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
516 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
517 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
518 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
519 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
520 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
521 
522 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
523 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
524 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
525 
526 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
527 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
528 
529 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
530 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
531 				    .len = WLAN_MAX_KEY_LEN },
532 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
533 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
534 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
535 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
536 	[NL80211_ATTR_KEY_TYPE] =
537 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
538 
539 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
540 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
541 	[NL80211_ATTR_BEACON_HEAD] =
542 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
543 				       IEEE80211_MAX_DATA_LEN),
544 	[NL80211_ATTR_BEACON_TAIL] =
545 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
546 				       IEEE80211_MAX_DATA_LEN),
547 	[NL80211_ATTR_STA_AID] =
548 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
549 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
550 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
551 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
552 					       .len = NL80211_MAX_SUPP_RATES },
553 	[NL80211_ATTR_STA_PLINK_ACTION] =
554 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
555 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
556 		NLA_POLICY_RANGE(NLA_U8,
557 				 NL80211_TX_POWER_AUTOMATIC,
558 				 NL80211_TX_POWER_FIXED),
559 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
560 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
561 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
562 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
563 				   .len = IEEE80211_MAX_MESH_ID_LEN },
564 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
565 
566 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
567 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
568 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
569 
570 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
571 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
572 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
573 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
574 					   .len = NL80211_MAX_SUPP_RATES },
575 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
576 
577 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
578 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
579 
580 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
581 
582 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
583 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
584 						   validate_ie_attr,
585 						   IEEE80211_MAX_DATA_LEN),
586 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
587 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
588 
589 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
590 				.len = IEEE80211_MAX_SSID_LEN },
591 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
592 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
593 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
594 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
595 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
596 						  NL80211_MFP_NO,
597 						  NL80211_MFP_OPTIONAL),
598 	[NL80211_ATTR_STA_FLAGS2] =
599 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
600 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
601 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
602 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
603 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
604 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
605 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
606 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
607 	[NL80211_ATTR_WPA_VERSIONS] =
608 		NLA_POLICY_RANGE(NLA_U32, 0,
609 				 NL80211_WPA_VERSION_1 |
610 				 NL80211_WPA_VERSION_2 |
611 				 NL80211_WPA_VERSION_3),
612 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
613 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
614 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
615 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
616 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
617 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
618 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
619 				 .len = IEEE80211_MAX_DATA_LEN },
620 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
621 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
622 						   NL80211_PS_DISABLED,
623 						   NL80211_PS_ENABLED),
624 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
625 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
627 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
628 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
629 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
630 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
631 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
632 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
633 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
634 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
635 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
636 	[NL80211_ATTR_STA_PLINK_STATE] =
637 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
638 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
639 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
640 	[NL80211_ATTR_MESH_PEER_AID] =
641 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
642 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
643 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
644 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
645 	[NL80211_ATTR_HIDDEN_SSID] =
646 		NLA_POLICY_RANGE(NLA_U32,
647 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
648 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
649 	[NL80211_ATTR_IE_PROBE_RESP] =
650 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
651 				       IEEE80211_MAX_DATA_LEN),
652 	[NL80211_ATTR_IE_ASSOC_RESP] =
653 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
654 				       IEEE80211_MAX_DATA_LEN),
655 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
656 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
657 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
658 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
659 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
660 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
661 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
662 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
663 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
664 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
665 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
666 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
667 				      .len = IEEE80211_MAX_DATA_LEN },
668 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
669 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
670 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
671 		.len = NL80211_HT_CAPABILITY_LEN
672 	},
673 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
674 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
675 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
676 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
677 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
678 
679 	/* need to include at least Auth Transaction and Status Code */
680 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
681 
682 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
683 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
684 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
685 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
686 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
687 		NLA_POLICY_RANGE(NLA_U32,
688 				 NL80211_MESH_POWER_UNKNOWN + 1,
689 				 NL80211_MESH_POWER_MAX),
690 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
691 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
692 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
693 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
694 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
695 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
696 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
697 		.len = NL80211_VHT_CAPABILITY_LEN,
698 	},
699 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
700 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
701 				  .len = IEEE80211_MAX_DATA_LEN },
702 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
703 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
704 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
705 	[NL80211_ATTR_PEER_AID] =
706 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
707 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
708 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
709 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
710 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
711 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
712 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
713 	/*
714 	 * The value of the Length field of the Supported Operating
715 	 * Classes element is between 2 and 253.
716 	 */
717 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
718 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
719 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
720 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
721 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
722 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
723 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
724 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
725 						  IEEE80211_QOS_MAP_LEN_MIN,
726 						  IEEE80211_QOS_MAP_LEN_MAX),
727 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
728 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
729 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
730 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
731 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
732 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
733 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
734 	[NL80211_ATTR_USER_PRIO] =
735 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
736 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
737 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
738 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
739 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
740 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
741 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
742 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
743 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
744 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
745 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
746 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
747 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
748 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
749 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
750 	},
751 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
752 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
753 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
754 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
755 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
756 				    .len = FILS_MAX_KEK_LEN },
757 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
758 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
759 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
760 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
761 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
762 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
763 	},
764 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
765 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
766 					     .len = FILS_ERP_MAX_USERNAME_LEN },
767 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
768 					  .len = FILS_ERP_MAX_REALM_LEN },
769 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
770 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
771 					.len = FILS_ERP_MAX_RRK_LEN },
772 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
773 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
774 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
775 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
776 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
777 
778 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
779 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
780 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
781 	[NL80211_ATTR_HE_CAPABILITY] =
782 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
783 				       NL80211_HE_MAX_CAPABILITY_LEN),
784 	[NL80211_ATTR_FTM_RESPONDER] =
785 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
786 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
787 	[NL80211_ATTR_PEER_MEASUREMENTS] =
788 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
789 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
790 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
791 					.len = SAE_PASSWORD_MAX_LEN },
792 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
793 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
794 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
795 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
796 	[NL80211_ATTR_TID_CONFIG] =
797 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
798 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
799 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
800 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
801 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
802 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
803 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
804 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
805 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
806 	[NL80211_ATTR_FILS_DISCOVERY] =
807 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
808 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
809 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
810 	[NL80211_ATTR_S1G_CAPABILITY] =
811 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
812 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
813 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
814 	[NL80211_ATTR_SAE_PWE] =
815 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
816 				 NL80211_SAE_PWE_BOTH),
817 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
818 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
819 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
820 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
821 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
822 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
823 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
824 	[NL80211_ATTR_MBSSID_CONFIG] =
825 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
826 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
827 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
828 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
829 	[NL80211_ATTR_EHT_CAPABILITY] =
830 		NLA_POLICY_RANGE(NLA_BINARY,
831 				 NL80211_EHT_MIN_CAPABILITY_LEN,
832 				 NL80211_EHT_MAX_CAPABILITY_LEN),
833 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
834 	[NL80211_ATTR_MLO_LINKS] =
835 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
836 	[NL80211_ATTR_MLO_LINK_ID] =
837 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
838 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
839 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
840 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
841 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
842 	[NL80211_ATTR_PUNCT_BITMAP] =
843 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
844 
845 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
846 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
847 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
848 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
849 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
850 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
851 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
852 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
853 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
854 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
855 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
856 				       NL80211_MAX_SUPP_SELECTORS),
857 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
858 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
859 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
860 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
861 };
862 
863 /* policy for the key attributes */
864 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
865 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
866 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
867 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
868 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
869 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
870 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
871 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
872 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
873 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
874 };
875 
876 /* policy for the key default flags */
877 static const struct nla_policy
878 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
879 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
880 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
881 };
882 
883 #ifdef CONFIG_PM
884 /* policy for WoWLAN attributes */
885 static const struct nla_policy
886 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
887 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
888 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
889 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
890 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
891 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
892 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
893 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
894 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
895 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
896 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
897 };
898 
899 static const struct nla_policy
900 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
901 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
902 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
903 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
904 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
905 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
906 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
907 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
908 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
909 	},
910 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
911 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
912 	},
913 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
914 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
915 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
916 };
917 #endif /* CONFIG_PM */
918 
919 /* policy for coalesce rule attributes */
920 static const struct nla_policy
921 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
922 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
923 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
924 		NLA_POLICY_RANGE(NLA_U32,
925 				 NL80211_COALESCE_CONDITION_MATCH,
926 				 NL80211_COALESCE_CONDITION_NO_MATCH),
927 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
928 };
929 
930 /* policy for GTK rekey offload attributes */
931 static const struct nla_policy
932 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
933 	[NL80211_REKEY_DATA_KEK] = {
934 		.type = NLA_BINARY,
935 		.len = NL80211_KEK_EXT_LEN
936 	},
937 	[NL80211_REKEY_DATA_KCK] = {
938 		.type = NLA_BINARY,
939 		.len = NL80211_KCK_EXT_LEN_32
940 	},
941 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
942 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
943 };
944 
945 static const struct nla_policy
946 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
947 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
948 						 .len = IEEE80211_MAX_SSID_LEN },
949 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
950 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
951 };
952 
953 static const struct nla_policy
954 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
955 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
956 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
957 };
958 
959 static const struct nla_policy
960 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
961 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
962 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
963 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
964 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
965 	},
966 };
967 
968 /* policy for NAN function attributes */
969 static const struct nla_policy
970 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
971 	[NL80211_NAN_FUNC_TYPE] =
972 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
973 	[NL80211_NAN_FUNC_SERVICE_ID] = {
974 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
975 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
976 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
977 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
978 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
979 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
980 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
981 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
982 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
983 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
984 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
985 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
986 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
987 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
988 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
989 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
990 };
991 
992 /* policy for Service Response Filter attributes */
993 static const struct nla_policy
994 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
995 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
996 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
997 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
998 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
999 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1000 };
1001 
1002 /* policy for packet pattern attributes */
1003 static const struct nla_policy
1004 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1005 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1006 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1007 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1008 };
1009 
1010 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1011 				     struct cfg80211_registered_device **rdev,
1012 				     struct wireless_dev **wdev,
1013 				     struct nlattr **attrbuf)
1014 {
1015 	int err;
1016 
1017 	if (!cb->args[0]) {
1018 		struct nlattr **attrbuf_free = NULL;
1019 
1020 		if (!attrbuf) {
1021 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
1022 					  GFP_KERNEL);
1023 			if (!attrbuf)
1024 				return -ENOMEM;
1025 			attrbuf_free = attrbuf;
1026 		}
1027 
1028 		err = nlmsg_parse_deprecated(cb->nlh,
1029 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1030 					     attrbuf, nl80211_fam.maxattr,
1031 					     nl80211_policy, NULL);
1032 		if (err) {
1033 			kfree(attrbuf_free);
1034 			return err;
1035 		}
1036 
1037 		rtnl_lock();
1038 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1039 						   attrbuf);
1040 		kfree(attrbuf_free);
1041 		if (IS_ERR(*wdev)) {
1042 			rtnl_unlock();
1043 			return PTR_ERR(*wdev);
1044 		}
1045 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1046 		mutex_lock(&(*rdev)->wiphy.mtx);
1047 		rtnl_unlock();
1048 		/* 0 is the first index - add 1 to parse only once */
1049 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1050 		cb->args[1] = (*wdev)->identifier;
1051 	} else {
1052 		/* subtract the 1 again here */
1053 		struct wiphy *wiphy;
1054 		struct wireless_dev *tmp;
1055 
1056 		rtnl_lock();
1057 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1058 		if (!wiphy) {
1059 			rtnl_unlock();
1060 			return -ENODEV;
1061 		}
1062 		*rdev = wiphy_to_rdev(wiphy);
1063 		*wdev = NULL;
1064 
1065 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1066 			if (tmp->identifier == cb->args[1]) {
1067 				*wdev = tmp;
1068 				break;
1069 			}
1070 		}
1071 
1072 		if (!*wdev) {
1073 			rtnl_unlock();
1074 			return -ENODEV;
1075 		}
1076 		mutex_lock(&(*rdev)->wiphy.mtx);
1077 		rtnl_unlock();
1078 	}
1079 
1080 	return 0;
1081 }
1082 
1083 /* message building helper */
1084 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1085 		     int flags, u8 cmd)
1086 {
1087 	/* since there is no private header just add the generic one */
1088 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1089 }
1090 
1091 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1092 				     const struct ieee80211_reg_rule *rule)
1093 {
1094 	int j;
1095 	struct nlattr *nl_wmm_rules =
1096 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1097 
1098 	if (!nl_wmm_rules)
1099 		goto nla_put_failure;
1100 
1101 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1102 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1103 
1104 		if (!nl_wmm_rule)
1105 			goto nla_put_failure;
1106 
1107 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1108 				rule->wmm_rule.client[j].cw_min) ||
1109 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1110 				rule->wmm_rule.client[j].cw_max) ||
1111 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1112 			       rule->wmm_rule.client[j].aifsn) ||
1113 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1114 			        rule->wmm_rule.client[j].cot))
1115 			goto nla_put_failure;
1116 
1117 		nla_nest_end(msg, nl_wmm_rule);
1118 	}
1119 	nla_nest_end(msg, nl_wmm_rules);
1120 
1121 	return 0;
1122 
1123 nla_put_failure:
1124 	return -ENOBUFS;
1125 }
1126 
1127 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1128 				   struct ieee80211_channel *chan,
1129 				   bool large)
1130 {
1131 	/* Some channels must be completely excluded from the
1132 	 * list to protect old user-space tools from breaking
1133 	 */
1134 	if (!large && chan->flags &
1135 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1136 		return 0;
1137 	if (!large && chan->freq_offset)
1138 		return 0;
1139 
1140 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1141 			chan->center_freq))
1142 		goto nla_put_failure;
1143 
1144 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1145 		goto nla_put_failure;
1146 
1147 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1148 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1149 		goto nla_put_failure;
1150 
1151 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1152 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1153 		goto nla_put_failure;
1154 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1155 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1156 			goto nla_put_failure;
1157 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1158 			goto nla_put_failure;
1159 	}
1160 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1161 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1162 			goto nla_put_failure;
1163 		if (large) {
1164 			u32 time;
1165 
1166 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1167 
1168 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1169 					chan->dfs_state))
1170 				goto nla_put_failure;
1171 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1172 					time))
1173 				goto nla_put_failure;
1174 			if (nla_put_u32(msg,
1175 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1176 					chan->dfs_cac_ms))
1177 				goto nla_put_failure;
1178 		}
1179 	}
1180 
1181 	if (large) {
1182 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1183 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1184 			goto nla_put_failure;
1185 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1186 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1187 			goto nla_put_failure;
1188 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1189 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1190 			goto nla_put_failure;
1191 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1192 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1193 			goto nla_put_failure;
1194 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1195 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1196 			goto nla_put_failure;
1197 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1198 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1199 			goto nla_put_failure;
1200 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1201 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1202 			goto nla_put_failure;
1203 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1204 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1205 			goto nla_put_failure;
1206 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1207 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1208 			goto nla_put_failure;
1209 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1210 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1211 			goto nla_put_failure;
1212 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1213 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1214 			goto nla_put_failure;
1215 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1216 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1217 			goto nla_put_failure;
1218 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1219 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1220 			goto nla_put_failure;
1221 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1222 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1223 			goto nla_put_failure;
1224 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1225 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1226 			goto nla_put_failure;
1227 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1228 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1229 			goto nla_put_failure;
1230 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1231 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1232 			goto nla_put_failure;
1233 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1234 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1235 			goto nla_put_failure;
1236 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1237 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1238 			goto nla_put_failure;
1239 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1240 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1241 			goto nla_put_failure;
1242 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1243 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1244 			goto nla_put_failure;
1245 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1246 		    nla_put_flag(msg,
1247 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1248 			goto nla_put_failure;
1249 	}
1250 
1251 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1252 			DBM_TO_MBM(chan->max_power)))
1253 		goto nla_put_failure;
1254 
1255 	if (large) {
1256 		const struct ieee80211_reg_rule *rule =
1257 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1258 
1259 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1260 			if (nl80211_msg_put_wmm_rules(msg, rule))
1261 				goto nla_put_failure;
1262 		}
1263 	}
1264 
1265 	return 0;
1266 
1267  nla_put_failure:
1268 	return -ENOBUFS;
1269 }
1270 
1271 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1272 				  struct cfg80211_txq_stats *txqstats,
1273 				  int attrtype)
1274 {
1275 	struct nlattr *txqattr;
1276 
1277 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1278 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1279 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1280 		return false;						  \
1281 	} while (0)
1282 
1283 	txqattr = nla_nest_start_noflag(msg, attrtype);
1284 	if (!txqattr)
1285 		return false;
1286 
1287 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1288 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1289 	PUT_TXQVAL_U32(FLOWS, flows);
1290 	PUT_TXQVAL_U32(DROPS, drops);
1291 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1292 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1293 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1294 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1295 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1296 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1297 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1298 	nla_nest_end(msg, txqattr);
1299 
1300 #undef PUT_TXQVAL_U32
1301 	return true;
1302 }
1303 
1304 /* netlink command implementations */
1305 
1306 /**
1307  * nl80211_link_id - return link ID
1308  * @attrs: attributes to look at
1309  *
1310  * Returns: the link ID or 0 if not given
1311  *
1312  * Note this function doesn't do any validation of the link
1313  * ID validity wrt. links that were actually added, so it must
1314  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1315  * or if additional validation is done.
1316  */
1317 static unsigned int nl80211_link_id(struct nlattr **attrs)
1318 {
1319 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1320 
1321 	return nla_get_u8_default(linkid, 0);
1322 }
1323 
1324 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1325 {
1326 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1327 
1328 	if (!linkid)
1329 		return -1;
1330 
1331 	return nla_get_u8(linkid);
1332 }
1333 
1334 struct key_parse {
1335 	struct key_params p;
1336 	int idx;
1337 	int type;
1338 	bool def, defmgmt, defbeacon;
1339 	bool def_uni, def_multi;
1340 };
1341 
1342 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1343 				 struct key_parse *k)
1344 {
1345 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1346 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1347 					      nl80211_key_policy,
1348 					      info->extack);
1349 	if (err)
1350 		return err;
1351 
1352 	k->def = !!tb[NL80211_KEY_DEFAULT];
1353 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1354 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1355 
1356 	if (k->def) {
1357 		k->def_uni = true;
1358 		k->def_multi = true;
1359 	}
1360 	if (k->defmgmt || k->defbeacon)
1361 		k->def_multi = true;
1362 
1363 	if (tb[NL80211_KEY_IDX])
1364 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1365 
1366 	if (tb[NL80211_KEY_DATA]) {
1367 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1368 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1369 	}
1370 
1371 	if (tb[NL80211_KEY_SEQ]) {
1372 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1373 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1374 	}
1375 
1376 	if (tb[NL80211_KEY_CIPHER])
1377 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1378 
1379 	if (tb[NL80211_KEY_TYPE])
1380 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1381 
1382 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1383 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1384 
1385 		err = nla_parse_nested_deprecated(kdt,
1386 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1387 						  tb[NL80211_KEY_DEFAULT_TYPES],
1388 						  nl80211_key_default_policy,
1389 						  info->extack);
1390 		if (err)
1391 			return err;
1392 
1393 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1394 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1395 	}
1396 
1397 	if (tb[NL80211_KEY_MODE])
1398 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1399 
1400 	return 0;
1401 }
1402 
1403 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1404 {
1405 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1406 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1407 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1408 	}
1409 
1410 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1411 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1412 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1413 	}
1414 
1415 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1416 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1417 
1418 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1419 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1420 
1421 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1422 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1423 
1424 	if (k->def) {
1425 		k->def_uni = true;
1426 		k->def_multi = true;
1427 	}
1428 	if (k->defmgmt)
1429 		k->def_multi = true;
1430 
1431 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1432 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1433 
1434 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1435 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1436 		int err = nla_parse_nested_deprecated(kdt,
1437 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1438 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1439 						      nl80211_key_default_policy,
1440 						      info->extack);
1441 		if (err)
1442 			return err;
1443 
1444 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1445 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1446 	}
1447 
1448 	return 0;
1449 }
1450 
1451 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1452 {
1453 	int err;
1454 
1455 	memset(k, 0, sizeof(*k));
1456 	k->idx = -1;
1457 	k->type = -1;
1458 
1459 	if (info->attrs[NL80211_ATTR_KEY])
1460 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1461 	else
1462 		err = nl80211_parse_key_old(info, k);
1463 
1464 	if (err)
1465 		return err;
1466 
1467 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1468 	    (k->defbeacon ? 1 : 0) > 1) {
1469 		GENL_SET_ERR_MSG(info,
1470 				 "key with multiple default flags is invalid");
1471 		return -EINVAL;
1472 	}
1473 
1474 	if (k->defmgmt || k->defbeacon) {
1475 		if (k->def_uni || !k->def_multi) {
1476 			GENL_SET_ERR_MSG(info,
1477 					 "defmgmt/defbeacon key must be mcast");
1478 			return -EINVAL;
1479 		}
1480 	}
1481 
1482 	if (k->idx != -1) {
1483 		if (k->defmgmt) {
1484 			if (k->idx < 4 || k->idx > 5) {
1485 				GENL_SET_ERR_MSG(info,
1486 						 "defmgmt key idx not 4 or 5");
1487 				return -EINVAL;
1488 			}
1489 		} else if (k->defbeacon) {
1490 			if (k->idx < 6 || k->idx > 7) {
1491 				GENL_SET_ERR_MSG(info,
1492 						 "defbeacon key idx not 6 or 7");
1493 				return -EINVAL;
1494 			}
1495 		} else if (k->def) {
1496 			if (k->idx < 0 || k->idx > 3) {
1497 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1498 				return -EINVAL;
1499 			}
1500 		} else {
1501 			if (k->idx < 0 || k->idx > 7) {
1502 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1503 				return -EINVAL;
1504 			}
1505 		}
1506 	}
1507 
1508 	return 0;
1509 }
1510 
1511 static struct cfg80211_cached_keys *
1512 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1513 		       struct genl_info *info, bool *no_ht)
1514 {
1515 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1516 	struct key_parse parse;
1517 	struct nlattr *key;
1518 	struct cfg80211_cached_keys *result;
1519 	int rem, err, def = 0;
1520 	bool have_key = false;
1521 
1522 	nla_for_each_nested(key, keys, rem) {
1523 		have_key = true;
1524 		break;
1525 	}
1526 
1527 	if (!have_key)
1528 		return NULL;
1529 
1530 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1531 	if (!result)
1532 		return ERR_PTR(-ENOMEM);
1533 
1534 	result->def = -1;
1535 
1536 	nla_for_each_nested(key, keys, rem) {
1537 		memset(&parse, 0, sizeof(parse));
1538 		parse.idx = -1;
1539 
1540 		err = nl80211_parse_key_new(info, key, &parse);
1541 		if (err)
1542 			goto error;
1543 		err = -EINVAL;
1544 		if (!parse.p.key)
1545 			goto error;
1546 		if (parse.idx < 0 || parse.idx > 3) {
1547 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1548 			goto error;
1549 		}
1550 		if (parse.def) {
1551 			if (def) {
1552 				GENL_SET_ERR_MSG(info,
1553 						 "only one key can be default");
1554 				goto error;
1555 			}
1556 			def = 1;
1557 			result->def = parse.idx;
1558 			if (!parse.def_uni || !parse.def_multi)
1559 				goto error;
1560 		} else if (parse.defmgmt)
1561 			goto error;
1562 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1563 						     parse.idx, false, NULL);
1564 		if (err)
1565 			goto error;
1566 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1567 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1568 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1569 			err = -EINVAL;
1570 			goto error;
1571 		}
1572 		result->params[parse.idx].cipher = parse.p.cipher;
1573 		result->params[parse.idx].key_len = parse.p.key_len;
1574 		result->params[parse.idx].key = result->data[parse.idx];
1575 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1576 
1577 		/* must be WEP key if we got here */
1578 		if (no_ht)
1579 			*no_ht = true;
1580 	}
1581 
1582 	if (result->def < 0) {
1583 		err = -EINVAL;
1584 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1585 		goto error;
1586 	}
1587 
1588 	return result;
1589  error:
1590 	kfree_sensitive(result);
1591 	return ERR_PTR(err);
1592 }
1593 
1594 static int nl80211_key_allowed(struct wireless_dev *wdev)
1595 {
1596 	lockdep_assert_wiphy(wdev->wiphy);
1597 
1598 	switch (wdev->iftype) {
1599 	case NL80211_IFTYPE_AP:
1600 	case NL80211_IFTYPE_AP_VLAN:
1601 	case NL80211_IFTYPE_P2P_GO:
1602 	case NL80211_IFTYPE_MESH_POINT:
1603 		break;
1604 	case NL80211_IFTYPE_ADHOC:
1605 		if (wdev->u.ibss.current_bss)
1606 			return 0;
1607 		return -ENOLINK;
1608 	case NL80211_IFTYPE_STATION:
1609 	case NL80211_IFTYPE_P2P_CLIENT:
1610 		if (wdev->connected)
1611 			return 0;
1612 		return -ENOLINK;
1613 	case NL80211_IFTYPE_NAN:
1614 		if (wiphy_ext_feature_isset(wdev->wiphy,
1615 					    NL80211_EXT_FEATURE_SECURE_NAN))
1616 			return 0;
1617 		return -EINVAL;
1618 	case NL80211_IFTYPE_UNSPECIFIED:
1619 	case NL80211_IFTYPE_OCB:
1620 	case NL80211_IFTYPE_MONITOR:
1621 	case NL80211_IFTYPE_P2P_DEVICE:
1622 	case NL80211_IFTYPE_WDS:
1623 	case NUM_NL80211_IFTYPES:
1624 		return -EINVAL;
1625 	}
1626 
1627 	return 0;
1628 }
1629 
1630 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1631 							u32 freq)
1632 {
1633 	struct ieee80211_channel *chan;
1634 
1635 	chan = ieee80211_get_channel_khz(wiphy, freq);
1636 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1637 		return NULL;
1638 	return chan;
1639 }
1640 
1641 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1642 {
1643 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1644 	int i;
1645 
1646 	if (!nl_modes)
1647 		goto nla_put_failure;
1648 
1649 	i = 0;
1650 	while (ifmodes) {
1651 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1652 			goto nla_put_failure;
1653 		ifmodes >>= 1;
1654 		i++;
1655 	}
1656 
1657 	nla_nest_end(msg, nl_modes);
1658 	return 0;
1659 
1660 nla_put_failure:
1661 	return -ENOBUFS;
1662 }
1663 
1664 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1665 				   const struct ieee80211_iface_combination *c,
1666 				   u16 nested)
1667 {
1668 	struct nlattr *nl_combi, *nl_limits;
1669 	int i;
1670 
1671 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1672 	if (!nl_combi)
1673 		goto nla_put_failure;
1674 
1675 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1676 					       nested);
1677 	if (!nl_limits)
1678 		goto nla_put_failure;
1679 
1680 	for (i = 0; i < c->n_limits; i++) {
1681 		struct nlattr *nl_limit;
1682 
1683 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1684 		if (!nl_limit)
1685 			goto nla_put_failure;
1686 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1687 			goto nla_put_failure;
1688 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1689 					c->limits[i].types))
1690 			goto nla_put_failure;
1691 		nla_nest_end(msg, nl_limit);
1692 	}
1693 
1694 	nla_nest_end(msg, nl_limits);
1695 
1696 	if (c->beacon_int_infra_match &&
1697 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1698 		goto nla_put_failure;
1699 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1700 			c->num_different_channels) ||
1701 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1702 			c->max_interfaces))
1703 		goto nla_put_failure;
1704 	if (large &&
1705 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1706 			c->radar_detect_widths) ||
1707 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1708 			c->radar_detect_regions)))
1709 		goto nla_put_failure;
1710 	if (c->beacon_int_min_gcd &&
1711 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1712 			c->beacon_int_min_gcd))
1713 		goto nla_put_failure;
1714 
1715 	nla_nest_end(msg, nl_combi);
1716 
1717 	return 0;
1718 nla_put_failure:
1719 	return -ENOBUFS;
1720 }
1721 
1722 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1723 					  struct sk_buff *msg,
1724 					  int attr, int radio,
1725 					  bool large, u16 nested)
1726 {
1727 	const struct ieee80211_iface_combination *c;
1728 	struct nlattr *nl_combis;
1729 	int i, n;
1730 
1731 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1732 	if (!nl_combis)
1733 		goto nla_put_failure;
1734 
1735 	if (radio >= 0) {
1736 		c = wiphy->radio[0].iface_combinations;
1737 		n = wiphy->radio[0].n_iface_combinations;
1738 	} else {
1739 		c = wiphy->iface_combinations;
1740 		n = wiphy->n_iface_combinations;
1741 	}
1742 	for (i = 0; i < n; i++)
1743 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1744 			goto nla_put_failure;
1745 
1746 	nla_nest_end(msg, nl_combis);
1747 
1748 	return 0;
1749 nla_put_failure:
1750 	return -ENOBUFS;
1751 }
1752 
1753 #ifdef CONFIG_PM
1754 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1755 					struct sk_buff *msg)
1756 {
1757 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1758 	struct nlattr *nl_tcp;
1759 
1760 	if (!tcp)
1761 		return 0;
1762 
1763 	nl_tcp = nla_nest_start_noflag(msg,
1764 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1765 	if (!nl_tcp)
1766 		return -ENOBUFS;
1767 
1768 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1769 			tcp->data_payload_max))
1770 		return -ENOBUFS;
1771 
1772 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1773 			tcp->data_payload_max))
1774 		return -ENOBUFS;
1775 
1776 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1777 		return -ENOBUFS;
1778 
1779 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1780 				sizeof(*tcp->tok), tcp->tok))
1781 		return -ENOBUFS;
1782 
1783 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1784 			tcp->data_interval_max))
1785 		return -ENOBUFS;
1786 
1787 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1788 			tcp->wake_payload_max))
1789 		return -ENOBUFS;
1790 
1791 	nla_nest_end(msg, nl_tcp);
1792 	return 0;
1793 }
1794 
1795 static int nl80211_send_wowlan(struct sk_buff *msg,
1796 			       struct cfg80211_registered_device *rdev,
1797 			       bool large)
1798 {
1799 	struct nlattr *nl_wowlan;
1800 
1801 	if (!rdev->wiphy.wowlan)
1802 		return 0;
1803 
1804 	nl_wowlan = nla_nest_start_noflag(msg,
1805 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1806 	if (!nl_wowlan)
1807 		return -ENOBUFS;
1808 
1809 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1810 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1811 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1812 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1813 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1814 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1815 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1816 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1817 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1818 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1819 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1820 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1821 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1822 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1823 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1824 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1825 		return -ENOBUFS;
1826 
1827 	if (rdev->wiphy.wowlan->n_patterns) {
1828 		struct nl80211_pattern_support pat = {
1829 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1830 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1831 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1832 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1833 		};
1834 
1835 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1836 			    sizeof(pat), &pat))
1837 			return -ENOBUFS;
1838 	}
1839 
1840 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1841 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1842 			rdev->wiphy.wowlan->max_nd_match_sets))
1843 		return -ENOBUFS;
1844 
1845 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1846 		return -ENOBUFS;
1847 
1848 	nla_nest_end(msg, nl_wowlan);
1849 
1850 	return 0;
1851 }
1852 #endif
1853 
1854 static int nl80211_send_coalesce(struct sk_buff *msg,
1855 				 struct cfg80211_registered_device *rdev)
1856 {
1857 	struct nl80211_coalesce_rule_support rule;
1858 
1859 	if (!rdev->wiphy.coalesce)
1860 		return 0;
1861 
1862 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1863 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1864 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1865 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1866 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1867 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1868 
1869 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1870 		return -ENOBUFS;
1871 
1872 	return 0;
1873 }
1874 
1875 static int
1876 nl80211_send_iftype_data(struct sk_buff *msg,
1877 			 const struct ieee80211_supported_band *sband,
1878 			 const struct ieee80211_sband_iftype_data *iftdata)
1879 {
1880 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1881 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1882 
1883 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1884 				iftdata->types_mask))
1885 		return -ENOBUFS;
1886 
1887 	if (he_cap->has_he) {
1888 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1889 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1890 			    he_cap->he_cap_elem.mac_cap_info) ||
1891 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1892 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1893 			    he_cap->he_cap_elem.phy_cap_info) ||
1894 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1895 			    sizeof(he_cap->he_mcs_nss_supp),
1896 			    &he_cap->he_mcs_nss_supp) ||
1897 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1898 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1899 			return -ENOBUFS;
1900 	}
1901 
1902 	if (eht_cap->has_eht && he_cap->has_he) {
1903 		u8 mcs_nss_size, ppe_thresh_size;
1904 		u16 ppe_thres_hdr;
1905 		bool is_ap;
1906 
1907 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1908 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1909 
1910 		mcs_nss_size =
1911 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1912 						   &eht_cap->eht_cap_elem,
1913 						   is_ap);
1914 
1915 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1916 		ppe_thresh_size =
1917 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1918 					       eht_cap->eht_cap_elem.phy_cap_info);
1919 
1920 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1921 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1922 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1923 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1924 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1925 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1926 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1927 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1928 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1929 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1930 			return -ENOBUFS;
1931 	}
1932 
1933 	if (sband->band == NL80211_BAND_6GHZ &&
1934 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1935 		    sizeof(iftdata->he_6ghz_capa),
1936 		    &iftdata->he_6ghz_capa))
1937 		return -ENOBUFS;
1938 
1939 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1940 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1941 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1942 		return -ENOBUFS;
1943 
1944 	return 0;
1945 }
1946 
1947 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1948 				      struct ieee80211_supported_band *sband,
1949 				      bool large)
1950 {
1951 	struct nlattr *nl_rates, *nl_rate;
1952 	struct ieee80211_rate *rate;
1953 	int i;
1954 
1955 	/* add HT info */
1956 	if (sband->ht_cap.ht_supported &&
1957 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1958 		     sizeof(sband->ht_cap.mcs),
1959 		     &sband->ht_cap.mcs) ||
1960 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1961 			 sband->ht_cap.cap) ||
1962 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1963 			sband->ht_cap.ampdu_factor) ||
1964 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1965 			sband->ht_cap.ampdu_density)))
1966 		return -ENOBUFS;
1967 
1968 	/* add VHT info */
1969 	if (sband->vht_cap.vht_supported &&
1970 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1971 		     sizeof(sband->vht_cap.vht_mcs),
1972 		     &sband->vht_cap.vht_mcs) ||
1973 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1974 			 sband->vht_cap.cap)))
1975 		return -ENOBUFS;
1976 
1977 	if (large && sband->n_iftype_data) {
1978 		struct nlattr *nl_iftype_data =
1979 			nla_nest_start_noflag(msg,
1980 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1981 		const struct ieee80211_sband_iftype_data *iftd;
1982 		int err;
1983 
1984 		if (!nl_iftype_data)
1985 			return -ENOBUFS;
1986 
1987 		for_each_sband_iftype_data(sband, i, iftd) {
1988 			struct nlattr *iftdata;
1989 
1990 			iftdata = nla_nest_start_noflag(msg, i + 1);
1991 			if (!iftdata)
1992 				return -ENOBUFS;
1993 
1994 			err = nl80211_send_iftype_data(msg, sband, iftd);
1995 			if (err)
1996 				return err;
1997 
1998 			nla_nest_end(msg, iftdata);
1999 		}
2000 
2001 		nla_nest_end(msg, nl_iftype_data);
2002 	}
2003 
2004 	/* add EDMG info */
2005 	if (large && sband->edmg_cap.channels &&
2006 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2007 		       sband->edmg_cap.channels) ||
2008 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2009 		       sband->edmg_cap.bw_config)))
2010 
2011 		return -ENOBUFS;
2012 
2013 	/* add bitrates */
2014 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2015 	if (!nl_rates)
2016 		return -ENOBUFS;
2017 
2018 	for (i = 0; i < sband->n_bitrates; i++) {
2019 		nl_rate = nla_nest_start_noflag(msg, i);
2020 		if (!nl_rate)
2021 			return -ENOBUFS;
2022 
2023 		rate = &sband->bitrates[i];
2024 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2025 				rate->bitrate))
2026 			return -ENOBUFS;
2027 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2028 		    nla_put_flag(msg,
2029 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2030 			return -ENOBUFS;
2031 
2032 		nla_nest_end(msg, nl_rate);
2033 	}
2034 
2035 	nla_nest_end(msg, nl_rates);
2036 
2037 	/* S1G capabilities */
2038 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2039 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2040 		     sizeof(sband->s1g_cap.cap),
2041 		     sband->s1g_cap.cap) ||
2042 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2043 		     sizeof(sband->s1g_cap.nss_mcs),
2044 		     sband->s1g_cap.nss_mcs)))
2045 		return -ENOBUFS;
2046 
2047 	return 0;
2048 }
2049 
2050 static int
2051 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2052 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2053 {
2054 	u16 stypes;
2055 	struct nlattr *nl_ftypes, *nl_ifs;
2056 	enum nl80211_iftype ift;
2057 	int i;
2058 
2059 	if (!mgmt_stypes)
2060 		return 0;
2061 
2062 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2063 	if (!nl_ifs)
2064 		return -ENOBUFS;
2065 
2066 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2067 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2068 		if (!nl_ftypes)
2069 			return -ENOBUFS;
2070 		i = 0;
2071 		stypes = mgmt_stypes[ift].tx;
2072 		while (stypes) {
2073 			if ((stypes & 1) &&
2074 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2075 					(i << 4) | IEEE80211_FTYPE_MGMT))
2076 				return -ENOBUFS;
2077 			stypes >>= 1;
2078 			i++;
2079 		}
2080 		nla_nest_end(msg, nl_ftypes);
2081 	}
2082 
2083 	nla_nest_end(msg, nl_ifs);
2084 
2085 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2086 	if (!nl_ifs)
2087 		return -ENOBUFS;
2088 
2089 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2090 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2091 		if (!nl_ftypes)
2092 			return -ENOBUFS;
2093 		i = 0;
2094 		stypes = mgmt_stypes[ift].rx;
2095 		while (stypes) {
2096 			if ((stypes & 1) &&
2097 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2098 					(i << 4) | IEEE80211_FTYPE_MGMT))
2099 				return -ENOBUFS;
2100 			stypes >>= 1;
2101 			i++;
2102 		}
2103 		nla_nest_end(msg, nl_ftypes);
2104 	}
2105 	nla_nest_end(msg, nl_ifs);
2106 
2107 	return 0;
2108 }
2109 
2110 #define CMD(op, n)							\
2111 	 do {								\
2112 		if (rdev->ops->op) {					\
2113 			i++;						\
2114 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2115 				goto nla_put_failure;			\
2116 		}							\
2117 	} while (0)
2118 
2119 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2120 					struct sk_buff *msg)
2121 {
2122 	int i = 0;
2123 
2124 	/*
2125 	 * do *NOT* add anything into this function, new things need to be
2126 	 * advertised only to new versions of userspace that can deal with
2127 	 * the split (and they can't possibly care about new features...
2128 	 */
2129 	CMD(add_virtual_intf, NEW_INTERFACE);
2130 	CMD(change_virtual_intf, SET_INTERFACE);
2131 	CMD(add_key, NEW_KEY);
2132 	CMD(start_ap, START_AP);
2133 	CMD(add_station, NEW_STATION);
2134 	CMD(add_mpath, NEW_MPATH);
2135 	CMD(update_mesh_config, SET_MESH_CONFIG);
2136 	CMD(change_bss, SET_BSS);
2137 	CMD(auth, AUTHENTICATE);
2138 	CMD(assoc, ASSOCIATE);
2139 	CMD(deauth, DEAUTHENTICATE);
2140 	CMD(disassoc, DISASSOCIATE);
2141 	CMD(join_ibss, JOIN_IBSS);
2142 	CMD(join_mesh, JOIN_MESH);
2143 	CMD(set_pmksa, SET_PMKSA);
2144 	CMD(del_pmksa, DEL_PMKSA);
2145 	CMD(flush_pmksa, FLUSH_PMKSA);
2146 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2147 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2148 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2149 	CMD(mgmt_tx, FRAME);
2150 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2151 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2152 		i++;
2153 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2154 			goto nla_put_failure;
2155 	}
2156 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2157 	    rdev->ops->join_mesh) {
2158 		i++;
2159 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2160 			goto nla_put_failure;
2161 	}
2162 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2163 		CMD(tdls_mgmt, TDLS_MGMT);
2164 		CMD(tdls_oper, TDLS_OPER);
2165 	}
2166 	if (rdev->wiphy.max_sched_scan_reqs)
2167 		CMD(sched_scan_start, START_SCHED_SCAN);
2168 	CMD(probe_client, PROBE_CLIENT);
2169 	CMD(set_noack_map, SET_NOACK_MAP);
2170 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2171 		i++;
2172 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2173 			goto nla_put_failure;
2174 	}
2175 	CMD(start_p2p_device, START_P2P_DEVICE);
2176 	CMD(set_mcast_rate, SET_MCAST_RATE);
2177 #ifdef CONFIG_NL80211_TESTMODE
2178 	CMD(testmode_cmd, TESTMODE);
2179 #endif
2180 
2181 	if (rdev->ops->connect || rdev->ops->auth) {
2182 		i++;
2183 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2184 			goto nla_put_failure;
2185 	}
2186 
2187 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2188 		i++;
2189 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2190 			goto nla_put_failure;
2191 	}
2192 
2193 	return i;
2194  nla_put_failure:
2195 	return -ENOBUFS;
2196 }
2197 
2198 static int
2199 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2200 			   struct sk_buff *msg)
2201 {
2202 	struct nlattr *ftm;
2203 
2204 	if (!cap->ftm.supported)
2205 		return 0;
2206 
2207 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2208 	if (!ftm)
2209 		return -ENOBUFS;
2210 
2211 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2212 		return -ENOBUFS;
2213 	if (cap->ftm.non_asap &&
2214 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2215 		return -ENOBUFS;
2216 	if (cap->ftm.request_lci &&
2217 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2218 		return -ENOBUFS;
2219 	if (cap->ftm.request_civicloc &&
2220 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2221 		return -ENOBUFS;
2222 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2223 			cap->ftm.preambles))
2224 		return -ENOBUFS;
2225 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2226 			cap->ftm.bandwidths))
2227 		return -ENOBUFS;
2228 	if (cap->ftm.max_bursts_exponent >= 0 &&
2229 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2230 			cap->ftm.max_bursts_exponent))
2231 		return -ENOBUFS;
2232 	if (cap->ftm.max_ftms_per_burst &&
2233 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2234 			cap->ftm.max_ftms_per_burst))
2235 		return -ENOBUFS;
2236 	if (cap->ftm.trigger_based &&
2237 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2238 		return -ENOBUFS;
2239 	if (cap->ftm.non_trigger_based &&
2240 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2241 		return -ENOBUFS;
2242 
2243 	nla_nest_end(msg, ftm);
2244 	return 0;
2245 }
2246 
2247 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2248 				  struct sk_buff *msg)
2249 {
2250 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2251 	struct nlattr *pmsr, *caps;
2252 
2253 	if (!cap)
2254 		return 0;
2255 
2256 	/*
2257 	 * we don't need to clean up anything here since the caller
2258 	 * will genlmsg_cancel() if we fail
2259 	 */
2260 
2261 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2262 	if (!pmsr)
2263 		return -ENOBUFS;
2264 
2265 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2266 		return -ENOBUFS;
2267 
2268 	if (cap->report_ap_tsf &&
2269 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2270 		return -ENOBUFS;
2271 
2272 	if (cap->randomize_mac_addr &&
2273 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2274 		return -ENOBUFS;
2275 
2276 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2277 	if (!caps)
2278 		return -ENOBUFS;
2279 
2280 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2281 		return -ENOBUFS;
2282 
2283 	nla_nest_end(msg, caps);
2284 	nla_nest_end(msg, pmsr);
2285 
2286 	return 0;
2287 }
2288 
2289 static int
2290 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2291 			      struct sk_buff *msg)
2292 {
2293 	int i;
2294 	struct nlattr *nested, *nested_akms;
2295 	const struct wiphy_iftype_akm_suites *iftype_akms;
2296 
2297 	if (!rdev->wiphy.num_iftype_akm_suites ||
2298 	    !rdev->wiphy.iftype_akm_suites)
2299 		return 0;
2300 
2301 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2302 	if (!nested)
2303 		return -ENOBUFS;
2304 
2305 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2306 		nested_akms = nla_nest_start(msg, i + 1);
2307 		if (!nested_akms)
2308 			return -ENOBUFS;
2309 
2310 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2311 
2312 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2313 					iftype_akms->iftypes_mask))
2314 			return -ENOBUFS;
2315 
2316 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2317 			    sizeof(u32) * iftype_akms->n_akm_suites,
2318 			    iftype_akms->akm_suites)) {
2319 			return -ENOBUFS;
2320 		}
2321 		nla_nest_end(msg, nested_akms);
2322 	}
2323 
2324 	nla_nest_end(msg, nested);
2325 
2326 	return 0;
2327 }
2328 
2329 static int
2330 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2331 			       struct sk_buff *msg)
2332 {
2333 	struct nlattr *supp;
2334 
2335 	if (!rdev->wiphy.tid_config_support.vif &&
2336 	    !rdev->wiphy.tid_config_support.peer)
2337 		return 0;
2338 
2339 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2340 	if (!supp)
2341 		return -ENOSPC;
2342 
2343 	if (rdev->wiphy.tid_config_support.vif &&
2344 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2345 			      rdev->wiphy.tid_config_support.vif,
2346 			      NL80211_TID_CONFIG_ATTR_PAD))
2347 		goto fail;
2348 
2349 	if (rdev->wiphy.tid_config_support.peer &&
2350 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2351 			      rdev->wiphy.tid_config_support.peer,
2352 			      NL80211_TID_CONFIG_ATTR_PAD))
2353 		goto fail;
2354 
2355 	/* for now we just use the same value ... makes more sense */
2356 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2357 		       rdev->wiphy.tid_config_support.max_retry))
2358 		goto fail;
2359 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2360 		       rdev->wiphy.tid_config_support.max_retry))
2361 		goto fail;
2362 
2363 	nla_nest_end(msg, supp);
2364 
2365 	return 0;
2366 fail:
2367 	nla_nest_cancel(msg, supp);
2368 	return -ENOBUFS;
2369 }
2370 
2371 static int
2372 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2373 		      struct sk_buff *msg)
2374 {
2375 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2376 	u8 num_freq_ranges;
2377 	int i;
2378 
2379 	if (!rdev->wiphy.sar_capa)
2380 		return 0;
2381 
2382 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2383 
2384 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2385 	if (!sar_capa)
2386 		return -ENOSPC;
2387 
2388 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2389 		goto fail;
2390 
2391 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2392 	if (!specs)
2393 		goto fail;
2394 
2395 	/* report supported freq_ranges */
2396 	for (i = 0; i < num_freq_ranges; i++) {
2397 		sub_freq_range = nla_nest_start(msg, i + 1);
2398 		if (!sub_freq_range)
2399 			goto fail;
2400 
2401 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2402 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2403 			goto fail;
2404 
2405 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2406 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2407 			goto fail;
2408 
2409 		nla_nest_end(msg, sub_freq_range);
2410 	}
2411 
2412 	nla_nest_end(msg, specs);
2413 	nla_nest_end(msg, sar_capa);
2414 
2415 	return 0;
2416 fail:
2417 	nla_nest_cancel(msg, sar_capa);
2418 	return -ENOBUFS;
2419 }
2420 
2421 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2422 {
2423 	struct nlattr *config;
2424 
2425 	if (!wiphy->mbssid_max_interfaces)
2426 		return 0;
2427 
2428 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2429 	if (!config)
2430 		return -ENOBUFS;
2431 
2432 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2433 		       wiphy->mbssid_max_interfaces))
2434 		goto fail;
2435 
2436 	if (wiphy->ema_max_profile_periodicity &&
2437 	    nla_put_u8(msg,
2438 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2439 		       wiphy->ema_max_profile_periodicity))
2440 		goto fail;
2441 
2442 	nla_nest_end(msg, config);
2443 	return 0;
2444 
2445 fail:
2446 	nla_nest_cancel(msg, config);
2447 	return -ENOBUFS;
2448 }
2449 
2450 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2451 {
2452 	const struct wiphy_radio *r = &wiphy->radio[idx];
2453 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2454 	struct nlattr *radio, *freq;
2455 	int i;
2456 
2457 	radio = nla_nest_start(msg, idx);
2458 	if (!radio)
2459 		return -ENOBUFS;
2460 
2461 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2462 		goto nla_put_failure;
2463 
2464 	if (rcfg->rts_threshold &&
2465 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2466 			rcfg->rts_threshold))
2467 		goto nla_put_failure;
2468 
2469 	if (r->antenna_mask &&
2470 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2471 			r->antenna_mask))
2472 		goto nla_put_failure;
2473 
2474 	for (i = 0; i < r->n_freq_range; i++) {
2475 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2476 
2477 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2478 		if (!freq)
2479 			goto nla_put_failure;
2480 
2481 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2482 				range->start_freq) ||
2483 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2484 				range->end_freq))
2485 			goto nla_put_failure;
2486 
2487 		nla_nest_end(msg, freq);
2488 	}
2489 
2490 	for (i = 0; i < r->n_iface_combinations; i++)
2491 		if (nl80211_put_ifcomb_data(msg, true,
2492 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2493 					    &r->iface_combinations[i],
2494 					    NLA_F_NESTED))
2495 			goto nla_put_failure;
2496 
2497 	nla_nest_end(msg, radio);
2498 
2499 	return 0;
2500 
2501 nla_put_failure:
2502 	return -ENOBUFS;
2503 }
2504 
2505 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2506 {
2507 	struct nlattr *radios;
2508 	int i;
2509 
2510 	if (!wiphy->n_radio)
2511 		return 0;
2512 
2513 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2514 	if (!radios)
2515 		return -ENOBUFS;
2516 
2517 	for (i = 0; i < wiphy->n_radio; i++)
2518 		if (nl80211_put_radio(wiphy, msg, i))
2519 			goto fail;
2520 
2521 	nla_nest_end(msg, radios);
2522 
2523 	if (nl80211_put_iface_combinations(wiphy, msg,
2524 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2525 					   -1, true, NLA_F_NESTED))
2526 		return -ENOBUFS;
2527 
2528 	return 0;
2529 
2530 fail:
2531 	nla_nest_cancel(msg, radios);
2532 	return -ENOBUFS;
2533 }
2534 
2535 struct nl80211_dump_wiphy_state {
2536 	s64 filter_wiphy;
2537 	long start;
2538 	long split_start, band_start, chan_start, capa_start;
2539 	bool split;
2540 };
2541 
2542 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2543 			      enum nl80211_commands cmd,
2544 			      struct sk_buff *msg, u32 portid, u32 seq,
2545 			      int flags, struct nl80211_dump_wiphy_state *state)
2546 {
2547 	void *hdr;
2548 	struct nlattr *nl_bands, *nl_band;
2549 	struct nlattr *nl_freqs, *nl_freq;
2550 	struct nlattr *nl_cmds;
2551 	enum nl80211_band band;
2552 	struct ieee80211_channel *chan;
2553 	int i;
2554 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2555 				rdev->wiphy.mgmt_stypes;
2556 	u32 features;
2557 
2558 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2559 	if (!hdr)
2560 		return -ENOBUFS;
2561 
2562 	if (WARN_ON(!state))
2563 		return -EINVAL;
2564 
2565 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2566 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2567 			   wiphy_name(&rdev->wiphy)) ||
2568 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2569 			cfg80211_rdev_list_generation))
2570 		goto nla_put_failure;
2571 
2572 	if (cmd != NL80211_CMD_NEW_WIPHY)
2573 		goto finish;
2574 
2575 	switch (state->split_start) {
2576 	case 0:
2577 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2578 			       rdev->wiphy.retry_short) ||
2579 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2580 			       rdev->wiphy.retry_long) ||
2581 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2582 				rdev->wiphy.frag_threshold) ||
2583 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2584 				rdev->wiphy.rts_threshold) ||
2585 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2586 			       rdev->wiphy.coverage_class) ||
2587 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2588 			       rdev->wiphy.max_scan_ssids) ||
2589 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2590 			       rdev->wiphy.max_sched_scan_ssids) ||
2591 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2592 				rdev->wiphy.max_scan_ie_len) ||
2593 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2594 				rdev->wiphy.max_sched_scan_ie_len) ||
2595 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2596 			       rdev->wiphy.max_match_sets))
2597 			goto nla_put_failure;
2598 
2599 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2600 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2601 			goto nla_put_failure;
2602 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2603 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2604 			goto nla_put_failure;
2605 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2606 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2607 			goto nla_put_failure;
2608 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2609 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2610 			goto nla_put_failure;
2611 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2612 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2613 			goto nla_put_failure;
2614 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2615 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2616 			goto nla_put_failure;
2617 		state->split_start++;
2618 		if (state->split)
2619 			break;
2620 		fallthrough;
2621 	case 1:
2622 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2623 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2624 			    rdev->wiphy.cipher_suites))
2625 			goto nla_put_failure;
2626 
2627 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2628 			       rdev->wiphy.max_num_pmkids))
2629 			goto nla_put_failure;
2630 
2631 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2632 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2633 			goto nla_put_failure;
2634 
2635 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2636 				rdev->wiphy.available_antennas_tx) ||
2637 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2638 				rdev->wiphy.available_antennas_rx))
2639 			goto nla_put_failure;
2640 
2641 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2642 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2643 				rdev->wiphy.probe_resp_offload))
2644 			goto nla_put_failure;
2645 
2646 		if ((rdev->wiphy.available_antennas_tx ||
2647 		     rdev->wiphy.available_antennas_rx) &&
2648 		    rdev->ops->get_antenna) {
2649 			u32 tx_ant = 0, rx_ant = 0;
2650 			int res;
2651 
2652 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
2653 			if (!res) {
2654 				if (nla_put_u32(msg,
2655 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2656 						tx_ant) ||
2657 				    nla_put_u32(msg,
2658 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2659 						rx_ant))
2660 					goto nla_put_failure;
2661 			}
2662 		}
2663 
2664 		state->split_start++;
2665 		if (state->split)
2666 			break;
2667 		fallthrough;
2668 	case 2:
2669 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2670 					rdev->wiphy.interface_modes))
2671 				goto nla_put_failure;
2672 		state->split_start++;
2673 		if (state->split)
2674 			break;
2675 		fallthrough;
2676 	case 3:
2677 		nl_bands = nla_nest_start_noflag(msg,
2678 						 NL80211_ATTR_WIPHY_BANDS);
2679 		if (!nl_bands)
2680 			goto nla_put_failure;
2681 
2682 		for (band = state->band_start;
2683 		     band < (state->split ?
2684 				NUM_NL80211_BANDS :
2685 				NL80211_BAND_60GHZ + 1);
2686 		     band++) {
2687 			struct ieee80211_supported_band *sband;
2688 
2689 			/* omit higher bands for ancient software */
2690 			if (band > NL80211_BAND_5GHZ && !state->split)
2691 				break;
2692 
2693 			sband = rdev->wiphy.bands[band];
2694 
2695 			if (!sband)
2696 				continue;
2697 
2698 			nl_band = nla_nest_start_noflag(msg, band);
2699 			if (!nl_band)
2700 				goto nla_put_failure;
2701 
2702 			switch (state->chan_start) {
2703 			case 0:
2704 				if (nl80211_send_band_rateinfo(msg, sband,
2705 							       state->split))
2706 					goto nla_put_failure;
2707 				state->chan_start++;
2708 				if (state->split)
2709 					break;
2710 				fallthrough;
2711 			default:
2712 				/* add frequencies */
2713 				nl_freqs = nla_nest_start_noflag(msg,
2714 								 NL80211_BAND_ATTR_FREQS);
2715 				if (!nl_freqs)
2716 					goto nla_put_failure;
2717 
2718 				for (i = state->chan_start - 1;
2719 				     i < sband->n_channels;
2720 				     i++) {
2721 					nl_freq = nla_nest_start_noflag(msg,
2722 									i);
2723 					if (!nl_freq)
2724 						goto nla_put_failure;
2725 
2726 					chan = &sband->channels[i];
2727 
2728 					if (nl80211_msg_put_channel(
2729 							msg, &rdev->wiphy, chan,
2730 							state->split))
2731 						goto nla_put_failure;
2732 
2733 					nla_nest_end(msg, nl_freq);
2734 					if (state->split)
2735 						break;
2736 				}
2737 				if (i < sband->n_channels)
2738 					state->chan_start = i + 2;
2739 				else
2740 					state->chan_start = 0;
2741 				nla_nest_end(msg, nl_freqs);
2742 			}
2743 
2744 			nla_nest_end(msg, nl_band);
2745 
2746 			if (state->split) {
2747 				/* start again here */
2748 				if (state->chan_start)
2749 					band--;
2750 				break;
2751 			}
2752 		}
2753 		nla_nest_end(msg, nl_bands);
2754 
2755 		if (band < NUM_NL80211_BANDS)
2756 			state->band_start = band + 1;
2757 		else
2758 			state->band_start = 0;
2759 
2760 		/* if bands & channels are done, continue outside */
2761 		if (state->band_start == 0 && state->chan_start == 0)
2762 			state->split_start++;
2763 		if (state->split)
2764 			break;
2765 		fallthrough;
2766 	case 4:
2767 		nl_cmds = nla_nest_start_noflag(msg,
2768 						NL80211_ATTR_SUPPORTED_COMMANDS);
2769 		if (!nl_cmds)
2770 			goto nla_put_failure;
2771 
2772 		i = nl80211_add_commands_unsplit(rdev, msg);
2773 		if (i < 0)
2774 			goto nla_put_failure;
2775 		if (state->split) {
2776 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2777 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2778 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2779 				CMD(channel_switch, CHANNEL_SWITCH);
2780 			CMD(set_qos_map, SET_QOS_MAP);
2781 			if (rdev->wiphy.features &
2782 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2783 				CMD(add_tx_ts, ADD_TX_TS);
2784 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2785 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2786 			CMD(update_ft_ies, UPDATE_FT_IES);
2787 			if (rdev->wiphy.sar_capa)
2788 				CMD(set_sar_specs, SET_SAR_SPECS);
2789 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
2790 		}
2791 #undef CMD
2792 
2793 		nla_nest_end(msg, nl_cmds);
2794 		state->split_start++;
2795 		if (state->split)
2796 			break;
2797 		fallthrough;
2798 	case 5:
2799 		if (rdev->ops->remain_on_channel &&
2800 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2801 		    nla_put_u32(msg,
2802 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2803 				rdev->wiphy.max_remain_on_channel_duration))
2804 			goto nla_put_failure;
2805 
2806 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2807 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2808 			goto nla_put_failure;
2809 
2810 		state->split_start++;
2811 		if (state->split)
2812 			break;
2813 		fallthrough;
2814 	case 6:
2815 #ifdef CONFIG_PM
2816 		if (nl80211_send_wowlan(msg, rdev, state->split))
2817 			goto nla_put_failure;
2818 		state->split_start++;
2819 		if (state->split)
2820 			break;
2821 #else
2822 		state->split_start++;
2823 #endif
2824 		fallthrough;
2825 	case 7:
2826 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2827 					rdev->wiphy.software_iftypes))
2828 			goto nla_put_failure;
2829 
2830 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2831 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2832 						   rdev->wiphy.n_radio ? 0 : -1,
2833 						   state->split, 0))
2834 			goto nla_put_failure;
2835 
2836 		state->split_start++;
2837 		if (state->split)
2838 			break;
2839 		fallthrough;
2840 	case 8:
2841 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2842 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2843 				rdev->wiphy.ap_sme_capa))
2844 			goto nla_put_failure;
2845 
2846 		features = rdev->wiphy.features;
2847 		/*
2848 		 * We can only add the per-channel limit information if the
2849 		 * dump is split, otherwise it makes it too big. Therefore
2850 		 * only advertise it in that case.
2851 		 */
2852 		if (state->split)
2853 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2854 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2855 			goto nla_put_failure;
2856 
2857 		if (rdev->wiphy.ht_capa_mod_mask &&
2858 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2859 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2860 			    rdev->wiphy.ht_capa_mod_mask))
2861 			goto nla_put_failure;
2862 
2863 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2864 		    rdev->wiphy.max_acl_mac_addrs &&
2865 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2866 				rdev->wiphy.max_acl_mac_addrs))
2867 			goto nla_put_failure;
2868 
2869 		/*
2870 		 * Any information below this point is only available to
2871 		 * applications that can deal with it being split. This
2872 		 * helps ensure that newly added capabilities don't break
2873 		 * older tools by overrunning their buffers.
2874 		 *
2875 		 * We still increment split_start so that in the split
2876 		 * case we'll continue with more data in the next round,
2877 		 * but break unconditionally so unsplit data stops here.
2878 		 */
2879 		if (state->split)
2880 			state->split_start++;
2881 		else
2882 			state->split_start = 0;
2883 		break;
2884 	case 9:
2885 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2886 			goto nla_put_failure;
2887 
2888 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2889 				rdev->wiphy.max_sched_scan_plans) ||
2890 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2891 				rdev->wiphy.max_sched_scan_plan_interval) ||
2892 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2893 				rdev->wiphy.max_sched_scan_plan_iterations))
2894 			goto nla_put_failure;
2895 
2896 		if (rdev->wiphy.extended_capabilities &&
2897 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2898 			     rdev->wiphy.extended_capabilities_len,
2899 			     rdev->wiphy.extended_capabilities) ||
2900 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2901 			     rdev->wiphy.extended_capabilities_len,
2902 			     rdev->wiphy.extended_capabilities_mask)))
2903 			goto nla_put_failure;
2904 
2905 		if (rdev->wiphy.vht_capa_mod_mask &&
2906 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2907 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2908 			    rdev->wiphy.vht_capa_mod_mask))
2909 			goto nla_put_failure;
2910 
2911 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2912 			    rdev->wiphy.perm_addr))
2913 			goto nla_put_failure;
2914 
2915 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2916 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2917 			    rdev->wiphy.addr_mask))
2918 			goto nla_put_failure;
2919 
2920 		if (rdev->wiphy.n_addresses > 1) {
2921 			void *attr;
2922 
2923 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2924 			if (!attr)
2925 				goto nla_put_failure;
2926 
2927 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2928 				if (nla_put(msg, i + 1, ETH_ALEN,
2929 					    rdev->wiphy.addresses[i].addr))
2930 					goto nla_put_failure;
2931 
2932 			nla_nest_end(msg, attr);
2933 		}
2934 
2935 		state->split_start++;
2936 		break;
2937 	case 10:
2938 		if (nl80211_send_coalesce(msg, rdev))
2939 			goto nla_put_failure;
2940 
2941 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2942 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2943 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2944 			goto nla_put_failure;
2945 
2946 		if (rdev->wiphy.max_ap_assoc_sta &&
2947 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2948 				rdev->wiphy.max_ap_assoc_sta))
2949 			goto nla_put_failure;
2950 
2951 		state->split_start++;
2952 		break;
2953 	case 11:
2954 		if (rdev->wiphy.n_vendor_commands) {
2955 			const struct nl80211_vendor_cmd_info *info;
2956 			struct nlattr *nested;
2957 
2958 			nested = nla_nest_start_noflag(msg,
2959 						       NL80211_ATTR_VENDOR_DATA);
2960 			if (!nested)
2961 				goto nla_put_failure;
2962 
2963 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2964 				info = &rdev->wiphy.vendor_commands[i].info;
2965 				if (nla_put(msg, i + 1, sizeof(*info), info))
2966 					goto nla_put_failure;
2967 			}
2968 			nla_nest_end(msg, nested);
2969 		}
2970 
2971 		if (rdev->wiphy.n_vendor_events) {
2972 			const struct nl80211_vendor_cmd_info *info;
2973 			struct nlattr *nested;
2974 
2975 			nested = nla_nest_start_noflag(msg,
2976 						       NL80211_ATTR_VENDOR_EVENTS);
2977 			if (!nested)
2978 				goto nla_put_failure;
2979 
2980 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2981 				info = &rdev->wiphy.vendor_events[i];
2982 				if (nla_put(msg, i + 1, sizeof(*info), info))
2983 					goto nla_put_failure;
2984 			}
2985 			nla_nest_end(msg, nested);
2986 		}
2987 		state->split_start++;
2988 		break;
2989 	case 12:
2990 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2991 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2992 			       rdev->wiphy.max_num_csa_counters))
2993 			goto nla_put_failure;
2994 
2995 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2996 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2997 			goto nla_put_failure;
2998 
2999 		if (rdev->wiphy.max_sched_scan_reqs &&
3000 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3001 				rdev->wiphy.max_sched_scan_reqs))
3002 			goto nla_put_failure;
3003 
3004 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3005 			    sizeof(rdev->wiphy.ext_features),
3006 			    rdev->wiphy.ext_features))
3007 			goto nla_put_failure;
3008 
3009 		if (rdev->wiphy.bss_select_support) {
3010 			struct nlattr *nested;
3011 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3012 
3013 			nested = nla_nest_start_noflag(msg,
3014 						       NL80211_ATTR_BSS_SELECT);
3015 			if (!nested)
3016 				goto nla_put_failure;
3017 
3018 			i = 0;
3019 			while (bss_select_support) {
3020 				if ((bss_select_support & 1) &&
3021 				    nla_put_flag(msg, i))
3022 					goto nla_put_failure;
3023 				i++;
3024 				bss_select_support >>= 1;
3025 			}
3026 			nla_nest_end(msg, nested);
3027 		}
3028 
3029 		state->split_start++;
3030 		break;
3031 	case 13:
3032 		if (rdev->wiphy.num_iftype_ext_capab &&
3033 		    rdev->wiphy.iftype_ext_capab) {
3034 			struct nlattr *nested_ext_capab, *nested;
3035 
3036 			nested = nla_nest_start_noflag(msg,
3037 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3038 			if (!nested)
3039 				goto nla_put_failure;
3040 
3041 			for (i = state->capa_start;
3042 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3043 				const struct wiphy_iftype_ext_capab *capab;
3044 
3045 				capab = &rdev->wiphy.iftype_ext_capab[i];
3046 
3047 				nested_ext_capab = nla_nest_start_noflag(msg,
3048 									 i);
3049 				if (!nested_ext_capab ||
3050 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3051 						capab->iftype) ||
3052 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3053 					    capab->extended_capabilities_len,
3054 					    capab->extended_capabilities) ||
3055 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3056 					    capab->extended_capabilities_len,
3057 					    capab->extended_capabilities_mask))
3058 					goto nla_put_failure;
3059 
3060 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3061 				    (nla_put_u16(msg,
3062 						 NL80211_ATTR_EML_CAPABILITY,
3063 						 capab->eml_capabilities) ||
3064 				     nla_put_u16(msg,
3065 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3066 						 capab->mld_capa_and_ops)))
3067 					goto nla_put_failure;
3068 
3069 				nla_nest_end(msg, nested_ext_capab);
3070 				if (state->split)
3071 					break;
3072 			}
3073 			nla_nest_end(msg, nested);
3074 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3075 				state->capa_start = i + 1;
3076 				break;
3077 			}
3078 		}
3079 
3080 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3081 				rdev->wiphy.nan_supported_bands))
3082 			goto nla_put_failure;
3083 
3084 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3085 					    NL80211_EXT_FEATURE_TXQS)) {
3086 			struct cfg80211_txq_stats txqstats = {};
3087 			int res;
3088 
3089 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3090 			if (!res &&
3091 			    !nl80211_put_txq_stats(msg, &txqstats,
3092 						   NL80211_ATTR_TXQ_STATS))
3093 				goto nla_put_failure;
3094 
3095 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3096 					rdev->wiphy.txq_limit))
3097 				goto nla_put_failure;
3098 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3099 					rdev->wiphy.txq_memory_limit))
3100 				goto nla_put_failure;
3101 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3102 					rdev->wiphy.txq_quantum))
3103 				goto nla_put_failure;
3104 		}
3105 
3106 		state->split_start++;
3107 		break;
3108 	case 14:
3109 		if (nl80211_send_pmsr_capa(rdev, msg))
3110 			goto nla_put_failure;
3111 
3112 		state->split_start++;
3113 		break;
3114 	case 15:
3115 		if (rdev->wiphy.akm_suites &&
3116 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3117 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3118 			    rdev->wiphy.akm_suites))
3119 			goto nla_put_failure;
3120 
3121 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3122 			goto nla_put_failure;
3123 
3124 		if (nl80211_put_tid_config_support(rdev, msg))
3125 			goto nla_put_failure;
3126 		state->split_start++;
3127 		break;
3128 	case 16:
3129 		if (nl80211_put_sar_specs(rdev, msg))
3130 			goto nla_put_failure;
3131 
3132 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3133 			goto nla_put_failure;
3134 
3135 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3136 				rdev->wiphy.max_num_akm_suites))
3137 			goto nla_put_failure;
3138 
3139 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3140 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3141 
3142 		if (rdev->wiphy.hw_timestamp_max_peers &&
3143 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3144 				rdev->wiphy.hw_timestamp_max_peers))
3145 			goto nla_put_failure;
3146 
3147 		state->split_start++;
3148 		break;
3149 	case 17:
3150 		if (nl80211_put_radios(&rdev->wiphy, msg))
3151 			goto nla_put_failure;
3152 
3153 		/* done */
3154 		state->split_start = 0;
3155 		break;
3156 	}
3157  finish:
3158 	genlmsg_end(msg, hdr);
3159 	return 0;
3160 
3161  nla_put_failure:
3162 	genlmsg_cancel(msg, hdr);
3163 	return -EMSGSIZE;
3164 }
3165 
3166 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3167 				    struct netlink_callback *cb,
3168 				    struct nl80211_dump_wiphy_state *state)
3169 {
3170 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3171 	int ret;
3172 
3173 	if (!tb)
3174 		return -ENOMEM;
3175 
3176 	ret = nlmsg_parse_deprecated(cb->nlh,
3177 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3178 				     tb, nl80211_fam.maxattr,
3179 				     nl80211_policy, NULL);
3180 	/* ignore parse errors for backward compatibility */
3181 	if (ret) {
3182 		ret = 0;
3183 		goto out;
3184 	}
3185 
3186 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3187 	if (tb[NL80211_ATTR_WIPHY])
3188 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3189 	if (tb[NL80211_ATTR_WDEV])
3190 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3191 	if (tb[NL80211_ATTR_IFINDEX]) {
3192 		struct net_device *netdev;
3193 		struct cfg80211_registered_device *rdev;
3194 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3195 
3196 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3197 		if (!netdev) {
3198 			ret = -ENODEV;
3199 			goto out;
3200 		}
3201 		if (netdev->ieee80211_ptr) {
3202 			rdev = wiphy_to_rdev(
3203 				netdev->ieee80211_ptr->wiphy);
3204 			state->filter_wiphy = rdev->wiphy_idx;
3205 		}
3206 	}
3207 
3208 	ret = 0;
3209 out:
3210 	kfree(tb);
3211 	return ret;
3212 }
3213 
3214 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3215 {
3216 	int idx = 0, ret;
3217 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3218 	struct cfg80211_registered_device *rdev;
3219 
3220 	rtnl_lock();
3221 	if (!state) {
3222 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3223 		if (!state) {
3224 			rtnl_unlock();
3225 			return -ENOMEM;
3226 		}
3227 		state->filter_wiphy = -1;
3228 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3229 		if (ret) {
3230 			kfree(state);
3231 			rtnl_unlock();
3232 			return ret;
3233 		}
3234 		cb->args[0] = (long)state;
3235 	}
3236 
3237 	for_each_rdev(rdev) {
3238 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3239 			continue;
3240 		if (++idx <= state->start)
3241 			continue;
3242 		if (state->filter_wiphy != -1 &&
3243 		    state->filter_wiphy != rdev->wiphy_idx)
3244 			continue;
3245 		wiphy_lock(&rdev->wiphy);
3246 		/* attempt to fit multiple wiphy data chunks into the skb */
3247 		do {
3248 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3249 						 skb,
3250 						 NETLINK_CB(cb->skb).portid,
3251 						 cb->nlh->nlmsg_seq,
3252 						 NLM_F_MULTI, state);
3253 			if (ret < 0) {
3254 				/*
3255 				 * If sending the wiphy data didn't fit (ENOBUFS
3256 				 * or EMSGSIZE returned), this SKB is still
3257 				 * empty (so it's not too big because another
3258 				 * wiphy dataset is already in the skb) and
3259 				 * we've not tried to adjust the dump allocation
3260 				 * yet ... then adjust the alloc size to be
3261 				 * bigger, and return 1 but with the empty skb.
3262 				 * This results in an empty message being RX'ed
3263 				 * in userspace, but that is ignored.
3264 				 *
3265 				 * We can then retry with the larger buffer.
3266 				 */
3267 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3268 				    !skb->len && !state->split &&
3269 				    cb->min_dump_alloc < 4096) {
3270 					cb->min_dump_alloc = 4096;
3271 					state->split_start = 0;
3272 					wiphy_unlock(&rdev->wiphy);
3273 					rtnl_unlock();
3274 					return 1;
3275 				}
3276 				idx--;
3277 				break;
3278 			}
3279 		} while (state->split_start > 0);
3280 		wiphy_unlock(&rdev->wiphy);
3281 		break;
3282 	}
3283 	rtnl_unlock();
3284 
3285 	state->start = idx;
3286 
3287 	return skb->len;
3288 }
3289 
3290 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3291 {
3292 	kfree((void *)cb->args[0]);
3293 	return 0;
3294 }
3295 
3296 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3297 {
3298 	struct sk_buff *msg;
3299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3300 	struct nl80211_dump_wiphy_state state = {};
3301 
3302 	msg = nlmsg_new(4096, GFP_KERNEL);
3303 	if (!msg)
3304 		return -ENOMEM;
3305 
3306 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3307 			       info->snd_portid, info->snd_seq, 0,
3308 			       &state) < 0) {
3309 		nlmsg_free(msg);
3310 		return -ENOBUFS;
3311 	}
3312 
3313 	return genlmsg_reply(msg, info);
3314 }
3315 
3316 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3317 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3318 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3319 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3320 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3321 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3322 };
3323 
3324 static int parse_txq_params(struct nlattr *tb[],
3325 			    struct ieee80211_txq_params *txq_params)
3326 {
3327 	u8 ac;
3328 
3329 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3330 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3331 	    !tb[NL80211_TXQ_ATTR_AIFS])
3332 		return -EINVAL;
3333 
3334 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3335 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3336 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3337 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3338 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3339 
3340 	if (ac >= NL80211_NUM_ACS)
3341 		return -EINVAL;
3342 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3343 	return 0;
3344 }
3345 
3346 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3347 {
3348 	/*
3349 	 * You can only set the channel explicitly for some interfaces,
3350 	 * most have their channel managed via their respective
3351 	 * "establish a connection" command (connect, join, ...)
3352 	 *
3353 	 * For AP/GO and mesh mode, the channel can be set with the
3354 	 * channel userspace API, but is only stored and passed to the
3355 	 * low-level driver when the AP starts or the mesh is joined.
3356 	 * This is for backward compatibility, userspace can also give
3357 	 * the channel in the start-ap or join-mesh commands instead.
3358 	 *
3359 	 * Monitors are special as they are normally slaved to
3360 	 * whatever else is going on, so they have their own special
3361 	 * operation to set the monitor channel if possible.
3362 	 */
3363 	return !wdev ||
3364 		wdev->iftype == NL80211_IFTYPE_AP ||
3365 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3366 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3367 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3368 }
3369 
3370 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3371 				  struct genl_info *info, bool monitor,
3372 				  struct cfg80211_chan_def *chandef)
3373 {
3374 	struct netlink_ext_ack *extack = info->extack;
3375 	struct nlattr **attrs = info->attrs;
3376 	u32 control_freq;
3377 
3378 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3379 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3380 				    "Frequency is missing");
3381 		return -EINVAL;
3382 	}
3383 
3384 	control_freq = MHZ_TO_KHZ(
3385 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3386 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3387 		control_freq +=
3388 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3389 
3390 	memset(chandef, 0, sizeof(*chandef));
3391 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3392 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3393 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3394 	chandef->freq1_offset = control_freq % 1000;
3395 	chandef->center_freq2 = 0;
3396 
3397 	if (!chandef->chan) {
3398 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3399 				    "Unknown channel");
3400 		return -EINVAL;
3401 	}
3402 
3403 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3404 		enum nl80211_channel_type chantype;
3405 
3406 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3407 
3408 		switch (chantype) {
3409 		case NL80211_CHAN_NO_HT:
3410 		case NL80211_CHAN_HT20:
3411 		case NL80211_CHAN_HT40PLUS:
3412 		case NL80211_CHAN_HT40MINUS:
3413 			cfg80211_chandef_create(chandef, chandef->chan,
3414 						chantype);
3415 			/* user input for center_freq is incorrect */
3416 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3417 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3418 				NL_SET_ERR_MSG_ATTR(extack,
3419 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3420 						    "bad center frequency 1");
3421 				return -EINVAL;
3422 			}
3423 			/* center_freq2 must be zero */
3424 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3425 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3426 				NL_SET_ERR_MSG_ATTR(extack,
3427 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3428 						    "center frequency 2 can't be used");
3429 				return -EINVAL;
3430 			}
3431 			break;
3432 		default:
3433 			NL_SET_ERR_MSG_ATTR(extack,
3434 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3435 					    "invalid channel type");
3436 			return -EINVAL;
3437 		}
3438 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3439 		chandef->width =
3440 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3441 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3442 			/* User input error for channel width doesn't match channel  */
3443 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3444 				NL_SET_ERR_MSG_ATTR(extack,
3445 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3446 						    "bad channel width");
3447 				return -EINVAL;
3448 			}
3449 		}
3450 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3451 			chandef->center_freq1 =
3452 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3453 			chandef->freq1_offset =
3454 				nla_get_u32_default(attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET],
3455 						    0);
3456 		}
3457 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3458 			chandef->center_freq2 =
3459 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3460 	}
3461 
3462 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3463 		chandef->edmg.channels =
3464 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3465 
3466 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3467 			chandef->edmg.bw_config =
3468 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3469 	} else {
3470 		chandef->edmg.bw_config = 0;
3471 		chandef->edmg.channels = 0;
3472 	}
3473 
3474 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3475 		chandef->punctured =
3476 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3477 
3478 		if (chandef->punctured &&
3479 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3480 					     NL80211_EXT_FEATURE_PUNCT)) {
3481 			NL_SET_ERR_MSG(extack,
3482 				       "driver doesn't support puncturing");
3483 			return -EINVAL;
3484 		}
3485 	}
3486 
3487 	if (!cfg80211_chandef_valid(chandef)) {
3488 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3489 		return -EINVAL;
3490 	}
3491 
3492 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3493 				      IEEE80211_CHAN_DISABLED,
3494 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3495 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3496 		return -EINVAL;
3497 	}
3498 
3499 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3500 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3501 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3502 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3503 		return -EINVAL;
3504 	}
3505 
3506 	return 0;
3507 }
3508 
3509 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3510 			  struct genl_info *info,
3511 			  struct cfg80211_chan_def *chandef)
3512 {
3513 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3514 }
3515 
3516 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3517 				 struct net_device *dev,
3518 				 struct genl_info *info,
3519 				 int _link_id)
3520 {
3521 	struct cfg80211_chan_def chandef;
3522 	int result;
3523 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3524 	struct wireless_dev *wdev = NULL;
3525 	int link_id = _link_id;
3526 
3527 	if (dev)
3528 		wdev = dev->ieee80211_ptr;
3529 	if (!nl80211_can_set_dev_channel(wdev))
3530 		return -EOPNOTSUPP;
3531 	if (wdev)
3532 		iftype = wdev->iftype;
3533 
3534 	if (link_id < 0) {
3535 		if (wdev && wdev->valid_links)
3536 			return -EINVAL;
3537 		link_id = 0;
3538 	}
3539 
3540 	result = _nl80211_parse_chandef(rdev, info,
3541 					iftype == NL80211_IFTYPE_MONITOR,
3542 					&chandef);
3543 	if (result)
3544 		return result;
3545 
3546 	switch (iftype) {
3547 	case NL80211_IFTYPE_AP:
3548 	case NL80211_IFTYPE_P2P_GO:
3549 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3550 						   iftype))
3551 			return -EINVAL;
3552 		if (wdev->links[link_id].ap.beacon_interval) {
3553 			struct ieee80211_channel *cur_chan;
3554 
3555 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3556 			    !(rdev->wiphy.features &
3557 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3558 				return -EBUSY;
3559 
3560 			/* Only allow dynamic channel width changes */
3561 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3562 			if (chandef.chan != cur_chan)
3563 				return -EBUSY;
3564 
3565 			/* only allow this for regular channel widths */
3566 			switch (wdev->links[link_id].ap.chandef.width) {
3567 			case NL80211_CHAN_WIDTH_20_NOHT:
3568 			case NL80211_CHAN_WIDTH_20:
3569 			case NL80211_CHAN_WIDTH_40:
3570 			case NL80211_CHAN_WIDTH_80:
3571 			case NL80211_CHAN_WIDTH_80P80:
3572 			case NL80211_CHAN_WIDTH_160:
3573 			case NL80211_CHAN_WIDTH_320:
3574 				break;
3575 			default:
3576 				return -EINVAL;
3577 			}
3578 
3579 			switch (chandef.width) {
3580 			case NL80211_CHAN_WIDTH_20_NOHT:
3581 			case NL80211_CHAN_WIDTH_20:
3582 			case NL80211_CHAN_WIDTH_40:
3583 			case NL80211_CHAN_WIDTH_80:
3584 			case NL80211_CHAN_WIDTH_80P80:
3585 			case NL80211_CHAN_WIDTH_160:
3586 			case NL80211_CHAN_WIDTH_320:
3587 				break;
3588 			default:
3589 				return -EINVAL;
3590 			}
3591 
3592 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3593 						       &chandef);
3594 			if (result)
3595 				return result;
3596 			wdev->links[link_id].ap.chandef = chandef;
3597 		} else {
3598 			wdev->u.ap.preset_chandef = chandef;
3599 		}
3600 		return 0;
3601 	case NL80211_IFTYPE_MESH_POINT:
3602 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3603 	case NL80211_IFTYPE_MONITOR:
3604 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3605 	default:
3606 		break;
3607 	}
3608 
3609 	return -EINVAL;
3610 }
3611 
3612 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3613 {
3614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3615 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3616 	struct net_device *netdev = info->user_ptr[1];
3617 
3618 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3619 }
3620 
3621 static int nl80211_set_wiphy_radio(struct genl_info *info,
3622 				   struct cfg80211_registered_device *rdev,
3623 				   int radio_idx)
3624 {
3625 	u32 rts_threshold = 0, old_rts, changed = 0;
3626 	int result;
3627 
3628 	if (!rdev->ops->set_wiphy_params)
3629 		return -EOPNOTSUPP;
3630 
3631 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3632 		rts_threshold = nla_get_u32(
3633 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3634 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3635 	}
3636 
3637 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
3638 
3639 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
3640 
3641 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3642 	if (result)
3643 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
3644 
3645 	return 0;
3646 }
3647 
3648 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3649 {
3650 	struct cfg80211_registered_device *rdev = NULL;
3651 	struct net_device *netdev = NULL;
3652 	struct wireless_dev *wdev;
3653 	int result = 0, rem_txq_params = 0;
3654 	struct nlattr *nl_txq_params;
3655 	u32 changed;
3656 	u8 retry_short = 0, retry_long = 0;
3657 	u32 frag_threshold = 0, rts_threshold = 0;
3658 	u8 coverage_class = 0;
3659 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3660 	int radio_idx = -1;
3661 
3662 	rtnl_lock();
3663 	/*
3664 	 * Try to find the wiphy and netdev. Normally this
3665 	 * function shouldn't need the netdev, but this is
3666 	 * done for backward compatibility -- previously
3667 	 * setting the channel was done per wiphy, but now
3668 	 * it is per netdev. Previous userland like hostapd
3669 	 * also passed a netdev to set_wiphy, so that it is
3670 	 * possible to let that go to the right netdev!
3671 	 */
3672 
3673 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3674 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3675 
3676 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3677 		if (netdev && netdev->ieee80211_ptr)
3678 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3679 		else
3680 			netdev = NULL;
3681 	}
3682 
3683 	if (!netdev) {
3684 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3685 						  info->attrs);
3686 		if (IS_ERR(rdev)) {
3687 			rtnl_unlock();
3688 			return PTR_ERR(rdev);
3689 		}
3690 		wdev = NULL;
3691 		netdev = NULL;
3692 		result = 0;
3693 	} else
3694 		wdev = netdev->ieee80211_ptr;
3695 
3696 	guard(wiphy)(&rdev->wiphy);
3697 
3698 	/*
3699 	 * end workaround code, by now the rdev is available
3700 	 * and locked, and wdev may or may not be NULL.
3701 	 */
3702 
3703 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3704 		result = cfg80211_dev_rename(
3705 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3706 	rtnl_unlock();
3707 
3708 	if (result)
3709 		return result;
3710 
3711 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
3712 		/* Radio idx is not expected for non-multi radio wiphy */
3713 		if (rdev->wiphy.n_radio <= 0)
3714 			return -EINVAL;
3715 
3716 		radio_idx = nla_get_u8(
3717 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
3718 		if (radio_idx >= rdev->wiphy.n_radio)
3719 			return -EINVAL;
3720 
3721 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
3722 	}
3723 
3724 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3725 		struct ieee80211_txq_params txq_params;
3726 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3727 
3728 		if (!rdev->ops->set_txq_params)
3729 			return -EOPNOTSUPP;
3730 
3731 		if (!netdev)
3732 			return -EINVAL;
3733 
3734 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3735 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3736 			return -EINVAL;
3737 
3738 		if (!netif_running(netdev))
3739 			return -ENETDOWN;
3740 
3741 		nla_for_each_nested(nl_txq_params,
3742 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3743 				    rem_txq_params) {
3744 			result = nla_parse_nested_deprecated(tb,
3745 							     NL80211_TXQ_ATTR_MAX,
3746 							     nl_txq_params,
3747 							     txq_params_policy,
3748 							     info->extack);
3749 			if (result)
3750 				return result;
3751 
3752 			result = parse_txq_params(tb, &txq_params);
3753 			if (result)
3754 				return result;
3755 
3756 			txq_params.link_id =
3757 				nl80211_link_id_or_invalid(info->attrs);
3758 
3759 			if (txq_params.link_id >= 0 &&
3760 			    !(netdev->ieee80211_ptr->valid_links &
3761 			      BIT(txq_params.link_id)))
3762 				result = -ENOLINK;
3763 			else if (txq_params.link_id >= 0 &&
3764 				 !netdev->ieee80211_ptr->valid_links)
3765 				result = -EINVAL;
3766 			else
3767 				result = rdev_set_txq_params(rdev, netdev,
3768 							     &txq_params);
3769 			if (result)
3770 				return result;
3771 		}
3772 	}
3773 
3774 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3775 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3776 
3777 		if (wdev) {
3778 			result = __nl80211_set_channel(
3779 				rdev,
3780 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3781 				info, link_id);
3782 		} else {
3783 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3784 		}
3785 
3786 		if (result)
3787 			return result;
3788 	}
3789 
3790 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3791 		struct wireless_dev *txp_wdev = wdev;
3792 		enum nl80211_tx_power_setting type;
3793 		int idx, mbm = 0;
3794 
3795 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3796 			txp_wdev = NULL;
3797 
3798 		if (!rdev->ops->set_tx_power)
3799 			return -EOPNOTSUPP;
3800 
3801 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3802 		type = nla_get_u32(info->attrs[idx]);
3803 
3804 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3805 		    (type != NL80211_TX_POWER_AUTOMATIC))
3806 			return -EINVAL;
3807 
3808 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3809 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3810 			mbm = nla_get_u32(info->attrs[idx]);
3811 		}
3812 
3813 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
3814 					   mbm);
3815 		if (result)
3816 			return result;
3817 	}
3818 
3819 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3820 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3821 		u32 tx_ant, rx_ant;
3822 
3823 		if ((!rdev->wiphy.available_antennas_tx &&
3824 		     !rdev->wiphy.available_antennas_rx) ||
3825 		    !rdev->ops->set_antenna)
3826 			return -EOPNOTSUPP;
3827 
3828 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3829 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3830 
3831 		/* reject antenna configurations which don't match the
3832 		 * available antenna masks, except for the "all" mask */
3833 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3834 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3835 			return -EINVAL;
3836 
3837 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3838 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3839 
3840 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
3841 		if (result)
3842 			return result;
3843 	}
3844 
3845 	changed = 0;
3846 
3847 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3848 		retry_short = nla_get_u8(
3849 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3850 
3851 		changed |= WIPHY_PARAM_RETRY_SHORT;
3852 	}
3853 
3854 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3855 		retry_long = nla_get_u8(
3856 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3857 
3858 		changed |= WIPHY_PARAM_RETRY_LONG;
3859 	}
3860 
3861 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3862 		frag_threshold = nla_get_u32(
3863 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3864 		if (frag_threshold < 256)
3865 			return -EINVAL;
3866 
3867 		if (frag_threshold != (u32) -1) {
3868 			/*
3869 			 * Fragments (apart from the last one) are required to
3870 			 * have even length. Make the fragmentation code
3871 			 * simpler by stripping LSB should someone try to use
3872 			 * odd threshold value.
3873 			 */
3874 			frag_threshold &= ~0x1;
3875 		}
3876 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3877 	}
3878 
3879 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3880 		rts_threshold = nla_get_u32(
3881 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3882 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3883 	}
3884 
3885 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3886 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3887 			return -EINVAL;
3888 
3889 		coverage_class = nla_get_u8(
3890 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3891 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3892 	}
3893 
3894 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3895 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3896 			return -EOPNOTSUPP;
3897 
3898 		changed |= WIPHY_PARAM_DYN_ACK;
3899 	}
3900 
3901 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3902 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3903 					     NL80211_EXT_FEATURE_TXQS))
3904 			return -EOPNOTSUPP;
3905 
3906 		txq_limit = nla_get_u32(
3907 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3908 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3909 	}
3910 
3911 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3912 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3913 					     NL80211_EXT_FEATURE_TXQS))
3914 			return -EOPNOTSUPP;
3915 
3916 		txq_memory_limit = nla_get_u32(
3917 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3918 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3919 	}
3920 
3921 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3922 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3923 					     NL80211_EXT_FEATURE_TXQS))
3924 			return -EOPNOTSUPP;
3925 
3926 		txq_quantum = nla_get_u32(
3927 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3928 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3929 	}
3930 
3931 	if (changed) {
3932 		u8 old_retry_short, old_retry_long;
3933 		u32 old_frag_threshold, old_rts_threshold;
3934 		u8 old_coverage_class, i;
3935 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3936 		u32 *old_radio_rts_threshold = NULL;
3937 
3938 		if (!rdev->ops->set_wiphy_params)
3939 			return -EOPNOTSUPP;
3940 
3941 		if (rdev->wiphy.n_radio) {
3942 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
3943 							  sizeof(u32),
3944 							  GFP_KERNEL);
3945 			if (!old_radio_rts_threshold)
3946 				return -ENOMEM;
3947 		}
3948 
3949 		old_retry_short = rdev->wiphy.retry_short;
3950 		old_retry_long = rdev->wiphy.retry_long;
3951 		old_frag_threshold = rdev->wiphy.frag_threshold;
3952 		old_rts_threshold = rdev->wiphy.rts_threshold;
3953 		if (old_radio_rts_threshold) {
3954 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
3955 				old_radio_rts_threshold[i] =
3956 					rdev->wiphy.radio_cfg[i].rts_threshold;
3957 		}
3958 		old_coverage_class = rdev->wiphy.coverage_class;
3959 		old_txq_limit = rdev->wiphy.txq_limit;
3960 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3961 		old_txq_quantum = rdev->wiphy.txq_quantum;
3962 
3963 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3964 			rdev->wiphy.retry_short = retry_short;
3965 		if (changed & WIPHY_PARAM_RETRY_LONG)
3966 			rdev->wiphy.retry_long = retry_long;
3967 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3968 			rdev->wiphy.frag_threshold = frag_threshold;
3969 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
3970 		    old_radio_rts_threshold) {
3971 			rdev->wiphy.rts_threshold = rts_threshold;
3972 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
3973 				rdev->wiphy.radio_cfg[i].rts_threshold =
3974 					rdev->wiphy.rts_threshold;
3975 		}
3976 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3977 			rdev->wiphy.coverage_class = coverage_class;
3978 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3979 			rdev->wiphy.txq_limit = txq_limit;
3980 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3981 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3982 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3983 			rdev->wiphy.txq_quantum = txq_quantum;
3984 
3985 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3986 		if (result) {
3987 			rdev->wiphy.retry_short = old_retry_short;
3988 			rdev->wiphy.retry_long = old_retry_long;
3989 			rdev->wiphy.frag_threshold = old_frag_threshold;
3990 			rdev->wiphy.rts_threshold = old_rts_threshold;
3991 			if (old_radio_rts_threshold) {
3992 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
3993 					rdev->wiphy.radio_cfg[i].rts_threshold =
3994 						old_radio_rts_threshold[i];
3995 			}
3996 			rdev->wiphy.coverage_class = old_coverage_class;
3997 			rdev->wiphy.txq_limit = old_txq_limit;
3998 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3999 			rdev->wiphy.txq_quantum = old_txq_quantum;
4000 		}
4001 
4002 		if (old_rts_threshold)
4003 			kfree(old_radio_rts_threshold);
4004 		return result;
4005 	}
4006 
4007 	return 0;
4008 }
4009 
4010 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4011 {
4012 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4013 		return -EINVAL;
4014 
4015 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4016 			chandef->chan->center_freq))
4017 		return -ENOBUFS;
4018 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4019 			chandef->chan->freq_offset))
4020 		return -ENOBUFS;
4021 	switch (chandef->width) {
4022 	case NL80211_CHAN_WIDTH_20_NOHT:
4023 	case NL80211_CHAN_WIDTH_20:
4024 	case NL80211_CHAN_WIDTH_40:
4025 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4026 				cfg80211_get_chandef_type(chandef)))
4027 			return -ENOBUFS;
4028 		break;
4029 	default:
4030 		break;
4031 	}
4032 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4033 		return -ENOBUFS;
4034 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4035 		return -ENOBUFS;
4036 	if (chandef->center_freq2 &&
4037 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4038 		return -ENOBUFS;
4039 	if (chandef->punctured &&
4040 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4041 		return -ENOBUFS;
4042 
4043 	return 0;
4044 }
4045 EXPORT_SYMBOL(nl80211_send_chandef);
4046 
4047 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4048 			      struct cfg80211_registered_device *rdev,
4049 			      struct wireless_dev *wdev,
4050 			      enum nl80211_commands cmd)
4051 {
4052 	struct net_device *dev = wdev->netdev;
4053 	void *hdr;
4054 
4055 	lockdep_assert_wiphy(&rdev->wiphy);
4056 
4057 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4058 		cmd != NL80211_CMD_DEL_INTERFACE &&
4059 		cmd != NL80211_CMD_SET_INTERFACE);
4060 
4061 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4062 	if (!hdr)
4063 		return -1;
4064 
4065 	if (dev &&
4066 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4067 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4068 		goto nla_put_failure;
4069 
4070 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4071 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4072 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4073 			      NL80211_ATTR_PAD) ||
4074 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4075 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4076 			rdev->devlist_generation ^
4077 			(cfg80211_rdev_list_generation << 2)) ||
4078 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4079 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4080 		goto nla_put_failure;
4081 
4082 	if (rdev->ops->get_channel && !wdev->valid_links) {
4083 		struct cfg80211_chan_def chandef = {};
4084 		int ret;
4085 
4086 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4087 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4088 			goto nla_put_failure;
4089 	}
4090 
4091 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4092 		int dbm, ret;
4093 
4094 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4095 		if (ret == 0 &&
4096 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4097 				DBM_TO_MBM(dbm)))
4098 			goto nla_put_failure;
4099 	}
4100 
4101 	switch (wdev->iftype) {
4102 	case NL80211_IFTYPE_AP:
4103 	case NL80211_IFTYPE_P2P_GO:
4104 		if (wdev->u.ap.ssid_len &&
4105 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4106 			    wdev->u.ap.ssid))
4107 			goto nla_put_failure;
4108 		break;
4109 	case NL80211_IFTYPE_STATION:
4110 	case NL80211_IFTYPE_P2P_CLIENT:
4111 		if (wdev->u.client.ssid_len &&
4112 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4113 			    wdev->u.client.ssid))
4114 			goto nla_put_failure;
4115 		break;
4116 	case NL80211_IFTYPE_ADHOC:
4117 		if (wdev->u.ibss.ssid_len &&
4118 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4119 			    wdev->u.ibss.ssid))
4120 			goto nla_put_failure;
4121 		break;
4122 	default:
4123 		/* nothing */
4124 		break;
4125 	}
4126 
4127 	if (rdev->ops->get_txq_stats) {
4128 		struct cfg80211_txq_stats txqstats = {};
4129 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4130 
4131 		if (ret == 0 &&
4132 		    !nl80211_put_txq_stats(msg, &txqstats,
4133 					   NL80211_ATTR_TXQ_STATS))
4134 			goto nla_put_failure;
4135 	}
4136 
4137 	if (wdev->valid_links) {
4138 		unsigned int link_id;
4139 		struct nlattr *links = nla_nest_start(msg,
4140 						      NL80211_ATTR_MLO_LINKS);
4141 
4142 		if (!links)
4143 			goto nla_put_failure;
4144 
4145 		for_each_valid_link(wdev, link_id) {
4146 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4147 			struct cfg80211_chan_def chandef = {};
4148 			int ret;
4149 
4150 			if (!link)
4151 				goto nla_put_failure;
4152 
4153 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4154 				goto nla_put_failure;
4155 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4156 				    wdev->links[link_id].addr))
4157 				goto nla_put_failure;
4158 
4159 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4160 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4161 				goto nla_put_failure;
4162 
4163 			if (rdev->ops->get_tx_power) {
4164 				int dbm, ret;
4165 
4166 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4167 				if (ret == 0 &&
4168 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4169 						DBM_TO_MBM(dbm)))
4170 					goto nla_put_failure;
4171 			}
4172 			nla_nest_end(msg, link);
4173 		}
4174 
4175 		nla_nest_end(msg, links);
4176 	}
4177 
4178 	genlmsg_end(msg, hdr);
4179 	return 0;
4180 
4181  nla_put_failure:
4182 	genlmsg_cancel(msg, hdr);
4183 	return -EMSGSIZE;
4184 }
4185 
4186 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4187 {
4188 	int wp_idx = 0;
4189 	int if_idx = 0;
4190 	int wp_start = cb->args[0];
4191 	int if_start = cb->args[1];
4192 	int filter_wiphy = -1;
4193 	struct cfg80211_registered_device *rdev;
4194 	struct wireless_dev *wdev;
4195 	int ret;
4196 
4197 	rtnl_lock();
4198 	if (!cb->args[2]) {
4199 		struct nl80211_dump_wiphy_state state = {
4200 			.filter_wiphy = -1,
4201 		};
4202 
4203 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4204 		if (ret)
4205 			goto out_unlock;
4206 
4207 		filter_wiphy = state.filter_wiphy;
4208 
4209 		/*
4210 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4211 		 * value needed to determine that parsing is necessary.
4212 		 */
4213 		if (filter_wiphy >= 0)
4214 			cb->args[2] = filter_wiphy + 1;
4215 		else
4216 			cb->args[2] = -1;
4217 	} else if (cb->args[2] > 0) {
4218 		filter_wiphy = cb->args[2] - 1;
4219 	}
4220 
4221 	for_each_rdev(rdev) {
4222 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4223 			continue;
4224 		if (wp_idx < wp_start) {
4225 			wp_idx++;
4226 			continue;
4227 		}
4228 
4229 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4230 			continue;
4231 
4232 		if_idx = 0;
4233 
4234 		guard(wiphy)(&rdev->wiphy);
4235 
4236 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4237 			if (if_idx < if_start) {
4238 				if_idx++;
4239 				continue;
4240 			}
4241 
4242 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4243 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4244 					       rdev, wdev,
4245 					       NL80211_CMD_NEW_INTERFACE) < 0)
4246 				goto out;
4247 
4248 			if_idx++;
4249 		}
4250 
4251 		if_start = 0;
4252 		wp_idx++;
4253 	}
4254  out:
4255 	cb->args[0] = wp_idx;
4256 	cb->args[1] = if_idx;
4257 
4258 	ret = skb->len;
4259  out_unlock:
4260 	rtnl_unlock();
4261 
4262 	return ret;
4263 }
4264 
4265 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4266 {
4267 	struct sk_buff *msg;
4268 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4269 	struct wireless_dev *wdev = info->user_ptr[1];
4270 
4271 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4272 	if (!msg)
4273 		return -ENOMEM;
4274 
4275 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4276 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4277 		nlmsg_free(msg);
4278 		return -ENOBUFS;
4279 	}
4280 
4281 	return genlmsg_reply(msg, info);
4282 }
4283 
4284 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4285 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4286 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4287 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4288 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4289 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4290 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4291 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4292 };
4293 
4294 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4295 {
4296 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4297 	int flag;
4298 
4299 	*mntrflags = 0;
4300 
4301 	if (!nla)
4302 		return -EINVAL;
4303 
4304 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4305 		return -EINVAL;
4306 
4307 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4308 		if (flags[flag])
4309 			*mntrflags |= (1<<flag);
4310 
4311 	/* cooked monitor mode is incompatible with other modes */
4312 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4313 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4314 		return -EOPNOTSUPP;
4315 
4316 	*mntrflags |= MONITOR_FLAG_CHANGED;
4317 
4318 	return 0;
4319 }
4320 
4321 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4322 				     enum nl80211_iftype type,
4323 				     struct genl_info *info,
4324 				     struct vif_params *params)
4325 {
4326 	bool change = false;
4327 	int err;
4328 
4329 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4330 		if (type != NL80211_IFTYPE_MONITOR)
4331 			return -EINVAL;
4332 
4333 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4334 					  &params->flags);
4335 		if (err)
4336 			return err;
4337 
4338 		change = true;
4339 	}
4340 
4341 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4342 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4343 		return -EOPNOTSUPP;
4344 
4345 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4346 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4347 		return -EOPNOTSUPP;
4348 
4349 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4350 		const u8 *mumimo_groups;
4351 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4352 
4353 		if (type != NL80211_IFTYPE_MONITOR)
4354 			return -EINVAL;
4355 
4356 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4357 			return -EOPNOTSUPP;
4358 
4359 		mumimo_groups =
4360 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4361 
4362 		/* bits 0 and 63 are reserved and must be zero */
4363 		if ((mumimo_groups[0] & BIT(0)) ||
4364 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4365 			return -EINVAL;
4366 
4367 		params->vht_mumimo_groups = mumimo_groups;
4368 		change = true;
4369 	}
4370 
4371 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4372 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4373 
4374 		if (type != NL80211_IFTYPE_MONITOR)
4375 			return -EINVAL;
4376 
4377 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4378 			return -EOPNOTSUPP;
4379 
4380 		params->vht_mumimo_follow_addr =
4381 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4382 		change = true;
4383 	}
4384 
4385 	return change ? 1 : 0;
4386 }
4387 
4388 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4389 			       struct net_device *netdev, u8 use_4addr,
4390 			       enum nl80211_iftype iftype)
4391 {
4392 	if (!use_4addr) {
4393 		if (netdev && netif_is_bridge_port(netdev))
4394 			return -EBUSY;
4395 		return 0;
4396 	}
4397 
4398 	switch (iftype) {
4399 	case NL80211_IFTYPE_AP_VLAN:
4400 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4401 			return 0;
4402 		break;
4403 	case NL80211_IFTYPE_STATION:
4404 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4405 			return 0;
4406 		break;
4407 	default:
4408 		break;
4409 	}
4410 
4411 	return -EOPNOTSUPP;
4412 }
4413 
4414 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4415 					u32 *radio_mask)
4416 {
4417 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4418 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4419 	u32 mask, allowed;
4420 
4421 	if (!attr) {
4422 		*radio_mask = 0;
4423 		return 0;
4424 	}
4425 
4426 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4427 	mask = nla_get_u32(attr);
4428 	if (mask & ~allowed)
4429 		return -EINVAL;
4430 	if (!mask)
4431 		mask = allowed;
4432 	*radio_mask = mask;
4433 
4434 	return 1;
4435 }
4436 
4437 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4438 {
4439 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4440 	struct vif_params params;
4441 	int err;
4442 	enum nl80211_iftype otype, ntype;
4443 	struct net_device *dev = info->user_ptr[1];
4444 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4445 	u32 radio_mask = 0;
4446 	bool change = false;
4447 
4448 	memset(&params, 0, sizeof(params));
4449 
4450 	otype = ntype = dev->ieee80211_ptr->iftype;
4451 
4452 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4453 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4454 		if (otype != ntype)
4455 			change = true;
4456 	}
4457 
4458 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4459 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4460 			return -EINVAL;
4461 		if (otype != NL80211_IFTYPE_MESH_POINT)
4462 			return -EINVAL;
4463 		if (netif_running(dev))
4464 			return -EBUSY;
4465 
4466 		wdev->u.mesh.id_up_len =
4467 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4468 		memcpy(wdev->u.mesh.id,
4469 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4470 		       wdev->u.mesh.id_up_len);
4471 	}
4472 
4473 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4474 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4475 		change = true;
4476 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4477 		if (err)
4478 			return err;
4479 	} else {
4480 		params.use_4addr = -1;
4481 	}
4482 
4483 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4484 	if (err < 0)
4485 		return err;
4486 	if (err > 0)
4487 		change = true;
4488 
4489 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4490 	if (err < 0)
4491 		return err;
4492 	if (err && netif_running(dev))
4493 		return -EBUSY;
4494 
4495 	if (change)
4496 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4497 	else
4498 		err = 0;
4499 
4500 	if (!err && params.use_4addr != -1)
4501 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4502 
4503 	if (radio_mask)
4504 		wdev->radio_mask = radio_mask;
4505 
4506 	if (change && !err)
4507 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4508 
4509 	return err;
4510 }
4511 
4512 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4513 {
4514 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4515 	struct vif_params params;
4516 	struct wireless_dev *wdev;
4517 	struct sk_buff *msg;
4518 	u32 radio_mask;
4519 	int err;
4520 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4521 
4522 	memset(&params, 0, sizeof(params));
4523 
4524 	if (!info->attrs[NL80211_ATTR_IFNAME])
4525 		return -EINVAL;
4526 
4527 	if (info->attrs[NL80211_ATTR_IFTYPE])
4528 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4529 
4530 	if (!rdev->ops->add_virtual_intf)
4531 		return -EOPNOTSUPP;
4532 
4533 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4534 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4535 	    info->attrs[NL80211_ATTR_MAC]) {
4536 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4537 			   ETH_ALEN);
4538 		if (!is_valid_ether_addr(params.macaddr))
4539 			return -EADDRNOTAVAIL;
4540 	}
4541 
4542 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4543 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4544 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4545 		if (err)
4546 			return err;
4547 	}
4548 
4549 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4550 		return -EOPNOTSUPP;
4551 
4552 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4553 	if (err < 0)
4554 		return err;
4555 
4556 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4557 	if (err < 0)
4558 		return err;
4559 
4560 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4561 	if (!msg)
4562 		return -ENOMEM;
4563 
4564 	wdev = rdev_add_virtual_intf(rdev,
4565 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4566 				NET_NAME_USER, type, &params);
4567 	if (WARN_ON(!wdev)) {
4568 		nlmsg_free(msg);
4569 		return -EPROTO;
4570 	} else if (IS_ERR(wdev)) {
4571 		nlmsg_free(msg);
4572 		return PTR_ERR(wdev);
4573 	}
4574 
4575 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4576 		wdev->owner_nlportid = info->snd_portid;
4577 
4578 	switch (type) {
4579 	case NL80211_IFTYPE_MESH_POINT:
4580 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4581 			break;
4582 		wdev->u.mesh.id_up_len =
4583 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4584 		memcpy(wdev->u.mesh.id,
4585 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4586 		       wdev->u.mesh.id_up_len);
4587 		break;
4588 	case NL80211_IFTYPE_NAN:
4589 	case NL80211_IFTYPE_P2P_DEVICE:
4590 		/*
4591 		 * P2P Device and NAN do not have a netdev, so don't go
4592 		 * through the netdev notifier and must be added here
4593 		 */
4594 		cfg80211_init_wdev(wdev);
4595 		cfg80211_register_wdev(rdev, wdev);
4596 		break;
4597 	default:
4598 		break;
4599 	}
4600 
4601 	if (radio_mask)
4602 		wdev->radio_mask = radio_mask;
4603 
4604 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4605 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4606 		nlmsg_free(msg);
4607 		return -ENOBUFS;
4608 	}
4609 
4610 	return genlmsg_reply(msg, info);
4611 }
4612 
4613 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4614 {
4615 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4616 
4617 	/* to avoid failing a new interface creation due to pending removal */
4618 	cfg80211_destroy_ifaces(rdev);
4619 
4620 	guard(wiphy)(&rdev->wiphy);
4621 
4622 	return _nl80211_new_interface(skb, info);
4623 }
4624 
4625 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4626 {
4627 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4628 	struct wireless_dev *wdev = info->user_ptr[1];
4629 
4630 	if (!rdev->ops->del_virtual_intf)
4631 		return -EOPNOTSUPP;
4632 
4633 	/*
4634 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4635 	 * reach 0, and thus the rdev cannot be deleted.
4636 	 *
4637 	 * We need to do it for the dev_close(), since that will call
4638 	 * the netdev notifiers, and we need to acquire the mutex there
4639 	 * but don't know if we get there from here or from some other
4640 	 * place (e.g. "ip link set ... down").
4641 	 */
4642 	mutex_unlock(&rdev->wiphy.mtx);
4643 
4644 	/*
4645 	 * If we remove a wireless device without a netdev then clear
4646 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4647 	 * to check if it needs to do dev_put(). Otherwise it crashes
4648 	 * since the wdev has been freed, unlike with a netdev where
4649 	 * we need the dev_put() for the netdev to really be freed.
4650 	 */
4651 	if (!wdev->netdev)
4652 		info->user_ptr[1] = NULL;
4653 	else
4654 		dev_close(wdev->netdev);
4655 
4656 	mutex_lock(&rdev->wiphy.mtx);
4657 
4658 	return cfg80211_remove_virtual_intf(rdev, wdev);
4659 }
4660 
4661 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4662 {
4663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4664 	struct net_device *dev = info->user_ptr[1];
4665 	u16 noack_map;
4666 
4667 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4668 		return -EINVAL;
4669 
4670 	if (!rdev->ops->set_noack_map)
4671 		return -EOPNOTSUPP;
4672 
4673 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4674 
4675 	return rdev_set_noack_map(rdev, dev, noack_map);
4676 }
4677 
4678 static int nl80211_validate_key_link_id(struct genl_info *info,
4679 					struct wireless_dev *wdev,
4680 					int link_id, bool pairwise)
4681 {
4682 	if (pairwise) {
4683 		if (link_id != -1) {
4684 			GENL_SET_ERR_MSG(info,
4685 					 "link ID not allowed for pairwise key");
4686 			return -EINVAL;
4687 		}
4688 
4689 		return 0;
4690 	}
4691 
4692 	if (wdev->valid_links) {
4693 		if (link_id == -1) {
4694 			GENL_SET_ERR_MSG(info,
4695 					 "link ID must for MLO group key");
4696 			return -EINVAL;
4697 		}
4698 		if (!(wdev->valid_links & BIT(link_id))) {
4699 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4700 			return -EINVAL;
4701 		}
4702 	} else if (link_id != -1) {
4703 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4704 		return -EINVAL;
4705 	}
4706 
4707 	return 0;
4708 }
4709 
4710 struct get_key_cookie {
4711 	struct sk_buff *msg;
4712 	int error;
4713 	int idx;
4714 };
4715 
4716 static void get_key_callback(void *c, struct key_params *params)
4717 {
4718 	struct nlattr *key;
4719 	struct get_key_cookie *cookie = c;
4720 
4721 	if ((params->seq &&
4722 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4723 		     params->seq_len, params->seq)) ||
4724 	    (params->cipher &&
4725 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4726 			 params->cipher)))
4727 		goto nla_put_failure;
4728 
4729 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4730 	if (!key)
4731 		goto nla_put_failure;
4732 
4733 	if ((params->seq &&
4734 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4735 		     params->seq_len, params->seq)) ||
4736 	    (params->cipher &&
4737 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4738 			 params->cipher)))
4739 		goto nla_put_failure;
4740 
4741 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4742 		goto nla_put_failure;
4743 
4744 	nla_nest_end(cookie->msg, key);
4745 
4746 	return;
4747  nla_put_failure:
4748 	cookie->error = 1;
4749 }
4750 
4751 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4752 {
4753 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4754 	int err;
4755 	struct net_device *dev = info->user_ptr[1];
4756 	u8 key_idx = 0;
4757 	const u8 *mac_addr = NULL;
4758 	bool pairwise;
4759 	struct get_key_cookie cookie = {
4760 		.error = 0,
4761 	};
4762 	void *hdr;
4763 	struct sk_buff *msg;
4764 	bool bigtk_support = false;
4765 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4766 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4767 
4768 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4769 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4770 		bigtk_support = true;
4771 
4772 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4773 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4774 	    wiphy_ext_feature_isset(&rdev->wiphy,
4775 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4776 		bigtk_support = true;
4777 
4778 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4779 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4780 
4781 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4782 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4783 			return -EINVAL;
4784 		}
4785 	}
4786 
4787 	if (info->attrs[NL80211_ATTR_MAC])
4788 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4789 
4790 	pairwise = !!mac_addr;
4791 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4792 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4793 
4794 		if (kt != NL80211_KEYTYPE_GROUP &&
4795 		    kt != NL80211_KEYTYPE_PAIRWISE)
4796 			return -EINVAL;
4797 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4798 	}
4799 
4800 	if (!rdev->ops->get_key)
4801 		return -EOPNOTSUPP;
4802 
4803 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4804 		return -ENOENT;
4805 
4806 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4807 	if (!msg)
4808 		return -ENOMEM;
4809 
4810 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4811 			     NL80211_CMD_NEW_KEY);
4812 	if (!hdr)
4813 		goto nla_put_failure;
4814 
4815 	cookie.msg = msg;
4816 	cookie.idx = key_idx;
4817 
4818 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4819 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4820 		goto nla_put_failure;
4821 	if (mac_addr &&
4822 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4823 		goto nla_put_failure;
4824 
4825 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4826 	if (err)
4827 		goto free_msg;
4828 
4829 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4830 			   &cookie, get_key_callback);
4831 
4832 	if (err)
4833 		goto free_msg;
4834 
4835 	if (cookie.error)
4836 		goto nla_put_failure;
4837 
4838 	genlmsg_end(msg, hdr);
4839 	return genlmsg_reply(msg, info);
4840 
4841  nla_put_failure:
4842 	err = -ENOBUFS;
4843  free_msg:
4844 	nlmsg_free(msg);
4845 	return err;
4846 }
4847 
4848 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4849 {
4850 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4851 	struct key_parse key;
4852 	int err;
4853 	struct net_device *dev = info->user_ptr[1];
4854 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4855 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4856 
4857 	err = nl80211_parse_key(info, &key);
4858 	if (err)
4859 		return err;
4860 
4861 	if (key.idx < 0)
4862 		return -EINVAL;
4863 
4864 	/* Only support setting default key and
4865 	 * Extended Key ID action NL80211_KEY_SET_TX.
4866 	 */
4867 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4868 	    !(key.p.mode == NL80211_KEY_SET_TX))
4869 		return -EINVAL;
4870 
4871 	if (key.def) {
4872 		if (!rdev->ops->set_default_key)
4873 			return -EOPNOTSUPP;
4874 
4875 		err = nl80211_key_allowed(wdev);
4876 		if (err)
4877 			return err;
4878 
4879 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4880 		if (err)
4881 			return err;
4882 
4883 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4884 					   key.def_uni, key.def_multi);
4885 
4886 		if (err)
4887 			return err;
4888 
4889 #ifdef CONFIG_CFG80211_WEXT
4890 		wdev->wext.default_key = key.idx;
4891 #endif
4892 		return 0;
4893 	} else if (key.defmgmt) {
4894 		if (key.def_uni || !key.def_multi)
4895 			return -EINVAL;
4896 
4897 		if (!rdev->ops->set_default_mgmt_key)
4898 			return -EOPNOTSUPP;
4899 
4900 		err = nl80211_key_allowed(wdev);
4901 		if (err)
4902 			return err;
4903 
4904 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4905 		if (err)
4906 			return err;
4907 
4908 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4909 		if (err)
4910 			return err;
4911 
4912 #ifdef CONFIG_CFG80211_WEXT
4913 		wdev->wext.default_mgmt_key = key.idx;
4914 #endif
4915 		return 0;
4916 	} else if (key.defbeacon) {
4917 		if (key.def_uni || !key.def_multi)
4918 			return -EINVAL;
4919 
4920 		if (!rdev->ops->set_default_beacon_key)
4921 			return -EOPNOTSUPP;
4922 
4923 		err = nl80211_key_allowed(wdev);
4924 		if (err)
4925 			return err;
4926 
4927 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4928 		if (err)
4929 			return err;
4930 
4931 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4932 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4933 		   wiphy_ext_feature_isset(&rdev->wiphy,
4934 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4935 		u8 *mac_addr = NULL;
4936 
4937 		if (info->attrs[NL80211_ATTR_MAC])
4938 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4939 
4940 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4941 			return -EINVAL;
4942 
4943 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4944 		if (err)
4945 			return err;
4946 
4947 		return rdev_add_key(rdev, dev, link_id, key.idx,
4948 				    NL80211_KEYTYPE_PAIRWISE,
4949 				    mac_addr, &key.p);
4950 	}
4951 
4952 	return -EINVAL;
4953 }
4954 
4955 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4956 {
4957 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4958 	int err;
4959 	struct net_device *dev = info->user_ptr[1];
4960 	struct key_parse key;
4961 	const u8 *mac_addr = NULL;
4962 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4963 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4964 
4965 	err = nl80211_parse_key(info, &key);
4966 	if (err)
4967 		return err;
4968 
4969 	if (!key.p.key) {
4970 		GENL_SET_ERR_MSG(info, "no key");
4971 		return -EINVAL;
4972 	}
4973 
4974 	if (info->attrs[NL80211_ATTR_MAC])
4975 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4976 
4977 	if (key.type == -1) {
4978 		if (mac_addr)
4979 			key.type = NL80211_KEYTYPE_PAIRWISE;
4980 		else
4981 			key.type = NL80211_KEYTYPE_GROUP;
4982 	}
4983 
4984 	/* for now */
4985 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4986 	    key.type != NL80211_KEYTYPE_GROUP) {
4987 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4988 		return -EINVAL;
4989 	}
4990 
4991 	if (key.type == NL80211_KEYTYPE_GROUP &&
4992 	    info->attrs[NL80211_ATTR_VLAN_ID])
4993 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4994 
4995 	if (!rdev->ops->add_key)
4996 		return -EOPNOTSUPP;
4997 
4998 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4999 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5000 					   mac_addr)) {
5001 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5002 		return -EINVAL;
5003 	}
5004 
5005 	err = nl80211_key_allowed(wdev);
5006 	if (err)
5007 		GENL_SET_ERR_MSG(info, "key not allowed");
5008 
5009 	if (!err)
5010 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5011 				key.type == NL80211_KEYTYPE_PAIRWISE);
5012 
5013 	if (!err) {
5014 		err = rdev_add_key(rdev, dev, link_id, key.idx,
5015 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5016 				    mac_addr, &key.p);
5017 		if (err)
5018 			GENL_SET_ERR_MSG(info, "key addition failed");
5019 	}
5020 
5021 	return err;
5022 }
5023 
5024 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5025 {
5026 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5027 	int err;
5028 	struct net_device *dev = info->user_ptr[1];
5029 	u8 *mac_addr = NULL;
5030 	struct key_parse key;
5031 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5032 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5033 
5034 	err = nl80211_parse_key(info, &key);
5035 	if (err)
5036 		return err;
5037 
5038 	if (info->attrs[NL80211_ATTR_MAC])
5039 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5040 
5041 	if (key.type == -1) {
5042 		if (mac_addr)
5043 			key.type = NL80211_KEYTYPE_PAIRWISE;
5044 		else
5045 			key.type = NL80211_KEYTYPE_GROUP;
5046 	}
5047 
5048 	/* for now */
5049 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5050 	    key.type != NL80211_KEYTYPE_GROUP)
5051 		return -EINVAL;
5052 
5053 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5054 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5055 		return -EINVAL;
5056 
5057 	if (!rdev->ops->del_key)
5058 		return -EOPNOTSUPP;
5059 
5060 	err = nl80211_key_allowed(wdev);
5061 
5062 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5063 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5064 		err = -ENOENT;
5065 
5066 	if (!err)
5067 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5068 				key.type == NL80211_KEYTYPE_PAIRWISE);
5069 
5070 	if (!err)
5071 		err = rdev_del_key(rdev, dev, link_id, key.idx,
5072 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5073 				   mac_addr);
5074 
5075 #ifdef CONFIG_CFG80211_WEXT
5076 	if (!err) {
5077 		if (key.idx == wdev->wext.default_key)
5078 			wdev->wext.default_key = -1;
5079 		else if (key.idx == wdev->wext.default_mgmt_key)
5080 			wdev->wext.default_mgmt_key = -1;
5081 	}
5082 #endif
5083 
5084 	return err;
5085 }
5086 
5087 /* This function returns an error or the number of nested attributes */
5088 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5089 {
5090 	struct nlattr *attr;
5091 	int n_entries = 0, tmp;
5092 
5093 	nla_for_each_nested(attr, nl_attr, tmp) {
5094 		if (nla_len(attr) != ETH_ALEN)
5095 			return -EINVAL;
5096 
5097 		n_entries++;
5098 	}
5099 
5100 	return n_entries;
5101 }
5102 
5103 /*
5104  * This function parses ACL information and allocates memory for ACL data.
5105  * On successful return, the calling function is responsible to free the
5106  * ACL buffer returned by this function.
5107  */
5108 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5109 						struct genl_info *info)
5110 {
5111 	enum nl80211_acl_policy acl_policy;
5112 	struct nlattr *attr;
5113 	struct cfg80211_acl_data *acl;
5114 	int i = 0, n_entries, tmp;
5115 
5116 	if (!wiphy->max_acl_mac_addrs)
5117 		return ERR_PTR(-EOPNOTSUPP);
5118 
5119 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5120 		return ERR_PTR(-EINVAL);
5121 
5122 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5123 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5124 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5125 		return ERR_PTR(-EINVAL);
5126 
5127 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5128 		return ERR_PTR(-EINVAL);
5129 
5130 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5131 	if (n_entries < 0)
5132 		return ERR_PTR(n_entries);
5133 
5134 	if (n_entries > wiphy->max_acl_mac_addrs)
5135 		return ERR_PTR(-EOPNOTSUPP);
5136 
5137 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5138 	if (!acl)
5139 		return ERR_PTR(-ENOMEM);
5140 	acl->n_acl_entries = n_entries;
5141 
5142 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5143 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5144 		i++;
5145 	}
5146 	acl->acl_policy = acl_policy;
5147 
5148 	return acl;
5149 }
5150 
5151 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5152 {
5153 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5154 	struct net_device *dev = info->user_ptr[1];
5155 	struct cfg80211_acl_data *acl;
5156 	int err;
5157 
5158 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5159 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5160 		return -EOPNOTSUPP;
5161 
5162 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5163 		return -EINVAL;
5164 
5165 	acl = parse_acl_data(&rdev->wiphy, info);
5166 	if (IS_ERR(acl))
5167 		return PTR_ERR(acl);
5168 
5169 	err = rdev_set_mac_acl(rdev, dev, acl);
5170 
5171 	kfree(acl);
5172 
5173 	return err;
5174 }
5175 
5176 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5177 			   u8 *rates, u8 rates_len)
5178 {
5179 	u8 i;
5180 	u32 mask = 0;
5181 
5182 	for (i = 0; i < rates_len; i++) {
5183 		int rate = (rates[i] & 0x7f) * 5;
5184 		int ridx;
5185 
5186 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5187 			struct ieee80211_rate *srate =
5188 				&sband->bitrates[ridx];
5189 			if (rate == srate->bitrate) {
5190 				mask |= 1 << ridx;
5191 				break;
5192 			}
5193 		}
5194 		if (ridx == sband->n_bitrates)
5195 			return 0; /* rate not found */
5196 	}
5197 
5198 	return mask;
5199 }
5200 
5201 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5202 			       u8 *rates, u8 rates_len,
5203 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5204 {
5205 	u8 i;
5206 
5207 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5208 
5209 	for (i = 0; i < rates_len; i++) {
5210 		int ridx, rbit;
5211 
5212 		ridx = rates[i] / 8;
5213 		rbit = BIT(rates[i] % 8);
5214 
5215 		/* check validity */
5216 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5217 			return false;
5218 
5219 		/* check availability */
5220 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5221 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5222 			mcs[ridx] |= rbit;
5223 		else
5224 			return false;
5225 	}
5226 
5227 	return true;
5228 }
5229 
5230 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5231 {
5232 	u16 mcs_mask = 0;
5233 
5234 	switch (vht_mcs_map) {
5235 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5236 		break;
5237 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5238 		mcs_mask = 0x00FF;
5239 		break;
5240 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5241 		mcs_mask = 0x01FF;
5242 		break;
5243 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5244 		mcs_mask = 0x03FF;
5245 		break;
5246 	default:
5247 		break;
5248 	}
5249 
5250 	return mcs_mask;
5251 }
5252 
5253 static void vht_build_mcs_mask(u16 vht_mcs_map,
5254 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5255 {
5256 	u8 nss;
5257 
5258 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5259 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5260 		vht_mcs_map >>= 2;
5261 	}
5262 }
5263 
5264 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5265 			     struct nl80211_txrate_vht *txrate,
5266 			     u16 mcs[NL80211_VHT_NSS_MAX])
5267 {
5268 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5269 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5270 	u8 i;
5271 
5272 	if (!sband->vht_cap.vht_supported)
5273 		return false;
5274 
5275 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5276 
5277 	/* Build vht_mcs_mask from VHT capabilities */
5278 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5279 
5280 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5281 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5282 			mcs[i] = txrate->mcs[i];
5283 		else
5284 			return false;
5285 	}
5286 
5287 	return true;
5288 }
5289 
5290 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5291 {
5292 	switch (he_mcs_map) {
5293 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5294 		return 0;
5295 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5296 		return 0x00FF;
5297 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5298 		return 0x03FF;
5299 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5300 		return 0xFFF;
5301 	default:
5302 		break;
5303 	}
5304 	return 0;
5305 }
5306 
5307 static void he_build_mcs_mask(u16 he_mcs_map,
5308 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5309 {
5310 	u8 nss;
5311 
5312 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5313 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5314 		he_mcs_map >>= 2;
5315 	}
5316 }
5317 
5318 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5319 			   const struct ieee80211_sta_he_cap *he_cap)
5320 {
5321 	struct net_device *dev = info->user_ptr[1];
5322 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5323 	struct cfg80211_chan_def *chandef;
5324 	__le16 tx_mcs;
5325 
5326 	chandef = wdev_chandef(wdev, link_id);
5327 	if (!chandef) {
5328 		/*
5329 		 * This is probably broken, but we never maintained
5330 		 * a chandef in these cases, so it always was.
5331 		 */
5332 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5333 	}
5334 
5335 	switch (chandef->width) {
5336 	case NL80211_CHAN_WIDTH_80P80:
5337 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5338 		break;
5339 	case NL80211_CHAN_WIDTH_160:
5340 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5341 		break;
5342 	default:
5343 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5344 		break;
5345 	}
5346 
5347 	return le16_to_cpu(tx_mcs);
5348 }
5349 
5350 static bool he_set_mcs_mask(struct genl_info *info,
5351 			    struct wireless_dev *wdev,
5352 			    struct ieee80211_supported_band *sband,
5353 			    struct nl80211_txrate_he *txrate,
5354 			    u16 mcs[NL80211_HE_NSS_MAX],
5355 			    unsigned int link_id)
5356 {
5357 	const struct ieee80211_sta_he_cap *he_cap;
5358 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5359 	u16 tx_mcs_map = 0;
5360 	u8 i;
5361 
5362 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5363 	if (!he_cap)
5364 		return false;
5365 
5366 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5367 
5368 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5369 
5370 	/* Build he_mcs_mask from HE capabilities */
5371 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5372 
5373 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5374 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5375 			mcs[i] = txrate->mcs[i];
5376 		else
5377 			return false;
5378 	}
5379 
5380 	return true;
5381 }
5382 
5383 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5384 					 struct nlattr *attrs[],
5385 					 enum nl80211_attrs attr,
5386 					 struct cfg80211_bitrate_mask *mask,
5387 					 struct net_device *dev,
5388 					 bool default_all_enabled,
5389 					 unsigned int link_id)
5390 {
5391 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5392 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5393 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5394 	int rem, i;
5395 	struct nlattr *tx_rates;
5396 	struct ieee80211_supported_band *sband;
5397 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5398 
5399 	memset(mask, 0, sizeof(*mask));
5400 	/* Default to all rates enabled */
5401 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5402 		const struct ieee80211_sta_he_cap *he_cap;
5403 
5404 		if (!default_all_enabled)
5405 			break;
5406 
5407 		sband = rdev->wiphy.bands[i];
5408 
5409 		if (!sband)
5410 			continue;
5411 
5412 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5413 		memcpy(mask->control[i].ht_mcs,
5414 		       sband->ht_cap.mcs.rx_mask,
5415 		       sizeof(mask->control[i].ht_mcs));
5416 
5417 		if (sband->vht_cap.vht_supported) {
5418 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5419 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5420 		}
5421 
5422 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5423 		if (!he_cap)
5424 			continue;
5425 
5426 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5427 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5428 
5429 		mask->control[i].he_gi = 0xFF;
5430 		mask->control[i].he_ltf = 0xFF;
5431 	}
5432 
5433 	/* if no rates are given set it back to the defaults */
5434 	if (!attrs[attr])
5435 		goto out;
5436 
5437 	/* The nested attribute uses enum nl80211_band as the index. This maps
5438 	 * directly to the enum nl80211_band values used in cfg80211.
5439 	 */
5440 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5441 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5442 		enum nl80211_band band = nla_type(tx_rates);
5443 		int err;
5444 
5445 		if (band < 0 || band >= NUM_NL80211_BANDS)
5446 			return -EINVAL;
5447 		sband = rdev->wiphy.bands[band];
5448 		if (sband == NULL)
5449 			return -EINVAL;
5450 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5451 						  tx_rates,
5452 						  nl80211_txattr_policy,
5453 						  info->extack);
5454 		if (err)
5455 			return err;
5456 		if (tb[NL80211_TXRATE_LEGACY]) {
5457 			mask->control[band].legacy = rateset_to_mask(
5458 				sband,
5459 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5460 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5461 			if ((mask->control[band].legacy == 0) &&
5462 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5463 				return -EINVAL;
5464 		}
5465 		if (tb[NL80211_TXRATE_HT]) {
5466 			if (!ht_rateset_to_mask(
5467 					sband,
5468 					nla_data(tb[NL80211_TXRATE_HT]),
5469 					nla_len(tb[NL80211_TXRATE_HT]),
5470 					mask->control[band].ht_mcs))
5471 				return -EINVAL;
5472 		}
5473 
5474 		if (tb[NL80211_TXRATE_VHT]) {
5475 			if (!vht_set_mcs_mask(
5476 					sband,
5477 					nla_data(tb[NL80211_TXRATE_VHT]),
5478 					mask->control[band].vht_mcs))
5479 				return -EINVAL;
5480 		}
5481 
5482 		if (tb[NL80211_TXRATE_GI]) {
5483 			mask->control[band].gi =
5484 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5485 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5486 				return -EINVAL;
5487 		}
5488 		if (tb[NL80211_TXRATE_HE] &&
5489 		    !he_set_mcs_mask(info, wdev, sband,
5490 				     nla_data(tb[NL80211_TXRATE_HE]),
5491 				     mask->control[band].he_mcs,
5492 				     link_id))
5493 			return -EINVAL;
5494 
5495 		if (tb[NL80211_TXRATE_HE_GI])
5496 			mask->control[band].he_gi =
5497 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5498 		if (tb[NL80211_TXRATE_HE_LTF])
5499 			mask->control[band].he_ltf =
5500 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5501 
5502 		if (mask->control[band].legacy == 0) {
5503 			/* don't allow empty legacy rates if HT, VHT or HE
5504 			 * are not even supported.
5505 			 */
5506 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5507 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5508 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5509 				return -EINVAL;
5510 
5511 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5512 				if (mask->control[band].ht_mcs[i])
5513 					goto out;
5514 
5515 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5516 				if (mask->control[band].vht_mcs[i])
5517 					goto out;
5518 
5519 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5520 				if (mask->control[band].he_mcs[i])
5521 					goto out;
5522 
5523 			/* legacy and mcs rates may not be both empty */
5524 			return -EINVAL;
5525 		}
5526 	}
5527 
5528 out:
5529 	return 0;
5530 }
5531 
5532 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5533 				   enum nl80211_band band,
5534 				   struct cfg80211_bitrate_mask *beacon_rate)
5535 {
5536 	u32 count_ht, count_vht, count_he, i;
5537 	u32 rate = beacon_rate->control[band].legacy;
5538 
5539 	/* Allow only one rate */
5540 	if (hweight32(rate) > 1)
5541 		return -EINVAL;
5542 
5543 	count_ht = 0;
5544 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5545 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5546 			return -EINVAL;
5547 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5548 			count_ht++;
5549 			if (count_ht > 1)
5550 				return -EINVAL;
5551 		}
5552 		if (count_ht && rate)
5553 			return -EINVAL;
5554 	}
5555 
5556 	count_vht = 0;
5557 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5558 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5559 			return -EINVAL;
5560 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5561 			count_vht++;
5562 			if (count_vht > 1)
5563 				return -EINVAL;
5564 		}
5565 		if (count_vht && rate)
5566 			return -EINVAL;
5567 	}
5568 
5569 	count_he = 0;
5570 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5571 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5572 			return -EINVAL;
5573 		} else if (beacon_rate->control[band].he_mcs[i]) {
5574 			count_he++;
5575 			if (count_he > 1)
5576 				return -EINVAL;
5577 		}
5578 		if (count_he && rate)
5579 			return -EINVAL;
5580 	}
5581 
5582 	if ((count_ht && count_vht && count_he) ||
5583 	    (!rate && !count_ht && !count_vht && !count_he))
5584 		return -EINVAL;
5585 
5586 	if (rate &&
5587 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5588 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5589 		return -EINVAL;
5590 	if (count_ht &&
5591 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5592 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5593 		return -EINVAL;
5594 	if (count_vht &&
5595 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5596 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5597 		return -EINVAL;
5598 	if (count_he &&
5599 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5600 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5601 		return -EINVAL;
5602 
5603 	return 0;
5604 }
5605 
5606 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5607 				       struct net_device *dev,
5608 				       unsigned int link_id,
5609 				       struct nlattr *attrs,
5610 				       struct cfg80211_mbssid_config *config,
5611 				       u8 num_elems)
5612 {
5613 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5614 	int tx_link_id = -1;
5615 
5616 	if (!wiphy->mbssid_max_interfaces)
5617 		return -EOPNOTSUPP;
5618 
5619 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5620 			     NULL) ||
5621 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5622 		return -EINVAL;
5623 
5624 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5625 	if (config->ema) {
5626 		if (!wiphy->ema_max_profile_periodicity)
5627 			return -EOPNOTSUPP;
5628 
5629 		if (num_elems > wiphy->ema_max_profile_periodicity)
5630 			return -EINVAL;
5631 	}
5632 
5633 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5634 	if (config->index >= wiphy->mbssid_max_interfaces ||
5635 	    (!config->index && !num_elems))
5636 		return -EINVAL;
5637 
5638 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
5639 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
5640 
5641 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5642 		u32 tx_ifindex =
5643 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5644 
5645 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5646 		    (config->index && tx_ifindex == dev->ifindex))
5647 			return -EINVAL;
5648 
5649 		if (tx_ifindex != dev->ifindex) {
5650 			struct net_device *tx_netdev =
5651 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5652 
5653 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5654 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5655 			    tx_netdev->ieee80211_ptr->iftype !=
5656 							NL80211_IFTYPE_AP) {
5657 				dev_put(tx_netdev);
5658 				return -EINVAL;
5659 			}
5660 
5661 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5662 			/* Caller should call dev_put(config->tx_wdev) from this point */
5663 
5664 			if (config->tx_wdev->valid_links) {
5665 				if (tx_link_id == -1 ||
5666 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
5667 					return -ENOLINK;
5668 
5669 				config->tx_link_id = tx_link_id;
5670 			}
5671 		} else {
5672 			if (tx_link_id >= 0 && tx_link_id != link_id)
5673 				return -EINVAL;
5674 
5675 			config->tx_wdev = dev->ieee80211_ptr;
5676 		}
5677 	} else if (!config->index) {
5678 		if (tx_link_id >= 0 && tx_link_id != link_id)
5679 			return -EINVAL;
5680 
5681 		config->tx_wdev = dev->ieee80211_ptr;
5682 	} else {
5683 		return -EINVAL;
5684 	}
5685 
5686 	return 0;
5687 }
5688 
5689 static struct cfg80211_mbssid_elems *
5690 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5691 {
5692 	struct nlattr *nl_elems;
5693 	struct cfg80211_mbssid_elems *elems;
5694 	int rem_elems;
5695 	u8 i = 0, num_elems = 0;
5696 
5697 	if (!wiphy->mbssid_max_interfaces)
5698 		return ERR_PTR(-EINVAL);
5699 
5700 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5701 		if (num_elems >= 255)
5702 			return ERR_PTR(-EINVAL);
5703 		num_elems++;
5704 	}
5705 
5706 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5707 	if (!elems)
5708 		return ERR_PTR(-ENOMEM);
5709 	elems->cnt = num_elems;
5710 
5711 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5712 		elems->elem[i].data = nla_data(nl_elems);
5713 		elems->elem[i].len = nla_len(nl_elems);
5714 		i++;
5715 	}
5716 	return elems;
5717 }
5718 
5719 static struct cfg80211_rnr_elems *
5720 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5721 			struct netlink_ext_ack *extack)
5722 {
5723 	struct nlattr *nl_elems;
5724 	struct cfg80211_rnr_elems *elems;
5725 	int rem_elems;
5726 	u8 i = 0, num_elems = 0;
5727 
5728 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5729 		int ret;
5730 
5731 		ret = validate_ie_attr(nl_elems, extack);
5732 		if (ret)
5733 			return ERR_PTR(ret);
5734 
5735 		num_elems++;
5736 	}
5737 
5738 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5739 	if (!elems)
5740 		return ERR_PTR(-ENOMEM);
5741 	elems->cnt = num_elems;
5742 
5743 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5744 		elems->elem[i].data = nla_data(nl_elems);
5745 		elems->elem[i].len = nla_len(nl_elems);
5746 		i++;
5747 	}
5748 	return elems;
5749 }
5750 
5751 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5752 				      struct cfg80211_he_bss_color *he_bss_color)
5753 {
5754 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5755 	int err;
5756 
5757 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5758 			       he_bss_color_policy, NULL);
5759 	if (err)
5760 		return err;
5761 
5762 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5763 		return -EINVAL;
5764 
5765 	he_bss_color->color =
5766 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5767 	he_bss_color->enabled =
5768 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5769 	he_bss_color->partial =
5770 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5771 
5772 	return 0;
5773 }
5774 
5775 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5776 				struct nlattr *attrs[],
5777 				struct cfg80211_beacon_data *bcn,
5778 				struct netlink_ext_ack *extack)
5779 {
5780 	bool haveinfo = false;
5781 	int err;
5782 
5783 	memset(bcn, 0, sizeof(*bcn));
5784 
5785 	bcn->link_id = nl80211_link_id(attrs);
5786 
5787 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5788 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5789 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5790 		if (!bcn->head_len)
5791 			return -EINVAL;
5792 		haveinfo = true;
5793 	}
5794 
5795 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5796 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5797 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5798 		haveinfo = true;
5799 	}
5800 
5801 	if (!haveinfo)
5802 		return -EINVAL;
5803 
5804 	if (attrs[NL80211_ATTR_IE]) {
5805 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5806 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5807 	}
5808 
5809 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5810 		bcn->proberesp_ies =
5811 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5812 		bcn->proberesp_ies_len =
5813 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5814 	}
5815 
5816 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5817 		bcn->assocresp_ies =
5818 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5819 		bcn->assocresp_ies_len =
5820 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5821 	}
5822 
5823 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5824 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5825 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5826 	}
5827 
5828 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5829 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5830 
5831 		err = nla_parse_nested_deprecated(tb,
5832 						  NL80211_FTM_RESP_ATTR_MAX,
5833 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5834 						  NULL, NULL);
5835 		if (err)
5836 			return err;
5837 
5838 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5839 		    wiphy_ext_feature_isset(&rdev->wiphy,
5840 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5841 			bcn->ftm_responder = 1;
5842 		else
5843 			return -EOPNOTSUPP;
5844 
5845 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5846 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5847 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5848 		}
5849 
5850 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5851 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5852 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5853 		}
5854 	} else {
5855 		bcn->ftm_responder = -1;
5856 	}
5857 
5858 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5859 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5860 						 &bcn->he_bss_color);
5861 		if (err)
5862 			return err;
5863 		bcn->he_bss_color_valid = true;
5864 	}
5865 
5866 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5867 		struct cfg80211_mbssid_elems *mbssid =
5868 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5869 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5870 
5871 		if (IS_ERR(mbssid))
5872 			return PTR_ERR(mbssid);
5873 
5874 		bcn->mbssid_ies = mbssid;
5875 
5876 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5877 			struct cfg80211_rnr_elems *rnr =
5878 				nl80211_parse_rnr_elems(&rdev->wiphy,
5879 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5880 							extack);
5881 
5882 			if (IS_ERR(rnr))
5883 				return PTR_ERR(rnr);
5884 
5885 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5886 				return -EINVAL;
5887 
5888 			bcn->rnr_ies = rnr;
5889 		}
5890 	}
5891 
5892 	return 0;
5893 }
5894 
5895 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5896 				    struct ieee80211_he_obss_pd *he_obss_pd)
5897 {
5898 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5899 	int err;
5900 
5901 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5902 			       he_obss_pd_policy, NULL);
5903 	if (err)
5904 		return err;
5905 
5906 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5907 		return -EINVAL;
5908 
5909 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5910 
5911 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5912 		he_obss_pd->min_offset =
5913 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5914 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5915 		he_obss_pd->max_offset =
5916 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5917 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5918 		he_obss_pd->non_srg_max_offset =
5919 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5920 
5921 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5922 		return -EINVAL;
5923 
5924 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5925 		memcpy(he_obss_pd->bss_color_bitmap,
5926 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5927 		       sizeof(he_obss_pd->bss_color_bitmap));
5928 
5929 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5930 		memcpy(he_obss_pd->partial_bssid_bitmap,
5931 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5932 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5933 
5934 	he_obss_pd->enable = true;
5935 
5936 	return 0;
5937 }
5938 
5939 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5940 					struct nlattr *attrs,
5941 					struct cfg80211_fils_discovery *fd)
5942 {
5943 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5944 	int ret;
5945 
5946 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5947 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5948 		return -EINVAL;
5949 
5950 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5951 			       NULL, NULL);
5952 	if (ret)
5953 		return ret;
5954 
5955 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5956 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5957 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5958 		fd->update = true;
5959 		return 0;
5960 	}
5961 
5962 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5963 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5964 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5965 		return -EINVAL;
5966 
5967 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5968 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5969 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5970 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5971 	fd->update = true;
5972 	return 0;
5973 }
5974 
5975 static int
5976 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5977 				     struct nlattr *attrs,
5978 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5979 {
5980 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5981 	int ret;
5982 
5983 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5984 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5985 		return -EINVAL;
5986 
5987 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5988 			       attrs, NULL, NULL);
5989 	if (ret)
5990 		return ret;
5991 
5992 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5993 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5994 		presp->update = true;
5995 		return 0;
5996 	}
5997 
5998 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5999 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6000 		return -EINVAL;
6001 
6002 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6003 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6004 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6005 	presp->update = true;
6006 	return 0;
6007 }
6008 
6009 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6010 					    const struct element *rates)
6011 {
6012 	int i;
6013 
6014 	if (!rates)
6015 		return;
6016 
6017 	for (i = 0; i < rates->datalen; i++) {
6018 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6019 			params->ht_required = true;
6020 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6021 			params->vht_required = true;
6022 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6023 			params->he_required = true;
6024 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6025 			params->sae_h2e_required = true;
6026 	}
6027 }
6028 
6029 /*
6030  * Since the nl80211 API didn't include, from the beginning, attributes about
6031  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6032  * benefit of drivers that rebuild IEs in the firmware.
6033  */
6034 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6035 {
6036 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6037 	size_t ies_len = bcn->tail_len;
6038 	const u8 *ies = bcn->tail;
6039 	const struct element *rates;
6040 	const struct element *cap;
6041 
6042 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6043 	nl80211_check_ap_rate_selectors(params, rates);
6044 
6045 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6046 	nl80211_check_ap_rate_selectors(params, rates);
6047 
6048 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6049 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6050 		params->ht_cap = (void *)cap->data;
6051 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6052 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6053 		params->vht_cap = (void *)cap->data;
6054 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6055 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6056 		params->he_cap = (void *)(cap->data + 1);
6057 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6058 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6059 		params->he_oper = (void *)(cap->data + 1);
6060 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6061 	if (cap) {
6062 		if (!cap->datalen)
6063 			return -EINVAL;
6064 		params->eht_cap = (void *)(cap->data + 1);
6065 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6066 						(const u8 *)params->eht_cap,
6067 						cap->datalen - 1, true))
6068 			return -EINVAL;
6069 	}
6070 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6071 	if (cap) {
6072 		if (!cap->datalen)
6073 			return -EINVAL;
6074 		params->eht_oper = (void *)(cap->data + 1);
6075 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6076 						cap->datalen - 1))
6077 			return -EINVAL;
6078 	}
6079 	return 0;
6080 }
6081 
6082 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6083 				   struct cfg80211_ap_settings *params)
6084 {
6085 	struct wireless_dev *wdev;
6086 
6087 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6088 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6089 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6090 			continue;
6091 
6092 		if (!wdev->u.ap.preset_chandef.chan)
6093 			continue;
6094 
6095 		params->chandef = wdev->u.ap.preset_chandef;
6096 		return true;
6097 	}
6098 
6099 	return false;
6100 }
6101 
6102 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6103 				    enum nl80211_auth_type auth_type,
6104 				    enum nl80211_commands cmd)
6105 {
6106 	if (auth_type > NL80211_AUTHTYPE_MAX)
6107 		return false;
6108 
6109 	switch (cmd) {
6110 	case NL80211_CMD_AUTHENTICATE:
6111 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6112 		    auth_type == NL80211_AUTHTYPE_SAE)
6113 			return false;
6114 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6115 					     NL80211_EXT_FEATURE_FILS_STA) &&
6116 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6117 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6118 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6119 			return false;
6120 		return true;
6121 	case NL80211_CMD_CONNECT:
6122 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6123 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6124 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6125 		    auth_type == NL80211_AUTHTYPE_SAE)
6126 			return false;
6127 
6128 		/* FILS with SK PFS or PK not supported yet */
6129 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6130 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6131 			return false;
6132 		if (!wiphy_ext_feature_isset(
6133 			    &rdev->wiphy,
6134 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6135 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6136 			return false;
6137 		return true;
6138 	case NL80211_CMD_START_AP:
6139 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6140 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6141 		    auth_type == NL80211_AUTHTYPE_SAE)
6142 			return false;
6143 		/* FILS not supported yet */
6144 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6145 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6146 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6147 			return false;
6148 		return true;
6149 	default:
6150 		return false;
6151 	}
6152 }
6153 
6154 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6155 				    unsigned int link_id)
6156 {
6157 	struct wiphy *wiphy = wdev->wiphy;
6158 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6159 	struct sk_buff *msg;
6160 	void *hdr;
6161 
6162 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6163 	if (!msg)
6164 		return;
6165 
6166 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6167 	if (!hdr)
6168 		goto out;
6169 
6170 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6171 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6172 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6173 			      NL80211_ATTR_PAD) ||
6174 	    (wdev->u.ap.ssid_len &&
6175 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6176 		     wdev->u.ap.ssid)) ||
6177 	    (wdev->valid_links &&
6178 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6179 		goto out;
6180 
6181 	genlmsg_end(msg, hdr);
6182 
6183 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6184 				NL80211_MCGRP_MLME, GFP_KERNEL);
6185 	return;
6186 out:
6187 	nlmsg_free(msg);
6188 }
6189 
6190 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6191 {
6192 	struct ieee80211_channel *channel = params->chandef.chan;
6193 
6194 	if ((params->he_cap ||  params->he_oper) &&
6195 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6196 		return -EOPNOTSUPP;
6197 
6198 	if ((params->eht_cap || params->eht_oper) &&
6199 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6200 		return -EOPNOTSUPP;
6201 
6202 	return 0;
6203 }
6204 
6205 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6206 {
6207 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6208 	struct cfg80211_beaconing_check_config beacon_check = {};
6209 	unsigned int link_id = nl80211_link_id(info->attrs);
6210 	struct net_device *dev = info->user_ptr[1];
6211 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6212 	struct cfg80211_ap_settings *params;
6213 	int err;
6214 
6215 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6216 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6217 		return -EOPNOTSUPP;
6218 
6219 	if (!rdev->ops->start_ap)
6220 		return -EOPNOTSUPP;
6221 
6222 	if (wdev->links[link_id].cac_started)
6223 		return -EBUSY;
6224 
6225 	if (wdev->links[link_id].ap.beacon_interval)
6226 		return -EALREADY;
6227 
6228 	/* these are required for START_AP */
6229 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6230 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6231 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6232 		return -EINVAL;
6233 
6234 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6235 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6236 		return -EOPNOTSUPP;
6237 
6238 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6239 	if (!params)
6240 		return -ENOMEM;
6241 
6242 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6243 				   info->extack);
6244 	if (err)
6245 		goto out;
6246 
6247 	params->beacon_interval =
6248 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6249 	params->dtim_period =
6250 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6251 
6252 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6253 					   params->beacon_interval);
6254 	if (err)
6255 		goto out;
6256 
6257 	/*
6258 	 * In theory, some of these attributes should be required here
6259 	 * but since they were not used when the command was originally
6260 	 * added, keep them optional for old user space programs to let
6261 	 * them continue to work with drivers that do not need the
6262 	 * additional information -- drivers must check!
6263 	 */
6264 	if (info->attrs[NL80211_ATTR_SSID]) {
6265 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6266 		params->ssid_len =
6267 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6268 		if (params->ssid_len == 0) {
6269 			err = -EINVAL;
6270 			goto out;
6271 		}
6272 
6273 		if (wdev->u.ap.ssid_len &&
6274 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6275 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6276 			/* require identical SSID for MLO */
6277 			err = -EINVAL;
6278 			goto out;
6279 		}
6280 	} else if (wdev->valid_links) {
6281 		/* require SSID for MLO */
6282 		err = -EINVAL;
6283 		goto out;
6284 	}
6285 
6286 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6287 		params->hidden_ssid = nla_get_u32(
6288 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6289 
6290 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6291 
6292 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6293 		params->auth_type = nla_get_u32(
6294 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6295 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6296 					     NL80211_CMD_START_AP)) {
6297 			err = -EINVAL;
6298 			goto out;
6299 		}
6300 	} else
6301 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6302 
6303 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6304 				      NL80211_MAX_NR_CIPHER_SUITES);
6305 	if (err)
6306 		goto out;
6307 
6308 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6309 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6310 			err = -EOPNOTSUPP;
6311 			goto out;
6312 		}
6313 		params->inactivity_timeout = nla_get_u16(
6314 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6315 	}
6316 
6317 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6318 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6319 			err = -EINVAL;
6320 			goto out;
6321 		}
6322 		params->p2p_ctwindow =
6323 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6324 		if (params->p2p_ctwindow != 0 &&
6325 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6326 			err = -EINVAL;
6327 			goto out;
6328 		}
6329 	}
6330 
6331 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6332 		u8 tmp;
6333 
6334 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6335 			err = -EINVAL;
6336 			goto out;
6337 		}
6338 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6339 		params->p2p_opp_ps = tmp;
6340 		if (params->p2p_opp_ps != 0 &&
6341 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6342 			err = -EINVAL;
6343 			goto out;
6344 		}
6345 	}
6346 
6347 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6348 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6349 		if (err)
6350 			goto out;
6351 	} else if (wdev->valid_links) {
6352 		/* with MLD need to specify the channel configuration */
6353 		err = -EINVAL;
6354 		goto out;
6355 	} else if (wdev->u.ap.preset_chandef.chan) {
6356 		params->chandef = wdev->u.ap.preset_chandef;
6357 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6358 		err = -EINVAL;
6359 		goto out;
6360 	}
6361 
6362 	beacon_check.iftype = wdev->iftype;
6363 	beacon_check.relax = true;
6364 	beacon_check.reg_power =
6365 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6366 					     params->beacon.tail_len);
6367 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6368 					  &beacon_check)) {
6369 		err = -EINVAL;
6370 		goto out;
6371 	}
6372 
6373 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6374 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6375 						    NL80211_ATTR_TX_RATES,
6376 						    &params->beacon_rate,
6377 						    dev, false, link_id);
6378 		if (err)
6379 			goto out;
6380 
6381 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6382 					      &params->beacon_rate);
6383 		if (err)
6384 			goto out;
6385 	}
6386 
6387 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6388 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6389 		err = -EOPNOTSUPP;
6390 		goto out;
6391 	}
6392 
6393 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6394 		params->acl = parse_acl_data(&rdev->wiphy, info);
6395 		if (IS_ERR(params->acl)) {
6396 			err = PTR_ERR(params->acl);
6397 			params->acl = NULL;
6398 			goto out;
6399 		}
6400 	}
6401 
6402 	params->twt_responder =
6403 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6404 
6405 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6406 		err = nl80211_parse_he_obss_pd(
6407 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6408 					&params->he_obss_pd);
6409 		if (err)
6410 			goto out;
6411 	}
6412 
6413 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6414 		err = nl80211_parse_fils_discovery(rdev,
6415 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6416 						   &params->fils_discovery);
6417 		if (err)
6418 			goto out;
6419 	}
6420 
6421 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6422 		err = nl80211_parse_unsol_bcast_probe_resp(
6423 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6424 			&params->unsol_bcast_probe_resp);
6425 		if (err)
6426 			goto out;
6427 	}
6428 
6429 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6430 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
6431 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6432 						  &params->mbssid_config,
6433 						  params->beacon.mbssid_ies ?
6434 							params->beacon.mbssid_ies->cnt :
6435 							0);
6436 		if (err)
6437 			goto out;
6438 	}
6439 
6440 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6441 		err = -EINVAL;
6442 		goto out;
6443 	}
6444 
6445 	err = nl80211_calculate_ap_params(params);
6446 	if (err)
6447 		goto out;
6448 
6449 	err = nl80211_validate_ap_phy_operation(params);
6450 	if (err)
6451 		goto out;
6452 
6453 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6454 		params->flags = nla_get_u32(
6455 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6456 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6457 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6458 
6459 	if (wdev->conn_owner_nlportid &&
6460 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6461 	    wdev->conn_owner_nlportid != info->snd_portid) {
6462 		err = -EINVAL;
6463 		goto out;
6464 	}
6465 
6466 	/* FIXME: validate MLO/link-id against driver capabilities */
6467 
6468 	err = rdev_start_ap(rdev, dev, params);
6469 	if (!err) {
6470 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6471 		wdev->links[link_id].ap.chandef = params->chandef;
6472 		wdev->u.ap.ssid_len = params->ssid_len;
6473 		memcpy(wdev->u.ap.ssid, params->ssid,
6474 		       params->ssid_len);
6475 
6476 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6477 			wdev->conn_owner_nlportid = info->snd_portid;
6478 
6479 		nl80211_send_ap_started(wdev, link_id);
6480 	}
6481 out:
6482 	kfree(params->acl);
6483 	kfree(params->beacon.mbssid_ies);
6484 	if (params->mbssid_config.tx_wdev &&
6485 	    params->mbssid_config.tx_wdev->netdev &&
6486 	    params->mbssid_config.tx_wdev->netdev != dev)
6487 		dev_put(params->mbssid_config.tx_wdev->netdev);
6488 	kfree(params->beacon.rnr_ies);
6489 	kfree(params);
6490 
6491 	return err;
6492 }
6493 
6494 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6495 {
6496 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6497 	struct cfg80211_beaconing_check_config beacon_check = {};
6498 	unsigned int link_id = nl80211_link_id(info->attrs);
6499 	struct net_device *dev = info->user_ptr[1];
6500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6501 	struct cfg80211_ap_update *params;
6502 	struct nlattr *attr;
6503 	int err;
6504 
6505 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6506 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6507 		return -EOPNOTSUPP;
6508 
6509 	if (!rdev->ops->change_beacon)
6510 		return -EOPNOTSUPP;
6511 
6512 	if (!wdev->links[link_id].ap.beacon_interval)
6513 		return -EINVAL;
6514 
6515 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6516 	if (!params)
6517 		return -ENOMEM;
6518 
6519 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6520 				   info->extack);
6521 	if (err)
6522 		goto out;
6523 
6524 	/* recheck beaconing is permitted with possibly changed power type */
6525 	beacon_check.iftype = wdev->iftype;
6526 	beacon_check.relax = true;
6527 	beacon_check.reg_power =
6528 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6529 					     params->beacon.tail_len);
6530 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6531 					  &wdev->links[link_id].ap.chandef,
6532 					  &beacon_check)) {
6533 		err = -EINVAL;
6534 		goto out;
6535 	}
6536 
6537 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6538 	if (attr) {
6539 		err = nl80211_parse_fils_discovery(rdev, attr,
6540 						   &params->fils_discovery);
6541 		if (err)
6542 			goto out;
6543 	}
6544 
6545 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6546 	if (attr) {
6547 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6548 							   &params->unsol_bcast_probe_resp);
6549 		if (err)
6550 			goto out;
6551 	}
6552 
6553 	err = rdev_change_beacon(rdev, dev, params);
6554 
6555 out:
6556 	kfree(params->beacon.mbssid_ies);
6557 	kfree(params->beacon.rnr_ies);
6558 	kfree(params);
6559 	return err;
6560 }
6561 
6562 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6563 {
6564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6565 	unsigned int link_id = nl80211_link_id(info->attrs);
6566 	struct net_device *dev = info->user_ptr[1];
6567 
6568 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6569 }
6570 
6571 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6572 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6573 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6574 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6575 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6576 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6577 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6578 };
6579 
6580 static int parse_station_flags(struct genl_info *info,
6581 			       enum nl80211_iftype iftype,
6582 			       struct station_parameters *params)
6583 {
6584 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6585 	struct nlattr *nla;
6586 	int flag;
6587 
6588 	/*
6589 	 * Try parsing the new attribute first so userspace
6590 	 * can specify both for older kernels.
6591 	 */
6592 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6593 	if (nla) {
6594 		struct nl80211_sta_flag_update *sta_flags;
6595 
6596 		sta_flags = nla_data(nla);
6597 		params->sta_flags_mask = sta_flags->mask;
6598 		params->sta_flags_set = sta_flags->set;
6599 		params->sta_flags_set &= params->sta_flags_mask;
6600 		if ((params->sta_flags_mask |
6601 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6602 			return -EINVAL;
6603 		return 0;
6604 	}
6605 
6606 	/* if present, parse the old attribute */
6607 
6608 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6609 	if (!nla)
6610 		return 0;
6611 
6612 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6613 		return -EINVAL;
6614 
6615 	/*
6616 	 * Only allow certain flags for interface types so that
6617 	 * other attributes are silently ignored. Remember that
6618 	 * this is backward compatibility code with old userspace
6619 	 * and shouldn't be hit in other cases anyway.
6620 	 */
6621 	switch (iftype) {
6622 	case NL80211_IFTYPE_AP:
6623 	case NL80211_IFTYPE_AP_VLAN:
6624 	case NL80211_IFTYPE_P2P_GO:
6625 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6626 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6627 					 BIT(NL80211_STA_FLAG_WME) |
6628 					 BIT(NL80211_STA_FLAG_MFP);
6629 		break;
6630 	case NL80211_IFTYPE_P2P_CLIENT:
6631 	case NL80211_IFTYPE_STATION:
6632 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6633 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6634 		break;
6635 	case NL80211_IFTYPE_MESH_POINT:
6636 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6637 					 BIT(NL80211_STA_FLAG_MFP) |
6638 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6639 		break;
6640 	default:
6641 		return -EINVAL;
6642 	}
6643 
6644 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6645 		if (flags[flag]) {
6646 			params->sta_flags_set |= (1<<flag);
6647 
6648 			/* no longer support new API additions in old API */
6649 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6650 				return -EINVAL;
6651 		}
6652 	}
6653 
6654 	return 0;
6655 }
6656 
6657 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6658 {
6659 	struct nlattr *rate;
6660 	u32 bitrate;
6661 	u16 bitrate_compat;
6662 	enum nl80211_rate_info rate_flg;
6663 
6664 	rate = nla_nest_start_noflag(msg, attr);
6665 	if (!rate)
6666 		return false;
6667 
6668 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6669 	bitrate = cfg80211_calculate_bitrate(info);
6670 	/* report 16-bit bitrate only if we can */
6671 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6672 	if (bitrate > 0 &&
6673 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6674 		return false;
6675 	if (bitrate_compat > 0 &&
6676 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6677 		return false;
6678 
6679 	switch (info->bw) {
6680 	case RATE_INFO_BW_1:
6681 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6682 		break;
6683 	case RATE_INFO_BW_2:
6684 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6685 		break;
6686 	case RATE_INFO_BW_4:
6687 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6688 		break;
6689 	case RATE_INFO_BW_5:
6690 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6691 		break;
6692 	case RATE_INFO_BW_8:
6693 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6694 		break;
6695 	case RATE_INFO_BW_10:
6696 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6697 		break;
6698 	case RATE_INFO_BW_16:
6699 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6700 		break;
6701 	default:
6702 		WARN_ON(1);
6703 		fallthrough;
6704 	case RATE_INFO_BW_20:
6705 		rate_flg = 0;
6706 		break;
6707 	case RATE_INFO_BW_40:
6708 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6709 		break;
6710 	case RATE_INFO_BW_80:
6711 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6712 		break;
6713 	case RATE_INFO_BW_160:
6714 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6715 		break;
6716 	case RATE_INFO_BW_HE_RU:
6717 		rate_flg = 0;
6718 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6719 		break;
6720 	case RATE_INFO_BW_320:
6721 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6722 		break;
6723 	case RATE_INFO_BW_EHT_RU:
6724 		rate_flg = 0;
6725 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6726 		break;
6727 	}
6728 
6729 	if (rate_flg && nla_put_flag(msg, rate_flg))
6730 		return false;
6731 
6732 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6733 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6734 			return false;
6735 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6736 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6737 			return false;
6738 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6739 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6740 			return false;
6741 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6742 			return false;
6743 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6744 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6745 			return false;
6746 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6747 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6748 			return false;
6749 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6750 			return false;
6751 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6752 			return false;
6753 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6754 			return false;
6755 		if (info->bw == RATE_INFO_BW_HE_RU &&
6756 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6757 			       info->he_ru_alloc))
6758 			return false;
6759 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6760 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6761 			return false;
6762 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6763 			return false;
6764 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6765 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6766 			return false;
6767 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6768 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6769 			return false;
6770 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6771 			return false;
6772 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6773 			return false;
6774 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6775 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6776 			       info->eht_ru_alloc))
6777 			return false;
6778 	}
6779 
6780 	nla_nest_end(msg, rate);
6781 	return true;
6782 }
6783 
6784 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6785 			       int id)
6786 {
6787 	void *attr;
6788 	int i = 0;
6789 
6790 	if (!mask)
6791 		return true;
6792 
6793 	attr = nla_nest_start_noflag(msg, id);
6794 	if (!attr)
6795 		return false;
6796 
6797 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6798 		if (!(mask & BIT(i)))
6799 			continue;
6800 
6801 		if (nla_put_u8(msg, i, signal[i]))
6802 			return false;
6803 	}
6804 
6805 	nla_nest_end(msg, attr);
6806 
6807 	return true;
6808 }
6809 
6810 static int nl80211_fill_link_station(struct sk_buff *msg,
6811 				     struct cfg80211_registered_device *rdev,
6812 				     struct link_station_info *link_sinfo)
6813 {
6814 	struct nlattr *bss_param, *link_sinfoattr;
6815 
6816 #define PUT_LINK_SINFO(attr, memb, type) do {				\
6817 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6818 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6819 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6820 			     link_sinfo->memb))				\
6821 		goto nla_put_failure;					\
6822 	} while (0)
6823 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
6824 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6825 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6826 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
6827 		goto nla_put_failure;					\
6828 	} while (0)
6829 
6830 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6831 	if (!link_sinfoattr)
6832 		goto nla_put_failure;
6833 
6834 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
6835 
6836 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6837 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6838 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6839 			(u32)link_sinfo->rx_bytes))
6840 		goto nla_put_failure;
6841 
6842 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6843 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6844 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6845 			(u32)link_sinfo->tx_bytes))
6846 		goto nla_put_failure;
6847 
6848 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
6849 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
6850 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
6851 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
6852 
6853 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6854 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6855 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6856 
6857 	switch (rdev->wiphy.signal_type) {
6858 	case CFG80211_SIGNAL_TYPE_MBM:
6859 		PUT_LINK_SINFO(SIGNAL, signal, u8);
6860 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
6861 		break;
6862 	default:
6863 		break;
6864 	}
6865 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6866 		if (!nl80211_put_signal(msg, link_sinfo->chains,
6867 					link_sinfo->chain_signal,
6868 					NL80211_STA_INFO_CHAIN_SIGNAL))
6869 			goto nla_put_failure;
6870 	}
6871 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6872 		if (!nl80211_put_signal(msg, link_sinfo->chains,
6873 					link_sinfo->chain_signal_avg,
6874 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6875 			goto nla_put_failure;
6876 	}
6877 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6878 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
6879 					  NL80211_STA_INFO_TX_BITRATE))
6880 			goto nla_put_failure;
6881 	}
6882 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6883 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
6884 					  NL80211_STA_INFO_RX_BITRATE))
6885 			goto nla_put_failure;
6886 	}
6887 
6888 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
6889 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
6890 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
6891 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
6892 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6893 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6894 
6895 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6896 		bss_param = nla_nest_start_noflag(msg,
6897 						  NL80211_STA_INFO_BSS_PARAM);
6898 		if (!bss_param)
6899 			goto nla_put_failure;
6900 
6901 		if (((link_sinfo->bss_param.flags &
6902 		      BSS_PARAM_FLAGS_CTS_PROT) &&
6903 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6904 		    ((link_sinfo->bss_param.flags &
6905 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6906 		     nla_put_flag(msg,
6907 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6908 		    ((link_sinfo->bss_param.flags &
6909 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6910 		     nla_put_flag(msg,
6911 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6912 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6913 			       link_sinfo->bss_param.dtim_period) ||
6914 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6915 				link_sinfo->bss_param.beacon_interval))
6916 			goto nla_put_failure;
6917 
6918 		nla_nest_end(msg, bss_param);
6919 	}
6920 
6921 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6922 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
6923 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6924 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6925 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6926 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6927 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6928 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
6929 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6930 	}
6931 
6932 #undef PUT_LINK_SINFO
6933 #undef PUT_LINK_SINFO_U64
6934 
6935 	if (link_sinfo->pertid) {
6936 		struct nlattr *tidsattr;
6937 		int tid;
6938 
6939 		tidsattr = nla_nest_start_noflag(msg,
6940 						 NL80211_STA_INFO_TID_STATS);
6941 		if (!tidsattr)
6942 			goto nla_put_failure;
6943 
6944 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6945 			struct cfg80211_tid_stats *tidstats;
6946 			struct nlattr *tidattr;
6947 
6948 			tidstats = &link_sinfo->pertid[tid];
6949 
6950 			if (!tidstats->filled)
6951 				continue;
6952 
6953 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6954 			if (!tidattr)
6955 				goto nla_put_failure;
6956 
6957 #define PUT_TIDVAL_U64(attr, memb) do {					\
6958 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6959 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6960 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6961 		goto nla_put_failure;					\
6962 	} while (0)
6963 
6964 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6965 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6966 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6967 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6968 
6969 #undef PUT_TIDVAL_U64
6970 			if ((tidstats->filled &
6971 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6972 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6973 						   NL80211_TID_STATS_TXQ_STATS))
6974 				goto nla_put_failure;
6975 
6976 			nla_nest_end(msg, tidattr);
6977 		}
6978 
6979 		nla_nest_end(msg, tidsattr);
6980 	}
6981 
6982 	nla_nest_end(msg, link_sinfoattr);
6983 	return 0;
6984 
6985 nla_put_failure:
6986 	return -EMSGSIZE;
6987 }
6988 
6989 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6990 				u32 seq, int flags,
6991 				struct cfg80211_registered_device *rdev,
6992 				struct net_device *dev,
6993 				const u8 *mac_addr, struct station_info *sinfo)
6994 {
6995 	void *hdr;
6996 	struct nlattr *sinfoattr, *bss_param;
6997 	struct link_station_info *link_sinfo;
6998 	struct nlattr *links, *link;
6999 	int link_id;
7000 
7001 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7002 	if (!hdr) {
7003 		cfg80211_sinfo_release_content(sinfo);
7004 		return -1;
7005 	}
7006 
7007 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7008 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7009 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7010 		goto nla_put_failure;
7011 
7012 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7013 	if (!sinfoattr)
7014 		goto nla_put_failure;
7015 
7016 #define PUT_SINFO(attr, memb, type) do {				\
7017 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7018 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7019 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7020 			     sinfo->memb))				\
7021 		goto nla_put_failure;					\
7022 	} while (0)
7023 #define PUT_SINFO_U64(attr, memb) do {					\
7024 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7025 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7026 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7027 		goto nla_put_failure;					\
7028 	} while (0)
7029 
7030 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7031 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7032 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7033 
7034 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7035 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7036 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7037 			(u32)sinfo->rx_bytes))
7038 		goto nla_put_failure;
7039 
7040 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7041 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7042 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7043 			(u32)sinfo->tx_bytes))
7044 		goto nla_put_failure;
7045 
7046 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7047 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7048 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7049 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7050 
7051 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7052 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7053 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7054 
7055 	switch (rdev->wiphy.signal_type) {
7056 	case CFG80211_SIGNAL_TYPE_MBM:
7057 		PUT_SINFO(SIGNAL, signal, u8);
7058 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7059 		break;
7060 	default:
7061 		break;
7062 	}
7063 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7064 		if (!nl80211_put_signal(msg, sinfo->chains,
7065 					sinfo->chain_signal,
7066 					NL80211_STA_INFO_CHAIN_SIGNAL))
7067 			goto nla_put_failure;
7068 	}
7069 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7070 		if (!nl80211_put_signal(msg, sinfo->chains,
7071 					sinfo->chain_signal_avg,
7072 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7073 			goto nla_put_failure;
7074 	}
7075 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7076 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7077 					  NL80211_STA_INFO_TX_BITRATE))
7078 			goto nla_put_failure;
7079 	}
7080 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7081 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7082 					  NL80211_STA_INFO_RX_BITRATE))
7083 			goto nla_put_failure;
7084 	}
7085 
7086 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7087 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7088 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7089 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7090 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7091 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7092 
7093 	PUT_SINFO(LLID, llid, u16);
7094 	PUT_SINFO(PLID, plid, u16);
7095 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7096 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7097 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7098 	PUT_SINFO(PEER_PM, peer_pm, u32);
7099 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7100 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7101 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7102 	PUT_SINFO_U64(T_OFFSET, t_offset);
7103 
7104 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7105 		bss_param = nla_nest_start_noflag(msg,
7106 						  NL80211_STA_INFO_BSS_PARAM);
7107 		if (!bss_param)
7108 			goto nla_put_failure;
7109 
7110 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7111 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7112 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7113 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7114 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7115 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7116 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7117 			       sinfo->bss_param.dtim_period) ||
7118 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7119 				sinfo->bss_param.beacon_interval))
7120 			goto nla_put_failure;
7121 
7122 		nla_nest_end(msg, bss_param);
7123 	}
7124 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7125 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7126 		    sizeof(struct nl80211_sta_flag_update),
7127 		    &sinfo->sta_flags))
7128 		goto nla_put_failure;
7129 
7130 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7131 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7132 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7133 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7134 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7135 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7136 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7137 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7138 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7139 	}
7140 
7141 #undef PUT_SINFO
7142 #undef PUT_SINFO_U64
7143 
7144 	if (sinfo->pertid) {
7145 		struct nlattr *tidsattr;
7146 		int tid;
7147 
7148 		tidsattr = nla_nest_start_noflag(msg,
7149 						 NL80211_STA_INFO_TID_STATS);
7150 		if (!tidsattr)
7151 			goto nla_put_failure;
7152 
7153 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7154 			struct cfg80211_tid_stats *tidstats;
7155 			struct nlattr *tidattr;
7156 
7157 			tidstats = &sinfo->pertid[tid];
7158 
7159 			if (!tidstats->filled)
7160 				continue;
7161 
7162 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7163 			if (!tidattr)
7164 				goto nla_put_failure;
7165 
7166 #define PUT_TIDVAL_U64(attr, memb) do {					\
7167 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7168 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7169 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7170 		goto nla_put_failure;					\
7171 	} while (0)
7172 
7173 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7174 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7175 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7176 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7177 
7178 #undef PUT_TIDVAL_U64
7179 			if ((tidstats->filled &
7180 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7181 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7182 						   NL80211_TID_STATS_TXQ_STATS))
7183 				goto nla_put_failure;
7184 
7185 			nla_nest_end(msg, tidattr);
7186 		}
7187 
7188 		nla_nest_end(msg, tidsattr);
7189 	}
7190 
7191 	nla_nest_end(msg, sinfoattr);
7192 
7193 	if (sinfo->assoc_req_ies_len &&
7194 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7195 		    sinfo->assoc_req_ies))
7196 		goto nla_put_failure;
7197 
7198 	if (sinfo->assoc_resp_ies_len &&
7199 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7200 		    sinfo->assoc_resp_ies))
7201 		goto nla_put_failure;
7202 
7203 	if (sinfo->mlo_params_valid) {
7204 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7205 			       sinfo->assoc_link_id))
7206 			goto nla_put_failure;
7207 
7208 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7209 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7210 			    sinfo->mld_addr))
7211 			goto nla_put_failure;
7212 	}
7213 
7214 	if (sinfo->valid_links) {
7215 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7216 		if (!links)
7217 			goto nla_put_failure;
7218 
7219 		for_each_valid_link(sinfo, link_id) {
7220 			link_sinfo = sinfo->links[link_id];
7221 
7222 			if (WARN_ON_ONCE(!link_sinfo))
7223 				continue;
7224 
7225 			if (!is_valid_ether_addr(link_sinfo->addr))
7226 				continue;
7227 
7228 			link = nla_nest_start(msg, link_id + 1);
7229 			if (!link)
7230 				goto nla_put_failure;
7231 
7232 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7233 				       link_id))
7234 				goto nla_put_failure;
7235 
7236 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7237 				    link_sinfo->addr))
7238 				goto nla_put_failure;
7239 
7240 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7241 				goto nla_put_failure;
7242 
7243 			nla_nest_end(msg, link);
7244 		}
7245 		nla_nest_end(msg, links);
7246 	}
7247 
7248 	cfg80211_sinfo_release_content(sinfo);
7249 	genlmsg_end(msg, hdr);
7250 	return 0;
7251 
7252  nla_put_failure:
7253 	cfg80211_sinfo_release_content(sinfo);
7254 	genlmsg_cancel(msg, hdr);
7255 	return -EMSGSIZE;
7256 }
7257 
7258 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
7259 {
7260 	struct link_station_info *link_sinfo;
7261 	int link_id, init = 0;
7262 	u32 link_inactive_time;
7263 
7264 	sinfo->signal = -99;
7265 
7266 	for_each_valid_link(sinfo, link_id) {
7267 		link_sinfo = sinfo->links[link_id];
7268 		if (!link_sinfo)
7269 			continue;
7270 
7271 		if ((link_sinfo->filled &
7272 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
7273 			sinfo->tx_packets += link_sinfo->tx_packets;
7274 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
7275 		}
7276 
7277 		if ((link_sinfo->filled &
7278 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
7279 			sinfo->rx_packets += link_sinfo->rx_packets;
7280 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
7281 		}
7282 
7283 		if (link_sinfo->filled &
7284 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7285 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7286 			sinfo->tx_bytes += link_sinfo->tx_bytes;
7287 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
7288 		}
7289 
7290 		if (link_sinfo->filled &
7291 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7292 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7293 			sinfo->rx_bytes += link_sinfo->rx_bytes;
7294 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
7295 		}
7296 
7297 		if (link_sinfo->filled &
7298 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
7299 			sinfo->tx_retries += link_sinfo->tx_retries;
7300 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
7301 		}
7302 
7303 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
7304 			sinfo->tx_failed += link_sinfo->tx_failed;
7305 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
7306 		}
7307 
7308 		if (link_sinfo->filled &
7309 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
7310 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
7311 			sinfo->filled |=
7312 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
7313 		}
7314 
7315 		if (link_sinfo->filled &
7316 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
7317 			sinfo->beacon_loss_count +=
7318 				link_sinfo->beacon_loss_count;
7319 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
7320 		}
7321 
7322 		if (link_sinfo->filled &
7323 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
7324 			sinfo->expected_throughput +=
7325 				link_sinfo->expected_throughput;
7326 			sinfo->filled |=
7327 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
7328 		}
7329 
7330 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
7331 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
7332 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
7333 		}
7334 
7335 		if (link_sinfo->filled &
7336 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
7337 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
7338 			sinfo->filled |=
7339 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
7340 		}
7341 
7342 		if (link_sinfo->filled &
7343 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
7344 			sinfo->rx_beacon += link_sinfo->rx_beacon;
7345 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
7346 		}
7347 
7348 		/* Update MLO signal, signal_avg as best among links */
7349 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
7350 		    link_sinfo->signal > sinfo->signal) {
7351 			sinfo->signal = link_sinfo->signal;
7352 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
7353 		}
7354 
7355 		if ((link_sinfo->filled &
7356 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
7357 		    link_sinfo->signal_avg > sinfo->signal_avg) {
7358 			sinfo->signal_avg = link_sinfo->signal_avg;
7359 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
7360 		}
7361 
7362 		/* Update MLO inactive_time, bss_param based on least
7363 		 * value for corresponding field of link.
7364 		 */
7365 		if ((link_sinfo->filled &
7366 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
7367 		    (!init ||
7368 		     link_inactive_time > link_sinfo->inactive_time)) {
7369 			link_inactive_time = link_sinfo->inactive_time;
7370 			sinfo->inactive_time = link_sinfo->inactive_time;
7371 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
7372 		}
7373 
7374 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
7375 		    (!init ||
7376 		     sinfo->bss_param.dtim_period >
7377 		      link_sinfo->bss_param.dtim_period)) {
7378 			sinfo->bss_param.dtim_period =
7379 				link_sinfo->bss_param.dtim_period;
7380 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
7381 			sinfo->bss_param.beacon_interval =
7382 				link_sinfo->bss_param.beacon_interval;
7383 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
7384 		}
7385 
7386 		/* Update MLO rates as per last updated link rate */
7387 		if ((link_sinfo->filled &
7388 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
7389 		    (!init ||
7390 		     link_inactive_time > link_sinfo->inactive_time)) {
7391 			sinfo->txrate = link_sinfo->txrate;
7392 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
7393 		}
7394 		if ((link_sinfo->filled &
7395 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
7396 		    (!init ||
7397 		     link_inactive_time > link_sinfo->inactive_time)) {
7398 			sinfo->rxrate = link_sinfo->rxrate;
7399 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
7400 		}
7401 
7402 		if (link_sinfo->filled &
7403 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
7404 		    (!init ||
7405 		     link_inactive_time > link_sinfo->inactive_time)) {
7406 			sinfo->tx_duration += link_sinfo->tx_duration;
7407 			sinfo->filled |=
7408 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
7409 		}
7410 		if (link_sinfo->filled &
7411 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
7412 		    (!init ||
7413 		     link_inactive_time > link_sinfo->inactive_time)) {
7414 			sinfo->rx_duration += link_sinfo->rx_duration;
7415 			sinfo->filled |=
7416 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
7417 		}
7418 		init++;
7419 
7420 		/* pertid stats accumulate for rx/tx fields */
7421 		if (sinfo->pertid) {
7422 			sinfo->pertid->rx_msdu +=
7423 				link_sinfo->pertid->rx_msdu;
7424 			sinfo->pertid->tx_msdu +=
7425 				link_sinfo->pertid->tx_msdu;
7426 			sinfo->pertid->tx_msdu_retries +=
7427 				link_sinfo->pertid->tx_msdu_retries;
7428 			sinfo->pertid->tx_msdu_failed +=
7429 				link_sinfo->pertid->tx_msdu_failed;
7430 
7431 			sinfo->pertid->filled |=
7432 				BIT(NL80211_TID_STATS_RX_MSDU) |
7433 				BIT(NL80211_TID_STATS_TX_MSDU) |
7434 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
7435 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
7436 		}
7437 	}
7438 
7439 	/* Reset sinfo->filled bits to exclude fields which don't make
7440 	 * much sense at the MLO level.
7441 	 */
7442 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
7443 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
7444 }
7445 
7446 static int nl80211_dump_station(struct sk_buff *skb,
7447 				struct netlink_callback *cb)
7448 {
7449 	struct station_info sinfo;
7450 	struct cfg80211_registered_device *rdev;
7451 	struct wireless_dev *wdev;
7452 	u8 mac_addr[ETH_ALEN];
7453 	int sta_idx = cb->args[2];
7454 	bool sinfo_alloc = false;
7455 	int err, i;
7456 
7457 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7458 	if (err)
7459 		return err;
7460 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7461 	__acquire(&rdev->wiphy.mtx);
7462 
7463 	if (!wdev->netdev) {
7464 		err = -EINVAL;
7465 		goto out_err;
7466 	}
7467 
7468 	if (!rdev->ops->dump_station) {
7469 		err = -EOPNOTSUPP;
7470 		goto out_err;
7471 	}
7472 
7473 	while (1) {
7474 		memset(&sinfo, 0, sizeof(sinfo));
7475 
7476 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7477 			sinfo.links[i] =
7478 				kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
7479 			if (!sinfo.links[i]) {
7480 				err = -ENOMEM;
7481 				goto out_err;
7482 			}
7483 			sinfo_alloc = true;
7484 		}
7485 
7486 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
7487 					mac_addr, &sinfo);
7488 		if (err == -ENOENT)
7489 			break;
7490 		if (err)
7491 			goto out_err;
7492 
7493 		if (sinfo.valid_links)
7494 			cfg80211_sta_set_mld_sinfo(&sinfo);
7495 
7496 		/* reset the sinfo_alloc flag as nl80211_send_station()
7497 		 * always releases sinfo
7498 		 */
7499 		sinfo_alloc = false;
7500 
7501 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
7502 				NETLINK_CB(cb->skb).portid,
7503 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7504 				rdev, wdev->netdev, mac_addr,
7505 				&sinfo) < 0)
7506 			goto out;
7507 
7508 		sta_idx++;
7509 	}
7510 
7511  out:
7512 	cb->args[2] = sta_idx;
7513 	err = skb->len;
7514  out_err:
7515 	if (sinfo_alloc)
7516 		cfg80211_sinfo_release_content(&sinfo);
7517 	wiphy_unlock(&rdev->wiphy);
7518 
7519 	return err;
7520 }
7521 
7522 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
7523 {
7524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7525 	struct net_device *dev = info->user_ptr[1];
7526 	struct station_info sinfo;
7527 	struct sk_buff *msg;
7528 	u8 *mac_addr = NULL;
7529 	int err, i;
7530 
7531 	memset(&sinfo, 0, sizeof(sinfo));
7532 
7533 	if (!info->attrs[NL80211_ATTR_MAC])
7534 		return -EINVAL;
7535 
7536 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7537 
7538 	if (!rdev->ops->get_station)
7539 		return -EOPNOTSUPP;
7540 
7541 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7542 		sinfo.links[i] = kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
7543 		if (!sinfo.links[i]) {
7544 			cfg80211_sinfo_release_content(&sinfo);
7545 			return -ENOMEM;
7546 		}
7547 	}
7548 
7549 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
7550 	if (err) {
7551 		cfg80211_sinfo_release_content(&sinfo);
7552 		return err;
7553 	}
7554 
7555 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7556 	if (!msg) {
7557 		cfg80211_sinfo_release_content(&sinfo);
7558 		return -ENOMEM;
7559 	}
7560 
7561 	if (sinfo.valid_links)
7562 		cfg80211_sta_set_mld_sinfo(&sinfo);
7563 
7564 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
7565 				 info->snd_portid, info->snd_seq, 0,
7566 				 rdev, dev, mac_addr, &sinfo) < 0) {
7567 		nlmsg_free(msg);
7568 		return -ENOBUFS;
7569 	}
7570 
7571 	return genlmsg_reply(msg, info);
7572 }
7573 
7574 int cfg80211_check_station_change(struct wiphy *wiphy,
7575 				  struct station_parameters *params,
7576 				  enum cfg80211_station_type statype)
7577 {
7578 	if (params->listen_interval != -1 &&
7579 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7580 		return -EINVAL;
7581 
7582 	if (params->support_p2p_ps != -1 &&
7583 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7584 		return -EINVAL;
7585 
7586 	if (params->aid &&
7587 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7588 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7589 		return -EINVAL;
7590 
7591 	/* When you run into this, adjust the code below for the new flag */
7592 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7593 
7594 	switch (statype) {
7595 	case CFG80211_STA_MESH_PEER_KERNEL:
7596 	case CFG80211_STA_MESH_PEER_USER:
7597 		/*
7598 		 * No ignoring the TDLS flag here -- the userspace mesh
7599 		 * code doesn't have the bug of including TDLS in the
7600 		 * mask everywhere.
7601 		 */
7602 		if (params->sta_flags_mask &
7603 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7604 				  BIT(NL80211_STA_FLAG_MFP) |
7605 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7606 			return -EINVAL;
7607 		break;
7608 	case CFG80211_STA_TDLS_PEER_SETUP:
7609 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7610 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7611 			return -EINVAL;
7612 		/* ignore since it can't change */
7613 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7614 		break;
7615 	default:
7616 		/* disallow mesh-specific things */
7617 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7618 			return -EINVAL;
7619 		if (params->local_pm)
7620 			return -EINVAL;
7621 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7622 			return -EINVAL;
7623 	}
7624 
7625 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7626 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7627 		/* TDLS can't be set, ... */
7628 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7629 			return -EINVAL;
7630 		/*
7631 		 * ... but don't bother the driver with it. This works around
7632 		 * a hostapd/wpa_supplicant issue -- it always includes the
7633 		 * TLDS_PEER flag in the mask even for AP mode.
7634 		 */
7635 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7636 	}
7637 
7638 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7639 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7640 		/* reject other things that can't change */
7641 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7642 			return -EINVAL;
7643 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7644 			return -EINVAL;
7645 		if (params->link_sta_params.supported_rates)
7646 			return -EINVAL;
7647 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7648 		    params->link_sta_params.vht_capa ||
7649 		    params->link_sta_params.he_capa ||
7650 		    params->link_sta_params.eht_capa)
7651 			return -EINVAL;
7652 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7653 			return -EINVAL;
7654 	}
7655 
7656 	if (statype != CFG80211_STA_AP_CLIENT &&
7657 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7658 		if (params->vlan)
7659 			return -EINVAL;
7660 	}
7661 
7662 	/* Accept EMLSR capabilities only for AP client before association */
7663 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7664 	    params->eml_cap_present)
7665 		return -EINVAL;
7666 
7667 	switch (statype) {
7668 	case CFG80211_STA_AP_MLME_CLIENT:
7669 		/* Use this only for authorizing/unauthorizing a station */
7670 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7671 			return -EOPNOTSUPP;
7672 		break;
7673 	case CFG80211_STA_AP_CLIENT:
7674 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7675 		/* accept only the listed bits */
7676 		if (params->sta_flags_mask &
7677 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7678 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7679 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7680 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7681 				  BIT(NL80211_STA_FLAG_WME) |
7682 				  BIT(NL80211_STA_FLAG_MFP) |
7683 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7684 			return -EINVAL;
7685 
7686 		/* but authenticated/associated only if driver handles it */
7687 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7688 		    params->sta_flags_mask &
7689 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7690 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7691 			return -EINVAL;
7692 		break;
7693 	case CFG80211_STA_IBSS:
7694 	case CFG80211_STA_AP_STA:
7695 		/* reject any changes other than AUTHORIZED */
7696 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7697 			return -EINVAL;
7698 		break;
7699 	case CFG80211_STA_TDLS_PEER_SETUP:
7700 		/* reject any changes other than AUTHORIZED or WME */
7701 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7702 					       BIT(NL80211_STA_FLAG_WME)))
7703 			return -EINVAL;
7704 		/* force (at least) rates when authorizing */
7705 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7706 		    !params->link_sta_params.supported_rates)
7707 			return -EINVAL;
7708 		break;
7709 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7710 		/* reject any changes */
7711 		return -EINVAL;
7712 	case CFG80211_STA_MESH_PEER_KERNEL:
7713 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7714 			return -EINVAL;
7715 		break;
7716 	case CFG80211_STA_MESH_PEER_USER:
7717 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7718 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7719 			return -EINVAL;
7720 		break;
7721 	}
7722 
7723 	/*
7724 	 * Older kernel versions ignored this attribute entirely, so don't
7725 	 * reject attempts to update it but mark it as unused instead so the
7726 	 * driver won't look at the data.
7727 	 */
7728 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7729 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7730 		params->link_sta_params.opmode_notif_used = false;
7731 
7732 	return 0;
7733 }
7734 EXPORT_SYMBOL(cfg80211_check_station_change);
7735 
7736 /*
7737  * Get vlan interface making sure it is running and on the right wiphy.
7738  */
7739 static struct net_device *get_vlan(struct genl_info *info,
7740 				   struct cfg80211_registered_device *rdev)
7741 {
7742 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7743 	struct net_device *v;
7744 	int ret;
7745 
7746 	if (!vlanattr)
7747 		return NULL;
7748 
7749 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7750 	if (!v)
7751 		return ERR_PTR(-ENODEV);
7752 
7753 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7754 		ret = -EINVAL;
7755 		goto error;
7756 	}
7757 
7758 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7759 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7760 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7761 		ret = -EINVAL;
7762 		goto error;
7763 	}
7764 
7765 	if (!netif_running(v)) {
7766 		ret = -ENETDOWN;
7767 		goto error;
7768 	}
7769 
7770 	return v;
7771  error:
7772 	dev_put(v);
7773 	return ERR_PTR(ret);
7774 }
7775 
7776 static int nl80211_parse_sta_wme(struct genl_info *info,
7777 				 struct station_parameters *params)
7778 {
7779 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7780 	struct nlattr *nla;
7781 	int err;
7782 
7783 	/* parse WME attributes if present */
7784 	if (!info->attrs[NL80211_ATTR_STA_WME])
7785 		return 0;
7786 
7787 	nla = info->attrs[NL80211_ATTR_STA_WME];
7788 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7789 					  nl80211_sta_wme_policy,
7790 					  info->extack);
7791 	if (err)
7792 		return err;
7793 
7794 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7795 		params->uapsd_queues = nla_get_u8(
7796 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7797 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7798 		return -EINVAL;
7799 
7800 	if (tb[NL80211_STA_WME_MAX_SP])
7801 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7802 
7803 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7804 		return -EINVAL;
7805 
7806 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7807 
7808 	return 0;
7809 }
7810 
7811 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7812 				      struct station_parameters *params)
7813 {
7814 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7815 		params->supported_channels =
7816 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7817 		params->supported_channels_len =
7818 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7819 		/*
7820 		 * Need to include at least one (first channel, number of
7821 		 * channels) tuple for each subband (checked in policy),
7822 		 * and must have proper tuples for the rest of the data as well.
7823 		 */
7824 		if (params->supported_channels_len % 2)
7825 			return -EINVAL;
7826 	}
7827 
7828 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7829 		params->supported_oper_classes =
7830 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7831 		params->supported_oper_classes_len =
7832 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7833 	}
7834 	return 0;
7835 }
7836 
7837 static int nl80211_set_station_tdls(struct genl_info *info,
7838 				    struct station_parameters *params)
7839 {
7840 	int err;
7841 	/* Dummy STA entry gets updated once the peer capabilities are known */
7842 	if (info->attrs[NL80211_ATTR_PEER_AID])
7843 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7844 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7845 		params->link_sta_params.ht_capa =
7846 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7847 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7848 		params->link_sta_params.vht_capa =
7849 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7850 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7851 		params->link_sta_params.he_capa =
7852 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7853 		params->link_sta_params.he_capa_len =
7854 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7855 
7856 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7857 			params->link_sta_params.eht_capa =
7858 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7859 			params->link_sta_params.eht_capa_len =
7860 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7861 
7862 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7863 							(const u8 *)params->link_sta_params.eht_capa,
7864 							params->link_sta_params.eht_capa_len,
7865 							false))
7866 				return -EINVAL;
7867 		}
7868 	}
7869 
7870 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
7871 		params->link_sta_params.s1g_capa =
7872 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
7873 
7874 	err = nl80211_parse_sta_channel_info(info, params);
7875 	if (err)
7876 		return err;
7877 
7878 	return nl80211_parse_sta_wme(info, params);
7879 }
7880 
7881 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7882 					     struct sta_txpwr *txpwr,
7883 					     bool *txpwr_set)
7884 {
7885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7886 	int idx;
7887 
7888 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7889 		if (!rdev->ops->set_tx_power ||
7890 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7891 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7892 			return -EOPNOTSUPP;
7893 
7894 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7895 		txpwr->type = nla_get_u8(info->attrs[idx]);
7896 
7897 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7898 			idx = NL80211_ATTR_STA_TX_POWER;
7899 
7900 			if (info->attrs[idx])
7901 				txpwr->power = nla_get_s16(info->attrs[idx]);
7902 			else
7903 				return -EINVAL;
7904 		}
7905 
7906 		*txpwr_set = true;
7907 	} else {
7908 		*txpwr_set = false;
7909 	}
7910 
7911 	return 0;
7912 }
7913 
7914 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7915 {
7916 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7917 	struct net_device *dev = info->user_ptr[1];
7918 	struct station_parameters params;
7919 	u8 *mac_addr;
7920 	int err;
7921 
7922 	memset(&params, 0, sizeof(params));
7923 
7924 	if (!rdev->ops->change_station)
7925 		return -EOPNOTSUPP;
7926 
7927 	/*
7928 	 * AID and listen_interval properties can be set only for unassociated
7929 	 * station. Include these parameters here and will check them in
7930 	 * cfg80211_check_station_change().
7931 	 */
7932 	if (info->attrs[NL80211_ATTR_STA_AID])
7933 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7934 
7935 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7936 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7937 
7938 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7939 		params.listen_interval =
7940 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7941 	else
7942 		params.listen_interval = -1;
7943 
7944 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7945 		params.support_p2p_ps =
7946 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7947 	else
7948 		params.support_p2p_ps = -1;
7949 
7950 	if (!info->attrs[NL80211_ATTR_MAC])
7951 		return -EINVAL;
7952 
7953 	params.link_sta_params.link_id =
7954 		nl80211_link_id_or_invalid(info->attrs);
7955 
7956 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7957 		/* If MLD_ADDR attribute is set then this is an MLD station
7958 		 * and the MLD_ADDR attribute holds the MLD address and the
7959 		 * MAC attribute holds for the LINK address.
7960 		 * In that case, the link_id is also expected to be valid.
7961 		 */
7962 		if (params.link_sta_params.link_id < 0)
7963 			return -EINVAL;
7964 
7965 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7966 		params.link_sta_params.mld_mac = mac_addr;
7967 		params.link_sta_params.link_mac =
7968 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7969 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7970 			return -EINVAL;
7971 	} else {
7972 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7973 	}
7974 
7975 
7976 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7977 		params.link_sta_params.supported_rates =
7978 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7979 		params.link_sta_params.supported_rates_len =
7980 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7981 	}
7982 
7983 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7984 		params.capability =
7985 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7986 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7987 	}
7988 
7989 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7990 		params.ext_capab =
7991 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7992 		params.ext_capab_len =
7993 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7994 	}
7995 
7996 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7997 		return -EINVAL;
7998 
7999 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8000 		params.plink_action =
8001 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8002 
8003 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8004 		params.plink_state =
8005 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8006 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8007 			params.peer_aid = nla_get_u16(
8008 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8009 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8010 	}
8011 
8012 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8013 		params.local_pm = nla_get_u32(
8014 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8015 
8016 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8017 		params.link_sta_params.opmode_notif_used = true;
8018 		params.link_sta_params.opmode_notif =
8019 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8020 	}
8021 
8022 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8023 		params.link_sta_params.he_6ghz_capa =
8024 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8025 
8026 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8027 		params.eml_cap_present = true;
8028 		params.eml_cap =
8029 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8030 	}
8031 
8032 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8033 		params.airtime_weight =
8034 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8035 
8036 	if (params.airtime_weight &&
8037 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8038 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8039 		return -EOPNOTSUPP;
8040 
8041 	err = nl80211_parse_sta_txpower_setting(info,
8042 						&params.link_sta_params.txpwr,
8043 						&params.link_sta_params.txpwr_set);
8044 	if (err)
8045 		return err;
8046 
8047 	/* Include parameters for TDLS peer (will check later) */
8048 	err = nl80211_set_station_tdls(info, &params);
8049 	if (err)
8050 		return err;
8051 
8052 	params.vlan = get_vlan(info, rdev);
8053 	if (IS_ERR(params.vlan))
8054 		return PTR_ERR(params.vlan);
8055 
8056 	switch (dev->ieee80211_ptr->iftype) {
8057 	case NL80211_IFTYPE_AP:
8058 	case NL80211_IFTYPE_AP_VLAN:
8059 	case NL80211_IFTYPE_P2P_GO:
8060 	case NL80211_IFTYPE_P2P_CLIENT:
8061 	case NL80211_IFTYPE_STATION:
8062 	case NL80211_IFTYPE_ADHOC:
8063 	case NL80211_IFTYPE_MESH_POINT:
8064 		break;
8065 	default:
8066 		err = -EOPNOTSUPP;
8067 		goto out_put_vlan;
8068 	}
8069 
8070 	/* driver will call cfg80211_check_station_change() */
8071 	err = rdev_change_station(rdev, dev, mac_addr, &params);
8072 
8073  out_put_vlan:
8074 	dev_put(params.vlan);
8075 
8076 	return err;
8077 }
8078 
8079 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8080 {
8081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8082 	int err;
8083 	struct net_device *dev = info->user_ptr[1];
8084 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8085 	struct station_parameters params;
8086 	u8 *mac_addr = NULL;
8087 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8088 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8089 
8090 	memset(&params, 0, sizeof(params));
8091 
8092 	if (!rdev->ops->add_station)
8093 		return -EOPNOTSUPP;
8094 
8095 	if (!info->attrs[NL80211_ATTR_MAC])
8096 		return -EINVAL;
8097 
8098 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8099 		return -EINVAL;
8100 
8101 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8102 		return -EINVAL;
8103 
8104 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
8105 	    !info->attrs[NL80211_ATTR_PEER_AID])
8106 		return -EINVAL;
8107 
8108 	params.link_sta_params.link_id =
8109 		nl80211_link_id_or_invalid(info->attrs);
8110 
8111 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8112 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8113 		params.link_sta_params.mld_mac = mac_addr;
8114 		params.link_sta_params.link_mac =
8115 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8116 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8117 			return -EINVAL;
8118 	} else {
8119 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8120 	}
8121 
8122 	params.link_sta_params.supported_rates =
8123 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8124 	params.link_sta_params.supported_rates_len =
8125 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8126 	params.listen_interval =
8127 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8128 
8129 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8130 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8131 
8132 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8133 		params.support_p2p_ps =
8134 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8135 	} else {
8136 		/*
8137 		 * if not specified, assume it's supported for P2P GO interface,
8138 		 * and is NOT supported for AP interface
8139 		 */
8140 		params.support_p2p_ps =
8141 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
8142 	}
8143 
8144 	if (info->attrs[NL80211_ATTR_PEER_AID])
8145 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8146 	else
8147 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8148 
8149 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8150 		params.capability =
8151 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8152 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8153 	}
8154 
8155 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8156 		params.ext_capab =
8157 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8158 		params.ext_capab_len =
8159 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8160 	}
8161 
8162 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8163 		params.link_sta_params.ht_capa =
8164 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8165 
8166 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8167 		params.link_sta_params.vht_capa =
8168 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8169 
8170 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8171 		params.link_sta_params.he_capa =
8172 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8173 		params.link_sta_params.he_capa_len =
8174 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8175 
8176 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8177 			params.link_sta_params.eht_capa =
8178 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8179 			params.link_sta_params.eht_capa_len =
8180 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8181 
8182 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8183 							(const u8 *)params.link_sta_params.eht_capa,
8184 							params.link_sta_params.eht_capa_len,
8185 							false))
8186 				return -EINVAL;
8187 		}
8188 	}
8189 
8190 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8191 		params.eml_cap_present = true;
8192 		params.eml_cap =
8193 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8194 	}
8195 
8196 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8197 		params.link_sta_params.he_6ghz_capa =
8198 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8199 
8200 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8201 		params.link_sta_params.s1g_capa =
8202 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8203 
8204 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8205 		params.link_sta_params.opmode_notif_used = true;
8206 		params.link_sta_params.opmode_notif =
8207 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8208 	}
8209 
8210 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8211 		params.plink_action =
8212 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8213 
8214 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8215 		params.airtime_weight =
8216 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8217 
8218 	if (params.airtime_weight &&
8219 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8220 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8221 		return -EOPNOTSUPP;
8222 
8223 	err = nl80211_parse_sta_txpower_setting(info,
8224 						&params.link_sta_params.txpwr,
8225 						&params.link_sta_params.txpwr_set);
8226 	if (err)
8227 		return err;
8228 
8229 	err = nl80211_parse_sta_channel_info(info, &params);
8230 	if (err)
8231 		return err;
8232 
8233 	err = nl80211_parse_sta_wme(info, &params);
8234 	if (err)
8235 		return err;
8236 
8237 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8238 		return -EINVAL;
8239 
8240 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
8241 	 * as userspace might just pass through the capabilities from the IEs
8242 	 * directly, rather than enforcing this restriction and returning an
8243 	 * error in this case.
8244 	 */
8245 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
8246 		params.link_sta_params.ht_capa = NULL;
8247 		params.link_sta_params.vht_capa = NULL;
8248 
8249 		/* HE and EHT require WME */
8250 		if (params.link_sta_params.he_capa_len ||
8251 		    params.link_sta_params.he_6ghz_capa ||
8252 		    params.link_sta_params.eht_capa_len)
8253 			return -EINVAL;
8254 	}
8255 
8256 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
8257 	if (params.link_sta_params.he_6ghz_capa &&
8258 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
8259 		return -EINVAL;
8260 
8261 	/* When you run into this, adjust the code below for the new flag */
8262 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8263 
8264 	switch (dev->ieee80211_ptr->iftype) {
8265 	case NL80211_IFTYPE_AP:
8266 	case NL80211_IFTYPE_AP_VLAN:
8267 	case NL80211_IFTYPE_P2P_GO:
8268 		/* ignore WME attributes if iface/sta is not capable */
8269 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
8270 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
8271 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8272 
8273 		/* TDLS peers cannot be added */
8274 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8275 		    info->attrs[NL80211_ATTR_PEER_AID])
8276 			return -EINVAL;
8277 		/* but don't bother the driver with it */
8278 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8279 
8280 		/* allow authenticated/associated only if driver handles it */
8281 		if (!(rdev->wiphy.features &
8282 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8283 		    params.sta_flags_mask & auth_assoc)
8284 			return -EINVAL;
8285 
8286 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8287 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
8288 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8289 			return -EINVAL;
8290 
8291 		/* Older userspace, or userspace wanting to be compatible with
8292 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
8293 		 * and assoc flags in the mask, but assumes the station will be
8294 		 * added as associated anyway since this was the required driver
8295 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
8296 		 * introduced.
8297 		 * In order to not bother drivers with this quirk in the API
8298 		 * set the flags in both the mask and set for new stations in
8299 		 * this case.
8300 		 */
8301 		if (!(params.sta_flags_mask & auth_assoc)) {
8302 			params.sta_flags_mask |= auth_assoc;
8303 			params.sta_flags_set |= auth_assoc;
8304 		}
8305 
8306 		/* must be last in here for error handling */
8307 		params.vlan = get_vlan(info, rdev);
8308 		if (IS_ERR(params.vlan))
8309 			return PTR_ERR(params.vlan);
8310 		break;
8311 	case NL80211_IFTYPE_MESH_POINT:
8312 		/* ignore uAPSD data */
8313 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8314 
8315 		/* associated is disallowed */
8316 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
8317 			return -EINVAL;
8318 		/* TDLS peers cannot be added */
8319 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8320 		    info->attrs[NL80211_ATTR_PEER_AID])
8321 			return -EINVAL;
8322 		break;
8323 	case NL80211_IFTYPE_STATION:
8324 	case NL80211_IFTYPE_P2P_CLIENT:
8325 		/* ignore uAPSD data */
8326 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8327 
8328 		/* these are disallowed */
8329 		if (params.sta_flags_mask &
8330 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
8331 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
8332 			return -EINVAL;
8333 		/* Only TDLS peers can be added */
8334 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8335 			return -EINVAL;
8336 		/* Can only add if TDLS ... */
8337 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
8338 			return -EOPNOTSUPP;
8339 		/* ... with external setup is supported */
8340 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
8341 			return -EOPNOTSUPP;
8342 		/*
8343 		 * Older wpa_supplicant versions always mark the TDLS peer
8344 		 * as authorized, but it shouldn't yet be.
8345 		 */
8346 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
8347 		break;
8348 	default:
8349 		return -EOPNOTSUPP;
8350 	}
8351 
8352 	/* be aware of params.vlan when changing code here */
8353 
8354 	if (wdev->valid_links) {
8355 		if (params.link_sta_params.link_id < 0) {
8356 			err = -EINVAL;
8357 			goto out;
8358 		}
8359 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
8360 			err = -ENOLINK;
8361 			goto out;
8362 		}
8363 	} else {
8364 		if (params.link_sta_params.link_id >= 0) {
8365 			err = -EINVAL;
8366 			goto out;
8367 		}
8368 	}
8369 	err = rdev_add_station(rdev, dev, mac_addr, &params);
8370 out:
8371 	dev_put(params.vlan);
8372 	return err;
8373 }
8374 
8375 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
8376 {
8377 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8378 	struct net_device *dev = info->user_ptr[1];
8379 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8380 	struct station_del_parameters params;
8381 	int link_id = nl80211_link_id_or_invalid(info->attrs);
8382 
8383 	memset(&params, 0, sizeof(params));
8384 
8385 	if (info->attrs[NL80211_ATTR_MAC])
8386 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
8387 
8388 	switch (wdev->iftype) {
8389 	case NL80211_IFTYPE_AP:
8390 	case NL80211_IFTYPE_AP_VLAN:
8391 	case NL80211_IFTYPE_MESH_POINT:
8392 	case NL80211_IFTYPE_P2P_GO:
8393 		/* always accept these */
8394 		break;
8395 	case NL80211_IFTYPE_ADHOC:
8396 		/* conditionally accept */
8397 		if (wiphy_ext_feature_isset(&rdev->wiphy,
8398 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
8399 			break;
8400 		return -EINVAL;
8401 	default:
8402 		return -EINVAL;
8403 	}
8404 
8405 	if (!rdev->ops->del_station)
8406 		return -EOPNOTSUPP;
8407 
8408 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
8409 		params.subtype =
8410 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
8411 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
8412 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
8413 			return -EINVAL;
8414 	} else {
8415 		/* Default to Deauthentication frame */
8416 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
8417 	}
8418 
8419 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
8420 		params.reason_code =
8421 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8422 		if (params.reason_code == 0)
8423 			return -EINVAL; /* 0 is reserved */
8424 	} else {
8425 		/* Default to reason code 2 */
8426 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
8427 	}
8428 
8429 	/* Link ID not expected in case of non-ML operation */
8430 	if (!wdev->valid_links && link_id != -1)
8431 		return -EINVAL;
8432 
8433 	/* If given, a valid link ID should be passed during MLO */
8434 	if (wdev->valid_links && link_id >= 0 &&
8435 	    !(wdev->valid_links & BIT(link_id)))
8436 		return -EINVAL;
8437 
8438 	params.link_id = link_id;
8439 
8440 	return rdev_del_station(rdev, dev, &params);
8441 }
8442 
8443 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
8444 				int flags, struct net_device *dev,
8445 				u8 *dst, u8 *next_hop,
8446 				struct mpath_info *pinfo)
8447 {
8448 	void *hdr;
8449 	struct nlattr *pinfoattr;
8450 
8451 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
8452 	if (!hdr)
8453 		return -1;
8454 
8455 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8456 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
8457 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
8458 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
8459 		goto nla_put_failure;
8460 
8461 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
8462 	if (!pinfoattr)
8463 		goto nla_put_failure;
8464 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
8465 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
8466 			pinfo->frame_qlen))
8467 		goto nla_put_failure;
8468 	if (((pinfo->filled & MPATH_INFO_SN) &&
8469 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
8470 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
8471 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
8472 			 pinfo->metric)) ||
8473 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
8474 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
8475 			 pinfo->exptime)) ||
8476 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
8477 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
8478 			pinfo->flags)) ||
8479 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
8480 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
8481 			 pinfo->discovery_timeout)) ||
8482 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
8483 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
8484 			pinfo->discovery_retries)) ||
8485 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
8486 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
8487 			pinfo->hop_count)) ||
8488 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
8489 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
8490 			 pinfo->path_change_count)))
8491 		goto nla_put_failure;
8492 
8493 	nla_nest_end(msg, pinfoattr);
8494 
8495 	genlmsg_end(msg, hdr);
8496 	return 0;
8497 
8498  nla_put_failure:
8499 	genlmsg_cancel(msg, hdr);
8500 	return -EMSGSIZE;
8501 }
8502 
8503 static int nl80211_dump_mpath(struct sk_buff *skb,
8504 			      struct netlink_callback *cb)
8505 {
8506 	struct mpath_info pinfo;
8507 	struct cfg80211_registered_device *rdev;
8508 	struct wireless_dev *wdev;
8509 	u8 dst[ETH_ALEN];
8510 	u8 next_hop[ETH_ALEN];
8511 	int path_idx = cb->args[2];
8512 	int err;
8513 
8514 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8515 	if (err)
8516 		return err;
8517 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8518 	__acquire(&rdev->wiphy.mtx);
8519 
8520 	if (!rdev->ops->dump_mpath) {
8521 		err = -EOPNOTSUPP;
8522 		goto out_err;
8523 	}
8524 
8525 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8526 		err = -EOPNOTSUPP;
8527 		goto out_err;
8528 	}
8529 
8530 	while (1) {
8531 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
8532 				      next_hop, &pinfo);
8533 		if (err == -ENOENT)
8534 			break;
8535 		if (err)
8536 			goto out_err;
8537 
8538 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8539 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8540 				       wdev->netdev, dst, next_hop,
8541 				       &pinfo) < 0)
8542 			goto out;
8543 
8544 		path_idx++;
8545 	}
8546 
8547  out:
8548 	cb->args[2] = path_idx;
8549 	err = skb->len;
8550  out_err:
8551 	wiphy_unlock(&rdev->wiphy);
8552 	return err;
8553 }
8554 
8555 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
8556 {
8557 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8558 	int err;
8559 	struct net_device *dev = info->user_ptr[1];
8560 	struct mpath_info pinfo;
8561 	struct sk_buff *msg;
8562 	u8 *dst = NULL;
8563 	u8 next_hop[ETH_ALEN];
8564 
8565 	memset(&pinfo, 0, sizeof(pinfo));
8566 
8567 	if (!info->attrs[NL80211_ATTR_MAC])
8568 		return -EINVAL;
8569 
8570 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8571 
8572 	if (!rdev->ops->get_mpath)
8573 		return -EOPNOTSUPP;
8574 
8575 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8576 		return -EOPNOTSUPP;
8577 
8578 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
8579 	if (err)
8580 		return err;
8581 
8582 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8583 	if (!msg)
8584 		return -ENOMEM;
8585 
8586 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8587 				 dev, dst, next_hop, &pinfo) < 0) {
8588 		nlmsg_free(msg);
8589 		return -ENOBUFS;
8590 	}
8591 
8592 	return genlmsg_reply(msg, info);
8593 }
8594 
8595 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8596 {
8597 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8598 	struct net_device *dev = info->user_ptr[1];
8599 	u8 *dst = NULL;
8600 	u8 *next_hop = NULL;
8601 
8602 	if (!info->attrs[NL80211_ATTR_MAC])
8603 		return -EINVAL;
8604 
8605 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8606 		return -EINVAL;
8607 
8608 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8609 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8610 
8611 	if (!rdev->ops->change_mpath)
8612 		return -EOPNOTSUPP;
8613 
8614 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8615 		return -EOPNOTSUPP;
8616 
8617 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8618 }
8619 
8620 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8621 {
8622 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8623 	struct net_device *dev = info->user_ptr[1];
8624 	u8 *dst = NULL;
8625 	u8 *next_hop = NULL;
8626 
8627 	if (!info->attrs[NL80211_ATTR_MAC])
8628 		return -EINVAL;
8629 
8630 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8631 		return -EINVAL;
8632 
8633 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8634 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8635 
8636 	if (!rdev->ops->add_mpath)
8637 		return -EOPNOTSUPP;
8638 
8639 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8640 		return -EOPNOTSUPP;
8641 
8642 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8643 }
8644 
8645 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8646 {
8647 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8648 	struct net_device *dev = info->user_ptr[1];
8649 	u8 *dst = NULL;
8650 
8651 	if (info->attrs[NL80211_ATTR_MAC])
8652 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8653 
8654 	if (!rdev->ops->del_mpath)
8655 		return -EOPNOTSUPP;
8656 
8657 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8658 		return -EOPNOTSUPP;
8659 
8660 	return rdev_del_mpath(rdev, dev, dst);
8661 }
8662 
8663 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8664 {
8665 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8666 	int err;
8667 	struct net_device *dev = info->user_ptr[1];
8668 	struct mpath_info pinfo;
8669 	struct sk_buff *msg;
8670 	u8 *dst = NULL;
8671 	u8 mpp[ETH_ALEN];
8672 
8673 	memset(&pinfo, 0, sizeof(pinfo));
8674 
8675 	if (!info->attrs[NL80211_ATTR_MAC])
8676 		return -EINVAL;
8677 
8678 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8679 
8680 	if (!rdev->ops->get_mpp)
8681 		return -EOPNOTSUPP;
8682 
8683 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8684 		return -EOPNOTSUPP;
8685 
8686 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8687 	if (err)
8688 		return err;
8689 
8690 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8691 	if (!msg)
8692 		return -ENOMEM;
8693 
8694 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8695 			       dev, dst, mpp, &pinfo) < 0) {
8696 		nlmsg_free(msg);
8697 		return -ENOBUFS;
8698 	}
8699 
8700 	return genlmsg_reply(msg, info);
8701 }
8702 
8703 static int nl80211_dump_mpp(struct sk_buff *skb,
8704 			    struct netlink_callback *cb)
8705 {
8706 	struct mpath_info pinfo;
8707 	struct cfg80211_registered_device *rdev;
8708 	struct wireless_dev *wdev;
8709 	u8 dst[ETH_ALEN];
8710 	u8 mpp[ETH_ALEN];
8711 	int path_idx = cb->args[2];
8712 	int err;
8713 
8714 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8715 	if (err)
8716 		return err;
8717 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8718 	__acquire(&rdev->wiphy.mtx);
8719 
8720 	if (!rdev->ops->dump_mpp) {
8721 		err = -EOPNOTSUPP;
8722 		goto out_err;
8723 	}
8724 
8725 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8726 		err = -EOPNOTSUPP;
8727 		goto out_err;
8728 	}
8729 
8730 	while (1) {
8731 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8732 				    mpp, &pinfo);
8733 		if (err == -ENOENT)
8734 			break;
8735 		if (err)
8736 			goto out_err;
8737 
8738 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8739 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8740 				       wdev->netdev, dst, mpp,
8741 				       &pinfo) < 0)
8742 			goto out;
8743 
8744 		path_idx++;
8745 	}
8746 
8747  out:
8748 	cb->args[2] = path_idx;
8749 	err = skb->len;
8750  out_err:
8751 	wiphy_unlock(&rdev->wiphy);
8752 	return err;
8753 }
8754 
8755 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8756 {
8757 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8758 	struct net_device *dev = info->user_ptr[1];
8759 	struct bss_parameters params;
8760 
8761 	memset(&params, 0, sizeof(params));
8762 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8763 	/* default to not changing parameters */
8764 	params.use_cts_prot = -1;
8765 	params.use_short_preamble = -1;
8766 	params.use_short_slot_time = -1;
8767 	params.ap_isolate = -1;
8768 	params.ht_opmode = -1;
8769 	params.p2p_ctwindow = -1;
8770 	params.p2p_opp_ps = -1;
8771 
8772 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8773 		params.use_cts_prot =
8774 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8775 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8776 		params.use_short_preamble =
8777 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8778 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8779 		params.use_short_slot_time =
8780 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8781 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8782 		params.basic_rates =
8783 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8784 		params.basic_rates_len =
8785 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8786 	}
8787 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8788 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8789 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8790 		params.ht_opmode =
8791 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8792 
8793 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8794 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8795 			return -EINVAL;
8796 		params.p2p_ctwindow =
8797 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8798 		if (params.p2p_ctwindow != 0 &&
8799 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8800 			return -EINVAL;
8801 	}
8802 
8803 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8804 		u8 tmp;
8805 
8806 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8807 			return -EINVAL;
8808 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8809 		params.p2p_opp_ps = tmp;
8810 		if (params.p2p_opp_ps &&
8811 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8812 			return -EINVAL;
8813 	}
8814 
8815 	if (!rdev->ops->change_bss)
8816 		return -EOPNOTSUPP;
8817 
8818 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8819 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8820 		return -EOPNOTSUPP;
8821 
8822 	return rdev_change_bss(rdev, dev, &params);
8823 }
8824 
8825 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8826 {
8827 	char *data = NULL;
8828 	bool is_indoor;
8829 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8830 	u32 owner_nlportid;
8831 
8832 	/*
8833 	 * You should only get this when cfg80211 hasn't yet initialized
8834 	 * completely when built-in to the kernel right between the time
8835 	 * window between nl80211_init() and regulatory_init(), if that is
8836 	 * even possible.
8837 	 */
8838 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8839 		return -EINPROGRESS;
8840 
8841 	user_reg_hint_type =
8842 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
8843 				    NL80211_USER_REG_HINT_USER);
8844 
8845 	switch (user_reg_hint_type) {
8846 	case NL80211_USER_REG_HINT_USER:
8847 	case NL80211_USER_REG_HINT_CELL_BASE:
8848 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8849 			return -EINVAL;
8850 
8851 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8852 		return regulatory_hint_user(data, user_reg_hint_type);
8853 	case NL80211_USER_REG_HINT_INDOOR:
8854 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8855 			owner_nlportid = info->snd_portid;
8856 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8857 		} else {
8858 			owner_nlportid = 0;
8859 			is_indoor = true;
8860 		}
8861 
8862 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8863 		return 0;
8864 	default:
8865 		return -EINVAL;
8866 	}
8867 }
8868 
8869 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8870 {
8871 	return reg_reload_regdb();
8872 }
8873 
8874 static int nl80211_get_mesh_config(struct sk_buff *skb,
8875 				   struct genl_info *info)
8876 {
8877 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8878 	struct net_device *dev = info->user_ptr[1];
8879 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8880 	struct mesh_config cur_params;
8881 	int err = 0;
8882 	void *hdr;
8883 	struct nlattr *pinfoattr;
8884 	struct sk_buff *msg;
8885 
8886 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8887 		return -EOPNOTSUPP;
8888 
8889 	if (!rdev->ops->get_mesh_config)
8890 		return -EOPNOTSUPP;
8891 
8892 	/* If not connected, get default parameters */
8893 	if (!wdev->u.mesh.id_len)
8894 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8895 	else
8896 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8897 
8898 	if (err)
8899 		return err;
8900 
8901 	/* Draw up a netlink message to send back */
8902 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8903 	if (!msg)
8904 		return -ENOMEM;
8905 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8906 			     NL80211_CMD_GET_MESH_CONFIG);
8907 	if (!hdr)
8908 		goto out;
8909 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8910 	if (!pinfoattr)
8911 		goto nla_put_failure;
8912 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8913 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8914 			cur_params.dot11MeshRetryTimeout) ||
8915 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8916 			cur_params.dot11MeshConfirmTimeout) ||
8917 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8918 			cur_params.dot11MeshHoldingTimeout) ||
8919 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8920 			cur_params.dot11MeshMaxPeerLinks) ||
8921 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8922 		       cur_params.dot11MeshMaxRetries) ||
8923 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8924 		       cur_params.dot11MeshTTL) ||
8925 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8926 		       cur_params.element_ttl) ||
8927 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8928 		       cur_params.auto_open_plinks) ||
8929 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8930 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8931 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8932 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8933 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8934 			cur_params.path_refresh_time) ||
8935 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8936 			cur_params.min_discovery_timeout) ||
8937 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8938 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8939 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8940 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8941 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8942 			cur_params.dot11MeshHWMPperrMinInterval) ||
8943 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8944 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8945 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8946 		       cur_params.dot11MeshHWMPRootMode) ||
8947 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8948 			cur_params.dot11MeshHWMPRannInterval) ||
8949 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8950 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8951 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8952 		       cur_params.dot11MeshForwarding) ||
8953 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8954 			cur_params.rssi_threshold) ||
8955 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8956 			cur_params.ht_opmode) ||
8957 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8958 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8959 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8960 			cur_params.dot11MeshHWMProotInterval) ||
8961 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8962 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8963 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8964 			cur_params.power_mode) ||
8965 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8966 			cur_params.dot11MeshAwakeWindowDuration) ||
8967 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8968 			cur_params.plink_timeout) ||
8969 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8970 		       cur_params.dot11MeshConnectedToMeshGate) ||
8971 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8972 		       cur_params.dot11MeshNolearn) ||
8973 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8974 		       cur_params.dot11MeshConnectedToAuthServer))
8975 		goto nla_put_failure;
8976 	nla_nest_end(msg, pinfoattr);
8977 	genlmsg_end(msg, hdr);
8978 	return genlmsg_reply(msg, info);
8979 
8980  nla_put_failure:
8981  out:
8982 	nlmsg_free(msg);
8983 	return -ENOBUFS;
8984 }
8985 
8986 static const struct nla_policy
8987 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8988 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8989 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8990 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8991 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8992 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8993 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8994 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8995 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8996 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8997 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8998 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8999 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9000 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9001 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9002 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9003 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9004 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9005 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9006 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9007 		NLA_POLICY_MIN(NLA_U16, 1),
9008 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9009 		NLA_POLICY_MIN(NLA_U16, 1),
9010 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9011 		NLA_POLICY_MIN(NLA_U16, 1),
9012 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9013 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9014 		NLA_POLICY_MIN(NLA_U16, 1),
9015 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9016 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9017 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9018 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9019 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9020 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9021 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9022 		NLA_POLICY_MIN(NLA_U16, 1),
9023 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9024 		NLA_POLICY_MIN(NLA_U16, 1),
9025 	[NL80211_MESHCONF_POWER_MODE] =
9026 		NLA_POLICY_RANGE(NLA_U32,
9027 				 NL80211_MESH_POWER_ACTIVE,
9028 				 NL80211_MESH_POWER_MAX),
9029 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9030 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9031 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9032 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9033 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9034 };
9035 
9036 static const struct nla_policy
9037 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9038 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9039 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9040 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9041 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9042 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9043 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9044 	[NL80211_MESH_SETUP_IE] =
9045 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9046 				       IEEE80211_MAX_DATA_LEN),
9047 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9048 };
9049 
9050 static int nl80211_parse_mesh_config(struct genl_info *info,
9051 				     struct mesh_config *cfg,
9052 				     u32 *mask_out)
9053 {
9054 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9055 	u32 mask = 0;
9056 	u16 ht_opmode;
9057 
9058 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9059 do {									\
9060 	if (tb[attr]) {							\
9061 		cfg->param = fn(tb[attr]);				\
9062 		mask |= BIT((attr) - 1);				\
9063 	}								\
9064 } while (0)
9065 
9066 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9067 		return -EINVAL;
9068 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9069 		return -EINVAL;
9070 
9071 	/* This makes sure that there aren't more than 32 mesh config
9072 	 * parameters (otherwise our bitfield scheme would not work.) */
9073 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9074 
9075 	/* Fill in the params struct */
9076 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9077 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9078 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9079 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9080 				  nla_get_u16);
9081 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9082 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9083 				  nla_get_u16);
9084 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9085 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9086 				  nla_get_u16);
9087 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9088 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9089 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9090 				  NL80211_MESHCONF_TTL, nla_get_u8);
9091 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9092 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9093 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9094 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9095 				  nla_get_u8);
9096 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9097 				  mask,
9098 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9099 				  nla_get_u32);
9100 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9101 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9102 				  nla_get_u8);
9103 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9104 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9105 				  nla_get_u32);
9106 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9107 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9108 		return -EINVAL;
9109 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9110 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9111 				  nla_get_u16);
9112 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9113 				  mask,
9114 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9115 				  nla_get_u32);
9116 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9117 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9118 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9119 		return -EINVAL;
9120 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
9121 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9122 				  nla_get_u16);
9123 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
9124 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9125 				  nla_get_u16);
9126 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9127 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
9128 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9129 				  nla_get_u16);
9130 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
9131 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
9132 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
9133 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9134 				  nla_get_u16);
9135 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
9136 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9137 				  nla_get_u8);
9138 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
9139 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
9140 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
9141 				  NL80211_MESHCONF_RSSI_THRESHOLD,
9142 				  nla_get_s32);
9143 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
9144 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
9145 				  nla_get_u8);
9146 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
9147 				  NL80211_MESHCONF_CONNECTED_TO_AS,
9148 				  nla_get_u8);
9149 	/*
9150 	 * Check HT operation mode based on
9151 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
9152 	 */
9153 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
9154 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
9155 
9156 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
9157 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
9158 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
9159 			return -EINVAL;
9160 
9161 		/* NON_HT_STA bit is reserved, but some programs set it */
9162 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
9163 
9164 		cfg->ht_opmode = ht_opmode;
9165 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
9166 	}
9167 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9168 				  dot11MeshHWMPactivePathToRootTimeout, mask,
9169 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9170 				  nla_get_u32);
9171 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
9172 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
9173 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
9174 		return -EINVAL;
9175 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
9176 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9177 				  nla_get_u16);
9178 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
9179 				  mask,
9180 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9181 				  nla_get_u16);
9182 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
9183 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
9184 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
9185 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
9186 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
9187 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
9188 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
9189 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
9190 	if (mask_out)
9191 		*mask_out = mask;
9192 
9193 	return 0;
9194 
9195 #undef FILL_IN_MESH_PARAM_IF_SET
9196 }
9197 
9198 static int nl80211_parse_mesh_setup(struct genl_info *info,
9199 				     struct mesh_setup *setup)
9200 {
9201 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9202 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
9203 
9204 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
9205 		return -EINVAL;
9206 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
9207 		return -EINVAL;
9208 
9209 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
9210 		setup->sync_method =
9211 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
9212 		 IEEE80211_SYNC_METHOD_VENDOR :
9213 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
9214 
9215 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
9216 		setup->path_sel_proto =
9217 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
9218 		 IEEE80211_PATH_PROTOCOL_VENDOR :
9219 		 IEEE80211_PATH_PROTOCOL_HWMP;
9220 
9221 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
9222 		setup->path_metric =
9223 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
9224 		 IEEE80211_PATH_METRIC_VENDOR :
9225 		 IEEE80211_PATH_METRIC_AIRTIME;
9226 
9227 	if (tb[NL80211_MESH_SETUP_IE]) {
9228 		struct nlattr *ieattr =
9229 			tb[NL80211_MESH_SETUP_IE];
9230 		setup->ie = nla_data(ieattr);
9231 		setup->ie_len = nla_len(ieattr);
9232 	}
9233 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
9234 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
9235 		return -EINVAL;
9236 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
9237 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
9238 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
9239 	if (setup->is_secure)
9240 		setup->user_mpm = true;
9241 
9242 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
9243 		if (!setup->user_mpm)
9244 			return -EINVAL;
9245 		setup->auth_id =
9246 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
9247 	}
9248 
9249 	return 0;
9250 }
9251 
9252 static int nl80211_update_mesh_config(struct sk_buff *skb,
9253 				      struct genl_info *info)
9254 {
9255 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9256 	struct net_device *dev = info->user_ptr[1];
9257 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9258 	struct mesh_config cfg = {};
9259 	u32 mask;
9260 	int err;
9261 
9262 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9263 		return -EOPNOTSUPP;
9264 
9265 	if (!rdev->ops->update_mesh_config)
9266 		return -EOPNOTSUPP;
9267 
9268 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
9269 	if (err)
9270 		return err;
9271 
9272 	if (!wdev->u.mesh.id_len)
9273 		err = -ENOLINK;
9274 
9275 	if (!err)
9276 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
9277 
9278 	return err;
9279 }
9280 
9281 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
9282 			      struct sk_buff *msg)
9283 {
9284 	struct nlattr *nl_reg_rules;
9285 	unsigned int i;
9286 
9287 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
9288 	    (regdom->dfs_region &&
9289 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
9290 		goto nla_put_failure;
9291 
9292 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
9293 	if (!nl_reg_rules)
9294 		goto nla_put_failure;
9295 
9296 	for (i = 0; i < regdom->n_reg_rules; i++) {
9297 		struct nlattr *nl_reg_rule;
9298 		const struct ieee80211_reg_rule *reg_rule;
9299 		const struct ieee80211_freq_range *freq_range;
9300 		const struct ieee80211_power_rule *power_rule;
9301 		unsigned int max_bandwidth_khz;
9302 
9303 		reg_rule = &regdom->reg_rules[i];
9304 		freq_range = &reg_rule->freq_range;
9305 		power_rule = &reg_rule->power_rule;
9306 
9307 		nl_reg_rule = nla_nest_start_noflag(msg, i);
9308 		if (!nl_reg_rule)
9309 			goto nla_put_failure;
9310 
9311 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
9312 		if (!max_bandwidth_khz)
9313 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
9314 								  reg_rule);
9315 
9316 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
9317 				reg_rule->flags) ||
9318 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
9319 				freq_range->start_freq_khz) ||
9320 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
9321 				freq_range->end_freq_khz) ||
9322 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
9323 				max_bandwidth_khz) ||
9324 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
9325 				power_rule->max_antenna_gain) ||
9326 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
9327 				power_rule->max_eirp) ||
9328 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
9329 				reg_rule->dfs_cac_ms))
9330 			goto nla_put_failure;
9331 
9332 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
9333 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
9334 			       reg_rule->psd))
9335 			goto nla_put_failure;
9336 
9337 		nla_nest_end(msg, nl_reg_rule);
9338 	}
9339 
9340 	nla_nest_end(msg, nl_reg_rules);
9341 	return 0;
9342 
9343 nla_put_failure:
9344 	return -EMSGSIZE;
9345 }
9346 
9347 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
9348 {
9349 	const struct ieee80211_regdomain *regdom = NULL;
9350 	struct cfg80211_registered_device *rdev;
9351 	struct wiphy *wiphy = NULL;
9352 	struct sk_buff *msg;
9353 	int err = -EMSGSIZE;
9354 	void *hdr;
9355 
9356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9357 	if (!msg)
9358 		return -ENOBUFS;
9359 
9360 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9361 			     NL80211_CMD_GET_REG);
9362 	if (!hdr)
9363 		goto put_failure;
9364 
9365 	rtnl_lock();
9366 
9367 	if (info->attrs[NL80211_ATTR_WIPHY]) {
9368 		bool self_managed;
9369 
9370 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9371 		if (IS_ERR(rdev)) {
9372 			err = PTR_ERR(rdev);
9373 			goto nla_put_failure;
9374 		}
9375 
9376 		wiphy = &rdev->wiphy;
9377 		self_managed = wiphy->regulatory_flags &
9378 			       REGULATORY_WIPHY_SELF_MANAGED;
9379 
9380 		rcu_read_lock();
9381 
9382 		regdom = get_wiphy_regdom(wiphy);
9383 
9384 		/* a self-managed-reg device must have a private regdom */
9385 		if (WARN_ON(!regdom && self_managed)) {
9386 			err = -EINVAL;
9387 			goto nla_put_failure_rcu;
9388 		}
9389 
9390 		if (regdom &&
9391 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9392 			goto nla_put_failure_rcu;
9393 	} else {
9394 		rcu_read_lock();
9395 	}
9396 
9397 	if (!wiphy && reg_last_request_cell_base() &&
9398 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9399 			NL80211_USER_REG_HINT_CELL_BASE))
9400 		goto nla_put_failure_rcu;
9401 
9402 	if (!regdom)
9403 		regdom = rcu_dereference(cfg80211_regdomain);
9404 
9405 	if (nl80211_put_regdom(regdom, msg))
9406 		goto nla_put_failure_rcu;
9407 
9408 	rcu_read_unlock();
9409 
9410 	genlmsg_end(msg, hdr);
9411 	rtnl_unlock();
9412 	return genlmsg_reply(msg, info);
9413 
9414 nla_put_failure_rcu:
9415 	rcu_read_unlock();
9416 nla_put_failure:
9417 	rtnl_unlock();
9418 put_failure:
9419 	nlmsg_free(msg);
9420 	return err;
9421 }
9422 
9423 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
9424 			       u32 seq, int flags, struct wiphy *wiphy,
9425 			       const struct ieee80211_regdomain *regdom)
9426 {
9427 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9428 				   NL80211_CMD_GET_REG);
9429 
9430 	if (!hdr)
9431 		return -1;
9432 
9433 	genl_dump_check_consistent(cb, hdr);
9434 
9435 	if (nl80211_put_regdom(regdom, msg))
9436 		goto nla_put_failure;
9437 
9438 	if (!wiphy && reg_last_request_cell_base() &&
9439 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9440 			NL80211_USER_REG_HINT_CELL_BASE))
9441 		goto nla_put_failure;
9442 
9443 	if (wiphy &&
9444 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9445 		goto nla_put_failure;
9446 
9447 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
9448 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
9449 		goto nla_put_failure;
9450 
9451 	genlmsg_end(msg, hdr);
9452 	return 0;
9453 
9454 nla_put_failure:
9455 	genlmsg_cancel(msg, hdr);
9456 	return -EMSGSIZE;
9457 }
9458 
9459 static int nl80211_get_reg_dump(struct sk_buff *skb,
9460 				struct netlink_callback *cb)
9461 {
9462 	const struct ieee80211_regdomain *regdom = NULL;
9463 	struct cfg80211_registered_device *rdev;
9464 	int err, reg_idx, start = cb->args[2];
9465 
9466 	rcu_read_lock();
9467 
9468 	if (cfg80211_regdomain && start == 0) {
9469 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
9470 					  NLM_F_MULTI, NULL,
9471 					  rcu_dereference(cfg80211_regdomain));
9472 		if (err < 0)
9473 			goto out_err;
9474 	}
9475 
9476 	/* the global regdom is idx 0 */
9477 	reg_idx = 1;
9478 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
9479 		regdom = get_wiphy_regdom(&rdev->wiphy);
9480 		if (!regdom)
9481 			continue;
9482 
9483 		if (++reg_idx <= start)
9484 			continue;
9485 
9486 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
9487 					  NLM_F_MULTI, &rdev->wiphy, regdom);
9488 		if (err < 0) {
9489 			reg_idx--;
9490 			break;
9491 		}
9492 	}
9493 
9494 	cb->args[2] = reg_idx;
9495 	err = skb->len;
9496 out_err:
9497 	rcu_read_unlock();
9498 	return err;
9499 }
9500 
9501 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
9502 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
9503 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
9504 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
9505 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
9506 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
9507 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
9508 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
9509 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
9510 };
9511 
9512 static int parse_reg_rule(struct nlattr *tb[],
9513 	struct ieee80211_reg_rule *reg_rule)
9514 {
9515 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
9516 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
9517 
9518 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
9519 		return -EINVAL;
9520 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
9521 		return -EINVAL;
9522 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
9523 		return -EINVAL;
9524 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
9525 		return -EINVAL;
9526 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
9527 		return -EINVAL;
9528 
9529 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
9530 
9531 	freq_range->start_freq_khz =
9532 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
9533 	freq_range->end_freq_khz =
9534 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
9535 	freq_range->max_bandwidth_khz =
9536 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
9537 
9538 	power_rule->max_eirp =
9539 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
9540 
9541 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
9542 		power_rule->max_antenna_gain =
9543 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
9544 
9545 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
9546 		reg_rule->dfs_cac_ms =
9547 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
9548 
9549 	return 0;
9550 }
9551 
9552 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
9553 {
9554 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
9555 	struct nlattr *nl_reg_rule;
9556 	char *alpha2;
9557 	int rem_reg_rules, r;
9558 	u32 num_rules = 0, rule_idx = 0;
9559 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
9560 	struct ieee80211_regdomain *rd;
9561 
9562 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9563 		return -EINVAL;
9564 
9565 	if (!info->attrs[NL80211_ATTR_REG_RULES])
9566 		return -EINVAL;
9567 
9568 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9569 
9570 	if (info->attrs[NL80211_ATTR_DFS_REGION])
9571 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
9572 
9573 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9574 			    rem_reg_rules) {
9575 		num_rules++;
9576 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
9577 			return -EINVAL;
9578 	}
9579 
9580 	rtnl_lock();
9581 	if (!reg_is_valid_request(alpha2)) {
9582 		r = -EINVAL;
9583 		goto out;
9584 	}
9585 
9586 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
9587 	if (!rd) {
9588 		r = -ENOMEM;
9589 		goto out;
9590 	}
9591 
9592 	rd->n_reg_rules = num_rules;
9593 	rd->alpha2[0] = alpha2[0];
9594 	rd->alpha2[1] = alpha2[1];
9595 
9596 	/*
9597 	 * Disable DFS master mode if the DFS region was
9598 	 * not supported or known on this kernel.
9599 	 */
9600 	if (reg_supported_dfs_region(dfs_region))
9601 		rd->dfs_region = dfs_region;
9602 
9603 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9604 			    rem_reg_rules) {
9605 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9606 						nl_reg_rule, reg_rule_policy,
9607 						info->extack);
9608 		if (r)
9609 			goto bad_reg;
9610 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9611 		if (r)
9612 			goto bad_reg;
9613 
9614 		rule_idx++;
9615 
9616 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9617 			r = -EINVAL;
9618 			goto bad_reg;
9619 		}
9620 	}
9621 
9622 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9623 	/* set_regdom takes ownership of rd */
9624 	rd = NULL;
9625  bad_reg:
9626 	kfree(rd);
9627  out:
9628 	rtnl_unlock();
9629 	return r;
9630 }
9631 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9632 
9633 static int validate_scan_freqs(struct nlattr *freqs)
9634 {
9635 	struct nlattr *attr1, *attr2;
9636 	int n_channels = 0, tmp1, tmp2;
9637 
9638 	nla_for_each_nested(attr1, freqs, tmp1)
9639 		if (nla_len(attr1) != sizeof(u32))
9640 			return 0;
9641 
9642 	nla_for_each_nested(attr1, freqs, tmp1) {
9643 		n_channels++;
9644 		/*
9645 		 * Some hardware has a limited channel list for
9646 		 * scanning, and it is pretty much nonsensical
9647 		 * to scan for a channel twice, so disallow that
9648 		 * and don't require drivers to check that the
9649 		 * channel list they get isn't longer than what
9650 		 * they can scan, as long as they can scan all
9651 		 * the channels they registered at once.
9652 		 */
9653 		nla_for_each_nested(attr2, freqs, tmp2)
9654 			if (attr1 != attr2 &&
9655 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9656 				return 0;
9657 	}
9658 
9659 	return n_channels;
9660 }
9661 
9662 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9663 {
9664 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9665 }
9666 
9667 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9668 			    struct cfg80211_bss_selection *bss_select)
9669 {
9670 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9671 	struct nlattr *nest;
9672 	int err;
9673 	bool found = false;
9674 	int i;
9675 
9676 	/* only process one nested attribute */
9677 	nest = nla_data(nla);
9678 	if (!nla_ok(nest, nla_len(nest)))
9679 		return -EINVAL;
9680 
9681 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9682 					  nest, nl80211_bss_select_policy,
9683 					  NULL);
9684 	if (err)
9685 		return err;
9686 
9687 	/* only one attribute may be given */
9688 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9689 		if (attr[i]) {
9690 			if (found)
9691 				return -EINVAL;
9692 			found = true;
9693 		}
9694 	}
9695 
9696 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9697 
9698 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9699 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9700 
9701 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9702 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9703 		bss_select->param.band_pref =
9704 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9705 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9706 			return -EINVAL;
9707 	}
9708 
9709 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9710 		struct nl80211_bss_select_rssi_adjust *adj_param;
9711 
9712 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9713 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9714 		bss_select->param.adjust.band = adj_param->band;
9715 		bss_select->param.adjust.delta = adj_param->delta;
9716 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9717 			return -EINVAL;
9718 	}
9719 
9720 	/* user-space did not provide behaviour attribute */
9721 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9722 		return -EINVAL;
9723 
9724 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9725 		return -EINVAL;
9726 
9727 	return 0;
9728 }
9729 
9730 int nl80211_parse_random_mac(struct nlattr **attrs,
9731 			     u8 *mac_addr, u8 *mac_addr_mask)
9732 {
9733 	int i;
9734 
9735 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9736 		eth_zero_addr(mac_addr);
9737 		eth_zero_addr(mac_addr_mask);
9738 		mac_addr[0] = 0x2;
9739 		mac_addr_mask[0] = 0x3;
9740 
9741 		return 0;
9742 	}
9743 
9744 	/* need both or none */
9745 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9746 		return -EINVAL;
9747 
9748 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9749 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9750 
9751 	/* don't allow or configure an mcast address */
9752 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9753 	    is_multicast_ether_addr(mac_addr))
9754 		return -EINVAL;
9755 
9756 	/*
9757 	 * allow users to pass a MAC address that has bits set outside
9758 	 * of the mask, but don't bother drivers with having to deal
9759 	 * with such bits
9760 	 */
9761 	for (i = 0; i < ETH_ALEN; i++)
9762 		mac_addr[i] &= mac_addr_mask[i];
9763 
9764 	return 0;
9765 }
9766 
9767 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9768 					      struct ieee80211_channel *chan)
9769 {
9770 	unsigned int link_id;
9771 	bool all_ok = true;
9772 	int radio_idx;
9773 
9774 	lockdep_assert_wiphy(wdev->wiphy);
9775 
9776 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
9777 		return false;
9778 
9779 	if (!cfg80211_beaconing_iface_active(wdev))
9780 		return true;
9781 
9782 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
9783 
9784 	/*
9785 	 * FIXME: check if we have a free radio/link for chan
9786 	 *
9787 	 * This, as well as the FIXME below, requires knowing the link
9788 	 * capabilities of the hardware.
9789 	 */
9790 
9791 	/* we cannot leave radar channels */
9792 	for_each_valid_link(wdev, link_id) {
9793 		struct cfg80211_chan_def *chandef;
9794 		int link_radio_idx;
9795 
9796 		chandef = wdev_chandef(wdev, link_id);
9797 		if (!chandef || !chandef->chan)
9798 			continue;
9799 
9800 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
9801 			continue;
9802 
9803 		/*
9804 		 * chandef->chan is a radar channel. If the radio/link onto
9805 		 * which this radar channel falls is the same radio/link onto
9806 		 * which the input 'chan' falls, off-channel operation should
9807 		 * not be allowed. Hence, set 'all_ok' to false.
9808 		 */
9809 
9810 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
9811 								chandef->chan);
9812 		if (link_radio_idx == radio_idx) {
9813 			all_ok = false;
9814 			break;
9815 		}
9816 	}
9817 
9818 	if (all_ok)
9819 		return true;
9820 
9821 	return regulatory_pre_cac_allowed(wdev->wiphy);
9822 }
9823 
9824 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9825 				    enum nl80211_ext_feature_index feat)
9826 {
9827 	if (!(flags & flag))
9828 		return true;
9829 	if (wiphy_ext_feature_isset(wiphy, feat))
9830 		return true;
9831 	return false;
9832 }
9833 
9834 static int
9835 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9836 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
9837 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
9838 {
9839 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9840 		return 0;
9841 
9842 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9843 
9844 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9845 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9846 	    !nl80211_check_scan_feat(wiphy, *flags,
9847 				     NL80211_SCAN_FLAG_LOW_SPAN,
9848 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9849 	    !nl80211_check_scan_feat(wiphy, *flags,
9850 				     NL80211_SCAN_FLAG_LOW_POWER,
9851 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9852 	    !nl80211_check_scan_feat(wiphy, *flags,
9853 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9854 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9855 	    !nl80211_check_scan_feat(wiphy, *flags,
9856 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9857 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9858 	    !nl80211_check_scan_feat(wiphy, *flags,
9859 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9860 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9861 	    !nl80211_check_scan_feat(wiphy, *flags,
9862 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9863 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9864 	    !nl80211_check_scan_feat(wiphy, *flags,
9865 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9866 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9867 	    !nl80211_check_scan_feat(wiphy, *flags,
9868 				     NL80211_SCAN_FLAG_RANDOM_SN,
9869 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9870 	    !nl80211_check_scan_feat(wiphy, *flags,
9871 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9872 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9873 		return -EOPNOTSUPP;
9874 
9875 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9876 		int err;
9877 
9878 		if (!(wiphy->features & randomness_flag) ||
9879 		    (wdev && wdev->connected))
9880 			return -EOPNOTSUPP;
9881 
9882 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9883 		if (err)
9884 			return err;
9885 	}
9886 
9887 	return 0;
9888 }
9889 
9890 static int
9891 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
9892 			       struct nlattr **attrs,
9893 			       struct cfg80211_sched_scan_request *req)
9894 {
9895 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
9896 					req->mac_addr, req->mac_addr_mask,
9897 					&req->flags,
9898 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9899 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
9900 }
9901 
9902 static int
9903 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
9904 			     struct nlattr **attrs,
9905 			     struct cfg80211_scan_request_int *req)
9906 {
9907 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
9908 					req->req.mac_addr,
9909 					req->req.mac_addr_mask,
9910 					&req->req.flags,
9911 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
9912 }
9913 
9914 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9915 {
9916 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9917 	struct wireless_dev *wdev = info->user_ptr[1];
9918 	struct cfg80211_scan_request_int *request;
9919 	struct nlattr *scan_freqs = NULL;
9920 	bool scan_freqs_khz = false;
9921 	struct nlattr *attr;
9922 	struct wiphy *wiphy;
9923 	int err, tmp, n_ssids = 0, n_channels, i;
9924 	size_t ie_len, size;
9925 	size_t ssids_offset, ie_offset;
9926 
9927 	wiphy = &rdev->wiphy;
9928 
9929 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9930 		return -EOPNOTSUPP;
9931 
9932 	if (!rdev->ops->scan)
9933 		return -EOPNOTSUPP;
9934 
9935 	if (rdev->scan_req || rdev->scan_msg)
9936 		return -EBUSY;
9937 
9938 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9939 		if (!wiphy_ext_feature_isset(wiphy,
9940 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9941 			return -EOPNOTSUPP;
9942 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9943 		scan_freqs_khz = true;
9944 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9945 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9946 
9947 	if (scan_freqs) {
9948 		n_channels = validate_scan_freqs(scan_freqs);
9949 		if (!n_channels)
9950 			return -EINVAL;
9951 	} else {
9952 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9953 	}
9954 
9955 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9956 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9957 			n_ssids++;
9958 
9959 	if (n_ssids > wiphy->max_scan_ssids)
9960 		return -EINVAL;
9961 
9962 	if (info->attrs[NL80211_ATTR_IE])
9963 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9964 	else
9965 		ie_len = 0;
9966 
9967 	if (ie_len > wiphy->max_scan_ie_len)
9968 		return -EINVAL;
9969 
9970 	size = struct_size(request, req.channels, n_channels);
9971 	ssids_offset = size;
9972 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
9973 	ie_offset = size;
9974 	size = size_add(size, ie_len);
9975 	request = kzalloc(size, GFP_KERNEL);
9976 	if (!request)
9977 		return -ENOMEM;
9978 	request->req.n_channels = n_channels;
9979 
9980 	if (n_ssids)
9981 		request->req.ssids = (void *)request + ssids_offset;
9982 	request->req.n_ssids = n_ssids;
9983 	if (ie_len)
9984 		request->req.ie = (void *)request + ie_offset;
9985 
9986 	i = 0;
9987 	if (scan_freqs) {
9988 		/* user specified, bail out if channel not found */
9989 		nla_for_each_nested(attr, scan_freqs, tmp) {
9990 			struct ieee80211_channel *chan;
9991 			int freq = nla_get_u32(attr);
9992 
9993 			if (!scan_freqs_khz)
9994 				freq = MHZ_TO_KHZ(freq);
9995 
9996 			chan = ieee80211_get_channel_khz(wiphy, freq);
9997 			if (!chan) {
9998 				err = -EINVAL;
9999 				goto out_free;
10000 			}
10001 
10002 			/* ignore disabled channels */
10003 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10004 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10005 				continue;
10006 
10007 			request->req.channels[i] = chan;
10008 			i++;
10009 		}
10010 	} else {
10011 		enum nl80211_band band;
10012 
10013 		/* all channels */
10014 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10015 			int j;
10016 
10017 			if (!wiphy->bands[band])
10018 				continue;
10019 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10020 				struct ieee80211_channel *chan;
10021 
10022 				chan = &wiphy->bands[band]->channels[j];
10023 
10024 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10025 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10026 					continue;
10027 
10028 				request->req.channels[i] = chan;
10029 				i++;
10030 			}
10031 		}
10032 	}
10033 
10034 	if (!i) {
10035 		err = -EINVAL;
10036 		goto out_free;
10037 	}
10038 
10039 	request->req.n_channels = i;
10040 
10041 	for (i = 0; i < request->req.n_channels; i++) {
10042 		struct ieee80211_channel *chan = request->req.channels[i];
10043 
10044 		/* if we can go off-channel to the target channel we're good */
10045 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10046 			continue;
10047 
10048 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10049 			err = -EBUSY;
10050 			goto out_free;
10051 		}
10052 	}
10053 
10054 	i = 0;
10055 	if (n_ssids) {
10056 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10057 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10058 				err = -EINVAL;
10059 				goto out_free;
10060 			}
10061 			request->req.ssids[i].ssid_len = nla_len(attr);
10062 			memcpy(request->req.ssids[i].ssid,
10063 			       nla_data(attr), nla_len(attr));
10064 			i++;
10065 		}
10066 	}
10067 
10068 	if (info->attrs[NL80211_ATTR_IE]) {
10069 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10070 		memcpy((void *)request->req.ie,
10071 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10072 		       request->req.ie_len);
10073 	}
10074 
10075 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10076 		if (wiphy->bands[i])
10077 			request->req.rates[i] =
10078 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10079 
10080 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10081 		nla_for_each_nested(attr,
10082 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10083 				    tmp) {
10084 			enum nl80211_band band = nla_type(attr);
10085 
10086 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10087 				err = -EINVAL;
10088 				goto out_free;
10089 			}
10090 
10091 			if (!wiphy->bands[band])
10092 				continue;
10093 
10094 			err = ieee80211_get_ratemask(wiphy->bands[band],
10095 						     nla_data(attr),
10096 						     nla_len(attr),
10097 						     &request->req.rates[band]);
10098 			if (err)
10099 				goto out_free;
10100 		}
10101 	}
10102 
10103 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10104 		request->req.duration =
10105 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10106 		request->req.duration_mandatory =
10107 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10108 	}
10109 
10110 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10111 	if (err)
10112 		goto out_free;
10113 
10114 	request->req.no_cck =
10115 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10116 
10117 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10118 	 * BSSID to scan for. This was problematic because that same attribute
10119 	 * was already used for another purpose (local random MAC address). The
10120 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
10121 	 * compatibility with older userspace components, also use the
10122 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
10123 	 * the specific BSSID use case instead of the random MAC address
10124 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
10125 	 */
10126 	if (info->attrs[NL80211_ATTR_BSSID])
10127 		memcpy(request->req.bssid,
10128 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
10129 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
10130 		 info->attrs[NL80211_ATTR_MAC])
10131 		memcpy(request->req.bssid,
10132 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
10133 		       ETH_ALEN);
10134 	else
10135 		eth_broadcast_addr(request->req.bssid);
10136 
10137 	request->req.tsf_report_link_id =
10138 		nl80211_link_id_or_invalid(info->attrs);
10139 	request->req.wdev = wdev;
10140 	request->req.wiphy = &rdev->wiphy;
10141 	request->req.scan_start = jiffies;
10142 
10143 	rdev->scan_req = request;
10144 	err = cfg80211_scan(rdev);
10145 
10146 	if (err)
10147 		goto out_free;
10148 
10149 	nl80211_send_scan_start(rdev, wdev);
10150 	dev_hold(wdev->netdev);
10151 
10152 	return 0;
10153 
10154  out_free:
10155 	rdev->scan_req = NULL;
10156 	kfree(request);
10157 
10158 	return err;
10159 }
10160 
10161 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
10162 {
10163 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10164 	struct wireless_dev *wdev = info->user_ptr[1];
10165 
10166 	if (!rdev->ops->abort_scan)
10167 		return -EOPNOTSUPP;
10168 
10169 	if (rdev->scan_msg)
10170 		return 0;
10171 
10172 	if (!rdev->scan_req)
10173 		return -ENOENT;
10174 
10175 	rdev_abort_scan(rdev, wdev);
10176 	return 0;
10177 }
10178 
10179 static int
10180 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
10181 			       struct cfg80211_sched_scan_request *request,
10182 			       struct nlattr **attrs)
10183 {
10184 	int tmp, err, i = 0;
10185 	struct nlattr *attr;
10186 
10187 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10188 		u32 interval;
10189 
10190 		/*
10191 		 * If scan plans are not specified,
10192 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
10193 		 * case one scan plan will be set with the specified scan
10194 		 * interval and infinite number of iterations.
10195 		 */
10196 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
10197 		if (!interval)
10198 			return -EINVAL;
10199 
10200 		request->scan_plans[0].interval =
10201 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
10202 		if (!request->scan_plans[0].interval)
10203 			return -EINVAL;
10204 
10205 		if (request->scan_plans[0].interval >
10206 		    wiphy->max_sched_scan_plan_interval)
10207 			request->scan_plans[0].interval =
10208 				wiphy->max_sched_scan_plan_interval;
10209 
10210 		return 0;
10211 	}
10212 
10213 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
10214 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
10215 
10216 		if (WARN_ON(i >= n_plans))
10217 			return -EINVAL;
10218 
10219 		err = nla_parse_nested_deprecated(plan,
10220 						  NL80211_SCHED_SCAN_PLAN_MAX,
10221 						  attr, nl80211_plan_policy,
10222 						  NULL);
10223 		if (err)
10224 			return err;
10225 
10226 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
10227 			return -EINVAL;
10228 
10229 		request->scan_plans[i].interval =
10230 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
10231 		if (!request->scan_plans[i].interval ||
10232 		    request->scan_plans[i].interval >
10233 		    wiphy->max_sched_scan_plan_interval)
10234 			return -EINVAL;
10235 
10236 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
10237 			request->scan_plans[i].iterations =
10238 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
10239 			if (!request->scan_plans[i].iterations ||
10240 			    (request->scan_plans[i].iterations >
10241 			     wiphy->max_sched_scan_plan_iterations))
10242 				return -EINVAL;
10243 		} else if (i < n_plans - 1) {
10244 			/*
10245 			 * All scan plans but the last one must specify
10246 			 * a finite number of iterations
10247 			 */
10248 			return -EINVAL;
10249 		}
10250 
10251 		i++;
10252 	}
10253 
10254 	/*
10255 	 * The last scan plan must not specify the number of
10256 	 * iterations, it is supposed to run infinitely
10257 	 */
10258 	if (request->scan_plans[n_plans - 1].iterations)
10259 		return  -EINVAL;
10260 
10261 	return 0;
10262 }
10263 
10264 static struct cfg80211_sched_scan_request *
10265 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
10266 			 struct nlattr **attrs, int max_match_sets)
10267 {
10268 	struct cfg80211_sched_scan_request *request;
10269 	struct nlattr *attr;
10270 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
10271 	enum nl80211_band band;
10272 	size_t ie_len, size;
10273 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
10274 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
10275 
10276 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10277 		n_channels = validate_scan_freqs(
10278 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
10279 		if (!n_channels)
10280 			return ERR_PTR(-EINVAL);
10281 	} else {
10282 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10283 	}
10284 
10285 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
10286 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10287 				    tmp)
10288 			n_ssids++;
10289 
10290 	if (n_ssids > wiphy->max_sched_scan_ssids)
10291 		return ERR_PTR(-EINVAL);
10292 
10293 	/*
10294 	 * First, count the number of 'real' matchsets. Due to an issue with
10295 	 * the old implementation, matchsets containing only the RSSI attribute
10296 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
10297 	 * RSSI for all matchsets, rather than their own matchset for reporting
10298 	 * all APs with a strong RSSI. This is needed to be compatible with
10299 	 * older userspace that treated a matchset with only the RSSI as the
10300 	 * global RSSI for all other matchsets - if there are other matchsets.
10301 	 */
10302 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10303 		nla_for_each_nested(attr,
10304 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10305 				    tmp) {
10306 			struct nlattr *rssi;
10307 
10308 			err = nla_parse_nested_deprecated(tb,
10309 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10310 							  attr,
10311 							  nl80211_match_policy,
10312 							  NULL);
10313 			if (err)
10314 				return ERR_PTR(err);
10315 
10316 			/* SSID and BSSID are mutually exclusive */
10317 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
10318 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
10319 				return ERR_PTR(-EINVAL);
10320 
10321 			/* add other standalone attributes here */
10322 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
10323 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
10324 				n_match_sets++;
10325 				continue;
10326 			}
10327 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10328 			if (rssi)
10329 				default_match_rssi = nla_get_s32(rssi);
10330 		}
10331 	}
10332 
10333 	/* However, if there's no other matchset, add the RSSI one */
10334 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
10335 		n_match_sets = 1;
10336 
10337 	if (n_match_sets > max_match_sets)
10338 		return ERR_PTR(-EINVAL);
10339 
10340 	if (attrs[NL80211_ATTR_IE])
10341 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
10342 	else
10343 		ie_len = 0;
10344 
10345 	if (ie_len > wiphy->max_sched_scan_ie_len)
10346 		return ERR_PTR(-EINVAL);
10347 
10348 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10349 		/*
10350 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
10351 		 * each scan plan already specifies its own interval
10352 		 */
10353 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10354 			return ERR_PTR(-EINVAL);
10355 
10356 		nla_for_each_nested(attr,
10357 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
10358 			n_plans++;
10359 	} else {
10360 		/*
10361 		 * The scan interval attribute is kept for backward
10362 		 * compatibility. If no scan plans are specified and sched scan
10363 		 * interval is specified, one scan plan will be set with this
10364 		 * scan interval and infinite number of iterations.
10365 		 */
10366 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10367 			return ERR_PTR(-EINVAL);
10368 
10369 		n_plans = 1;
10370 	}
10371 
10372 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
10373 		return ERR_PTR(-EINVAL);
10374 
10375 	if (!wiphy_ext_feature_isset(
10376 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
10377 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
10378 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
10379 		return ERR_PTR(-EINVAL);
10380 
10381 	size = struct_size(request, channels, n_channels);
10382 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
10383 	size = size_add(size, array_size(sizeof(*request->match_sets),
10384 					 n_match_sets));
10385 	size = size_add(size, array_size(sizeof(*request->scan_plans),
10386 					 n_plans));
10387 	size = size_add(size, ie_len);
10388 	request = kzalloc(size, GFP_KERNEL);
10389 	if (!request)
10390 		return ERR_PTR(-ENOMEM);
10391 	request->n_channels = n_channels;
10392 
10393 	if (n_ssids)
10394 		request->ssids = (void *)request +
10395 			struct_size(request, channels, n_channels);
10396 	request->n_ssids = n_ssids;
10397 	if (ie_len) {
10398 		if (n_ssids)
10399 			request->ie = (void *)(request->ssids + n_ssids);
10400 		else
10401 			request->ie = (void *)(request->channels + n_channels);
10402 	}
10403 
10404 	if (n_match_sets) {
10405 		if (request->ie)
10406 			request->match_sets = (void *)(request->ie + ie_len);
10407 		else if (n_ssids)
10408 			request->match_sets =
10409 				(void *)(request->ssids + n_ssids);
10410 		else
10411 			request->match_sets =
10412 				(void *)(request->channels + n_channels);
10413 	}
10414 	request->n_match_sets = n_match_sets;
10415 
10416 	if (n_match_sets)
10417 		request->scan_plans = (void *)(request->match_sets +
10418 					       n_match_sets);
10419 	else if (request->ie)
10420 		request->scan_plans = (void *)(request->ie + ie_len);
10421 	else if (n_ssids)
10422 		request->scan_plans = (void *)(request->ssids + n_ssids);
10423 	else
10424 		request->scan_plans = (void *)(request->channels + n_channels);
10425 
10426 	request->n_scan_plans = n_plans;
10427 
10428 	i = 0;
10429 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10430 		/* user specified, bail out if channel not found */
10431 		nla_for_each_nested(attr,
10432 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
10433 				    tmp) {
10434 			struct ieee80211_channel *chan;
10435 
10436 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
10437 
10438 			if (!chan) {
10439 				err = -EINVAL;
10440 				goto out_free;
10441 			}
10442 
10443 			/* ignore disabled channels */
10444 			if (chan->flags & IEEE80211_CHAN_DISABLED)
10445 				continue;
10446 
10447 			request->channels[i] = chan;
10448 			i++;
10449 		}
10450 	} else {
10451 		/* all channels */
10452 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10453 			int j;
10454 
10455 			if (!wiphy->bands[band])
10456 				continue;
10457 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10458 				struct ieee80211_channel *chan;
10459 
10460 				chan = &wiphy->bands[band]->channels[j];
10461 
10462 				if (chan->flags & IEEE80211_CHAN_DISABLED)
10463 					continue;
10464 
10465 				request->channels[i] = chan;
10466 				i++;
10467 			}
10468 		}
10469 	}
10470 
10471 	if (!i) {
10472 		err = -EINVAL;
10473 		goto out_free;
10474 	}
10475 
10476 	request->n_channels = i;
10477 
10478 	i = 0;
10479 	if (n_ssids) {
10480 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10481 				    tmp) {
10482 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10483 				err = -EINVAL;
10484 				goto out_free;
10485 			}
10486 			request->ssids[i].ssid_len = nla_len(attr);
10487 			memcpy(request->ssids[i].ssid, nla_data(attr),
10488 			       nla_len(attr));
10489 			i++;
10490 		}
10491 	}
10492 
10493 	i = 0;
10494 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10495 		nla_for_each_nested(attr,
10496 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10497 				    tmp) {
10498 			struct nlattr *ssid, *bssid, *rssi;
10499 
10500 			err = nla_parse_nested_deprecated(tb,
10501 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10502 							  attr,
10503 							  nl80211_match_policy,
10504 							  NULL);
10505 			if (err)
10506 				goto out_free;
10507 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
10508 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
10509 
10510 			if (!ssid && !bssid) {
10511 				i++;
10512 				continue;
10513 			}
10514 
10515 			if (WARN_ON(i >= n_match_sets)) {
10516 				/* this indicates a programming error,
10517 				 * the loop above should have verified
10518 				 * things properly
10519 				 */
10520 				err = -EINVAL;
10521 				goto out_free;
10522 			}
10523 
10524 			if (ssid) {
10525 				memcpy(request->match_sets[i].ssid.ssid,
10526 				       nla_data(ssid), nla_len(ssid));
10527 				request->match_sets[i].ssid.ssid_len =
10528 					nla_len(ssid);
10529 			}
10530 			if (bssid)
10531 				memcpy(request->match_sets[i].bssid,
10532 				       nla_data(bssid), ETH_ALEN);
10533 
10534 			/* special attribute - old implementation w/a */
10535 			request->match_sets[i].rssi_thold = default_match_rssi;
10536 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10537 			if (rssi)
10538 				request->match_sets[i].rssi_thold =
10539 					nla_get_s32(rssi);
10540 			i++;
10541 		}
10542 
10543 		/* there was no other matchset, so the RSSI one is alone */
10544 		if (i == 0 && n_match_sets)
10545 			request->match_sets[0].rssi_thold = default_match_rssi;
10546 
10547 		request->min_rssi_thold = INT_MAX;
10548 		for (i = 0; i < n_match_sets; i++)
10549 			request->min_rssi_thold =
10550 				min(request->match_sets[i].rssi_thold,
10551 				    request->min_rssi_thold);
10552 	} else {
10553 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
10554 	}
10555 
10556 	if (ie_len) {
10557 		request->ie_len = ie_len;
10558 		memcpy((void *)request->ie,
10559 		       nla_data(attrs[NL80211_ATTR_IE]),
10560 		       request->ie_len);
10561 	}
10562 
10563 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
10564 	if (err)
10565 		goto out_free;
10566 
10567 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
10568 		request->delay =
10569 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
10570 
10571 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
10572 		request->relative_rssi = nla_get_s8(
10573 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
10574 		request->relative_rssi_set = true;
10575 	}
10576 
10577 	if (request->relative_rssi_set &&
10578 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
10579 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
10580 
10581 		rssi_adjust = nla_data(
10582 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
10583 		request->rssi_adjust.band = rssi_adjust->band;
10584 		request->rssi_adjust.delta = rssi_adjust->delta;
10585 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
10586 			err = -EINVAL;
10587 			goto out_free;
10588 		}
10589 	}
10590 
10591 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
10592 	if (err)
10593 		goto out_free;
10594 
10595 	request->scan_start = jiffies;
10596 
10597 	return request;
10598 
10599 out_free:
10600 	kfree(request);
10601 	return ERR_PTR(err);
10602 }
10603 
10604 static int nl80211_start_sched_scan(struct sk_buff *skb,
10605 				    struct genl_info *info)
10606 {
10607 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10608 	struct net_device *dev = info->user_ptr[1];
10609 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10610 	struct cfg80211_sched_scan_request *sched_scan_req;
10611 	bool want_multi;
10612 	int err;
10613 
10614 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10615 		return -EOPNOTSUPP;
10616 
10617 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10618 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10619 	if (err)
10620 		return err;
10621 
10622 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10623 						  info->attrs,
10624 						  rdev->wiphy.max_match_sets);
10625 
10626 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10627 	if (err)
10628 		goto out_err;
10629 
10630 	/* leave request id zero for legacy request
10631 	 * or if driver does not support multi-scheduled scan
10632 	 */
10633 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10634 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10635 
10636 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10637 	if (err)
10638 		goto out_free;
10639 
10640 	sched_scan_req->dev = dev;
10641 	sched_scan_req->wiphy = &rdev->wiphy;
10642 
10643 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10644 		sched_scan_req->owner_nlportid = info->snd_portid;
10645 
10646 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10647 
10648 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10649 	return 0;
10650 
10651 out_free:
10652 	kfree(sched_scan_req);
10653 out_err:
10654 	return err;
10655 }
10656 
10657 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10658 				   struct genl_info *info)
10659 {
10660 	struct cfg80211_sched_scan_request *req;
10661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10662 	u64 cookie;
10663 
10664 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10665 		return -EOPNOTSUPP;
10666 
10667 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10668 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10669 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10670 	}
10671 
10672 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10673 				     struct cfg80211_sched_scan_request,
10674 				     list);
10675 	if (!req || req->reqid ||
10676 	    (req->owner_nlportid &&
10677 	     req->owner_nlportid != info->snd_portid))
10678 		return -ENOENT;
10679 
10680 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10681 }
10682 
10683 static int nl80211_start_radar_detection(struct sk_buff *skb,
10684 					 struct genl_info *info)
10685 {
10686 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10687 	struct net_device *dev = info->user_ptr[1];
10688 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10689 	int link_id = nl80211_link_id(info->attrs);
10690 	struct wiphy *wiphy = wdev->wiphy;
10691 	struct cfg80211_chan_def chandef;
10692 	enum nl80211_dfs_regions dfs_region;
10693 	unsigned int cac_time_ms;
10694 	int err;
10695 
10696 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10697 
10698 	switch (wdev->iftype) {
10699 	case NL80211_IFTYPE_AP:
10700 	case NL80211_IFTYPE_P2P_GO:
10701 	case NL80211_IFTYPE_MESH_POINT:
10702 	case NL80211_IFTYPE_ADHOC:
10703 		break;
10704 	default:
10705 		/* caution - see cfg80211_beaconing_iface_active() below */
10706 		return -EINVAL;
10707 	}
10708 
10709 	guard(wiphy)(wiphy);
10710 
10711 	dfs_region = reg_get_dfs_region(wiphy);
10712 	if (dfs_region == NL80211_DFS_UNSET)
10713 		return -EINVAL;
10714 
10715 	err = nl80211_parse_chandef(rdev, info, &chandef);
10716 	if (err)
10717 		return err;
10718 
10719 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10720 	if (err < 0)
10721 		return err;
10722 
10723 	if (err == 0)
10724 		return -EINVAL;
10725 
10726 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
10727 		return -EINVAL;
10728 
10729 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
10730 		return cfg80211_start_background_radar_detection(rdev, wdev,
10731 								 &chandef);
10732 
10733 	if (cfg80211_beaconing_iface_active(wdev)) {
10734 		/* During MLO other link(s) can beacon, only the current link
10735 		 * can not already beacon
10736 		 */
10737 		if (wdev->valid_links &&
10738 		    !wdev->links[link_id].ap.beacon_interval) {
10739 			/* nothing */
10740 		} else {
10741 			return -EBUSY;
10742 		}
10743 	}
10744 
10745 	if (wdev->links[link_id].cac_started)
10746 		return -EBUSY;
10747 
10748 	/* CAC start is offloaded to HW and can't be started manually */
10749 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
10750 		return -EOPNOTSUPP;
10751 
10752 	if (!rdev->ops->start_radar_detection)
10753 		return -EOPNOTSUPP;
10754 
10755 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10756 	if (WARN_ON(!cac_time_ms))
10757 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10758 
10759 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
10760 					 link_id);
10761 	if (err)
10762 		return err;
10763 
10764 	switch (wdev->iftype) {
10765 	case NL80211_IFTYPE_AP:
10766 	case NL80211_IFTYPE_P2P_GO:
10767 		wdev->links[link_id].ap.chandef = chandef;
10768 		break;
10769 	case NL80211_IFTYPE_ADHOC:
10770 		wdev->u.ibss.chandef = chandef;
10771 		break;
10772 	case NL80211_IFTYPE_MESH_POINT:
10773 		wdev->u.mesh.chandef = chandef;
10774 		break;
10775 	default:
10776 		break;
10777 	}
10778 	wdev->links[link_id].cac_started = true;
10779 	wdev->links[link_id].cac_start_time = jiffies;
10780 	wdev->links[link_id].cac_time_ms = cac_time_ms;
10781 
10782 	return 0;
10783 }
10784 
10785 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10786 					  struct genl_info *info)
10787 {
10788 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10789 	struct net_device *dev = info->user_ptr[1];
10790 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10791 	struct wiphy *wiphy = wdev->wiphy;
10792 	struct cfg80211_chan_def chandef;
10793 	enum nl80211_dfs_regions dfs_region;
10794 	int err;
10795 
10796 	dfs_region = reg_get_dfs_region(wiphy);
10797 	if (dfs_region == NL80211_DFS_UNSET) {
10798 		GENL_SET_ERR_MSG(info,
10799 				 "DFS Region is not set. Unexpected Radar indication");
10800 		return -EINVAL;
10801 	}
10802 
10803 	err = nl80211_parse_chandef(rdev, info, &chandef);
10804 	if (err) {
10805 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10806 		return err;
10807 	}
10808 
10809 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10810 	if (err < 0) {
10811 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10812 		return err;
10813 	}
10814 
10815 	if (err == 0) {
10816 		GENL_SET_ERR_MSG(info,
10817 				 "Unexpected Radar indication for chandef/iftype");
10818 		return -EINVAL;
10819 	}
10820 
10821 	/* Do not process this notification if radar is already detected
10822 	 * by kernel on this channel, and return success.
10823 	 */
10824 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10825 		return 0;
10826 
10827 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10828 
10829 	cfg80211_sched_dfs_chan_update(rdev);
10830 
10831 	rdev->radar_chandef = chandef;
10832 
10833 	/* Propagate this notification to other radios as well */
10834 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10835 
10836 	return 0;
10837 }
10838 
10839 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10840 					 const u8 *data, size_t datalen,
10841 					 int first_count, struct nlattr *attr,
10842 					 const u16 **offsets, unsigned int *n_offsets)
10843 {
10844 	int i;
10845 
10846 	*n_offsets = 0;
10847 
10848 	if (!attr)
10849 		return 0;
10850 
10851 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10852 		return -EINVAL;
10853 
10854 	*n_offsets = nla_len(attr) / sizeof(u16);
10855 	if (rdev->wiphy.max_num_csa_counters &&
10856 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10857 		return -EINVAL;
10858 
10859 	*offsets = nla_data(attr);
10860 
10861 	/* sanity checks - counters should fit and be the same */
10862 	for (i = 0; i < *n_offsets; i++) {
10863 		u16 offset = (*offsets)[i];
10864 
10865 		if (offset >= datalen)
10866 			return -EINVAL;
10867 
10868 		if (first_count != -1 && data[offset] != first_count)
10869 			return -EINVAL;
10870 	}
10871 
10872 	return 0;
10873 }
10874 
10875 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10876 {
10877 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10878 	unsigned int link_id = nl80211_link_id(info->attrs);
10879 	struct net_device *dev = info->user_ptr[1];
10880 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10881 	struct cfg80211_csa_settings params;
10882 	struct nlattr **csa_attrs = NULL;
10883 	int err;
10884 	bool need_new_beacon = false;
10885 	bool need_handle_dfs_flag = true;
10886 	u32 cs_count;
10887 
10888 	if (!rdev->ops->channel_switch ||
10889 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10890 		return -EOPNOTSUPP;
10891 
10892 	switch (dev->ieee80211_ptr->iftype) {
10893 	case NL80211_IFTYPE_AP:
10894 	case NL80211_IFTYPE_P2P_GO:
10895 		need_new_beacon = true;
10896 		/* For all modes except AP the handle_dfs flag needs to be
10897 		 * supplied to tell the kernel that userspace will handle radar
10898 		 * events when they happen. Otherwise a switch to a channel
10899 		 * requiring DFS will be rejected.
10900 		 */
10901 		need_handle_dfs_flag = false;
10902 
10903 		/* useless if AP is not running */
10904 		if (!wdev->links[link_id].ap.beacon_interval)
10905 			return -ENOTCONN;
10906 		break;
10907 	case NL80211_IFTYPE_ADHOC:
10908 		if (!wdev->u.ibss.ssid_len)
10909 			return -ENOTCONN;
10910 		break;
10911 	case NL80211_IFTYPE_MESH_POINT:
10912 		if (!wdev->u.mesh.id_len)
10913 			return -ENOTCONN;
10914 		break;
10915 	default:
10916 		return -EOPNOTSUPP;
10917 	}
10918 
10919 	memset(&params, 0, sizeof(params));
10920 	params.beacon_csa.ftm_responder = -1;
10921 
10922 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10923 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10924 		return -EINVAL;
10925 
10926 	/* only important for AP, IBSS and mesh create IEs internally */
10927 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10928 		return -EINVAL;
10929 
10930 	/* Even though the attribute is u32, the specification says
10931 	 * u8, so let's make sure we don't overflow.
10932 	 */
10933 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10934 	if (cs_count > 255)
10935 		return -EINVAL;
10936 
10937 	params.count = cs_count;
10938 
10939 	if (!need_new_beacon)
10940 		goto skip_beacons;
10941 
10942 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10943 				   info->extack);
10944 	if (err)
10945 		goto free;
10946 
10947 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10948 			    GFP_KERNEL);
10949 	if (!csa_attrs) {
10950 		err = -ENOMEM;
10951 		goto free;
10952 	}
10953 
10954 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10955 					  info->attrs[NL80211_ATTR_CSA_IES],
10956 					  nl80211_policy, info->extack);
10957 	if (err)
10958 		goto free;
10959 
10960 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10961 				   info->extack);
10962 	if (err)
10963 		goto free;
10964 
10965 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10966 		err = -EINVAL;
10967 		goto free;
10968 	}
10969 
10970 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10971 					    params.beacon_csa.tail_len,
10972 					    params.count,
10973 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10974 					    &params.counter_offsets_beacon,
10975 					    &params.n_counter_offsets_beacon);
10976 	if (err)
10977 		goto free;
10978 
10979 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10980 					    params.beacon_csa.probe_resp_len,
10981 					    params.count,
10982 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10983 					    &params.counter_offsets_presp,
10984 					    &params.n_counter_offsets_presp);
10985 	if (err)
10986 		goto free;
10987 
10988 skip_beacons:
10989 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10990 	if (err)
10991 		goto free;
10992 
10993 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10994 					   wdev->iftype)) {
10995 		err = -EINVAL;
10996 		goto free;
10997 	}
10998 
10999 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11000 					    &params.chandef,
11001 					    wdev->iftype);
11002 	if (err < 0)
11003 		goto free;
11004 
11005 	if (err > 0) {
11006 		params.radar_required = true;
11007 		if (need_handle_dfs_flag &&
11008 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11009 			err = -EINVAL;
11010 			goto free;
11011 		}
11012 	}
11013 
11014 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11015 		params.block_tx = true;
11016 
11017 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11018 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11019 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11020 		err = nl80211_parse_unsol_bcast_probe_resp(
11021 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11022 			&params.unsol_bcast_probe_resp);
11023 		if (err)
11024 			goto free;
11025 	}
11026 
11027 	params.link_id = link_id;
11028 	err = rdev_channel_switch(rdev, dev, &params);
11029 
11030 free:
11031 	kfree(params.beacon_after.mbssid_ies);
11032 	kfree(params.beacon_csa.mbssid_ies);
11033 	kfree(params.beacon_after.rnr_ies);
11034 	kfree(params.beacon_csa.rnr_ies);
11035 	kfree(csa_attrs);
11036 	return err;
11037 }
11038 
11039 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11040 			    u32 seq, int flags,
11041 			    struct cfg80211_registered_device *rdev,
11042 			    struct wireless_dev *wdev,
11043 			    struct cfg80211_internal_bss *intbss)
11044 {
11045 	struct cfg80211_bss *res = &intbss->pub;
11046 	const struct cfg80211_bss_ies *ies;
11047 	unsigned int link_id;
11048 	void *hdr;
11049 	struct nlattr *bss;
11050 
11051 	lockdep_assert_wiphy(wdev->wiphy);
11052 
11053 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11054 			     NL80211_CMD_NEW_SCAN_RESULTS);
11055 	if (!hdr)
11056 		return -1;
11057 
11058 	genl_dump_check_consistent(cb, hdr);
11059 
11060 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11061 		goto nla_put_failure;
11062 	if (wdev->netdev &&
11063 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11064 		goto nla_put_failure;
11065 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11066 			      NL80211_ATTR_PAD))
11067 		goto nla_put_failure;
11068 
11069 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11070 	if (!bss)
11071 		goto nla_put_failure;
11072 	if ((!is_zero_ether_addr(res->bssid) &&
11073 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11074 		goto nla_put_failure;
11075 
11076 	rcu_read_lock();
11077 	/* indicate whether we have probe response data or not */
11078 	if (rcu_access_pointer(res->proberesp_ies) &&
11079 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11080 		goto fail_unlock_rcu;
11081 
11082 	/* this pointer prefers to be pointed to probe response data
11083 	 * but is always valid
11084 	 */
11085 	ies = rcu_dereference(res->ies);
11086 	if (ies) {
11087 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11088 				      NL80211_BSS_PAD))
11089 			goto fail_unlock_rcu;
11090 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11091 					ies->len, ies->data))
11092 			goto fail_unlock_rcu;
11093 	}
11094 
11095 	/* and this pointer is always (unless driver didn't know) beacon data */
11096 	ies = rcu_dereference(res->beacon_ies);
11097 	if (ies && ies->from_beacon) {
11098 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11099 				      NL80211_BSS_PAD))
11100 			goto fail_unlock_rcu;
11101 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11102 					ies->len, ies->data))
11103 			goto fail_unlock_rcu;
11104 	}
11105 	rcu_read_unlock();
11106 
11107 	if (res->beacon_interval &&
11108 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11109 		goto nla_put_failure;
11110 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11111 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11112 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11113 			res->channel->freq_offset) ||
11114 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11115 			jiffies_to_msecs(jiffies - intbss->ts)))
11116 		goto nla_put_failure;
11117 
11118 	if (intbss->parent_tsf &&
11119 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
11120 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
11121 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
11122 		     intbss->parent_bssid)))
11123 		goto nla_put_failure;
11124 
11125 	if (res->ts_boottime &&
11126 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
11127 			      res->ts_boottime, NL80211_BSS_PAD))
11128 		goto nla_put_failure;
11129 
11130 	if (!nl80211_put_signal(msg, intbss->pub.chains,
11131 				intbss->pub.chain_signal,
11132 				NL80211_BSS_CHAIN_SIGNAL))
11133 		goto nla_put_failure;
11134 
11135 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
11136 		switch (rdev->wiphy.signal_type) {
11137 		case CFG80211_SIGNAL_TYPE_MBM:
11138 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
11139 					res->signal))
11140 				goto nla_put_failure;
11141 			break;
11142 		case CFG80211_SIGNAL_TYPE_UNSPEC:
11143 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
11144 				       res->signal))
11145 				goto nla_put_failure;
11146 			break;
11147 		default:
11148 			break;
11149 		}
11150 	}
11151 
11152 	switch (wdev->iftype) {
11153 	case NL80211_IFTYPE_P2P_CLIENT:
11154 	case NL80211_IFTYPE_STATION:
11155 		for_each_valid_link(wdev, link_id) {
11156 			if (intbss == wdev->links[link_id].client.current_bss &&
11157 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
11158 					 NL80211_BSS_STATUS_ASSOCIATED) ||
11159 			     (wdev->valid_links &&
11160 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
11161 					  link_id) ||
11162 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
11163 				       wdev->u.client.connected_addr)))))
11164 				goto nla_put_failure;
11165 		}
11166 		break;
11167 	case NL80211_IFTYPE_ADHOC:
11168 		if (intbss == wdev->u.ibss.current_bss &&
11169 		    nla_put_u32(msg, NL80211_BSS_STATUS,
11170 				NL80211_BSS_STATUS_IBSS_JOINED))
11171 			goto nla_put_failure;
11172 		break;
11173 	default:
11174 		break;
11175 	}
11176 
11177 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
11178 		goto nla_put_failure;
11179 
11180 	if (res->cannot_use_reasons &&
11181 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
11182 			      res->cannot_use_reasons,
11183 			      NL80211_BSS_PAD))
11184 		goto nla_put_failure;
11185 
11186 	nla_nest_end(msg, bss);
11187 
11188 	genlmsg_end(msg, hdr);
11189 	return 0;
11190 
11191  fail_unlock_rcu:
11192 	rcu_read_unlock();
11193  nla_put_failure:
11194 	genlmsg_cancel(msg, hdr);
11195 	return -EMSGSIZE;
11196 }
11197 
11198 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
11199 {
11200 	struct cfg80211_registered_device *rdev;
11201 	struct cfg80211_internal_bss *scan;
11202 	struct wireless_dev *wdev;
11203 	struct nlattr **attrbuf;
11204 	int start = cb->args[2], idx = 0;
11205 	bool dump_include_use_data;
11206 	int err;
11207 
11208 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11209 	if (!attrbuf)
11210 		return -ENOMEM;
11211 
11212 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11213 	if (err) {
11214 		kfree(attrbuf);
11215 		return err;
11216 	}
11217 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11218 	__acquire(&rdev->wiphy.mtx);
11219 
11220 	dump_include_use_data =
11221 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
11222 	kfree(attrbuf);
11223 
11224 	spin_lock_bh(&rdev->bss_lock);
11225 
11226 	/*
11227 	 * dump_scan will be called multiple times to break up the scan results
11228 	 * into multiple messages.  It is unlikely that any more bss-es will be
11229 	 * expired after the first call, so only call only call this on the
11230 	 * first dump_scan invocation.
11231 	 */
11232 	if (start == 0)
11233 		cfg80211_bss_expire(rdev);
11234 
11235 	cb->seq = rdev->bss_generation;
11236 
11237 	list_for_each_entry(scan, &rdev->bss_list, list) {
11238 		if (++idx <= start)
11239 			continue;
11240 		if (!dump_include_use_data &&
11241 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
11242 			continue;
11243 		if (nl80211_send_bss(skb, cb,
11244 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11245 				rdev, wdev, scan) < 0) {
11246 			idx--;
11247 			break;
11248 		}
11249 	}
11250 
11251 	spin_unlock_bh(&rdev->bss_lock);
11252 
11253 	cb->args[2] = idx;
11254 	wiphy_unlock(&rdev->wiphy);
11255 
11256 	return skb->len;
11257 }
11258 
11259 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
11260 			       int flags, struct net_device *dev,
11261 			       bool allow_radio_stats,
11262 			       struct survey_info *survey)
11263 {
11264 	void *hdr;
11265 	struct nlattr *infoattr;
11266 
11267 	/* skip radio stats if userspace didn't request them */
11268 	if (!survey->channel && !allow_radio_stats)
11269 		return 0;
11270 
11271 	hdr = nl80211hdr_put(msg, portid, seq, flags,
11272 			     NL80211_CMD_NEW_SURVEY_RESULTS);
11273 	if (!hdr)
11274 		return -ENOMEM;
11275 
11276 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11277 		goto nla_put_failure;
11278 
11279 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
11280 	if (!infoattr)
11281 		goto nla_put_failure;
11282 
11283 	if (survey->channel &&
11284 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
11285 			survey->channel->center_freq))
11286 		goto nla_put_failure;
11287 
11288 	if (survey->channel && survey->channel->freq_offset &&
11289 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
11290 			survey->channel->freq_offset))
11291 		goto nla_put_failure;
11292 
11293 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
11294 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
11295 		goto nla_put_failure;
11296 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
11297 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
11298 		goto nla_put_failure;
11299 	if ((survey->filled & SURVEY_INFO_TIME) &&
11300 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
11301 			survey->time, NL80211_SURVEY_INFO_PAD))
11302 		goto nla_put_failure;
11303 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
11304 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
11305 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
11306 		goto nla_put_failure;
11307 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
11308 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
11309 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
11310 		goto nla_put_failure;
11311 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
11312 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
11313 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
11314 		goto nla_put_failure;
11315 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
11316 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
11317 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
11318 		goto nla_put_failure;
11319 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
11320 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
11321 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
11322 		goto nla_put_failure;
11323 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
11324 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
11325 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
11326 		goto nla_put_failure;
11327 
11328 	nla_nest_end(msg, infoattr);
11329 
11330 	genlmsg_end(msg, hdr);
11331 	return 0;
11332 
11333  nla_put_failure:
11334 	genlmsg_cancel(msg, hdr);
11335 	return -EMSGSIZE;
11336 }
11337 
11338 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
11339 {
11340 	struct nlattr **attrbuf;
11341 	struct survey_info survey;
11342 	struct cfg80211_registered_device *rdev;
11343 	struct wireless_dev *wdev;
11344 	int survey_idx = cb->args[2];
11345 	int res;
11346 	bool radio_stats;
11347 
11348 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11349 	if (!attrbuf)
11350 		return -ENOMEM;
11351 
11352 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11353 	if (res) {
11354 		kfree(attrbuf);
11355 		return res;
11356 	}
11357 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11358 	__acquire(&rdev->wiphy.mtx);
11359 
11360 	/* prepare_wdev_dump parsed the attributes */
11361 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
11362 
11363 	if (!wdev->netdev) {
11364 		res = -EINVAL;
11365 		goto out_err;
11366 	}
11367 
11368 	if (!rdev->ops->dump_survey) {
11369 		res = -EOPNOTSUPP;
11370 		goto out_err;
11371 	}
11372 
11373 	while (1) {
11374 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
11375 		if (res == -ENOENT)
11376 			break;
11377 		if (res)
11378 			goto out_err;
11379 
11380 		/* don't send disabled channels, but do send non-channel data */
11381 		if (survey.channel &&
11382 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
11383 			survey_idx++;
11384 			continue;
11385 		}
11386 
11387 		if (nl80211_send_survey(skb,
11388 				NETLINK_CB(cb->skb).portid,
11389 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11390 				wdev->netdev, radio_stats, &survey) < 0)
11391 			goto out;
11392 		survey_idx++;
11393 	}
11394 
11395  out:
11396 	cb->args[2] = survey_idx;
11397 	res = skb->len;
11398  out_err:
11399 	kfree(attrbuf);
11400 	wiphy_unlock(&rdev->wiphy);
11401 	return res;
11402 }
11403 
11404 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
11405 {
11406 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11407 	struct net_device *dev = info->user_ptr[1];
11408 	struct ieee80211_channel *chan;
11409 	const u8 *bssid, *ssid;
11410 	int err, ssid_len;
11411 	enum nl80211_auth_type auth_type;
11412 	struct key_parse key;
11413 	bool local_state_change;
11414 	struct cfg80211_auth_request req = {};
11415 	u32 freq;
11416 
11417 	if (!info->attrs[NL80211_ATTR_MAC])
11418 		return -EINVAL;
11419 
11420 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
11421 		return -EINVAL;
11422 
11423 	if (!info->attrs[NL80211_ATTR_SSID])
11424 		return -EINVAL;
11425 
11426 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11427 		return -EINVAL;
11428 
11429 	err = nl80211_parse_key(info, &key);
11430 	if (err)
11431 		return err;
11432 
11433 	if (key.idx >= 0) {
11434 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
11435 			return -EINVAL;
11436 		if (!key.p.key || !key.p.key_len)
11437 			return -EINVAL;
11438 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
11439 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
11440 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
11441 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
11442 			return -EINVAL;
11443 		if (key.idx > 3)
11444 			return -EINVAL;
11445 	} else {
11446 		key.p.key_len = 0;
11447 		key.p.key = NULL;
11448 	}
11449 
11450 	if (key.idx >= 0) {
11451 		int i;
11452 		bool ok = false;
11453 
11454 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
11455 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
11456 				ok = true;
11457 				break;
11458 			}
11459 		}
11460 		if (!ok)
11461 			return -EINVAL;
11462 	}
11463 
11464 	if (!rdev->ops->auth)
11465 		return -EOPNOTSUPP;
11466 
11467 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11468 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11469 		return -EOPNOTSUPP;
11470 
11471 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11472 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11473 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11474 		freq +=
11475 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11476 
11477 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11478 	if (!chan)
11479 		return -EINVAL;
11480 
11481 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11482 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11483 
11484 	if (info->attrs[NL80211_ATTR_IE]) {
11485 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11486 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11487 	}
11488 
11489 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
11490 		req.supported_selectors =
11491 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11492 		req.supported_selectors_len =
11493 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11494 	}
11495 
11496 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11497 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
11498 		return -EINVAL;
11499 
11500 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
11501 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
11502 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
11503 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
11504 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
11505 		return -EINVAL;
11506 
11507 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
11508 		if (auth_type != NL80211_AUTHTYPE_SAE &&
11509 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
11510 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
11511 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
11512 			return -EINVAL;
11513 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
11514 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
11515 	}
11516 
11517 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11518 
11519 	/*
11520 	 * Since we no longer track auth state, ignore
11521 	 * requests to only change local state.
11522 	 */
11523 	if (local_state_change)
11524 		return 0;
11525 
11526 	req.auth_type = auth_type;
11527 	req.key = key.p.key;
11528 	req.key_len = key.p.key_len;
11529 	req.key_idx = key.idx;
11530 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11531 	if (req.link_id >= 0) {
11532 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11533 			return -EINVAL;
11534 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
11535 			return -EINVAL;
11536 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11537 		if (!is_valid_ether_addr(req.ap_mld_addr))
11538 			return -EINVAL;
11539 	}
11540 
11541 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
11542 				   IEEE80211_BSS_TYPE_ESS,
11543 				   IEEE80211_PRIVACY_ANY);
11544 	if (!req.bss)
11545 		return -ENOENT;
11546 
11547 	err = cfg80211_mlme_auth(rdev, dev, &req);
11548 
11549 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11550 
11551 	return err;
11552 }
11553 
11554 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
11555 				     struct genl_info *info)
11556 {
11557 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11558 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
11559 		return -EINVAL;
11560 	}
11561 
11562 	if (!rdev->ops->tx_control_port ||
11563 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11564 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
11565 		return -EOPNOTSUPP;
11566 
11567 	return 0;
11568 }
11569 
11570 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
11571 				   struct genl_info *info,
11572 				   struct cfg80211_crypto_settings *settings,
11573 				   int cipher_limit)
11574 {
11575 	memset(settings, 0, sizeof(*settings));
11576 
11577 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
11578 
11579 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
11580 		u16 proto;
11581 
11582 		proto = nla_get_u16(
11583 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
11584 		settings->control_port_ethertype = cpu_to_be16(proto);
11585 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
11586 		    proto != ETH_P_PAE)
11587 			return -EINVAL;
11588 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
11589 			settings->control_port_no_encrypt = true;
11590 	} else
11591 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
11592 
11593 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11594 		int r = validate_pae_over_nl80211(rdev, info);
11595 
11596 		if (r < 0)
11597 			return r;
11598 
11599 		settings->control_port_over_nl80211 = true;
11600 
11601 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
11602 			settings->control_port_no_preauth = true;
11603 	}
11604 
11605 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
11606 		void *data;
11607 		int len, i;
11608 
11609 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11610 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11611 		settings->n_ciphers_pairwise = len / sizeof(u32);
11612 
11613 		if (len % sizeof(u32))
11614 			return -EINVAL;
11615 
11616 		if (settings->n_ciphers_pairwise > cipher_limit)
11617 			return -EINVAL;
11618 
11619 		memcpy(settings->ciphers_pairwise, data, len);
11620 
11621 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
11622 			if (!cfg80211_supported_cipher_suite(
11623 					&rdev->wiphy,
11624 					settings->ciphers_pairwise[i]))
11625 				return -EINVAL;
11626 	}
11627 
11628 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
11629 		settings->cipher_group =
11630 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
11631 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
11632 						     settings->cipher_group))
11633 			return -EINVAL;
11634 	}
11635 
11636 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
11637 		settings->wpa_versions =
11638 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
11639 
11640 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
11641 		void *data;
11642 		int len;
11643 
11644 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
11645 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
11646 		settings->n_akm_suites = len / sizeof(u32);
11647 
11648 		if (len % sizeof(u32))
11649 			return -EINVAL;
11650 
11651 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11652 			return -EINVAL;
11653 
11654 		memcpy(settings->akm_suites, data, len);
11655 	}
11656 
11657 	if (info->attrs[NL80211_ATTR_PMK]) {
11658 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11659 			return -EINVAL;
11660 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11661 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11662 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11663 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11664 			return -EINVAL;
11665 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11666 	}
11667 
11668 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11669 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11670 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11671 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11672 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11673 			return -EINVAL;
11674 		settings->sae_pwd =
11675 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11676 		settings->sae_pwd_len =
11677 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11678 	}
11679 
11680 	settings->sae_pwe =
11681 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
11682 				   NL80211_SAE_PWE_UNSPECIFIED);
11683 
11684 	return 0;
11685 }
11686 
11687 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11688 					      const u8 *ssid, int ssid_len,
11689 					      struct nlattr **attrs,
11690 					      int assoc_link_id, int link_id)
11691 {
11692 	struct ieee80211_channel *chan;
11693 	struct cfg80211_bss *bss;
11694 	const u8 *bssid;
11695 	u32 freq, use_for = 0;
11696 
11697 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11698 		return ERR_PTR(-EINVAL);
11699 
11700 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11701 
11702 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11703 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11704 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11705 
11706 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11707 	if (!chan)
11708 		return ERR_PTR(-EINVAL);
11709 
11710 	if (assoc_link_id >= 0)
11711 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11712 	if (assoc_link_id == link_id)
11713 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11714 
11715 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11716 				 ssid, ssid_len,
11717 				 IEEE80211_BSS_TYPE_ESS,
11718 				 IEEE80211_PRIVACY_ANY,
11719 				 use_for);
11720 	if (!bss)
11721 		return ERR_PTR(-ENOENT);
11722 
11723 	return bss;
11724 }
11725 
11726 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
11727 				 struct cfg80211_assoc_link *links,
11728 				 int assoc_link_id,
11729 				 const u8 *ssid, int ssid_len,
11730 				 struct genl_info *info)
11731 {
11732 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
11733 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
11734 	struct nlattr *link;
11735 	unsigned int link_id;
11736 	int rem, err;
11737 
11738 	if (!attrs)
11739 		return -ENOMEM;
11740 
11741 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
11742 		memset(attrs, 0, attrsize);
11743 
11744 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
11745 
11746 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11747 			NL_SET_BAD_ATTR(info->extack, link);
11748 			return -EINVAL;
11749 		}
11750 
11751 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11752 		/* cannot use the same link ID again */
11753 		if (links[link_id].bss) {
11754 			NL_SET_BAD_ATTR(info->extack, link);
11755 			return -EINVAL;
11756 		}
11757 		links[link_id].bss =
11758 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11759 					  assoc_link_id, link_id);
11760 		if (IS_ERR(links[link_id].bss)) {
11761 			err = PTR_ERR(links[link_id].bss);
11762 			links[link_id].bss = NULL;
11763 			NL_SET_ERR_MSG_ATTR(info->extack, link,
11764 					    "Error fetching BSS for link");
11765 			return err;
11766 		}
11767 
11768 		if (attrs[NL80211_ATTR_IE]) {
11769 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
11770 			links[link_id].elems_len =
11771 				nla_len(attrs[NL80211_ATTR_IE]);
11772 
11773 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11774 					       links[link_id].elems,
11775 					       links[link_id].elems_len)) {
11776 				NL_SET_ERR_MSG_ATTR(info->extack,
11777 						    attrs[NL80211_ATTR_IE],
11778 						    "cannot deal with fragmentation");
11779 				return -EINVAL;
11780 			}
11781 
11782 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11783 						   links[link_id].elems,
11784 						   links[link_id].elems_len)) {
11785 				NL_SET_ERR_MSG_ATTR(info->extack,
11786 						    attrs[NL80211_ATTR_IE],
11787 						    "cannot deal with non-inheritance");
11788 				return -EINVAL;
11789 			}
11790 		}
11791 
11792 		links[link_id].disabled =
11793 			nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11794 	}
11795 
11796 	return 0;
11797 }
11798 
11799 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11800 {
11801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11802 	struct net_device *dev = info->user_ptr[1];
11803 	struct cfg80211_assoc_request req = {};
11804 	const u8 *ap_addr, *ssid;
11805 	unsigned int link_id;
11806 	int err, ssid_len;
11807 
11808 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11809 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11810 		return -EPERM;
11811 
11812 	if (!info->attrs[NL80211_ATTR_SSID])
11813 		return -EINVAL;
11814 
11815 	if (!rdev->ops->assoc)
11816 		return -EOPNOTSUPP;
11817 
11818 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11819 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11820 		return -EOPNOTSUPP;
11821 
11822 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11823 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11824 
11825 	if (info->attrs[NL80211_ATTR_IE]) {
11826 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11827 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11828 
11829 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11830 					   req.ie, req.ie_len)) {
11831 			NL_SET_ERR_MSG_ATTR(info->extack,
11832 					    info->attrs[NL80211_ATTR_IE],
11833 					    "non-inheritance makes no sense");
11834 			return -EINVAL;
11835 		}
11836 	}
11837 
11838 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11839 		enum nl80211_mfp mfp =
11840 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11841 		if (mfp == NL80211_MFP_REQUIRED)
11842 			req.use_mfp = true;
11843 		else if (mfp != NL80211_MFP_NO)
11844 			return -EINVAL;
11845 	}
11846 
11847 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11848 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11849 
11850 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
11851 		req.supported_selectors =
11852 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11853 		req.supported_selectors_len =
11854 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11855 	}
11856 
11857 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11858 		req.flags |= ASSOC_REQ_DISABLE_HT;
11859 
11860 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11861 		memcpy(&req.ht_capa_mask,
11862 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11863 		       sizeof(req.ht_capa_mask));
11864 
11865 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11866 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11867 			return -EINVAL;
11868 		memcpy(&req.ht_capa,
11869 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11870 		       sizeof(req.ht_capa));
11871 	}
11872 
11873 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11874 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11875 
11876 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11877 		req.flags |= ASSOC_REQ_DISABLE_HE;
11878 
11879 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11880 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11881 
11882 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11883 		memcpy(&req.vht_capa_mask,
11884 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11885 		       sizeof(req.vht_capa_mask));
11886 
11887 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11888 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11889 			return -EINVAL;
11890 		memcpy(&req.vht_capa,
11891 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11892 		       sizeof(req.vht_capa));
11893 	}
11894 
11895 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11896 		if (!((rdev->wiphy.features &
11897 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11898 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11899 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11900 					     NL80211_EXT_FEATURE_RRM))
11901 			return -EINVAL;
11902 		req.flags |= ASSOC_REQ_USE_RRM;
11903 	}
11904 
11905 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11906 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11907 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11908 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11909 			return -EINVAL;
11910 		req.fils_nonces =
11911 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11912 	}
11913 
11914 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11915 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11916 			return -EINVAL;
11917 		memcpy(&req.s1g_capa_mask,
11918 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11919 		       sizeof(req.s1g_capa_mask));
11920 	}
11921 
11922 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11923 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11924 			return -EINVAL;
11925 		memcpy(&req.s1g_capa,
11926 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11927 		       sizeof(req.s1g_capa));
11928 	}
11929 
11930 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11931 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11932 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11933 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11934 			return -EINVAL;
11935 		}
11936 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11937 	}
11938 
11939 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11940 
11941 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11942 		if (req.link_id < 0)
11943 			return -EINVAL;
11944 
11945 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11946 			return -EINVAL;
11947 
11948 		if (info->attrs[NL80211_ATTR_MAC] ||
11949 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11950 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11951 			return -EINVAL;
11952 
11953 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11954 		ap_addr = req.ap_mld_addr;
11955 
11956 		err = nl80211_process_links(rdev, req.links, req.link_id,
11957 					    ssid, ssid_len, info);
11958 		if (err)
11959 			goto free;
11960 
11961 		if (!req.links[req.link_id].bss) {
11962 			err = -EINVAL;
11963 			goto free;
11964 		}
11965 
11966 		if (req.links[req.link_id].elems_len) {
11967 			GENL_SET_ERR_MSG(info,
11968 					 "cannot have per-link elems on assoc link");
11969 			err = -EINVAL;
11970 			goto free;
11971 		}
11972 
11973 		if (req.links[req.link_id].disabled) {
11974 			GENL_SET_ERR_MSG(info,
11975 					 "cannot have assoc link disabled");
11976 			err = -EINVAL;
11977 			goto free;
11978 		}
11979 
11980 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
11981 			req.ext_mld_capa_ops =
11982 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
11983 	} else {
11984 		if (req.link_id >= 0)
11985 			return -EINVAL;
11986 
11987 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11988 					    -1, -1);
11989 		if (IS_ERR(req.bss))
11990 			return PTR_ERR(req.bss);
11991 		ap_addr = req.bss->bssid;
11992 
11993 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
11994 			return -EINVAL;
11995 	}
11996 
11997 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11998 	if (!err) {
11999 		struct nlattr *link;
12000 		int rem = 0;
12001 
12002 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12003 					  info->extack);
12004 
12005 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12006 			dev->ieee80211_ptr->conn_owner_nlportid =
12007 				info->snd_portid;
12008 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12009 			       ap_addr, ETH_ALEN);
12010 		}
12011 
12012 		/* Report error from first problematic link */
12013 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12014 			nla_for_each_nested(link,
12015 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12016 					    rem) {
12017 				struct nlattr *link_id_attr =
12018 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12019 
12020 				if (!link_id_attr)
12021 					continue;
12022 
12023 				link_id = nla_get_u8(link_id_attr);
12024 
12025 				if (link_id == req.link_id)
12026 					continue;
12027 
12028 				if (!req.links[link_id].error ||
12029 				    WARN_ON(req.links[link_id].error > 0))
12030 					continue;
12031 
12032 				WARN_ON(err >= 0);
12033 
12034 				NL_SET_BAD_ATTR(info->extack, link);
12035 				err = req.links[link_id].error;
12036 				break;
12037 			}
12038 		}
12039 	}
12040 
12041 free:
12042 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12043 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12044 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12045 
12046 	return err;
12047 }
12048 
12049 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12050 {
12051 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12052 	struct net_device *dev = info->user_ptr[1];
12053 	const u8 *ie = NULL, *bssid;
12054 	int ie_len = 0;
12055 	u16 reason_code;
12056 	bool local_state_change;
12057 
12058 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12059 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12060 		return -EPERM;
12061 
12062 	if (!info->attrs[NL80211_ATTR_MAC])
12063 		return -EINVAL;
12064 
12065 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12066 		return -EINVAL;
12067 
12068 	if (!rdev->ops->deauth)
12069 		return -EOPNOTSUPP;
12070 
12071 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12072 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12073 		return -EOPNOTSUPP;
12074 
12075 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12076 
12077 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12078 	if (reason_code == 0) {
12079 		/* Reason Code 0 is reserved */
12080 		return -EINVAL;
12081 	}
12082 
12083 	if (info->attrs[NL80211_ATTR_IE]) {
12084 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12085 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12086 	}
12087 
12088 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12089 
12090 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12091 				    local_state_change);
12092 }
12093 
12094 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12095 {
12096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12097 	struct net_device *dev = info->user_ptr[1];
12098 	const u8 *ie = NULL, *bssid;
12099 	int ie_len = 0;
12100 	u16 reason_code;
12101 	bool local_state_change;
12102 
12103 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12104 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12105 		return -EPERM;
12106 
12107 	if (!info->attrs[NL80211_ATTR_MAC])
12108 		return -EINVAL;
12109 
12110 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12111 		return -EINVAL;
12112 
12113 	if (!rdev->ops->disassoc)
12114 		return -EOPNOTSUPP;
12115 
12116 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12117 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12118 		return -EOPNOTSUPP;
12119 
12120 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12121 
12122 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12123 	if (reason_code == 0) {
12124 		/* Reason Code 0 is reserved */
12125 		return -EINVAL;
12126 	}
12127 
12128 	if (info->attrs[NL80211_ATTR_IE]) {
12129 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12130 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12131 	}
12132 
12133 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12134 
12135 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
12136 				      local_state_change);
12137 }
12138 
12139 static bool
12140 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
12141 			 int mcast_rate[NUM_NL80211_BANDS],
12142 			 int rateval)
12143 {
12144 	struct wiphy *wiphy = &rdev->wiphy;
12145 	bool found = false;
12146 	int band, i;
12147 
12148 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
12149 		struct ieee80211_supported_band *sband;
12150 
12151 		sband = wiphy->bands[band];
12152 		if (!sband)
12153 			continue;
12154 
12155 		for (i = 0; i < sband->n_bitrates; i++) {
12156 			if (sband->bitrates[i].bitrate == rateval) {
12157 				mcast_rate[band] = i + 1;
12158 				found = true;
12159 				break;
12160 			}
12161 		}
12162 	}
12163 
12164 	return found;
12165 }
12166 
12167 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
12168 {
12169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12170 	struct net_device *dev = info->user_ptr[1];
12171 	struct cfg80211_ibss_params ibss;
12172 	struct wiphy *wiphy;
12173 	struct cfg80211_cached_keys *connkeys = NULL;
12174 	int err;
12175 
12176 	memset(&ibss, 0, sizeof(ibss));
12177 
12178 	if (!info->attrs[NL80211_ATTR_SSID] ||
12179 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12180 		return -EINVAL;
12181 
12182 	ibss.beacon_interval = 100;
12183 
12184 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
12185 		ibss.beacon_interval =
12186 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12187 
12188 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
12189 					   ibss.beacon_interval);
12190 	if (err)
12191 		return err;
12192 
12193 	if (!rdev->ops->join_ibss)
12194 		return -EOPNOTSUPP;
12195 
12196 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12197 		return -EOPNOTSUPP;
12198 
12199 	wiphy = &rdev->wiphy;
12200 
12201 	if (info->attrs[NL80211_ATTR_MAC]) {
12202 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12203 
12204 		if (!is_valid_ether_addr(ibss.bssid))
12205 			return -EINVAL;
12206 	}
12207 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12208 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12209 
12210 	if (info->attrs[NL80211_ATTR_IE]) {
12211 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12212 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12213 	}
12214 
12215 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
12216 	if (err)
12217 		return err;
12218 
12219 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
12220 				     NL80211_IFTYPE_ADHOC))
12221 		return -EINVAL;
12222 
12223 	switch (ibss.chandef.width) {
12224 	case NL80211_CHAN_WIDTH_5:
12225 	case NL80211_CHAN_WIDTH_10:
12226 	case NL80211_CHAN_WIDTH_20_NOHT:
12227 		break;
12228 	case NL80211_CHAN_WIDTH_20:
12229 	case NL80211_CHAN_WIDTH_40:
12230 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12231 			return -EINVAL;
12232 		break;
12233 	case NL80211_CHAN_WIDTH_80:
12234 	case NL80211_CHAN_WIDTH_80P80:
12235 	case NL80211_CHAN_WIDTH_160:
12236 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12237 			return -EINVAL;
12238 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12239 					     NL80211_EXT_FEATURE_VHT_IBSS))
12240 			return -EINVAL;
12241 		break;
12242 	case NL80211_CHAN_WIDTH_320:
12243 		return -EINVAL;
12244 	default:
12245 		return -EINVAL;
12246 	}
12247 
12248 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
12249 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
12250 
12251 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12252 		u8 *rates =
12253 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12254 		int n_rates =
12255 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12256 		struct ieee80211_supported_band *sband =
12257 			wiphy->bands[ibss.chandef.chan->band];
12258 
12259 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12260 					     &ibss.basic_rates);
12261 		if (err)
12262 			return err;
12263 	}
12264 
12265 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12266 		memcpy(&ibss.ht_capa_mask,
12267 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12268 		       sizeof(ibss.ht_capa_mask));
12269 
12270 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12271 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12272 			return -EINVAL;
12273 		memcpy(&ibss.ht_capa,
12274 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12275 		       sizeof(ibss.ht_capa));
12276 	}
12277 
12278 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12279 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
12280 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12281 		return -EINVAL;
12282 
12283 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12284 		bool no_ht = false;
12285 
12286 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
12287 		if (IS_ERR(connkeys))
12288 			return PTR_ERR(connkeys);
12289 
12290 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
12291 		    no_ht) {
12292 			kfree_sensitive(connkeys);
12293 			return -EINVAL;
12294 		}
12295 	}
12296 
12297 	ibss.control_port =
12298 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
12299 
12300 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12301 		int r = validate_pae_over_nl80211(rdev, info);
12302 
12303 		if (r < 0) {
12304 			kfree_sensitive(connkeys);
12305 			return r;
12306 		}
12307 
12308 		ibss.control_port_over_nl80211 = true;
12309 	}
12310 
12311 	ibss.userspace_handles_dfs =
12312 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12313 
12314 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
12315 	if (err)
12316 		kfree_sensitive(connkeys);
12317 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
12318 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12319 
12320 	return err;
12321 }
12322 
12323 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
12324 {
12325 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12326 	struct net_device *dev = info->user_ptr[1];
12327 
12328 	if (!rdev->ops->leave_ibss)
12329 		return -EOPNOTSUPP;
12330 
12331 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12332 		return -EOPNOTSUPP;
12333 
12334 	return cfg80211_leave_ibss(rdev, dev, false);
12335 }
12336 
12337 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
12338 {
12339 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12340 	struct net_device *dev = info->user_ptr[1];
12341 	int mcast_rate[NUM_NL80211_BANDS];
12342 	u32 nla_rate;
12343 
12344 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
12345 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
12346 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
12347 		return -EOPNOTSUPP;
12348 
12349 	if (!rdev->ops->set_mcast_rate)
12350 		return -EOPNOTSUPP;
12351 
12352 	memset(mcast_rate, 0, sizeof(mcast_rate));
12353 
12354 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
12355 		return -EINVAL;
12356 
12357 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
12358 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
12359 		return -EINVAL;
12360 
12361 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
12362 }
12363 
12364 static struct sk_buff *
12365 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
12366 			    struct wireless_dev *wdev, int approxlen,
12367 			    u32 portid, u32 seq, enum nl80211_commands cmd,
12368 			    enum nl80211_attrs attr,
12369 			    const struct nl80211_vendor_cmd_info *info,
12370 			    gfp_t gfp)
12371 {
12372 	struct sk_buff *skb;
12373 	void *hdr;
12374 	struct nlattr *data;
12375 
12376 	skb = nlmsg_new(approxlen + 100, gfp);
12377 	if (!skb)
12378 		return NULL;
12379 
12380 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
12381 	if (!hdr) {
12382 		kfree_skb(skb);
12383 		return NULL;
12384 	}
12385 
12386 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12387 		goto nla_put_failure;
12388 
12389 	if (info) {
12390 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
12391 				info->vendor_id))
12392 			goto nla_put_failure;
12393 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
12394 				info->subcmd))
12395 			goto nla_put_failure;
12396 	}
12397 
12398 	if (wdev) {
12399 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12400 				      wdev_id(wdev), NL80211_ATTR_PAD))
12401 			goto nla_put_failure;
12402 		if (wdev->netdev &&
12403 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
12404 				wdev->netdev->ifindex))
12405 			goto nla_put_failure;
12406 	}
12407 
12408 	data = nla_nest_start_noflag(skb, attr);
12409 	if (!data)
12410 		goto nla_put_failure;
12411 
12412 	((void **)skb->cb)[0] = rdev;
12413 	((void **)skb->cb)[1] = hdr;
12414 	((void **)skb->cb)[2] = data;
12415 
12416 	return skb;
12417 
12418  nla_put_failure:
12419 	kfree_skb(skb);
12420 	return NULL;
12421 }
12422 
12423 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
12424 					   struct wireless_dev *wdev,
12425 					   enum nl80211_commands cmd,
12426 					   enum nl80211_attrs attr,
12427 					   unsigned int portid,
12428 					   int vendor_event_idx,
12429 					   int approxlen, gfp_t gfp)
12430 {
12431 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12432 	const struct nl80211_vendor_cmd_info *info;
12433 
12434 	switch (cmd) {
12435 	case NL80211_CMD_TESTMODE:
12436 		if (WARN_ON(vendor_event_idx != -1))
12437 			return NULL;
12438 		info = NULL;
12439 		break;
12440 	case NL80211_CMD_VENDOR:
12441 		if (WARN_ON(vendor_event_idx < 0 ||
12442 			    vendor_event_idx >= wiphy->n_vendor_events))
12443 			return NULL;
12444 		info = &wiphy->vendor_events[vendor_event_idx];
12445 		break;
12446 	default:
12447 		WARN_ON(1);
12448 		return NULL;
12449 	}
12450 
12451 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
12452 					   cmd, attr, info, gfp);
12453 }
12454 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
12455 
12456 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
12457 {
12458 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
12459 	void *hdr = ((void **)skb->cb)[1];
12460 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
12461 	struct nlattr *data = ((void **)skb->cb)[2];
12462 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
12463 
12464 	/* clear CB data for netlink core to own from now on */
12465 	memset(skb->cb, 0, sizeof(skb->cb));
12466 
12467 	nla_nest_end(skb, data);
12468 	genlmsg_end(skb, hdr);
12469 
12470 	if (nlhdr->nlmsg_pid) {
12471 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
12472 				nlhdr->nlmsg_pid);
12473 	} else {
12474 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
12475 			mcgrp = NL80211_MCGRP_VENDOR;
12476 
12477 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12478 					skb, 0, mcgrp, gfp);
12479 	}
12480 }
12481 EXPORT_SYMBOL(__cfg80211_send_event_skb);
12482 
12483 #ifdef CONFIG_NL80211_TESTMODE
12484 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
12485 {
12486 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12487 	struct wireless_dev *wdev;
12488 	int err;
12489 
12490 	lockdep_assert_held(&rdev->wiphy.mtx);
12491 
12492 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
12493 					  info->attrs);
12494 
12495 	if (!rdev->ops->testmode_cmd)
12496 		return -EOPNOTSUPP;
12497 
12498 	if (IS_ERR(wdev)) {
12499 		err = PTR_ERR(wdev);
12500 		if (err != -EINVAL)
12501 			return err;
12502 		wdev = NULL;
12503 	} else if (wdev->wiphy != &rdev->wiphy) {
12504 		return -EINVAL;
12505 	}
12506 
12507 	if (!info->attrs[NL80211_ATTR_TESTDATA])
12508 		return -EINVAL;
12509 
12510 	rdev->cur_cmd_info = info;
12511 	err = rdev_testmode_cmd(rdev, wdev,
12512 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
12513 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
12514 	rdev->cur_cmd_info = NULL;
12515 
12516 	return err;
12517 }
12518 
12519 static int nl80211_testmode_dump(struct sk_buff *skb,
12520 				 struct netlink_callback *cb)
12521 {
12522 	struct cfg80211_registered_device *rdev;
12523 	struct nlattr **attrbuf = NULL;
12524 	int err;
12525 	long phy_idx;
12526 	void *data = NULL;
12527 	int data_len = 0;
12528 
12529 	rtnl_lock();
12530 
12531 	if (cb->args[0]) {
12532 		/*
12533 		 * 0 is a valid index, but not valid for args[0],
12534 		 * so we need to offset by 1.
12535 		 */
12536 		phy_idx = cb->args[0] - 1;
12537 
12538 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
12539 		if (!rdev) {
12540 			err = -ENOENT;
12541 			goto out_err;
12542 		}
12543 	} else {
12544 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
12545 				  GFP_KERNEL);
12546 		if (!attrbuf) {
12547 			err = -ENOMEM;
12548 			goto out_err;
12549 		}
12550 
12551 		err = nlmsg_parse_deprecated(cb->nlh,
12552 					     GENL_HDRLEN + nl80211_fam.hdrsize,
12553 					     attrbuf, nl80211_fam.maxattr,
12554 					     nl80211_policy, NULL);
12555 		if (err)
12556 			goto out_err;
12557 
12558 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12559 		if (IS_ERR(rdev)) {
12560 			err = PTR_ERR(rdev);
12561 			goto out_err;
12562 		}
12563 		phy_idx = rdev->wiphy_idx;
12564 
12565 		if (attrbuf[NL80211_ATTR_TESTDATA])
12566 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
12567 	}
12568 
12569 	if (cb->args[1]) {
12570 		data = nla_data((void *)cb->args[1]);
12571 		data_len = nla_len((void *)cb->args[1]);
12572 	}
12573 
12574 	if (!rdev->ops->testmode_dump) {
12575 		err = -EOPNOTSUPP;
12576 		goto out_err;
12577 	}
12578 
12579 	while (1) {
12580 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
12581 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
12582 					   NL80211_CMD_TESTMODE);
12583 		struct nlattr *tmdata;
12584 
12585 		if (!hdr)
12586 			break;
12587 
12588 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
12589 			genlmsg_cancel(skb, hdr);
12590 			break;
12591 		}
12592 
12593 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
12594 		if (!tmdata) {
12595 			genlmsg_cancel(skb, hdr);
12596 			break;
12597 		}
12598 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
12599 		nla_nest_end(skb, tmdata);
12600 
12601 		if (err == -ENOBUFS || err == -ENOENT) {
12602 			genlmsg_cancel(skb, hdr);
12603 			break;
12604 		} else if (err) {
12605 			genlmsg_cancel(skb, hdr);
12606 			goto out_err;
12607 		}
12608 
12609 		genlmsg_end(skb, hdr);
12610 	}
12611 
12612 	err = skb->len;
12613 	/* see above */
12614 	cb->args[0] = phy_idx + 1;
12615  out_err:
12616 	kfree(attrbuf);
12617 	rtnl_unlock();
12618 	return err;
12619 }
12620 #endif
12621 
12622 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
12623 {
12624 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12625 	struct net_device *dev = info->user_ptr[1];
12626 	struct cfg80211_connect_params connect;
12627 	struct wiphy *wiphy;
12628 	struct cfg80211_cached_keys *connkeys = NULL;
12629 	u32 freq = 0;
12630 	int err;
12631 
12632 	memset(&connect, 0, sizeof(connect));
12633 
12634 	if (!info->attrs[NL80211_ATTR_SSID] ||
12635 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12636 		return -EINVAL;
12637 
12638 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12639 		connect.auth_type =
12640 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12641 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
12642 					     NL80211_CMD_CONNECT))
12643 			return -EINVAL;
12644 	} else
12645 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
12646 
12647 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
12648 
12649 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
12650 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12651 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12652 		return -EINVAL;
12653 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
12654 
12655 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
12656 				      NL80211_MAX_NR_CIPHER_SUITES);
12657 	if (err)
12658 		return err;
12659 
12660 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12661 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12662 		return -EOPNOTSUPP;
12663 
12664 	wiphy = &rdev->wiphy;
12665 
12666 	connect.bg_scan_period = -1;
12667 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12668 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12669 		connect.bg_scan_period =
12670 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12671 	}
12672 
12673 	if (info->attrs[NL80211_ATTR_MAC])
12674 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12675 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12676 		connect.bssid_hint =
12677 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12678 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12679 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12680 
12681 	if (info->attrs[NL80211_ATTR_IE]) {
12682 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12683 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12684 	}
12685 
12686 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12687 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12688 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12689 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12690 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12691 			return -EOPNOTSUPP;
12692 	} else {
12693 		connect.mfp = NL80211_MFP_NO;
12694 	}
12695 
12696 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12697 		connect.prev_bssid =
12698 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12699 
12700 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12701 		freq = MHZ_TO_KHZ(nla_get_u32(
12702 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12703 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12704 		freq +=
12705 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12706 
12707 	if (freq) {
12708 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12709 		if (!connect.channel)
12710 			return -EINVAL;
12711 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12712 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12713 		freq = MHZ_TO_KHZ(freq);
12714 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12715 		if (!connect.channel_hint)
12716 			return -EINVAL;
12717 	}
12718 
12719 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12720 		connect.edmg.channels =
12721 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12722 
12723 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12724 			connect.edmg.bw_config =
12725 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12726 	}
12727 
12728 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12729 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12730 		if (IS_ERR(connkeys))
12731 			return PTR_ERR(connkeys);
12732 	}
12733 
12734 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12735 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12736 
12737 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12738 		memcpy(&connect.ht_capa_mask,
12739 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12740 		       sizeof(connect.ht_capa_mask));
12741 
12742 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12743 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12744 			kfree_sensitive(connkeys);
12745 			return -EINVAL;
12746 		}
12747 		memcpy(&connect.ht_capa,
12748 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12749 		       sizeof(connect.ht_capa));
12750 	}
12751 
12752 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12753 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12754 
12755 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12756 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12757 
12758 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12759 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12760 
12761 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12762 		memcpy(&connect.vht_capa_mask,
12763 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12764 		       sizeof(connect.vht_capa_mask));
12765 
12766 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12767 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12768 			kfree_sensitive(connkeys);
12769 			return -EINVAL;
12770 		}
12771 		memcpy(&connect.vht_capa,
12772 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12773 		       sizeof(connect.vht_capa));
12774 	}
12775 
12776 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12777 		if (!((rdev->wiphy.features &
12778 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12779 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12780 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12781 					     NL80211_EXT_FEATURE_RRM)) {
12782 			kfree_sensitive(connkeys);
12783 			return -EINVAL;
12784 		}
12785 		connect.flags |= ASSOC_REQ_USE_RRM;
12786 	}
12787 
12788 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12789 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12790 		kfree_sensitive(connkeys);
12791 		return -EOPNOTSUPP;
12792 	}
12793 
12794 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12795 		/* bss selection makes no sense if bssid is set */
12796 		if (connect.bssid) {
12797 			kfree_sensitive(connkeys);
12798 			return -EINVAL;
12799 		}
12800 
12801 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12802 				       wiphy, &connect.bss_select);
12803 		if (err) {
12804 			kfree_sensitive(connkeys);
12805 			return err;
12806 		}
12807 	}
12808 
12809 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12810 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12811 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12812 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12813 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12814 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12815 		connect.fils_erp_username =
12816 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12817 		connect.fils_erp_username_len =
12818 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12819 		connect.fils_erp_realm =
12820 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12821 		connect.fils_erp_realm_len =
12822 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12823 		connect.fils_erp_next_seq_num =
12824 			nla_get_u16(
12825 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12826 		connect.fils_erp_rrk =
12827 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12828 		connect.fils_erp_rrk_len =
12829 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12830 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12831 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12832 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12833 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12834 		kfree_sensitive(connkeys);
12835 		return -EINVAL;
12836 	}
12837 
12838 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12839 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12840 			kfree_sensitive(connkeys);
12841 			GENL_SET_ERR_MSG(info,
12842 					 "external auth requires connection ownership");
12843 			return -EINVAL;
12844 		}
12845 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12846 	}
12847 
12848 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12849 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12850 
12851 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12852 			       connect.prev_bssid);
12853 	if (err)
12854 		kfree_sensitive(connkeys);
12855 
12856 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12857 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12858 		if (connect.bssid)
12859 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12860 			       connect.bssid, ETH_ALEN);
12861 		else
12862 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12863 	}
12864 
12865 	return err;
12866 }
12867 
12868 static int nl80211_update_connect_params(struct sk_buff *skb,
12869 					 struct genl_info *info)
12870 {
12871 	struct cfg80211_connect_params connect = {};
12872 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12873 	struct net_device *dev = info->user_ptr[1];
12874 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12875 	bool fils_sk_offload;
12876 	u32 auth_type;
12877 	u32 changed = 0;
12878 
12879 	if (!rdev->ops->update_connect_params)
12880 		return -EOPNOTSUPP;
12881 
12882 	if (info->attrs[NL80211_ATTR_IE]) {
12883 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12884 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12885 		changed |= UPDATE_ASSOC_IES;
12886 	}
12887 
12888 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12889 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12890 
12891 	/*
12892 	 * when driver supports fils-sk offload all attributes must be
12893 	 * provided. So the else covers "fils-sk-not-all" and
12894 	 * "no-fils-sk-any".
12895 	 */
12896 	if (fils_sk_offload &&
12897 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12898 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12899 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12900 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12901 		connect.fils_erp_username =
12902 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12903 		connect.fils_erp_username_len =
12904 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12905 		connect.fils_erp_realm =
12906 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12907 		connect.fils_erp_realm_len =
12908 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12909 		connect.fils_erp_next_seq_num =
12910 			nla_get_u16(
12911 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12912 		connect.fils_erp_rrk =
12913 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12914 		connect.fils_erp_rrk_len =
12915 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12916 		changed |= UPDATE_FILS_ERP_INFO;
12917 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12918 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12919 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12920 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12921 		return -EINVAL;
12922 	}
12923 
12924 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12925 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12926 		if (!nl80211_valid_auth_type(rdev, auth_type,
12927 					     NL80211_CMD_CONNECT))
12928 			return -EINVAL;
12929 
12930 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12931 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12932 			return -EINVAL;
12933 
12934 		connect.auth_type = auth_type;
12935 		changed |= UPDATE_AUTH_TYPE;
12936 	}
12937 
12938 	if (!wdev->connected)
12939 		return -ENOLINK;
12940 
12941 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12942 }
12943 
12944 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12945 {
12946 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12947 	struct net_device *dev = info->user_ptr[1];
12948 	u16 reason;
12949 
12950 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12951 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12952 		return -EPERM;
12953 
12954 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
12955 				     WLAN_REASON_DEAUTH_LEAVING);
12956 
12957 	if (reason == 0)
12958 		return -EINVAL;
12959 
12960 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12961 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12962 		return -EOPNOTSUPP;
12963 
12964 	return cfg80211_disconnect(rdev, dev, reason, true);
12965 }
12966 
12967 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12968 {
12969 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12970 	struct net *net;
12971 	int err;
12972 
12973 	if (info->attrs[NL80211_ATTR_PID]) {
12974 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12975 
12976 		net = get_net_ns_by_pid(pid);
12977 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12978 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12979 
12980 		net = get_net_ns_by_fd(fd);
12981 	} else {
12982 		return -EINVAL;
12983 	}
12984 
12985 	if (IS_ERR(net))
12986 		return PTR_ERR(net);
12987 
12988 	err = 0;
12989 
12990 	/* check if anything to do */
12991 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12992 		err = cfg80211_switch_netns(rdev, net);
12993 
12994 	put_net(net);
12995 	return err;
12996 }
12997 
12998 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12999 {
13000 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13001 	struct net_device *dev = info->user_ptr[1];
13002 	struct cfg80211_pmksa pmksa;
13003 	bool ap_pmksa_caching_support = false;
13004 
13005 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13006 
13007 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13008 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13009 
13010 	if (!info->attrs[NL80211_ATTR_PMKID])
13011 		return -EINVAL;
13012 
13013 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13014 
13015 	if (info->attrs[NL80211_ATTR_MAC]) {
13016 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13017 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13018 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13019 	           info->attrs[NL80211_ATTR_PMK]) {
13020 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13021 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13022 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13023 	} else {
13024 		return -EINVAL;
13025 	}
13026 
13027 	if (info->attrs[NL80211_ATTR_PMK]) {
13028 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13029 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13030 	}
13031 
13032 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13033 		pmksa.pmk_lifetime =
13034 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13035 
13036 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13037 		pmksa.pmk_reauth_threshold =
13038 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13039 
13040 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13041 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13042 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13043 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13044 	       ap_pmksa_caching_support))
13045 		return -EOPNOTSUPP;
13046 
13047 	if (!rdev->ops->set_pmksa)
13048 		return -EOPNOTSUPP;
13049 
13050 	return rdev_set_pmksa(rdev, dev, &pmksa);
13051 }
13052 
13053 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13054 {
13055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13056 	struct net_device *dev = info->user_ptr[1];
13057 	struct cfg80211_pmksa pmksa;
13058 	bool sae_offload_support = false;
13059 	bool owe_offload_support = false;
13060 	bool ap_pmksa_caching_support = false;
13061 
13062 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13063 
13064 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13065 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13066 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13067 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13068 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13069 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13070 
13071 	if (info->attrs[NL80211_ATTR_PMKID])
13072 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13073 
13074 	if (info->attrs[NL80211_ATTR_MAC]) {
13075 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13076 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13077 		/* SSID based pmksa flush supported only for FILS,
13078 		 * OWE/SAE OFFLOAD cases
13079 		 */
13080 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13081 		    info->attrs[NL80211_ATTR_PMK]) {
13082 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13083 		} else if (!sae_offload_support && !owe_offload_support) {
13084 			return -EINVAL;
13085 		}
13086 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13087 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13088 	} else {
13089 		return -EINVAL;
13090 	}
13091 
13092 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13093 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13094 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13095 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13096 	       ap_pmksa_caching_support))
13097 		return -EOPNOTSUPP;
13098 
13099 	if (!rdev->ops->del_pmksa)
13100 		return -EOPNOTSUPP;
13101 
13102 	return rdev_del_pmksa(rdev, dev, &pmksa);
13103 }
13104 
13105 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13106 {
13107 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13108 	struct net_device *dev = info->user_ptr[1];
13109 
13110 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13111 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13112 		return -EOPNOTSUPP;
13113 
13114 	if (!rdev->ops->flush_pmksa)
13115 		return -EOPNOTSUPP;
13116 
13117 	return rdev_flush_pmksa(rdev, dev);
13118 }
13119 
13120 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
13121 {
13122 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13123 	struct net_device *dev = info->user_ptr[1];
13124 	u8 action_code, dialog_token;
13125 	u32 peer_capability = 0;
13126 	u16 status_code;
13127 	u8 *peer;
13128 	int link_id;
13129 	bool initiator;
13130 
13131 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13132 	    !rdev->ops->tdls_mgmt)
13133 		return -EOPNOTSUPP;
13134 
13135 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
13136 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
13137 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
13138 	    !info->attrs[NL80211_ATTR_IE] ||
13139 	    !info->attrs[NL80211_ATTR_MAC])
13140 		return -EINVAL;
13141 
13142 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13143 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
13144 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13145 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
13146 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
13147 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
13148 		peer_capability =
13149 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
13150 	link_id = nl80211_link_id_or_invalid(info->attrs);
13151 
13152 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
13153 			      dialog_token, status_code, peer_capability,
13154 			      initiator,
13155 			      nla_data(info->attrs[NL80211_ATTR_IE]),
13156 			      nla_len(info->attrs[NL80211_ATTR_IE]));
13157 }
13158 
13159 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
13160 {
13161 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13162 	struct net_device *dev = info->user_ptr[1];
13163 	enum nl80211_tdls_operation operation;
13164 	u8 *peer;
13165 
13166 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13167 	    !rdev->ops->tdls_oper)
13168 		return -EOPNOTSUPP;
13169 
13170 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
13171 	    !info->attrs[NL80211_ATTR_MAC])
13172 		return -EINVAL;
13173 
13174 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
13175 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13176 
13177 	return rdev_tdls_oper(rdev, dev, peer, operation);
13178 }
13179 
13180 static int nl80211_remain_on_channel(struct sk_buff *skb,
13181 				     struct genl_info *info)
13182 {
13183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13184 	unsigned int link_id = nl80211_link_id(info->attrs);
13185 	struct wireless_dev *wdev = info->user_ptr[1];
13186 	struct cfg80211_chan_def chandef;
13187 	struct sk_buff *msg;
13188 	void *hdr;
13189 	u64 cookie;
13190 	u32 duration;
13191 	int err;
13192 
13193 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13194 	    !info->attrs[NL80211_ATTR_DURATION])
13195 		return -EINVAL;
13196 
13197 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13198 
13199 	if (!rdev->ops->remain_on_channel ||
13200 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
13201 		return -EOPNOTSUPP;
13202 
13203 	/*
13204 	 * We should be on that channel for at least a minimum amount of
13205 	 * time (10ms) but no longer than the driver supports.
13206 	 */
13207 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13208 	    duration > rdev->wiphy.max_remain_on_channel_duration)
13209 		return -EINVAL;
13210 
13211 	err = nl80211_parse_chandef(rdev, info, &chandef);
13212 	if (err)
13213 		return err;
13214 
13215 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
13216 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
13217 
13218 		oper_chandef = wdev_chandef(wdev, link_id);
13219 
13220 		if (WARN_ON(!oper_chandef)) {
13221 			/* cannot happen since we must beacon to get here */
13222 			WARN_ON(1);
13223 			return -EBUSY;
13224 		}
13225 
13226 		/* note: returns first one if identical chandefs */
13227 		compat_chandef = cfg80211_chandef_compatible(&chandef,
13228 							     oper_chandef);
13229 
13230 		if (compat_chandef != &chandef)
13231 			return -EBUSY;
13232 	}
13233 
13234 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13235 	if (!msg)
13236 		return -ENOMEM;
13237 
13238 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13239 			     NL80211_CMD_REMAIN_ON_CHANNEL);
13240 	if (!hdr) {
13241 		err = -ENOBUFS;
13242 		goto free_msg;
13243 	}
13244 
13245 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
13246 				     duration, &cookie);
13247 
13248 	if (err)
13249 		goto free_msg;
13250 
13251 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13252 			      NL80211_ATTR_PAD))
13253 		goto nla_put_failure;
13254 
13255 	genlmsg_end(msg, hdr);
13256 
13257 	return genlmsg_reply(msg, info);
13258 
13259  nla_put_failure:
13260 	err = -ENOBUFS;
13261  free_msg:
13262 	nlmsg_free(msg);
13263 	return err;
13264 }
13265 
13266 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
13267 					    struct genl_info *info)
13268 {
13269 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13270 	struct wireless_dev *wdev = info->user_ptr[1];
13271 	u64 cookie;
13272 
13273 	if (!info->attrs[NL80211_ATTR_COOKIE])
13274 		return -EINVAL;
13275 
13276 	if (!rdev->ops->cancel_remain_on_channel)
13277 		return -EOPNOTSUPP;
13278 
13279 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13280 
13281 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
13282 }
13283 
13284 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
13285 				       struct genl_info *info)
13286 {
13287 	struct cfg80211_bitrate_mask mask;
13288 	unsigned int link_id = nl80211_link_id(info->attrs);
13289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13290 	struct net_device *dev = info->user_ptr[1];
13291 	int err;
13292 
13293 	if (!rdev->ops->set_bitrate_mask)
13294 		return -EOPNOTSUPP;
13295 
13296 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13297 					    NL80211_ATTR_TX_RATES, &mask,
13298 					    dev, true, link_id);
13299 	if (err)
13300 		return err;
13301 
13302 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
13303 }
13304 
13305 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
13306 {
13307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13308 	struct wireless_dev *wdev = info->user_ptr[1];
13309 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
13310 
13311 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
13312 		return -EINVAL;
13313 
13314 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
13315 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
13316 
13317 	switch (wdev->iftype) {
13318 	case NL80211_IFTYPE_STATION:
13319 	case NL80211_IFTYPE_ADHOC:
13320 	case NL80211_IFTYPE_P2P_CLIENT:
13321 	case NL80211_IFTYPE_AP:
13322 	case NL80211_IFTYPE_AP_VLAN:
13323 	case NL80211_IFTYPE_MESH_POINT:
13324 	case NL80211_IFTYPE_P2P_GO:
13325 	case NL80211_IFTYPE_P2P_DEVICE:
13326 		break;
13327 	case NL80211_IFTYPE_NAN:
13328 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13329 					     NL80211_EXT_FEATURE_SECURE_NAN))
13330 			return -EOPNOTSUPP;
13331 		break;
13332 	default:
13333 		return -EOPNOTSUPP;
13334 	}
13335 
13336 	/* not much point in registering if we can't reply */
13337 	if (!rdev->ops->mgmt_tx)
13338 		return -EOPNOTSUPP;
13339 
13340 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
13341 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13342 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
13343 		GENL_SET_ERR_MSG(info,
13344 				 "multicast RX registrations are not supported");
13345 		return -EOPNOTSUPP;
13346 	}
13347 
13348 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
13349 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13350 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13351 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
13352 					   info->extack);
13353 }
13354 
13355 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
13356 {
13357 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13358 	struct wireless_dev *wdev = info->user_ptr[1];
13359 	struct cfg80211_chan_def chandef;
13360 	int err;
13361 	void *hdr = NULL;
13362 	u64 cookie;
13363 	struct sk_buff *msg = NULL;
13364 	struct cfg80211_mgmt_tx_params params = {
13365 		.dont_wait_for_ack =
13366 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
13367 	};
13368 
13369 	if (!info->attrs[NL80211_ATTR_FRAME])
13370 		return -EINVAL;
13371 
13372 	if (!rdev->ops->mgmt_tx)
13373 		return -EOPNOTSUPP;
13374 
13375 	switch (wdev->iftype) {
13376 	case NL80211_IFTYPE_P2P_DEVICE:
13377 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
13378 			return -EINVAL;
13379 		break;
13380 	case NL80211_IFTYPE_STATION:
13381 	case NL80211_IFTYPE_ADHOC:
13382 	case NL80211_IFTYPE_P2P_CLIENT:
13383 	case NL80211_IFTYPE_AP:
13384 	case NL80211_IFTYPE_AP_VLAN:
13385 	case NL80211_IFTYPE_MESH_POINT:
13386 	case NL80211_IFTYPE_P2P_GO:
13387 		break;
13388 	case NL80211_IFTYPE_NAN:
13389 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13390 					     NL80211_EXT_FEATURE_SECURE_NAN))
13391 			return -EOPNOTSUPP;
13392 		break;
13393 	default:
13394 		return -EOPNOTSUPP;
13395 	}
13396 
13397 	if (info->attrs[NL80211_ATTR_DURATION]) {
13398 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13399 			return -EINVAL;
13400 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13401 
13402 		/*
13403 		 * We should wait on the channel for at least a minimum amount
13404 		 * of time (10ms) but no longer than the driver supports.
13405 		 */
13406 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13407 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
13408 			return -EINVAL;
13409 	}
13410 
13411 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
13412 
13413 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13414 		return -EINVAL;
13415 
13416 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
13417 
13418 	/* get the channel if any has been specified, otherwise pass NULL to
13419 	 * the driver. The latter will use the current one
13420 	 */
13421 	chandef.chan = NULL;
13422 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13423 		err = nl80211_parse_chandef(rdev, info, &chandef);
13424 		if (err)
13425 			return err;
13426 	}
13427 
13428 	if (!chandef.chan && params.offchan)
13429 		return -EINVAL;
13430 
13431 	if (params.offchan &&
13432 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
13433 		return -EBUSY;
13434 
13435 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
13436 	/*
13437 	 * This now races due to the unlock, but we cannot check
13438 	 * the valid links for the _station_ anyway, so that's up
13439 	 * to the driver.
13440 	 */
13441 	if (params.link_id >= 0 &&
13442 	    !(wdev->valid_links & BIT(params.link_id)))
13443 		return -EINVAL;
13444 
13445 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13446 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13447 
13448 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
13449 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
13450 					    &params.csa_offsets,
13451 					    &params.n_csa_offsets);
13452 	if (err)
13453 		return err;
13454 
13455 	if (!params.dont_wait_for_ack) {
13456 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13457 		if (!msg)
13458 			return -ENOMEM;
13459 
13460 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13461 				     NL80211_CMD_FRAME);
13462 		if (!hdr) {
13463 			err = -ENOBUFS;
13464 			goto free_msg;
13465 		}
13466 	}
13467 
13468 	params.chan = chandef.chan;
13469 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
13470 	if (err)
13471 		goto free_msg;
13472 
13473 	if (msg) {
13474 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13475 				      NL80211_ATTR_PAD))
13476 			goto nla_put_failure;
13477 
13478 		genlmsg_end(msg, hdr);
13479 		return genlmsg_reply(msg, info);
13480 	}
13481 
13482 	return 0;
13483 
13484  nla_put_failure:
13485 	err = -ENOBUFS;
13486  free_msg:
13487 	nlmsg_free(msg);
13488 	return err;
13489 }
13490 
13491 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
13492 {
13493 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13494 	struct wireless_dev *wdev = info->user_ptr[1];
13495 	u64 cookie;
13496 
13497 	if (!info->attrs[NL80211_ATTR_COOKIE])
13498 		return -EINVAL;
13499 
13500 	if (!rdev->ops->mgmt_tx_cancel_wait)
13501 		return -EOPNOTSUPP;
13502 
13503 	switch (wdev->iftype) {
13504 	case NL80211_IFTYPE_STATION:
13505 	case NL80211_IFTYPE_ADHOC:
13506 	case NL80211_IFTYPE_P2P_CLIENT:
13507 	case NL80211_IFTYPE_AP:
13508 	case NL80211_IFTYPE_AP_VLAN:
13509 	case NL80211_IFTYPE_P2P_GO:
13510 	case NL80211_IFTYPE_P2P_DEVICE:
13511 		break;
13512 	case NL80211_IFTYPE_NAN:
13513 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13514 					     NL80211_EXT_FEATURE_SECURE_NAN))
13515 			return -EOPNOTSUPP;
13516 		break;
13517 	default:
13518 		return -EOPNOTSUPP;
13519 	}
13520 
13521 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13522 
13523 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
13524 }
13525 
13526 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
13527 {
13528 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13529 	struct wireless_dev *wdev;
13530 	struct net_device *dev = info->user_ptr[1];
13531 	u8 ps_state;
13532 	bool state;
13533 	int err;
13534 
13535 	if (!info->attrs[NL80211_ATTR_PS_STATE])
13536 		return -EINVAL;
13537 
13538 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
13539 
13540 	wdev = dev->ieee80211_ptr;
13541 
13542 	if (!rdev->ops->set_power_mgmt)
13543 		return -EOPNOTSUPP;
13544 
13545 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
13546 
13547 	if (state == wdev->ps)
13548 		return 0;
13549 
13550 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
13551 	if (!err)
13552 		wdev->ps = state;
13553 	return err;
13554 }
13555 
13556 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
13557 {
13558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13559 	enum nl80211_ps_state ps_state;
13560 	struct wireless_dev *wdev;
13561 	struct net_device *dev = info->user_ptr[1];
13562 	struct sk_buff *msg;
13563 	void *hdr;
13564 	int err;
13565 
13566 	wdev = dev->ieee80211_ptr;
13567 
13568 	if (!rdev->ops->set_power_mgmt)
13569 		return -EOPNOTSUPP;
13570 
13571 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13572 	if (!msg)
13573 		return -ENOMEM;
13574 
13575 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13576 			     NL80211_CMD_GET_POWER_SAVE);
13577 	if (!hdr) {
13578 		err = -ENOBUFS;
13579 		goto free_msg;
13580 	}
13581 
13582 	if (wdev->ps)
13583 		ps_state = NL80211_PS_ENABLED;
13584 	else
13585 		ps_state = NL80211_PS_DISABLED;
13586 
13587 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
13588 		goto nla_put_failure;
13589 
13590 	genlmsg_end(msg, hdr);
13591 	return genlmsg_reply(msg, info);
13592 
13593  nla_put_failure:
13594 	err = -ENOBUFS;
13595  free_msg:
13596 	nlmsg_free(msg);
13597 	return err;
13598 }
13599 
13600 static const struct nla_policy
13601 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
13602 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
13603 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
13604 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
13605 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
13606 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
13607 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
13608 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
13609 };
13610 
13611 static int nl80211_set_cqm_txe(struct genl_info *info,
13612 			       u32 rate, u32 pkts, u32 intvl)
13613 {
13614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13615 	struct net_device *dev = info->user_ptr[1];
13616 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13617 
13618 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
13619 		return -EINVAL;
13620 
13621 	if (!rdev->ops->set_cqm_txe_config)
13622 		return -EOPNOTSUPP;
13623 
13624 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13625 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13626 		return -EOPNOTSUPP;
13627 
13628 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
13629 }
13630 
13631 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
13632 				    struct net_device *dev,
13633 				    struct cfg80211_cqm_config *cqm_config)
13634 {
13635 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13636 	s32 last, low, high;
13637 	u32 hyst;
13638 	int i, n, low_index;
13639 	int err;
13640 
13641 	/*
13642 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
13643 	 * event has been received yet, we should receive an event after a
13644 	 * connection is established and enough beacons received to calculate
13645 	 * the average.
13646 	 */
13647 	if (!cqm_config->last_rssi_event_value &&
13648 	    wdev->links[0].client.current_bss &&
13649 	    rdev->ops->get_station) {
13650 		struct station_info sinfo = {};
13651 		u8 *mac_addr;
13652 
13653 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
13654 
13655 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
13656 		if (err)
13657 			return err;
13658 
13659 		cfg80211_sinfo_release_content(&sinfo);
13660 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13661 			cqm_config->last_rssi_event_value =
13662 				(s8) sinfo.rx_beacon_signal_avg;
13663 	}
13664 
13665 	last = cqm_config->last_rssi_event_value;
13666 	hyst = cqm_config->rssi_hyst;
13667 	n = cqm_config->n_rssi_thresholds;
13668 
13669 	for (i = 0; i < n; i++) {
13670 		i = array_index_nospec(i, n);
13671 		if (last < cqm_config->rssi_thresholds[i])
13672 			break;
13673 	}
13674 
13675 	low_index = i - 1;
13676 	if (low_index >= 0) {
13677 		low_index = array_index_nospec(low_index, n);
13678 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13679 	} else {
13680 		low = S32_MIN;
13681 	}
13682 	if (i < n) {
13683 		i = array_index_nospec(i, n);
13684 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13685 	} else {
13686 		high = S32_MAX;
13687 	}
13688 
13689 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13690 }
13691 
13692 static int nl80211_set_cqm_rssi(struct genl_info *info,
13693 				const s32 *thresholds, int n_thresholds,
13694 				u32 hysteresis)
13695 {
13696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13697 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13698 	struct net_device *dev = info->user_ptr[1];
13699 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13700 	s32 prev = S32_MIN;
13701 	int i, err;
13702 
13703 	/* Check all values negative and sorted */
13704 	for (i = 0; i < n_thresholds; i++) {
13705 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13706 			return -EINVAL;
13707 
13708 		prev = thresholds[i];
13709 	}
13710 
13711 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13712 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13713 		return -EOPNOTSUPP;
13714 
13715 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13716 		n_thresholds = 0;
13717 
13718 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13719 
13720 	/* if already disabled just succeed */
13721 	if (!n_thresholds && !old)
13722 		return 0;
13723 
13724 	if (n_thresholds > 1) {
13725 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13726 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13727 		    !rdev->ops->set_cqm_rssi_range_config)
13728 			return -EOPNOTSUPP;
13729 	} else {
13730 		if (!rdev->ops->set_cqm_rssi_config)
13731 			return -EOPNOTSUPP;
13732 	}
13733 
13734 	if (n_thresholds) {
13735 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13736 						 n_thresholds),
13737 				     GFP_KERNEL);
13738 		if (!cqm_config)
13739 			return -ENOMEM;
13740 
13741 		cqm_config->rssi_hyst = hysteresis;
13742 		cqm_config->n_rssi_thresholds = n_thresholds;
13743 		memcpy(cqm_config->rssi_thresholds, thresholds,
13744 		       flex_array_size(cqm_config, rssi_thresholds,
13745 				       n_thresholds));
13746 		cqm_config->use_range_api = n_thresholds > 1 ||
13747 					    !rdev->ops->set_cqm_rssi_config;
13748 
13749 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13750 
13751 		if (cqm_config->use_range_api)
13752 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13753 		else
13754 			err = rdev_set_cqm_rssi_config(rdev, dev,
13755 						       thresholds[0],
13756 						       hysteresis);
13757 	} else {
13758 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13759 		/* if enabled as range also disable via range */
13760 		if (old->use_range_api)
13761 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13762 		else
13763 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13764 	}
13765 
13766 	if (err) {
13767 		rcu_assign_pointer(wdev->cqm_config, old);
13768 		kfree_rcu(cqm_config, rcu_head);
13769 	} else {
13770 		kfree_rcu(old, rcu_head);
13771 	}
13772 
13773 	return err;
13774 }
13775 
13776 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13777 {
13778 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13779 	struct nlattr *cqm;
13780 	int err;
13781 
13782 	cqm = info->attrs[NL80211_ATTR_CQM];
13783 	if (!cqm)
13784 		return -EINVAL;
13785 
13786 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13787 					  nl80211_attr_cqm_policy,
13788 					  info->extack);
13789 	if (err)
13790 		return err;
13791 
13792 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13793 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13794 		const s32 *thresholds =
13795 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13796 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13797 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13798 
13799 		if (len % 4)
13800 			return -EINVAL;
13801 
13802 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13803 					    hysteresis);
13804 	}
13805 
13806 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13807 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13808 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13809 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13810 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13811 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13812 
13813 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13814 	}
13815 
13816 	return -EINVAL;
13817 }
13818 
13819 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13820 {
13821 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13822 	struct net_device *dev = info->user_ptr[1];
13823 	struct ocb_setup setup = {};
13824 	int err;
13825 
13826 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13827 	if (err)
13828 		return err;
13829 
13830 	return cfg80211_join_ocb(rdev, dev, &setup);
13831 }
13832 
13833 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13834 {
13835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13836 	struct net_device *dev = info->user_ptr[1];
13837 
13838 	return cfg80211_leave_ocb(rdev, dev);
13839 }
13840 
13841 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13842 {
13843 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13844 	struct net_device *dev = info->user_ptr[1];
13845 	struct mesh_config cfg;
13846 	struct mesh_setup setup;
13847 	int err;
13848 
13849 	/* start with default */
13850 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13851 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13852 
13853 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13854 		/* and parse parameters if given */
13855 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13856 		if (err)
13857 			return err;
13858 	}
13859 
13860 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13861 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13862 		return -EINVAL;
13863 
13864 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13865 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13866 
13867 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13868 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13869 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13870 			return -EINVAL;
13871 
13872 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13873 		setup.beacon_interval =
13874 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13875 
13876 		err = cfg80211_validate_beacon_int(rdev,
13877 						   NL80211_IFTYPE_MESH_POINT,
13878 						   setup.beacon_interval);
13879 		if (err)
13880 			return err;
13881 	}
13882 
13883 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13884 		setup.dtim_period =
13885 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13886 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13887 			return -EINVAL;
13888 	}
13889 
13890 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13891 		/* parse additional setup parameters if given */
13892 		err = nl80211_parse_mesh_setup(info, &setup);
13893 		if (err)
13894 			return err;
13895 	}
13896 
13897 	if (setup.user_mpm)
13898 		cfg.auto_open_plinks = false;
13899 
13900 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13901 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13902 		if (err)
13903 			return err;
13904 	} else {
13905 		/* __cfg80211_join_mesh() will sort it out */
13906 		setup.chandef.chan = NULL;
13907 	}
13908 
13909 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13910 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13911 		int n_rates =
13912 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13913 		struct ieee80211_supported_band *sband;
13914 
13915 		if (!setup.chandef.chan)
13916 			return -EINVAL;
13917 
13918 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13919 
13920 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13921 					     &setup.basic_rates);
13922 		if (err)
13923 			return err;
13924 	}
13925 
13926 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13927 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13928 						    NL80211_ATTR_TX_RATES,
13929 						    &setup.beacon_rate,
13930 						    dev, false, 0);
13931 		if (err)
13932 			return err;
13933 
13934 		if (!setup.chandef.chan)
13935 			return -EINVAL;
13936 
13937 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13938 					      &setup.beacon_rate);
13939 		if (err)
13940 			return err;
13941 	}
13942 
13943 	setup.userspace_handles_dfs =
13944 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13945 
13946 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13947 		int r = validate_pae_over_nl80211(rdev, info);
13948 
13949 		if (r < 0)
13950 			return r;
13951 
13952 		setup.control_port_over_nl80211 = true;
13953 	}
13954 
13955 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13956 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13957 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13958 
13959 	return err;
13960 }
13961 
13962 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13963 {
13964 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13965 	struct net_device *dev = info->user_ptr[1];
13966 
13967 	return cfg80211_leave_mesh(rdev, dev);
13968 }
13969 
13970 #ifdef CONFIG_PM
13971 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13972 					struct cfg80211_registered_device *rdev)
13973 {
13974 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13975 	struct nlattr *nl_pats, *nl_pat;
13976 	int i, pat_len;
13977 
13978 	if (!wowlan->n_patterns)
13979 		return 0;
13980 
13981 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13982 	if (!nl_pats)
13983 		return -ENOBUFS;
13984 
13985 	for (i = 0; i < wowlan->n_patterns; i++) {
13986 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13987 		if (!nl_pat)
13988 			return -ENOBUFS;
13989 		pat_len = wowlan->patterns[i].pattern_len;
13990 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13991 			    wowlan->patterns[i].mask) ||
13992 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13993 			    wowlan->patterns[i].pattern) ||
13994 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13995 				wowlan->patterns[i].pkt_offset))
13996 			return -ENOBUFS;
13997 		nla_nest_end(msg, nl_pat);
13998 	}
13999 	nla_nest_end(msg, nl_pats);
14000 
14001 	return 0;
14002 }
14003 
14004 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14005 				   struct cfg80211_wowlan_tcp *tcp)
14006 {
14007 	struct nlattr *nl_tcp;
14008 
14009 	if (!tcp)
14010 		return 0;
14011 
14012 	nl_tcp = nla_nest_start_noflag(msg,
14013 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14014 	if (!nl_tcp)
14015 		return -ENOBUFS;
14016 
14017 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14018 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14019 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14020 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14021 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14022 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14023 		    tcp->payload_len, tcp->payload) ||
14024 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14025 			tcp->data_interval) ||
14026 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14027 		    tcp->wake_len, tcp->wake_data) ||
14028 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14029 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14030 		return -ENOBUFS;
14031 
14032 	if (tcp->payload_seq.len &&
14033 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14034 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14035 		return -ENOBUFS;
14036 
14037 	if (tcp->payload_tok.len &&
14038 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14039 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14040 		    &tcp->payload_tok))
14041 		return -ENOBUFS;
14042 
14043 	nla_nest_end(msg, nl_tcp);
14044 
14045 	return 0;
14046 }
14047 
14048 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14049 				  struct cfg80211_sched_scan_request *req)
14050 {
14051 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14052 	int i;
14053 
14054 	if (!req)
14055 		return 0;
14056 
14057 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14058 	if (!nd)
14059 		return -ENOBUFS;
14060 
14061 	if (req->n_scan_plans == 1 &&
14062 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14063 			req->scan_plans[0].interval * 1000))
14064 		return -ENOBUFS;
14065 
14066 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14067 		return -ENOBUFS;
14068 
14069 	if (req->relative_rssi_set) {
14070 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14071 
14072 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14073 			       req->relative_rssi))
14074 			return -ENOBUFS;
14075 
14076 		rssi_adjust.band = req->rssi_adjust.band;
14077 		rssi_adjust.delta = req->rssi_adjust.delta;
14078 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14079 			    sizeof(rssi_adjust), &rssi_adjust))
14080 			return -ENOBUFS;
14081 	}
14082 
14083 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14084 	if (!freqs)
14085 		return -ENOBUFS;
14086 
14087 	for (i = 0; i < req->n_channels; i++) {
14088 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14089 			return -ENOBUFS;
14090 	}
14091 
14092 	nla_nest_end(msg, freqs);
14093 
14094 	if (req->n_match_sets) {
14095 		matches = nla_nest_start_noflag(msg,
14096 						NL80211_ATTR_SCHED_SCAN_MATCH);
14097 		if (!matches)
14098 			return -ENOBUFS;
14099 
14100 		for (i = 0; i < req->n_match_sets; i++) {
14101 			match = nla_nest_start_noflag(msg, i);
14102 			if (!match)
14103 				return -ENOBUFS;
14104 
14105 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14106 				    req->match_sets[i].ssid.ssid_len,
14107 				    req->match_sets[i].ssid.ssid))
14108 				return -ENOBUFS;
14109 			nla_nest_end(msg, match);
14110 		}
14111 		nla_nest_end(msg, matches);
14112 	}
14113 
14114 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
14115 	if (!scan_plans)
14116 		return -ENOBUFS;
14117 
14118 	for (i = 0; i < req->n_scan_plans; i++) {
14119 		scan_plan = nla_nest_start_noflag(msg, i + 1);
14120 		if (!scan_plan)
14121 			return -ENOBUFS;
14122 
14123 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
14124 				req->scan_plans[i].interval) ||
14125 		    (req->scan_plans[i].iterations &&
14126 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
14127 				 req->scan_plans[i].iterations)))
14128 			return -ENOBUFS;
14129 		nla_nest_end(msg, scan_plan);
14130 	}
14131 	nla_nest_end(msg, scan_plans);
14132 
14133 	nla_nest_end(msg, nd);
14134 
14135 	return 0;
14136 }
14137 
14138 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
14139 {
14140 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14141 	struct sk_buff *msg;
14142 	void *hdr;
14143 	u32 size = NLMSG_DEFAULT_SIZE;
14144 
14145 	if (!rdev->wiphy.wowlan)
14146 		return -EOPNOTSUPP;
14147 
14148 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
14149 		/* adjust size to have room for all the data */
14150 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
14151 			rdev->wiphy.wowlan_config->tcp->payload_len +
14152 			rdev->wiphy.wowlan_config->tcp->wake_len +
14153 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
14154 	}
14155 
14156 	msg = nlmsg_new(size, GFP_KERNEL);
14157 	if (!msg)
14158 		return -ENOMEM;
14159 
14160 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14161 			     NL80211_CMD_GET_WOWLAN);
14162 	if (!hdr)
14163 		goto nla_put_failure;
14164 
14165 	if (rdev->wiphy.wowlan_config) {
14166 		struct nlattr *nl_wowlan;
14167 
14168 		nl_wowlan = nla_nest_start_noflag(msg,
14169 						  NL80211_ATTR_WOWLAN_TRIGGERS);
14170 		if (!nl_wowlan)
14171 			goto nla_put_failure;
14172 
14173 		if ((rdev->wiphy.wowlan_config->any &&
14174 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
14175 		    (rdev->wiphy.wowlan_config->disconnect &&
14176 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
14177 		    (rdev->wiphy.wowlan_config->magic_pkt &&
14178 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
14179 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
14180 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
14181 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
14182 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
14183 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
14184 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
14185 		    (rdev->wiphy.wowlan_config->rfkill_release &&
14186 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
14187 			goto nla_put_failure;
14188 
14189 		if (nl80211_send_wowlan_patterns(msg, rdev))
14190 			goto nla_put_failure;
14191 
14192 		if (nl80211_send_wowlan_tcp(msg,
14193 					    rdev->wiphy.wowlan_config->tcp))
14194 			goto nla_put_failure;
14195 
14196 		if (nl80211_send_wowlan_nd(
14197 			    msg,
14198 			    rdev->wiphy.wowlan_config->nd_config))
14199 			goto nla_put_failure;
14200 
14201 		nla_nest_end(msg, nl_wowlan);
14202 	}
14203 
14204 	genlmsg_end(msg, hdr);
14205 	return genlmsg_reply(msg, info);
14206 
14207 nla_put_failure:
14208 	nlmsg_free(msg);
14209 	return -ENOBUFS;
14210 }
14211 
14212 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
14213 				    struct nlattr *attr,
14214 				    struct cfg80211_wowlan *trig)
14215 {
14216 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
14217 	struct cfg80211_wowlan_tcp *cfg;
14218 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
14219 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
14220 	u32 size;
14221 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
14222 	int err, port;
14223 
14224 	if (!rdev->wiphy.wowlan->tcp)
14225 		return -EINVAL;
14226 
14227 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
14228 					  nl80211_wowlan_tcp_policy, NULL);
14229 	if (err)
14230 		return err;
14231 
14232 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
14233 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
14234 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
14235 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
14236 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
14237 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
14238 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
14239 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
14240 		return -EINVAL;
14241 
14242 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
14243 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
14244 		return -EINVAL;
14245 
14246 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
14247 			rdev->wiphy.wowlan->tcp->data_interval_max ||
14248 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
14249 		return -EINVAL;
14250 
14251 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
14252 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
14253 		return -EINVAL;
14254 
14255 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
14256 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
14257 		return -EINVAL;
14258 
14259 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
14260 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14261 
14262 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14263 		tokens_size = tokln - sizeof(*tok);
14264 
14265 		if (!tok->len || tokens_size % tok->len)
14266 			return -EINVAL;
14267 		if (!rdev->wiphy.wowlan->tcp->tok)
14268 			return -EINVAL;
14269 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
14270 			return -EINVAL;
14271 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
14272 			return -EINVAL;
14273 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
14274 			return -EINVAL;
14275 		if (tok->offset + tok->len > data_size)
14276 			return -EINVAL;
14277 	}
14278 
14279 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
14280 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
14281 		if (!rdev->wiphy.wowlan->tcp->seq)
14282 			return -EINVAL;
14283 		if (seq->len == 0 || seq->len > 4)
14284 			return -EINVAL;
14285 		if (seq->len + seq->offset > data_size)
14286 			return -EINVAL;
14287 	}
14288 
14289 	size = sizeof(*cfg);
14290 	size += data_size;
14291 	size += wake_size + wake_mask_size;
14292 	size += tokens_size;
14293 
14294 	cfg = kzalloc(size, GFP_KERNEL);
14295 	if (!cfg)
14296 		return -ENOMEM;
14297 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
14298 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
14299 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
14300 	       ETH_ALEN);
14301 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
14302 #ifdef CONFIG_INET
14303 	/* allocate a socket and port for it and use it */
14304 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
14305 			    IPPROTO_TCP, &cfg->sock, 1);
14306 	if (err) {
14307 		kfree(cfg);
14308 		return err;
14309 	}
14310 	if (inet_csk_get_port(cfg->sock->sk, port)) {
14311 		sock_release(cfg->sock);
14312 		kfree(cfg);
14313 		return -EADDRINUSE;
14314 	}
14315 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
14316 #else
14317 	if (!port) {
14318 		kfree(cfg);
14319 		return -EINVAL;
14320 	}
14321 	cfg->src_port = port;
14322 #endif
14323 
14324 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
14325 	cfg->payload_len = data_size;
14326 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
14327 	memcpy((void *)cfg->payload,
14328 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
14329 	       data_size);
14330 	if (seq)
14331 		cfg->payload_seq = *seq;
14332 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
14333 	cfg->wake_len = wake_size;
14334 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
14335 	memcpy((void *)cfg->wake_data,
14336 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
14337 	       wake_size);
14338 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
14339 			 data_size + wake_size;
14340 	memcpy((void *)cfg->wake_mask,
14341 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
14342 	       wake_mask_size);
14343 	if (tok) {
14344 		cfg->tokens_size = tokens_size;
14345 		cfg->payload_tok = *tok;
14346 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
14347 		       tokens_size);
14348 	}
14349 
14350 	trig->tcp = cfg;
14351 
14352 	return 0;
14353 }
14354 
14355 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
14356 				   const struct wiphy_wowlan_support *wowlan,
14357 				   struct nlattr *attr,
14358 				   struct cfg80211_wowlan *trig)
14359 {
14360 	struct nlattr **tb;
14361 	int err;
14362 
14363 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
14364 	if (!tb)
14365 		return -ENOMEM;
14366 
14367 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
14368 		err = -EOPNOTSUPP;
14369 		goto out;
14370 	}
14371 
14372 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
14373 					  nl80211_policy, NULL);
14374 	if (err)
14375 		goto out;
14376 
14377 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
14378 						   wowlan->max_nd_match_sets);
14379 	err = PTR_ERR_OR_ZERO(trig->nd_config);
14380 	if (err)
14381 		trig->nd_config = NULL;
14382 
14383 out:
14384 	kfree(tb);
14385 	return err;
14386 }
14387 
14388 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
14389 {
14390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14391 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
14392 	struct cfg80211_wowlan new_triggers = {};
14393 	struct cfg80211_wowlan *ntrig;
14394 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
14395 	int err, i;
14396 	bool prev_enabled = rdev->wiphy.wowlan_config;
14397 	bool regular = false;
14398 
14399 	if (!wowlan)
14400 		return -EOPNOTSUPP;
14401 
14402 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
14403 		cfg80211_rdev_free_wowlan(rdev);
14404 		rdev->wiphy.wowlan_config = NULL;
14405 		goto set_wakeup;
14406 	}
14407 
14408 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
14409 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
14410 					  nl80211_wowlan_policy, info->extack);
14411 	if (err)
14412 		return err;
14413 
14414 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
14415 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
14416 			return -EINVAL;
14417 		new_triggers.any = true;
14418 	}
14419 
14420 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
14421 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
14422 			return -EINVAL;
14423 		new_triggers.disconnect = true;
14424 		regular = true;
14425 	}
14426 
14427 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
14428 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
14429 			return -EINVAL;
14430 		new_triggers.magic_pkt = true;
14431 		regular = true;
14432 	}
14433 
14434 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
14435 		return -EINVAL;
14436 
14437 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
14438 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
14439 			return -EINVAL;
14440 		new_triggers.gtk_rekey_failure = true;
14441 		regular = true;
14442 	}
14443 
14444 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
14445 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
14446 			return -EINVAL;
14447 		new_triggers.eap_identity_req = true;
14448 		regular = true;
14449 	}
14450 
14451 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
14452 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
14453 			return -EINVAL;
14454 		new_triggers.four_way_handshake = true;
14455 		regular = true;
14456 	}
14457 
14458 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
14459 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
14460 			return -EINVAL;
14461 		new_triggers.rfkill_release = true;
14462 		regular = true;
14463 	}
14464 
14465 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
14466 		struct nlattr *pat;
14467 		int n_patterns = 0;
14468 		int rem, pat_len, mask_len, pkt_offset;
14469 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14470 
14471 		regular = true;
14472 
14473 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
14474 				    rem)
14475 			n_patterns++;
14476 		if (n_patterns > wowlan->n_patterns)
14477 			return -EINVAL;
14478 
14479 		new_triggers.patterns = kcalloc(n_patterns,
14480 						sizeof(new_triggers.patterns[0]),
14481 						GFP_KERNEL);
14482 		if (!new_triggers.patterns)
14483 			return -ENOMEM;
14484 
14485 		new_triggers.n_patterns = n_patterns;
14486 		i = 0;
14487 
14488 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
14489 				    rem) {
14490 			u8 *mask_pat;
14491 
14492 			err = nla_parse_nested_deprecated(pat_tb,
14493 							  MAX_NL80211_PKTPAT,
14494 							  pat,
14495 							  nl80211_packet_pattern_policy,
14496 							  info->extack);
14497 			if (err)
14498 				goto error;
14499 
14500 			err = -EINVAL;
14501 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
14502 			    !pat_tb[NL80211_PKTPAT_PATTERN])
14503 				goto error;
14504 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14505 			mask_len = DIV_ROUND_UP(pat_len, 8);
14506 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14507 				goto error;
14508 			if (pat_len > wowlan->pattern_max_len ||
14509 			    pat_len < wowlan->pattern_min_len)
14510 				goto error;
14511 
14512 			pkt_offset =
14513 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
14514 						    0);
14515 			if (pkt_offset > wowlan->max_pkt_offset)
14516 				goto error;
14517 			new_triggers.patterns[i].pkt_offset = pkt_offset;
14518 
14519 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14520 			if (!mask_pat) {
14521 				err = -ENOMEM;
14522 				goto error;
14523 			}
14524 			new_triggers.patterns[i].mask = mask_pat;
14525 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14526 			       mask_len);
14527 			mask_pat += mask_len;
14528 			new_triggers.patterns[i].pattern = mask_pat;
14529 			new_triggers.patterns[i].pattern_len = pat_len;
14530 			memcpy(mask_pat,
14531 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14532 			       pat_len);
14533 			i++;
14534 		}
14535 	}
14536 
14537 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
14538 		regular = true;
14539 		err = nl80211_parse_wowlan_tcp(
14540 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
14541 			&new_triggers);
14542 		if (err)
14543 			goto error;
14544 	}
14545 
14546 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
14547 		regular = true;
14548 		err = nl80211_parse_wowlan_nd(
14549 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
14550 			&new_triggers);
14551 		if (err)
14552 			goto error;
14553 	}
14554 
14555 	/* The 'any' trigger means the device continues operating more or less
14556 	 * as in its normal operation mode and wakes up the host on most of the
14557 	 * normal interrupts (like packet RX, ...)
14558 	 * It therefore makes little sense to combine with the more constrained
14559 	 * wakeup trigger modes.
14560 	 */
14561 	if (new_triggers.any && regular) {
14562 		err = -EINVAL;
14563 		goto error;
14564 	}
14565 
14566 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
14567 	if (!ntrig) {
14568 		err = -ENOMEM;
14569 		goto error;
14570 	}
14571 	cfg80211_rdev_free_wowlan(rdev);
14572 	rdev->wiphy.wowlan_config = ntrig;
14573 
14574  set_wakeup:
14575 	if (rdev->ops->set_wakeup &&
14576 	    prev_enabled != !!rdev->wiphy.wowlan_config)
14577 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
14578 
14579 	return 0;
14580  error:
14581 	for (i = 0; i < new_triggers.n_patterns; i++)
14582 		kfree(new_triggers.patterns[i].mask);
14583 	kfree(new_triggers.patterns);
14584 	if (new_triggers.tcp && new_triggers.tcp->sock)
14585 		sock_release(new_triggers.tcp->sock);
14586 	kfree(new_triggers.tcp);
14587 	kfree(new_triggers.nd_config);
14588 	return err;
14589 }
14590 #endif
14591 
14592 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
14593 				       struct cfg80211_registered_device *rdev)
14594 {
14595 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
14596 	int i, j, pat_len;
14597 	struct cfg80211_coalesce_rules *rule;
14598 
14599 	if (!rdev->coalesce->n_rules)
14600 		return 0;
14601 
14602 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
14603 	if (!nl_rules)
14604 		return -ENOBUFS;
14605 
14606 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
14607 		nl_rule = nla_nest_start_noflag(msg, i + 1);
14608 		if (!nl_rule)
14609 			return -ENOBUFS;
14610 
14611 		rule = &rdev->coalesce->rules[i];
14612 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
14613 				rule->delay))
14614 			return -ENOBUFS;
14615 
14616 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
14617 				rule->condition))
14618 			return -ENOBUFS;
14619 
14620 		nl_pats = nla_nest_start_noflag(msg,
14621 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
14622 		if (!nl_pats)
14623 			return -ENOBUFS;
14624 
14625 		for (j = 0; j < rule->n_patterns; j++) {
14626 			nl_pat = nla_nest_start_noflag(msg, j + 1);
14627 			if (!nl_pat)
14628 				return -ENOBUFS;
14629 			pat_len = rule->patterns[j].pattern_len;
14630 			if (nla_put(msg, NL80211_PKTPAT_MASK,
14631 				    DIV_ROUND_UP(pat_len, 8),
14632 				    rule->patterns[j].mask) ||
14633 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14634 				    rule->patterns[j].pattern) ||
14635 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14636 					rule->patterns[j].pkt_offset))
14637 				return -ENOBUFS;
14638 			nla_nest_end(msg, nl_pat);
14639 		}
14640 		nla_nest_end(msg, nl_pats);
14641 		nla_nest_end(msg, nl_rule);
14642 	}
14643 	nla_nest_end(msg, nl_rules);
14644 
14645 	return 0;
14646 }
14647 
14648 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
14649 {
14650 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14651 	struct sk_buff *msg;
14652 	void *hdr;
14653 
14654 	if (!rdev->wiphy.coalesce)
14655 		return -EOPNOTSUPP;
14656 
14657 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14658 	if (!msg)
14659 		return -ENOMEM;
14660 
14661 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14662 			     NL80211_CMD_GET_COALESCE);
14663 	if (!hdr)
14664 		goto nla_put_failure;
14665 
14666 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14667 		goto nla_put_failure;
14668 
14669 	genlmsg_end(msg, hdr);
14670 	return genlmsg_reply(msg, info);
14671 
14672 nla_put_failure:
14673 	nlmsg_free(msg);
14674 	return -ENOBUFS;
14675 }
14676 
14677 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14678 {
14679 	int i, j;
14680 	struct cfg80211_coalesce_rules *rule;
14681 
14682 	if (!coalesce)
14683 		return;
14684 
14685 	for (i = 0; i < coalesce->n_rules; i++) {
14686 		rule = &coalesce->rules[i];
14687 		for (j = 0; j < rule->n_patterns; j++)
14688 			kfree(rule->patterns[j].mask);
14689 		kfree(rule->patterns);
14690 	}
14691 	kfree(coalesce);
14692 }
14693 
14694 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14695 				       struct nlattr *rule,
14696 				       struct cfg80211_coalesce_rules *new_rule)
14697 {
14698 	int err, i;
14699 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14700 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14701 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14702 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14703 
14704 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14705 					  rule, nl80211_coalesce_policy, NULL);
14706 	if (err)
14707 		return err;
14708 
14709 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14710 		new_rule->delay =
14711 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14712 	if (new_rule->delay > coalesce->max_delay)
14713 		return -EINVAL;
14714 
14715 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14716 		new_rule->condition =
14717 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14718 
14719 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14720 		return -EINVAL;
14721 
14722 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14723 			    rem)
14724 		n_patterns++;
14725 	if (n_patterns > coalesce->n_patterns)
14726 		return -EINVAL;
14727 
14728 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14729 				     GFP_KERNEL);
14730 	if (!new_rule->patterns)
14731 		return -ENOMEM;
14732 
14733 	new_rule->n_patterns = n_patterns;
14734 	i = 0;
14735 
14736 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14737 			    rem) {
14738 		u8 *mask_pat;
14739 
14740 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14741 						  pat,
14742 						  nl80211_packet_pattern_policy,
14743 						  NULL);
14744 		if (err)
14745 			return err;
14746 
14747 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14748 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14749 			return -EINVAL;
14750 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14751 		mask_len = DIV_ROUND_UP(pat_len, 8);
14752 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14753 			return -EINVAL;
14754 		if (pat_len > coalesce->pattern_max_len ||
14755 		    pat_len < coalesce->pattern_min_len)
14756 			return -EINVAL;
14757 
14758 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
14759 						 0);
14760 		if (pkt_offset > coalesce->max_pkt_offset)
14761 			return -EINVAL;
14762 		new_rule->patterns[i].pkt_offset = pkt_offset;
14763 
14764 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14765 		if (!mask_pat)
14766 			return -ENOMEM;
14767 
14768 		new_rule->patterns[i].mask = mask_pat;
14769 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14770 		       mask_len);
14771 
14772 		mask_pat += mask_len;
14773 		new_rule->patterns[i].pattern = mask_pat;
14774 		new_rule->patterns[i].pattern_len = pat_len;
14775 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14776 		       pat_len);
14777 		i++;
14778 	}
14779 
14780 	return 0;
14781 }
14782 
14783 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14784 {
14785 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14786 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14787 	struct cfg80211_coalesce *new_coalesce;
14788 	int err, rem_rule, n_rules = 0, i;
14789 	struct nlattr *rule;
14790 
14791 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14792 		return -EOPNOTSUPP;
14793 
14794 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14795 		cfg80211_free_coalesce(rdev->coalesce);
14796 		rdev->coalesce = NULL;
14797 		rdev_set_coalesce(rdev, NULL);
14798 		return 0;
14799 	}
14800 
14801 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14802 			    rem_rule)
14803 		n_rules++;
14804 	if (n_rules > coalesce->n_rules)
14805 		return -EINVAL;
14806 
14807 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14808 			       GFP_KERNEL);
14809 	if (!new_coalesce)
14810 		return -ENOMEM;
14811 
14812 	new_coalesce->n_rules = n_rules;
14813 	i = 0;
14814 
14815 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14816 			    rem_rule) {
14817 		err = nl80211_parse_coalesce_rule(rdev, rule,
14818 						  &new_coalesce->rules[i]);
14819 		if (err)
14820 			goto error;
14821 
14822 		i++;
14823 	}
14824 
14825 	err = rdev_set_coalesce(rdev, new_coalesce);
14826 	if (err)
14827 		goto error;
14828 
14829 	cfg80211_free_coalesce(rdev->coalesce);
14830 	rdev->coalesce = new_coalesce;
14831 
14832 	return 0;
14833 error:
14834 	cfg80211_free_coalesce(new_coalesce);
14835 
14836 	return err;
14837 }
14838 
14839 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14840 {
14841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14842 	struct net_device *dev = info->user_ptr[1];
14843 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14844 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14845 	struct cfg80211_gtk_rekey_data rekey_data = {};
14846 	int err;
14847 
14848 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14849 		return -EINVAL;
14850 
14851 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14852 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14853 					  nl80211_rekey_policy, info->extack);
14854 	if (err)
14855 		return err;
14856 
14857 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14858 	    !tb[NL80211_REKEY_DATA_KCK])
14859 		return -EINVAL;
14860 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14861 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14862 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14863 		return -ERANGE;
14864 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14865 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14866 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14867 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14868 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14869 		return -ERANGE;
14870 
14871 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14872 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14873 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14874 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14875 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14876 	if (tb[NL80211_REKEY_DATA_AKM])
14877 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14878 
14879 	if (!wdev->connected)
14880 		return -ENOTCONN;
14881 
14882 	if (!rdev->ops->set_rekey_data)
14883 		return -EOPNOTSUPP;
14884 
14885 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14886 }
14887 
14888 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14889 					     struct genl_info *info)
14890 {
14891 	struct net_device *dev = info->user_ptr[1];
14892 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14893 
14894 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14895 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14896 		return -EINVAL;
14897 
14898 	if (wdev->ap_unexpected_nlportid)
14899 		return -EBUSY;
14900 
14901 	wdev->ap_unexpected_nlportid = info->snd_portid;
14902 	return 0;
14903 }
14904 
14905 static int nl80211_probe_client(struct sk_buff *skb,
14906 				struct genl_info *info)
14907 {
14908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14909 	struct net_device *dev = info->user_ptr[1];
14910 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14911 	struct sk_buff *msg;
14912 	void *hdr;
14913 	const u8 *addr;
14914 	u64 cookie;
14915 	int err;
14916 
14917 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14918 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14919 		return -EOPNOTSUPP;
14920 
14921 	if (!info->attrs[NL80211_ATTR_MAC])
14922 		return -EINVAL;
14923 
14924 	if (!rdev->ops->probe_client)
14925 		return -EOPNOTSUPP;
14926 
14927 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14928 	if (!msg)
14929 		return -ENOMEM;
14930 
14931 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14932 			     NL80211_CMD_PROBE_CLIENT);
14933 	if (!hdr) {
14934 		err = -ENOBUFS;
14935 		goto free_msg;
14936 	}
14937 
14938 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14939 
14940 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14941 	if (err)
14942 		goto free_msg;
14943 
14944 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14945 			      NL80211_ATTR_PAD))
14946 		goto nla_put_failure;
14947 
14948 	genlmsg_end(msg, hdr);
14949 
14950 	return genlmsg_reply(msg, info);
14951 
14952  nla_put_failure:
14953 	err = -ENOBUFS;
14954  free_msg:
14955 	nlmsg_free(msg);
14956 	return err;
14957 }
14958 
14959 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14960 {
14961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14962 	struct cfg80211_beacon_registration *reg, *nreg;
14963 	int rv;
14964 
14965 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14966 		return -EOPNOTSUPP;
14967 
14968 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14969 	if (!nreg)
14970 		return -ENOMEM;
14971 
14972 	/* First, check if already registered. */
14973 	spin_lock_bh(&rdev->beacon_registrations_lock);
14974 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14975 		if (reg->nlportid == info->snd_portid) {
14976 			rv = -EALREADY;
14977 			goto out_err;
14978 		}
14979 	}
14980 	/* Add it to the list */
14981 	nreg->nlportid = info->snd_portid;
14982 	list_add(&nreg->list, &rdev->beacon_registrations);
14983 
14984 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14985 
14986 	return 0;
14987 out_err:
14988 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14989 	kfree(nreg);
14990 	return rv;
14991 }
14992 
14993 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14994 {
14995 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14996 	struct wireless_dev *wdev = info->user_ptr[1];
14997 	int err;
14998 
14999 	if (!rdev->ops->start_p2p_device)
15000 		return -EOPNOTSUPP;
15001 
15002 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15003 		return -EOPNOTSUPP;
15004 
15005 	if (wdev_running(wdev))
15006 		return 0;
15007 
15008 	if (rfkill_blocked(rdev->wiphy.rfkill))
15009 		return -ERFKILL;
15010 
15011 	err = rdev_start_p2p_device(rdev, wdev);
15012 	if (err)
15013 		return err;
15014 
15015 	wdev->is_running = true;
15016 	rdev->opencount++;
15017 
15018 	return 0;
15019 }
15020 
15021 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15022 {
15023 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15024 	struct wireless_dev *wdev = info->user_ptr[1];
15025 
15026 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15027 		return -EOPNOTSUPP;
15028 
15029 	if (!rdev->ops->stop_p2p_device)
15030 		return -EOPNOTSUPP;
15031 
15032 	cfg80211_stop_p2p_device(rdev, wdev);
15033 
15034 	return 0;
15035 }
15036 
15037 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
15038 {
15039 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15040 	struct wireless_dev *wdev = info->user_ptr[1];
15041 	struct cfg80211_nan_conf conf = {};
15042 	int err;
15043 
15044 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15045 		return -EOPNOTSUPP;
15046 
15047 	if (wdev_running(wdev))
15048 		return -EEXIST;
15049 
15050 	if (rfkill_blocked(rdev->wiphy.rfkill))
15051 		return -ERFKILL;
15052 
15053 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
15054 		return -EINVAL;
15055 
15056 	conf.master_pref =
15057 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15058 
15059 	if (info->attrs[NL80211_ATTR_BANDS]) {
15060 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15061 
15062 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
15063 			return -EOPNOTSUPP;
15064 
15065 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15066 			return -EINVAL;
15067 
15068 		conf.bands = bands;
15069 	}
15070 
15071 	err = rdev_start_nan(rdev, wdev, &conf);
15072 	if (err)
15073 		return err;
15074 
15075 	wdev->is_running = true;
15076 	rdev->opencount++;
15077 
15078 	return 0;
15079 }
15080 
15081 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
15082 {
15083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15084 	struct wireless_dev *wdev = info->user_ptr[1];
15085 
15086 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15087 		return -EOPNOTSUPP;
15088 
15089 	cfg80211_stop_nan(rdev, wdev);
15090 
15091 	return 0;
15092 }
15093 
15094 static int validate_nan_filter(struct nlattr *filter_attr)
15095 {
15096 	struct nlattr *attr;
15097 	int len = 0, n_entries = 0, rem;
15098 
15099 	nla_for_each_nested(attr, filter_attr, rem) {
15100 		len += nla_len(attr);
15101 		n_entries++;
15102 	}
15103 
15104 	if (len >= U8_MAX)
15105 		return -EINVAL;
15106 
15107 	return n_entries;
15108 }
15109 
15110 static int handle_nan_filter(struct nlattr *attr_filter,
15111 			     struct cfg80211_nan_func *func,
15112 			     bool tx)
15113 {
15114 	struct nlattr *attr;
15115 	int n_entries, rem, i;
15116 	struct cfg80211_nan_func_filter *filter;
15117 
15118 	n_entries = validate_nan_filter(attr_filter);
15119 	if (n_entries < 0)
15120 		return n_entries;
15121 
15122 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
15123 
15124 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
15125 	if (!filter)
15126 		return -ENOMEM;
15127 
15128 	i = 0;
15129 	nla_for_each_nested(attr, attr_filter, rem) {
15130 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
15131 		if (!filter[i].filter)
15132 			goto err;
15133 
15134 		filter[i].len = nla_len(attr);
15135 		i++;
15136 	}
15137 	if (tx) {
15138 		func->num_tx_filters = n_entries;
15139 		func->tx_filters = filter;
15140 	} else {
15141 		func->num_rx_filters = n_entries;
15142 		func->rx_filters = filter;
15143 	}
15144 
15145 	return 0;
15146 
15147 err:
15148 	i = 0;
15149 	nla_for_each_nested(attr, attr_filter, rem) {
15150 		kfree(filter[i].filter);
15151 		i++;
15152 	}
15153 	kfree(filter);
15154 	return -ENOMEM;
15155 }
15156 
15157 static int nl80211_nan_add_func(struct sk_buff *skb,
15158 				struct genl_info *info)
15159 {
15160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15161 	struct wireless_dev *wdev = info->user_ptr[1];
15162 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
15163 	struct cfg80211_nan_func *func;
15164 	struct sk_buff *msg = NULL;
15165 	void *hdr = NULL;
15166 	int err = 0;
15167 
15168 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15169 		return -EOPNOTSUPP;
15170 
15171 	if (!wdev_running(wdev))
15172 		return -ENOTCONN;
15173 
15174 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
15175 		return -EINVAL;
15176 
15177 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
15178 					  info->attrs[NL80211_ATTR_NAN_FUNC],
15179 					  nl80211_nan_func_policy,
15180 					  info->extack);
15181 	if (err)
15182 		return err;
15183 
15184 	func = kzalloc(sizeof(*func), GFP_KERNEL);
15185 	if (!func)
15186 		return -ENOMEM;
15187 
15188 	func->cookie = cfg80211_assign_cookie(rdev);
15189 
15190 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
15191 		err = -EINVAL;
15192 		goto out;
15193 	}
15194 
15195 
15196 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
15197 
15198 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
15199 		err = -EINVAL;
15200 		goto out;
15201 	}
15202 
15203 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
15204 	       sizeof(func->service_id));
15205 
15206 	func->close_range =
15207 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
15208 
15209 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
15210 		func->serv_spec_info_len =
15211 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
15212 		func->serv_spec_info =
15213 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
15214 				func->serv_spec_info_len,
15215 				GFP_KERNEL);
15216 		if (!func->serv_spec_info) {
15217 			err = -ENOMEM;
15218 			goto out;
15219 		}
15220 	}
15221 
15222 	if (tb[NL80211_NAN_FUNC_TTL])
15223 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
15224 
15225 	switch (func->type) {
15226 	case NL80211_NAN_FUNC_PUBLISH:
15227 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
15228 			err = -EINVAL;
15229 			goto out;
15230 		}
15231 
15232 		func->publish_type =
15233 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
15234 		func->publish_bcast =
15235 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
15236 
15237 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
15238 			func->publish_bcast) {
15239 			err = -EINVAL;
15240 			goto out;
15241 		}
15242 		break;
15243 	case NL80211_NAN_FUNC_SUBSCRIBE:
15244 		func->subscribe_active =
15245 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
15246 		break;
15247 	case NL80211_NAN_FUNC_FOLLOW_UP:
15248 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
15249 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
15250 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
15251 			err = -EINVAL;
15252 			goto out;
15253 		}
15254 
15255 		func->followup_id =
15256 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
15257 		func->followup_reqid =
15258 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
15259 		memcpy(func->followup_dest.addr,
15260 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
15261 		       sizeof(func->followup_dest.addr));
15262 		if (func->ttl) {
15263 			err = -EINVAL;
15264 			goto out;
15265 		}
15266 		break;
15267 	default:
15268 		err = -EINVAL;
15269 		goto out;
15270 	}
15271 
15272 	if (tb[NL80211_NAN_FUNC_SRF]) {
15273 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
15274 
15275 		err = nla_parse_nested_deprecated(srf_tb,
15276 						  NL80211_NAN_SRF_ATTR_MAX,
15277 						  tb[NL80211_NAN_FUNC_SRF],
15278 						  nl80211_nan_srf_policy,
15279 						  info->extack);
15280 		if (err)
15281 			goto out;
15282 
15283 		func->srf_include =
15284 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
15285 
15286 		if (srf_tb[NL80211_NAN_SRF_BF]) {
15287 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
15288 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
15289 				err = -EINVAL;
15290 				goto out;
15291 			}
15292 
15293 			func->srf_bf_len =
15294 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
15295 			func->srf_bf =
15296 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
15297 					func->srf_bf_len, GFP_KERNEL);
15298 			if (!func->srf_bf) {
15299 				err = -ENOMEM;
15300 				goto out;
15301 			}
15302 
15303 			func->srf_bf_idx =
15304 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
15305 		} else {
15306 			struct nlattr *attr, *mac_attr =
15307 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
15308 			int n_entries, rem, i = 0;
15309 
15310 			if (!mac_attr) {
15311 				err = -EINVAL;
15312 				goto out;
15313 			}
15314 
15315 			n_entries = validate_acl_mac_addrs(mac_attr);
15316 			if (n_entries <= 0) {
15317 				err = -EINVAL;
15318 				goto out;
15319 			}
15320 
15321 			func->srf_num_macs = n_entries;
15322 			func->srf_macs =
15323 				kcalloc(n_entries, sizeof(*func->srf_macs),
15324 					GFP_KERNEL);
15325 			if (!func->srf_macs) {
15326 				err = -ENOMEM;
15327 				goto out;
15328 			}
15329 
15330 			nla_for_each_nested(attr, mac_attr, rem)
15331 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
15332 				       sizeof(*func->srf_macs));
15333 		}
15334 	}
15335 
15336 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
15337 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
15338 					func, true);
15339 		if (err)
15340 			goto out;
15341 	}
15342 
15343 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
15344 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
15345 					func, false);
15346 		if (err)
15347 			goto out;
15348 	}
15349 
15350 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15351 	if (!msg) {
15352 		err = -ENOMEM;
15353 		goto out;
15354 	}
15355 
15356 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15357 			     NL80211_CMD_ADD_NAN_FUNCTION);
15358 	/* This can't really happen - we just allocated 4KB */
15359 	if (WARN_ON(!hdr)) {
15360 		err = -ENOMEM;
15361 		goto out;
15362 	}
15363 
15364 	err = rdev_add_nan_func(rdev, wdev, func);
15365 out:
15366 	if (err < 0) {
15367 		cfg80211_free_nan_func(func);
15368 		nlmsg_free(msg);
15369 		return err;
15370 	}
15371 
15372 	/* propagate the instance id and cookie to userspace  */
15373 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
15374 			      NL80211_ATTR_PAD))
15375 		goto nla_put_failure;
15376 
15377 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
15378 	if (!func_attr)
15379 		goto nla_put_failure;
15380 
15381 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
15382 		       func->instance_id))
15383 		goto nla_put_failure;
15384 
15385 	nla_nest_end(msg, func_attr);
15386 
15387 	genlmsg_end(msg, hdr);
15388 	return genlmsg_reply(msg, info);
15389 
15390 nla_put_failure:
15391 	nlmsg_free(msg);
15392 	return -ENOBUFS;
15393 }
15394 
15395 static int nl80211_nan_del_func(struct sk_buff *skb,
15396 			       struct genl_info *info)
15397 {
15398 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15399 	struct wireless_dev *wdev = info->user_ptr[1];
15400 	u64 cookie;
15401 
15402 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15403 		return -EOPNOTSUPP;
15404 
15405 	if (!wdev_running(wdev))
15406 		return -ENOTCONN;
15407 
15408 	if (!info->attrs[NL80211_ATTR_COOKIE])
15409 		return -EINVAL;
15410 
15411 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
15412 
15413 	rdev_del_nan_func(rdev, wdev, cookie);
15414 
15415 	return 0;
15416 }
15417 
15418 static int nl80211_nan_change_config(struct sk_buff *skb,
15419 				     struct genl_info *info)
15420 {
15421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15422 	struct wireless_dev *wdev = info->user_ptr[1];
15423 	struct cfg80211_nan_conf conf = {};
15424 	u32 changed = 0;
15425 
15426 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15427 		return -EOPNOTSUPP;
15428 
15429 	if (!wdev_running(wdev))
15430 		return -ENOTCONN;
15431 
15432 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
15433 		conf.master_pref =
15434 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15435 		if (conf.master_pref <= 1 || conf.master_pref == 255)
15436 			return -EINVAL;
15437 
15438 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
15439 	}
15440 
15441 	if (info->attrs[NL80211_ATTR_BANDS]) {
15442 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15443 
15444 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
15445 			return -EOPNOTSUPP;
15446 
15447 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15448 			return -EINVAL;
15449 
15450 		conf.bands = bands;
15451 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
15452 	}
15453 
15454 	if (!changed)
15455 		return -EINVAL;
15456 
15457 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
15458 }
15459 
15460 void cfg80211_nan_match(struct wireless_dev *wdev,
15461 			struct cfg80211_nan_match_params *match, gfp_t gfp)
15462 {
15463 	struct wiphy *wiphy = wdev->wiphy;
15464 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15465 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
15466 	struct sk_buff *msg;
15467 	void *hdr;
15468 
15469 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
15470 		return;
15471 
15472 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15473 	if (!msg)
15474 		return;
15475 
15476 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
15477 	if (!hdr) {
15478 		nlmsg_free(msg);
15479 		return;
15480 	}
15481 
15482 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15483 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15484 					 wdev->netdev->ifindex)) ||
15485 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15486 			      NL80211_ATTR_PAD))
15487 		goto nla_put_failure;
15488 
15489 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
15490 			      NL80211_ATTR_PAD) ||
15491 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
15492 		goto nla_put_failure;
15493 
15494 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
15495 	if (!match_attr)
15496 		goto nla_put_failure;
15497 
15498 	local_func_attr = nla_nest_start_noflag(msg,
15499 						NL80211_NAN_MATCH_FUNC_LOCAL);
15500 	if (!local_func_attr)
15501 		goto nla_put_failure;
15502 
15503 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
15504 		goto nla_put_failure;
15505 
15506 	nla_nest_end(msg, local_func_attr);
15507 
15508 	peer_func_attr = nla_nest_start_noflag(msg,
15509 					       NL80211_NAN_MATCH_FUNC_PEER);
15510 	if (!peer_func_attr)
15511 		goto nla_put_failure;
15512 
15513 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
15514 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
15515 		goto nla_put_failure;
15516 
15517 	if (match->info && match->info_len &&
15518 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
15519 		    match->info))
15520 		goto nla_put_failure;
15521 
15522 	nla_nest_end(msg, peer_func_attr);
15523 	nla_nest_end(msg, match_attr);
15524 	genlmsg_end(msg, hdr);
15525 
15526 	if (!wdev->owner_nlportid)
15527 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
15528 					msg, 0, NL80211_MCGRP_NAN, gfp);
15529 	else
15530 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
15531 				wdev->owner_nlportid);
15532 
15533 	return;
15534 
15535 nla_put_failure:
15536 	nlmsg_free(msg);
15537 }
15538 EXPORT_SYMBOL(cfg80211_nan_match);
15539 
15540 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
15541 				  u8 inst_id,
15542 				  enum nl80211_nan_func_term_reason reason,
15543 				  u64 cookie, gfp_t gfp)
15544 {
15545 	struct wiphy *wiphy = wdev->wiphy;
15546 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15547 	struct sk_buff *msg;
15548 	struct nlattr *func_attr;
15549 	void *hdr;
15550 
15551 	if (WARN_ON(!inst_id))
15552 		return;
15553 
15554 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15555 	if (!msg)
15556 		return;
15557 
15558 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
15559 	if (!hdr) {
15560 		nlmsg_free(msg);
15561 		return;
15562 	}
15563 
15564 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15565 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15566 					 wdev->netdev->ifindex)) ||
15567 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15568 			      NL80211_ATTR_PAD))
15569 		goto nla_put_failure;
15570 
15571 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15572 			      NL80211_ATTR_PAD))
15573 		goto nla_put_failure;
15574 
15575 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
15576 	if (!func_attr)
15577 		goto nla_put_failure;
15578 
15579 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
15580 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
15581 		goto nla_put_failure;
15582 
15583 	nla_nest_end(msg, func_attr);
15584 	genlmsg_end(msg, hdr);
15585 
15586 	if (!wdev->owner_nlportid)
15587 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
15588 					msg, 0, NL80211_MCGRP_NAN, gfp);
15589 	else
15590 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
15591 				wdev->owner_nlportid);
15592 
15593 	return;
15594 
15595 nla_put_failure:
15596 	nlmsg_free(msg);
15597 }
15598 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
15599 
15600 static int nl80211_get_protocol_features(struct sk_buff *skb,
15601 					 struct genl_info *info)
15602 {
15603 	void *hdr;
15604 	struct sk_buff *msg;
15605 
15606 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15607 	if (!msg)
15608 		return -ENOMEM;
15609 
15610 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15611 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
15612 	if (!hdr)
15613 		goto nla_put_failure;
15614 
15615 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
15616 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
15617 		goto nla_put_failure;
15618 
15619 	genlmsg_end(msg, hdr);
15620 	return genlmsg_reply(msg, info);
15621 
15622  nla_put_failure:
15623 	kfree_skb(msg);
15624 	return -ENOBUFS;
15625 }
15626 
15627 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
15628 {
15629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15630 	struct cfg80211_update_ft_ies_params ft_params;
15631 	struct net_device *dev = info->user_ptr[1];
15632 
15633 	if (!rdev->ops->update_ft_ies)
15634 		return -EOPNOTSUPP;
15635 
15636 	if (!info->attrs[NL80211_ATTR_MDID] ||
15637 	    !info->attrs[NL80211_ATTR_IE])
15638 		return -EINVAL;
15639 
15640 	memset(&ft_params, 0, sizeof(ft_params));
15641 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
15642 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15643 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15644 
15645 	return rdev_update_ft_ies(rdev, dev, &ft_params);
15646 }
15647 
15648 static int nl80211_crit_protocol_start(struct sk_buff *skb,
15649 				       struct genl_info *info)
15650 {
15651 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15652 	struct wireless_dev *wdev = info->user_ptr[1];
15653 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15654 	u16 duration;
15655 	int ret;
15656 
15657 	if (!rdev->ops->crit_proto_start)
15658 		return -EOPNOTSUPP;
15659 
15660 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15661 		return -EINVAL;
15662 
15663 	if (rdev->crit_proto_nlportid)
15664 		return -EBUSY;
15665 
15666 	/* determine protocol if provided */
15667 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15668 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15669 
15670 	if (proto >= NUM_NL80211_CRIT_PROTO)
15671 		return -EINVAL;
15672 
15673 	/* timeout must be provided */
15674 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15675 		return -EINVAL;
15676 
15677 	duration =
15678 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15679 
15680 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15681 	if (!ret)
15682 		rdev->crit_proto_nlportid = info->snd_portid;
15683 
15684 	return ret;
15685 }
15686 
15687 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15688 				      struct genl_info *info)
15689 {
15690 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15691 	struct wireless_dev *wdev = info->user_ptr[1];
15692 
15693 	if (!rdev->ops->crit_proto_stop)
15694 		return -EOPNOTSUPP;
15695 
15696 	if (rdev->crit_proto_nlportid) {
15697 		rdev->crit_proto_nlportid = 0;
15698 		rdev_crit_proto_stop(rdev, wdev);
15699 	}
15700 	return 0;
15701 }
15702 
15703 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15704 				       struct nlattr *attr,
15705 				       struct netlink_ext_ack *extack)
15706 {
15707 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15708 		if (attr->nla_type & NLA_F_NESTED) {
15709 			NL_SET_ERR_MSG_ATTR(extack, attr,
15710 					    "unexpected nested data");
15711 			return -EINVAL;
15712 		}
15713 
15714 		return 0;
15715 	}
15716 
15717 	if (!(attr->nla_type & NLA_F_NESTED)) {
15718 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15719 		return -EINVAL;
15720 	}
15721 
15722 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15723 }
15724 
15725 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15726 {
15727 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15728 	struct wireless_dev *wdev =
15729 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15730 					   info->attrs);
15731 	int i, err;
15732 	u32 vid, subcmd;
15733 
15734 	if (!rdev->wiphy.vendor_commands)
15735 		return -EOPNOTSUPP;
15736 
15737 	if (IS_ERR(wdev)) {
15738 		err = PTR_ERR(wdev);
15739 		if (err != -EINVAL)
15740 			return err;
15741 		wdev = NULL;
15742 	} else if (wdev->wiphy != &rdev->wiphy) {
15743 		return -EINVAL;
15744 	}
15745 
15746 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15747 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15748 		return -EINVAL;
15749 
15750 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15751 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15752 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15753 		const struct wiphy_vendor_command *vcmd;
15754 		void *data = NULL;
15755 		int len = 0;
15756 
15757 		vcmd = &rdev->wiphy.vendor_commands[i];
15758 
15759 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15760 			continue;
15761 
15762 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15763 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15764 			if (!wdev)
15765 				return -EINVAL;
15766 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15767 			    !wdev->netdev)
15768 				return -EINVAL;
15769 
15770 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15771 				if (!wdev_running(wdev))
15772 					return -ENETDOWN;
15773 			}
15774 		} else {
15775 			wdev = NULL;
15776 		}
15777 
15778 		if (!vcmd->doit)
15779 			return -EOPNOTSUPP;
15780 
15781 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15782 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15783 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15784 
15785 			err = nl80211_vendor_check_policy(vcmd,
15786 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15787 					info->extack);
15788 			if (err)
15789 				return err;
15790 		}
15791 
15792 		rdev->cur_cmd_info = info;
15793 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15794 		rdev->cur_cmd_info = NULL;
15795 		return err;
15796 	}
15797 
15798 	return -EOPNOTSUPP;
15799 }
15800 
15801 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15802 				       struct netlink_callback *cb,
15803 				       struct cfg80211_registered_device **rdev,
15804 				       struct wireless_dev **wdev)
15805 {
15806 	struct nlattr **attrbuf;
15807 	u32 vid, subcmd;
15808 	unsigned int i;
15809 	int vcmd_idx = -1;
15810 	int err;
15811 	void *data = NULL;
15812 	unsigned int data_len = 0;
15813 
15814 	if (cb->args[0]) {
15815 		/* subtract the 1 again here */
15816 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15817 		struct wireless_dev *tmp;
15818 
15819 		if (!wiphy)
15820 			return -ENODEV;
15821 		*rdev = wiphy_to_rdev(wiphy);
15822 		*wdev = NULL;
15823 
15824 		if (cb->args[1]) {
15825 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15826 				if (tmp->identifier == cb->args[1] - 1) {
15827 					*wdev = tmp;
15828 					break;
15829 				}
15830 			}
15831 		}
15832 
15833 		/* keep rtnl locked in successful case */
15834 		return 0;
15835 	}
15836 
15837 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15838 	if (!attrbuf)
15839 		return -ENOMEM;
15840 
15841 	err = nlmsg_parse_deprecated(cb->nlh,
15842 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15843 				     attrbuf, nl80211_fam.maxattr,
15844 				     nl80211_policy, NULL);
15845 	if (err)
15846 		goto out;
15847 
15848 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15849 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15850 		err = -EINVAL;
15851 		goto out;
15852 	}
15853 
15854 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15855 	if (IS_ERR(*wdev))
15856 		*wdev = NULL;
15857 
15858 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15859 	if (IS_ERR(*rdev)) {
15860 		err = PTR_ERR(*rdev);
15861 		goto out;
15862 	}
15863 
15864 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15865 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15866 
15867 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15868 		const struct wiphy_vendor_command *vcmd;
15869 
15870 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15871 
15872 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15873 			continue;
15874 
15875 		if (!vcmd->dumpit) {
15876 			err = -EOPNOTSUPP;
15877 			goto out;
15878 		}
15879 
15880 		vcmd_idx = i;
15881 		break;
15882 	}
15883 
15884 	if (vcmd_idx < 0) {
15885 		err = -EOPNOTSUPP;
15886 		goto out;
15887 	}
15888 
15889 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15890 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15891 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15892 
15893 		err = nl80211_vendor_check_policy(
15894 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15895 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15896 				cb->extack);
15897 		if (err)
15898 			goto out;
15899 	}
15900 
15901 	/* 0 is the first index - add 1 to parse only once */
15902 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15903 	/* add 1 to know if it was NULL */
15904 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15905 	cb->args[2] = vcmd_idx;
15906 	cb->args[3] = (unsigned long)data;
15907 	cb->args[4] = data_len;
15908 
15909 	/* keep rtnl locked in successful case */
15910 	err = 0;
15911 out:
15912 	kfree(attrbuf);
15913 	return err;
15914 }
15915 
15916 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15917 				   struct netlink_callback *cb)
15918 {
15919 	struct cfg80211_registered_device *rdev;
15920 	struct wireless_dev *wdev;
15921 	unsigned int vcmd_idx;
15922 	const struct wiphy_vendor_command *vcmd;
15923 	void *data;
15924 	int data_len;
15925 	int err;
15926 	struct nlattr *vendor_data;
15927 
15928 	rtnl_lock();
15929 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15930 	if (err)
15931 		goto out;
15932 
15933 	vcmd_idx = cb->args[2];
15934 	data = (void *)cb->args[3];
15935 	data_len = cb->args[4];
15936 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15937 
15938 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15939 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15940 		if (!wdev) {
15941 			err = -EINVAL;
15942 			goto out;
15943 		}
15944 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15945 		    !wdev->netdev) {
15946 			err = -EINVAL;
15947 			goto out;
15948 		}
15949 
15950 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15951 			if (!wdev_running(wdev)) {
15952 				err = -ENETDOWN;
15953 				goto out;
15954 			}
15955 		}
15956 	}
15957 
15958 	while (1) {
15959 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15960 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15961 					   NL80211_CMD_VENDOR);
15962 		if (!hdr)
15963 			break;
15964 
15965 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15966 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15967 					       wdev_id(wdev),
15968 					       NL80211_ATTR_PAD))) {
15969 			genlmsg_cancel(skb, hdr);
15970 			break;
15971 		}
15972 
15973 		vendor_data = nla_nest_start_noflag(skb,
15974 						    NL80211_ATTR_VENDOR_DATA);
15975 		if (!vendor_data) {
15976 			genlmsg_cancel(skb, hdr);
15977 			break;
15978 		}
15979 
15980 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15981 				   (unsigned long *)&cb->args[5]);
15982 		nla_nest_end(skb, vendor_data);
15983 
15984 		if (err == -ENOBUFS || err == -ENOENT) {
15985 			genlmsg_cancel(skb, hdr);
15986 			break;
15987 		} else if (err <= 0) {
15988 			genlmsg_cancel(skb, hdr);
15989 			goto out;
15990 		}
15991 
15992 		genlmsg_end(skb, hdr);
15993 	}
15994 
15995 	err = skb->len;
15996  out:
15997 	rtnl_unlock();
15998 	return err;
15999 }
16000 
16001 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
16002 					   enum nl80211_commands cmd,
16003 					   enum nl80211_attrs attr,
16004 					   int approxlen)
16005 {
16006 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16007 
16008 	if (WARN_ON(!rdev->cur_cmd_info))
16009 		return NULL;
16010 
16011 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
16012 					   rdev->cur_cmd_info->snd_portid,
16013 					   rdev->cur_cmd_info->snd_seq,
16014 					   cmd, attr, NULL, GFP_KERNEL);
16015 }
16016 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
16017 
16018 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
16019 {
16020 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
16021 	void *hdr = ((void **)skb->cb)[1];
16022 	struct nlattr *data = ((void **)skb->cb)[2];
16023 
16024 	/* clear CB data for netlink core to own from now on */
16025 	memset(skb->cb, 0, sizeof(skb->cb));
16026 
16027 	if (WARN_ON(!rdev->cur_cmd_info)) {
16028 		kfree_skb(skb);
16029 		return -EINVAL;
16030 	}
16031 
16032 	nla_nest_end(skb, data);
16033 	genlmsg_end(skb, hdr);
16034 	return genlmsg_reply(skb, rdev->cur_cmd_info);
16035 }
16036 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
16037 
16038 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
16039 {
16040 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16041 
16042 	if (WARN_ON(!rdev->cur_cmd_info))
16043 		return 0;
16044 
16045 	return rdev->cur_cmd_info->snd_portid;
16046 }
16047 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
16048 
16049 static int nl80211_set_qos_map(struct sk_buff *skb,
16050 			       struct genl_info *info)
16051 {
16052 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16053 	struct cfg80211_qos_map *qos_map = NULL;
16054 	struct net_device *dev = info->user_ptr[1];
16055 	u8 *pos, len, num_des, des_len, des;
16056 	int ret;
16057 
16058 	if (!rdev->ops->set_qos_map)
16059 		return -EOPNOTSUPP;
16060 
16061 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
16062 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
16063 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
16064 
16065 		if (len % 2)
16066 			return -EINVAL;
16067 
16068 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
16069 		if (!qos_map)
16070 			return -ENOMEM;
16071 
16072 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
16073 		if (num_des) {
16074 			des_len = num_des *
16075 				sizeof(struct cfg80211_dscp_exception);
16076 			memcpy(qos_map->dscp_exception, pos, des_len);
16077 			qos_map->num_des = num_des;
16078 			for (des = 0; des < num_des; des++) {
16079 				if (qos_map->dscp_exception[des].up > 7) {
16080 					kfree(qos_map);
16081 					return -EINVAL;
16082 				}
16083 			}
16084 			pos += des_len;
16085 		}
16086 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
16087 	}
16088 
16089 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
16090 	if (!ret)
16091 		ret = rdev_set_qos_map(rdev, dev, qos_map);
16092 
16093 	kfree(qos_map);
16094 	return ret;
16095 }
16096 
16097 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
16098 {
16099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16100 	struct net_device *dev = info->user_ptr[1];
16101 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16102 	const u8 *peer;
16103 	u8 tsid, up;
16104 	u16 admitted_time = 0;
16105 
16106 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
16107 		return -EOPNOTSUPP;
16108 
16109 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
16110 	    !info->attrs[NL80211_ATTR_USER_PRIO])
16111 		return -EINVAL;
16112 
16113 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16114 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
16115 
16116 	/* WMM uses TIDs 0-7 even for TSPEC */
16117 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
16118 		/* TODO: handle 802.11 TSPEC/admission control
16119 		 * need more attributes for that (e.g. BA session requirement);
16120 		 * change the WMM admission test above to allow both then
16121 		 */
16122 		return -EINVAL;
16123 	}
16124 
16125 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16126 
16127 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
16128 		admitted_time =
16129 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
16130 		if (!admitted_time)
16131 			return -EINVAL;
16132 	}
16133 
16134 	switch (wdev->iftype) {
16135 	case NL80211_IFTYPE_STATION:
16136 	case NL80211_IFTYPE_P2P_CLIENT:
16137 		if (wdev->connected)
16138 			break;
16139 		return -ENOTCONN;
16140 	default:
16141 		return -EOPNOTSUPP;
16142 	}
16143 
16144 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
16145 }
16146 
16147 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
16148 {
16149 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16150 	struct net_device *dev = info->user_ptr[1];
16151 	const u8 *peer;
16152 	u8 tsid;
16153 
16154 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
16155 		return -EINVAL;
16156 
16157 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16158 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16159 
16160 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
16161 }
16162 
16163 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
16164 				       struct genl_info *info)
16165 {
16166 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16167 	struct net_device *dev = info->user_ptr[1];
16168 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16169 	struct cfg80211_chan_def chandef = {};
16170 	const u8 *addr;
16171 	u8 oper_class;
16172 	int err;
16173 
16174 	if (!rdev->ops->tdls_channel_switch ||
16175 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16176 		return -EOPNOTSUPP;
16177 
16178 	switch (dev->ieee80211_ptr->iftype) {
16179 	case NL80211_IFTYPE_STATION:
16180 	case NL80211_IFTYPE_P2P_CLIENT:
16181 		break;
16182 	default:
16183 		return -EOPNOTSUPP;
16184 	}
16185 
16186 	if (!info->attrs[NL80211_ATTR_MAC] ||
16187 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
16188 		return -EINVAL;
16189 
16190 	err = nl80211_parse_chandef(rdev, info, &chandef);
16191 	if (err)
16192 		return err;
16193 
16194 	/*
16195 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
16196 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
16197 	 * specification is not defined for them.
16198 	 */
16199 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
16200 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
16201 	    chandef.width != NL80211_CHAN_WIDTH_20)
16202 		return -EINVAL;
16203 
16204 	/* we will be active on the TDLS link */
16205 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
16206 					   wdev->iftype))
16207 		return -EINVAL;
16208 
16209 	/* don't allow switching to DFS channels */
16210 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
16211 		return -EINVAL;
16212 
16213 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16214 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
16215 
16216 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
16217 }
16218 
16219 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
16220 					      struct genl_info *info)
16221 {
16222 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16223 	struct net_device *dev = info->user_ptr[1];
16224 	const u8 *addr;
16225 
16226 	if (!rdev->ops->tdls_channel_switch ||
16227 	    !rdev->ops->tdls_cancel_channel_switch ||
16228 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16229 		return -EOPNOTSUPP;
16230 
16231 	switch (dev->ieee80211_ptr->iftype) {
16232 	case NL80211_IFTYPE_STATION:
16233 	case NL80211_IFTYPE_P2P_CLIENT:
16234 		break;
16235 	default:
16236 		return -EOPNOTSUPP;
16237 	}
16238 
16239 	if (!info->attrs[NL80211_ATTR_MAC])
16240 		return -EINVAL;
16241 
16242 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16243 
16244 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
16245 
16246 	return 0;
16247 }
16248 
16249 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
16250 					    struct genl_info *info)
16251 {
16252 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16253 	struct net_device *dev = info->user_ptr[1];
16254 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16255 	const struct nlattr *nla;
16256 	bool enabled;
16257 
16258 	if (!rdev->ops->set_multicast_to_unicast)
16259 		return -EOPNOTSUPP;
16260 
16261 	if (wdev->iftype != NL80211_IFTYPE_AP &&
16262 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
16263 		return -EOPNOTSUPP;
16264 
16265 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
16266 	enabled = nla_get_flag(nla);
16267 
16268 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
16269 }
16270 
16271 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
16272 {
16273 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16274 	struct net_device *dev = info->user_ptr[1];
16275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16276 	struct cfg80211_pmk_conf pmk_conf = {};
16277 
16278 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16279 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16280 		return -EOPNOTSUPP;
16281 
16282 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16283 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
16284 		return -EOPNOTSUPP;
16285 
16286 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
16287 		return -EINVAL;
16288 
16289 	if (!wdev->connected)
16290 		return -ENOTCONN;
16291 
16292 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
16293 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
16294 		return -EINVAL;
16295 
16296 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
16297 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
16298 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
16299 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
16300 		return -EINVAL;
16301 
16302 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
16303 		pmk_conf.pmk_r0_name =
16304 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
16305 
16306 	return rdev_set_pmk(rdev, dev, &pmk_conf);
16307 }
16308 
16309 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
16310 {
16311 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16312 	struct net_device *dev = info->user_ptr[1];
16313 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16314 	const u8 *aa;
16315 
16316 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16317 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16318 		return -EOPNOTSUPP;
16319 
16320 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16321 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
16322 		return -EOPNOTSUPP;
16323 
16324 	if (!info->attrs[NL80211_ATTR_MAC])
16325 		return -EINVAL;
16326 
16327 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
16328 	return rdev_del_pmk(rdev, dev, aa);
16329 }
16330 
16331 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
16332 {
16333 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16334 	struct net_device *dev = info->user_ptr[1];
16335 	struct cfg80211_external_auth_params params;
16336 
16337 	if (!rdev->ops->external_auth)
16338 		return -EOPNOTSUPP;
16339 
16340 	if (!info->attrs[NL80211_ATTR_SSID] &&
16341 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
16342 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
16343 		return -EINVAL;
16344 
16345 	if (!info->attrs[NL80211_ATTR_BSSID])
16346 		return -EINVAL;
16347 
16348 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
16349 		return -EINVAL;
16350 
16351 	memset(&params, 0, sizeof(params));
16352 
16353 	if (info->attrs[NL80211_ATTR_SSID]) {
16354 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
16355 		if (params.ssid.ssid_len == 0)
16356 			return -EINVAL;
16357 		memcpy(params.ssid.ssid,
16358 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
16359 		       params.ssid.ssid_len);
16360 	}
16361 
16362 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
16363 	       ETH_ALEN);
16364 
16365 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
16366 
16367 	if (info->attrs[NL80211_ATTR_PMKID])
16368 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
16369 
16370 	return rdev_external_auth(rdev, dev, &params);
16371 }
16372 
16373 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
16374 {
16375 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
16376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16377 	struct net_device *dev = info->user_ptr[1];
16378 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16379 	const u8 *buf;
16380 	size_t len;
16381 	u8 *dest;
16382 	u16 proto;
16383 	bool noencrypt;
16384 	u64 cookie = 0;
16385 	int link_id;
16386 	int err;
16387 
16388 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16389 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
16390 		return -EOPNOTSUPP;
16391 
16392 	if (!rdev->ops->tx_control_port)
16393 		return -EOPNOTSUPP;
16394 
16395 	if (!info->attrs[NL80211_ATTR_FRAME] ||
16396 	    !info->attrs[NL80211_ATTR_MAC] ||
16397 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
16398 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
16399 		return -EINVAL;
16400 	}
16401 
16402 	switch (wdev->iftype) {
16403 	case NL80211_IFTYPE_AP:
16404 	case NL80211_IFTYPE_P2P_GO:
16405 	case NL80211_IFTYPE_MESH_POINT:
16406 		break;
16407 	case NL80211_IFTYPE_ADHOC:
16408 		if (wdev->u.ibss.current_bss)
16409 			break;
16410 		return -ENOTCONN;
16411 	case NL80211_IFTYPE_STATION:
16412 	case NL80211_IFTYPE_P2P_CLIENT:
16413 		if (wdev->connected)
16414 			break;
16415 		return -ENOTCONN;
16416 	default:
16417 		return -EOPNOTSUPP;
16418 	}
16419 
16420 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
16421 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
16422 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
16423 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
16424 	noencrypt =
16425 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
16426 
16427 	link_id = nl80211_link_id_or_invalid(info->attrs);
16428 
16429 	err = rdev_tx_control_port(rdev, dev, buf, len,
16430 				   dest, cpu_to_be16(proto), noencrypt, link_id,
16431 				   dont_wait_for_ack ? NULL : &cookie);
16432 	if (!err && !dont_wait_for_ack)
16433 		nl_set_extack_cookie_u64(info->extack, cookie);
16434 	return err;
16435 }
16436 
16437 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
16438 					   struct genl_info *info)
16439 {
16440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16441 	struct net_device *dev = info->user_ptr[1];
16442 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16443 	struct cfg80211_ftm_responder_stats ftm_stats = {};
16444 	unsigned int link_id = nl80211_link_id(info->attrs);
16445 	struct sk_buff *msg;
16446 	void *hdr;
16447 	struct nlattr *ftm_stats_attr;
16448 	int err;
16449 
16450 	if (wdev->iftype != NL80211_IFTYPE_AP ||
16451 	    !wdev->links[link_id].ap.beacon_interval)
16452 		return -EOPNOTSUPP;
16453 
16454 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
16455 	if (err)
16456 		return err;
16457 
16458 	if (!ftm_stats.filled)
16459 		return -ENODATA;
16460 
16461 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16462 	if (!msg)
16463 		return -ENOMEM;
16464 
16465 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16466 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
16467 	if (!hdr)
16468 		goto nla_put_failure;
16469 
16470 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16471 		goto nla_put_failure;
16472 
16473 	ftm_stats_attr = nla_nest_start_noflag(msg,
16474 					       NL80211_ATTR_FTM_RESPONDER_STATS);
16475 	if (!ftm_stats_attr)
16476 		goto nla_put_failure;
16477 
16478 #define SET_FTM(field, name, type)					 \
16479 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
16480 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
16481 			     ftm_stats.field))				 \
16482 		goto nla_put_failure; } while (0)
16483 #define SET_FTM_U64(field, name)					 \
16484 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
16485 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
16486 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
16487 		goto nla_put_failure; } while (0)
16488 
16489 	SET_FTM(success_num, SUCCESS_NUM, u32);
16490 	SET_FTM(partial_num, PARTIAL_NUM, u32);
16491 	SET_FTM(failed_num, FAILED_NUM, u32);
16492 	SET_FTM(asap_num, ASAP_NUM, u32);
16493 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
16494 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
16495 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
16496 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
16497 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
16498 #undef SET_FTM
16499 
16500 	nla_nest_end(msg, ftm_stats_attr);
16501 
16502 	genlmsg_end(msg, hdr);
16503 	return genlmsg_reply(msg, info);
16504 
16505 nla_put_failure:
16506 	nlmsg_free(msg);
16507 	return -ENOBUFS;
16508 }
16509 
16510 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
16511 {
16512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16513 	struct cfg80211_update_owe_info owe_info;
16514 	struct net_device *dev = info->user_ptr[1];
16515 
16516 	if (!rdev->ops->update_owe_info)
16517 		return -EOPNOTSUPP;
16518 
16519 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
16520 	    !info->attrs[NL80211_ATTR_MAC])
16521 		return -EINVAL;
16522 
16523 	memset(&owe_info, 0, sizeof(owe_info));
16524 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
16525 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
16526 
16527 	if (info->attrs[NL80211_ATTR_IE]) {
16528 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16529 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16530 	}
16531 
16532 	return rdev_update_owe_info(rdev, dev, &owe_info);
16533 }
16534 
16535 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
16536 {
16537 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16538 	struct net_device *dev = info->user_ptr[1];
16539 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16540 	struct station_info sinfo = {};
16541 	const u8 *buf;
16542 	size_t len;
16543 	u8 *dest;
16544 	int err;
16545 
16546 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
16547 		return -EOPNOTSUPP;
16548 
16549 	if (!info->attrs[NL80211_ATTR_MAC] ||
16550 	    !info->attrs[NL80211_ATTR_FRAME]) {
16551 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
16552 		return -EINVAL;
16553 	}
16554 
16555 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
16556 		return -EOPNOTSUPP;
16557 
16558 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
16559 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
16560 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
16561 
16562 	if (len < sizeof(struct ethhdr))
16563 		return -EINVAL;
16564 
16565 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
16566 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
16567 		return -EINVAL;
16568 
16569 	err = rdev_get_station(rdev, dev, dest, &sinfo);
16570 	if (err)
16571 		return err;
16572 
16573 	cfg80211_sinfo_release_content(&sinfo);
16574 
16575 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
16576 }
16577 
16578 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
16579 			  struct nlattr *attrs[], struct net_device *dev,
16580 			  struct cfg80211_tid_cfg *tid_conf,
16581 			  struct genl_info *info, const u8 *peer,
16582 			  unsigned int link_id)
16583 {
16584 	struct netlink_ext_ack *extack = info->extack;
16585 	u64 mask;
16586 	int err;
16587 
16588 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
16589 		return -EINVAL;
16590 
16591 	tid_conf->config_override =
16592 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
16593 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
16594 
16595 	if (tid_conf->config_override) {
16596 		if (rdev->ops->reset_tid_config) {
16597 			err = rdev_reset_tid_config(rdev, dev, peer,
16598 						    tid_conf->tids);
16599 			if (err)
16600 				return err;
16601 		} else {
16602 			return -EINVAL;
16603 		}
16604 	}
16605 
16606 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
16607 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
16608 		tid_conf->noack =
16609 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
16610 	}
16611 
16612 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
16613 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
16614 		tid_conf->retry_short =
16615 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
16616 
16617 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
16618 			return -EINVAL;
16619 	}
16620 
16621 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
16622 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
16623 		tid_conf->retry_long =
16624 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
16625 
16626 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
16627 			return -EINVAL;
16628 	}
16629 
16630 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
16631 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
16632 		tid_conf->ampdu =
16633 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
16634 	}
16635 
16636 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
16637 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
16638 		tid_conf->rtscts =
16639 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
16640 	}
16641 
16642 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
16643 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
16644 		tid_conf->amsdu =
16645 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
16646 	}
16647 
16648 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
16649 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
16650 
16651 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16652 
16653 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16654 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16655 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16656 						    &tid_conf->txrate_mask, dev,
16657 						    true, link_id);
16658 			if (err)
16659 				return err;
16660 
16661 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16662 		}
16663 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16664 	}
16665 
16666 	if (peer)
16667 		mask = rdev->wiphy.tid_config_support.peer;
16668 	else
16669 		mask = rdev->wiphy.tid_config_support.vif;
16670 
16671 	if (tid_conf->mask & ~mask) {
16672 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16673 		return -EOPNOTSUPP;
16674 	}
16675 
16676 	return 0;
16677 }
16678 
16679 static int nl80211_set_tid_config(struct sk_buff *skb,
16680 				  struct genl_info *info)
16681 {
16682 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16683 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16684 	unsigned int link_id = nl80211_link_id(info->attrs);
16685 	struct net_device *dev = info->user_ptr[1];
16686 	struct cfg80211_tid_config *tid_config;
16687 	struct nlattr *tid;
16688 	int conf_idx = 0, rem_conf;
16689 	int ret = -EINVAL;
16690 	u32 num_conf = 0;
16691 
16692 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16693 		return -EINVAL;
16694 
16695 	if (!rdev->ops->set_tid_config)
16696 		return -EOPNOTSUPP;
16697 
16698 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16699 			    rem_conf)
16700 		num_conf++;
16701 
16702 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16703 			     GFP_KERNEL);
16704 	if (!tid_config)
16705 		return -ENOMEM;
16706 
16707 	tid_config->n_tid_conf = num_conf;
16708 
16709 	if (info->attrs[NL80211_ATTR_MAC])
16710 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16711 
16712 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16713 			    rem_conf) {
16714 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16715 				       tid, NULL, NULL);
16716 
16717 		if (ret)
16718 			goto bad_tid_conf;
16719 
16720 		ret = parse_tid_conf(rdev, attrs, dev,
16721 				     &tid_config->tid_conf[conf_idx],
16722 				     info, tid_config->peer, link_id);
16723 		if (ret)
16724 			goto bad_tid_conf;
16725 
16726 		conf_idx++;
16727 	}
16728 
16729 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16730 
16731 bad_tid_conf:
16732 	kfree(tid_config);
16733 	return ret;
16734 }
16735 
16736 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16737 {
16738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16739 	struct cfg80211_color_change_settings params = {};
16740 	struct net_device *dev = info->user_ptr[1];
16741 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16742 	struct nlattr **tb;
16743 	u16 offset;
16744 	int err;
16745 
16746 	if (!rdev->ops->color_change)
16747 		return -EOPNOTSUPP;
16748 
16749 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16750 				     NL80211_EXT_FEATURE_BSS_COLOR))
16751 		return -EOPNOTSUPP;
16752 
16753 	if (wdev->iftype != NL80211_IFTYPE_AP)
16754 		return -EOPNOTSUPP;
16755 
16756 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16757 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16758 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16759 		return -EINVAL;
16760 
16761 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16762 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16763 
16764 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16765 				   info->extack);
16766 	if (err)
16767 		return err;
16768 
16769 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16770 	if (!tb)
16771 		return -ENOMEM;
16772 
16773 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16774 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16775 			       nl80211_policy, info->extack);
16776 	if (err)
16777 		goto out;
16778 
16779 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16780 				   info->extack);
16781 	if (err)
16782 		goto out;
16783 
16784 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16785 		err = -EINVAL;
16786 		goto out;
16787 	}
16788 
16789 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16790 		err = -EINVAL;
16791 		goto out;
16792 	}
16793 
16794 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16795 	if (offset >= params.beacon_color_change.tail_len) {
16796 		err = -EINVAL;
16797 		goto out;
16798 	}
16799 
16800 	if (params.beacon_color_change.tail[offset] != params.count) {
16801 		err = -EINVAL;
16802 		goto out;
16803 	}
16804 
16805 	params.counter_offset_beacon = offset;
16806 
16807 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16808 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16809 		    sizeof(u16)) {
16810 			err = -EINVAL;
16811 			goto out;
16812 		}
16813 
16814 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16815 		if (offset >= params.beacon_color_change.probe_resp_len) {
16816 			err = -EINVAL;
16817 			goto out;
16818 		}
16819 
16820 		if (params.beacon_color_change.probe_resp[offset] !=
16821 		    params.count) {
16822 			err = -EINVAL;
16823 			goto out;
16824 		}
16825 
16826 		params.counter_offset_presp = offset;
16827 	}
16828 
16829 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
16830 		err = nl80211_parse_unsol_bcast_probe_resp(
16831 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
16832 			&params.unsol_bcast_probe_resp);
16833 		if (err)
16834 			goto out;
16835 	}
16836 
16837 	params.link_id = nl80211_link_id(info->attrs);
16838 	err = rdev_color_change(rdev, dev, &params);
16839 
16840 out:
16841 	kfree(params.beacon_next.mbssid_ies);
16842 	kfree(params.beacon_color_change.mbssid_ies);
16843 	kfree(params.beacon_next.rnr_ies);
16844 	kfree(params.beacon_color_change.rnr_ies);
16845 	kfree(tb);
16846 	return err;
16847 }
16848 
16849 static int nl80211_set_fils_aad(struct sk_buff *skb,
16850 				struct genl_info *info)
16851 {
16852 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16853 	struct net_device *dev = info->user_ptr[1];
16854 	struct cfg80211_fils_aad fils_aad = {};
16855 	u8 *nonces;
16856 
16857 	if (!info->attrs[NL80211_ATTR_MAC] ||
16858 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16859 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16860 		return -EINVAL;
16861 
16862 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16863 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16864 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16865 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16866 	fils_aad.snonce = nonces;
16867 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16868 
16869 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16870 }
16871 
16872 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16873 {
16874 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16875 	unsigned int link_id = nl80211_link_id(info->attrs);
16876 	struct net_device *dev = info->user_ptr[1];
16877 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16878 	int ret;
16879 
16880 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16881 		return -EINVAL;
16882 
16883 	switch (wdev->iftype) {
16884 	case NL80211_IFTYPE_AP:
16885 		break;
16886 	default:
16887 		return -EINVAL;
16888 	}
16889 
16890 	if (!info->attrs[NL80211_ATTR_MAC] ||
16891 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16892 		return -EINVAL;
16893 
16894 	wdev->valid_links |= BIT(link_id);
16895 	ether_addr_copy(wdev->links[link_id].addr,
16896 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16897 
16898 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16899 	if (ret) {
16900 		wdev->valid_links &= ~BIT(link_id);
16901 		eth_zero_addr(wdev->links[link_id].addr);
16902 	}
16903 
16904 	return ret;
16905 }
16906 
16907 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16908 {
16909 	unsigned int link_id = nl80211_link_id(info->attrs);
16910 	struct net_device *dev = info->user_ptr[1];
16911 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16912 
16913 	/* cannot remove if there's no link */
16914 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16915 		return -EINVAL;
16916 
16917 	switch (wdev->iftype) {
16918 	case NL80211_IFTYPE_AP:
16919 		break;
16920 	default:
16921 		return -EINVAL;
16922 	}
16923 
16924 	cfg80211_remove_link(wdev, link_id);
16925 
16926 	return 0;
16927 }
16928 
16929 static int
16930 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16931 			     bool add)
16932 {
16933 	struct link_station_parameters params = {};
16934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16935 	struct net_device *dev = info->user_ptr[1];
16936 	int err;
16937 
16938 	if ((add && !rdev->ops->add_link_station) ||
16939 	    (!add && !rdev->ops->mod_link_station))
16940 		return -EOPNOTSUPP;
16941 
16942 	if (add && !info->attrs[NL80211_ATTR_MAC])
16943 		return -EINVAL;
16944 
16945 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16946 		return -EINVAL;
16947 
16948 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16949 		return -EINVAL;
16950 
16951 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16952 
16953 	if (info->attrs[NL80211_ATTR_MAC]) {
16954 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16955 		if (!is_valid_ether_addr(params.link_mac))
16956 			return -EINVAL;
16957 	}
16958 
16959 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16960 		return -EINVAL;
16961 
16962 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16963 
16964 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16965 		params.supported_rates =
16966 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16967 		params.supported_rates_len =
16968 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16969 	}
16970 
16971 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16972 		params.ht_capa =
16973 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16974 
16975 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16976 		params.vht_capa =
16977 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16978 
16979 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16980 		params.he_capa =
16981 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16982 		params.he_capa_len =
16983 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16984 
16985 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16986 			params.eht_capa =
16987 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16988 			params.eht_capa_len =
16989 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16990 
16991 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16992 							(const u8 *)params.eht_capa,
16993 							params.eht_capa_len,
16994 							false))
16995 				return -EINVAL;
16996 		}
16997 	}
16998 
16999 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
17000 		params.he_6ghz_capa =
17001 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
17002 
17003 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
17004 		params.opmode_notif_used = true;
17005 		params.opmode_notif =
17006 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
17007 	}
17008 
17009 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
17010 						&params.txpwr_set);
17011 	if (err)
17012 		return err;
17013 
17014 	if (add)
17015 		return rdev_add_link_station(rdev, dev, &params);
17016 
17017 	return rdev_mod_link_station(rdev, dev, &params);
17018 }
17019 
17020 static int
17021 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
17022 {
17023 	return nl80211_add_mod_link_station(skb, info, true);
17024 }
17025 
17026 static int
17027 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
17028 {
17029 	return nl80211_add_mod_link_station(skb, info, false);
17030 }
17031 
17032 static int
17033 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
17034 {
17035 	struct link_station_del_parameters params = {};
17036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17037 	struct net_device *dev = info->user_ptr[1];
17038 
17039 	if (!rdev->ops->del_link_station)
17040 		return -EOPNOTSUPP;
17041 
17042 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
17043 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
17044 		return -EINVAL;
17045 
17046 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17047 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17048 
17049 	return rdev_del_link_station(rdev, dev, &params);
17050 }
17051 
17052 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
17053 				    struct genl_info *info)
17054 {
17055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17056 	struct net_device *dev = info->user_ptr[1];
17057 	struct cfg80211_set_hw_timestamp hwts = {};
17058 
17059 	if (!rdev->wiphy.hw_timestamp_max_peers)
17060 		return -EOPNOTSUPP;
17061 
17062 	if (!info->attrs[NL80211_ATTR_MAC] &&
17063 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
17064 		return -EOPNOTSUPP;
17065 
17066 	if (info->attrs[NL80211_ATTR_MAC])
17067 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17068 
17069 	hwts.enable =
17070 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
17071 
17072 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
17073 }
17074 
17075 static int
17076 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
17077 {
17078 	struct cfg80211_ttlm_params params = {};
17079 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17080 	struct net_device *dev = info->user_ptr[1];
17081 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17082 
17083 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17084 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17085 		return -EOPNOTSUPP;
17086 
17087 	if (!wdev->connected)
17088 		return -ENOLINK;
17089 
17090 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
17091 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
17092 		return -EINVAL;
17093 
17094 	nla_memcpy(params.dlink,
17095 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
17096 		   sizeof(params.dlink));
17097 	nla_memcpy(params.ulink,
17098 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
17099 		   sizeof(params.ulink));
17100 
17101 	return rdev_set_ttlm(rdev, dev, &params);
17102 }
17103 
17104 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
17105 {
17106 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17107 	struct net_device *dev = info->user_ptr[1];
17108 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17109 	struct cfg80211_ml_reconf_req req = {};
17110 	unsigned int link_id;
17111 	u16 add_links;
17112 	int err;
17113 
17114 	if (!wdev->valid_links)
17115 		return -EINVAL;
17116 
17117 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
17118 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
17119 		return -EPERM;
17120 
17121 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
17122 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
17123 		return -EOPNOTSUPP;
17124 
17125 	add_links = 0;
17126 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
17127 		err = nl80211_process_links(rdev, req.add_links,
17128 					    /* mark as MLO, but not assoc */
17129 					    IEEE80211_MLD_MAX_NUM_LINKS,
17130 					    NULL, 0, info);
17131 		if (err)
17132 			return err;
17133 
17134 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
17135 		     link_id++) {
17136 			if (!req.add_links[link_id].bss)
17137 				continue;
17138 			add_links |= BIT(link_id);
17139 		}
17140 	}
17141 
17142 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
17143 		req.rem_links =
17144 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
17145 
17146 	/* Validate that existing links are not added, removed links are valid
17147 	 * and don't allow adding and removing the same links
17148 	 */
17149 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
17150 	    (wdev->valid_links & add_links) ||
17151 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
17152 		err = -EINVAL;
17153 		goto out;
17154 	}
17155 
17156 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
17157 		req.ext_mld_capa_ops =
17158 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
17159 
17160 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
17161 
17162 out:
17163 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
17164 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
17165 
17166 	return err;
17167 }
17168 
17169 static int
17170 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
17171 {
17172 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17173 	struct net_device *dev = info->user_ptr[1];
17174 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17175 	bool val;
17176 
17177 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17178 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17179 		return -EOPNOTSUPP;
17180 
17181 	if (!wdev->connected)
17182 		return -ENOLINK;
17183 
17184 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
17185 
17186 	return rdev_set_epcs(rdev, dev, val);
17187 }
17188 
17189 #define NL80211_FLAG_NEED_WIPHY		0x01
17190 #define NL80211_FLAG_NEED_NETDEV	0x02
17191 #define NL80211_FLAG_NEED_RTNL		0x04
17192 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
17193 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
17194 					 NL80211_FLAG_CHECK_NETDEV_UP)
17195 #define NL80211_FLAG_NEED_WDEV		0x10
17196 /* If a netdev is associated, it must be UP, P2P must be started */
17197 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
17198 					 NL80211_FLAG_CHECK_NETDEV_UP)
17199 #define NL80211_FLAG_CLEAR_SKB		0x20
17200 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
17201 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
17202 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
17203 
17204 #define INTERNAL_FLAG_SELECTORS(__sel)			\
17205 	SELECTOR(__sel, NONE, 0) /* must be first */	\
17206 	SELECTOR(__sel, WIPHY,				\
17207 		 NL80211_FLAG_NEED_WIPHY)		\
17208 	SELECTOR(__sel, WDEV,				\
17209 		 NL80211_FLAG_NEED_WDEV)		\
17210 	SELECTOR(__sel, NETDEV,				\
17211 		 NL80211_FLAG_NEED_NETDEV)		\
17212 	SELECTOR(__sel, NETDEV_LINK,			\
17213 		 NL80211_FLAG_NEED_NETDEV |		\
17214 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17215 	SELECTOR(__sel, NETDEV_NO_MLO,			\
17216 		 NL80211_FLAG_NEED_NETDEV |		\
17217 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
17218 	SELECTOR(__sel, WIPHY_RTNL,			\
17219 		 NL80211_FLAG_NEED_WIPHY |		\
17220 		 NL80211_FLAG_NEED_RTNL)		\
17221 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
17222 		 NL80211_FLAG_NEED_WIPHY |		\
17223 		 NL80211_FLAG_NEED_RTNL |		\
17224 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17225 	SELECTOR(__sel, WDEV_RTNL,			\
17226 		 NL80211_FLAG_NEED_WDEV |		\
17227 		 NL80211_FLAG_NEED_RTNL)		\
17228 	SELECTOR(__sel, NETDEV_RTNL,			\
17229 		 NL80211_FLAG_NEED_NETDEV |		\
17230 		 NL80211_FLAG_NEED_RTNL)		\
17231 	SELECTOR(__sel, NETDEV_UP,			\
17232 		 NL80211_FLAG_NEED_NETDEV_UP)		\
17233 	SELECTOR(__sel, NETDEV_UP_LINK,			\
17234 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17235 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17236 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
17237 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17238 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
17239 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
17240 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17241 		 NL80211_FLAG_CLEAR_SKB |		\
17242 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
17243 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
17244 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17245 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17246 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
17247 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17248 		 NL80211_FLAG_NO_WIPHY_MTX |		\
17249 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17250 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
17251 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17252 		 NL80211_FLAG_CLEAR_SKB)		\
17253 	SELECTOR(__sel, WDEV_UP,			\
17254 		 NL80211_FLAG_NEED_WDEV_UP)		\
17255 	SELECTOR(__sel, WDEV_UP_LINK,			\
17256 		 NL80211_FLAG_NEED_WDEV_UP |		\
17257 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17258 	SELECTOR(__sel, WDEV_UP_RTNL,			\
17259 		 NL80211_FLAG_NEED_WDEV_UP |		\
17260 		 NL80211_FLAG_NEED_RTNL)		\
17261 	SELECTOR(__sel, WIPHY_CLEAR,			\
17262 		 NL80211_FLAG_NEED_WIPHY |		\
17263 		 NL80211_FLAG_CLEAR_SKB)
17264 
17265 enum nl80211_internal_flags_selector {
17266 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
17267 	INTERNAL_FLAG_SELECTORS(_)
17268 #undef SELECTOR
17269 };
17270 
17271 static u32 nl80211_internal_flags[] = {
17272 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
17273 	INTERNAL_FLAG_SELECTORS(_)
17274 #undef SELECTOR
17275 };
17276 
17277 static int nl80211_pre_doit(const struct genl_split_ops *ops,
17278 			    struct sk_buff *skb,
17279 			    struct genl_info *info)
17280 {
17281 	struct cfg80211_registered_device *rdev = NULL;
17282 	struct wireless_dev *wdev = NULL;
17283 	struct net_device *dev = NULL;
17284 	u32 internal_flags;
17285 	int err;
17286 
17287 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
17288 		return -EINVAL;
17289 
17290 	internal_flags = nl80211_internal_flags[ops->internal_flags];
17291 
17292 	rtnl_lock();
17293 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
17294 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
17295 		if (IS_ERR(rdev)) {
17296 			err = PTR_ERR(rdev);
17297 			goto out_unlock;
17298 		}
17299 		info->user_ptr[0] = rdev;
17300 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
17301 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
17302 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
17303 						  info->attrs);
17304 		if (IS_ERR(wdev)) {
17305 			err = PTR_ERR(wdev);
17306 			goto out_unlock;
17307 		}
17308 
17309 		dev = wdev->netdev;
17310 		dev_hold(dev);
17311 		rdev = wiphy_to_rdev(wdev->wiphy);
17312 
17313 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
17314 			if (!dev) {
17315 				err = -EINVAL;
17316 				goto out_unlock;
17317 			}
17318 
17319 			info->user_ptr[1] = dev;
17320 		} else {
17321 			info->user_ptr[1] = wdev;
17322 		}
17323 
17324 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
17325 		    !wdev_running(wdev)) {
17326 			err = -ENETDOWN;
17327 			goto out_unlock;
17328 		}
17329 
17330 		info->user_ptr[0] = rdev;
17331 	}
17332 
17333 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
17334 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
17335 
17336 		if (!wdev) {
17337 			err = -EINVAL;
17338 			goto out_unlock;
17339 		}
17340 
17341 		/* MLO -> require valid link ID */
17342 		if (wdev->valid_links &&
17343 		    (!link_id ||
17344 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
17345 			err = -EINVAL;
17346 			goto out_unlock;
17347 		}
17348 
17349 		/* non-MLO -> no link ID attribute accepted */
17350 		if (!wdev->valid_links && link_id) {
17351 			err = -EINVAL;
17352 			goto out_unlock;
17353 		}
17354 	}
17355 
17356 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
17357 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
17358 		    (wdev && wdev->valid_links)) {
17359 			err = -EINVAL;
17360 			goto out_unlock;
17361 		}
17362 	}
17363 
17364 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
17365 		wiphy_lock(&rdev->wiphy);
17366 		/* we keep the mutex locked until post_doit */
17367 		__release(&rdev->wiphy.mtx);
17368 	}
17369 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
17370 		rtnl_unlock();
17371 
17372 	return 0;
17373 out_unlock:
17374 	rtnl_unlock();
17375 	dev_put(dev);
17376 	return err;
17377 }
17378 
17379 static void nl80211_post_doit(const struct genl_split_ops *ops,
17380 			      struct sk_buff *skb,
17381 			      struct genl_info *info)
17382 {
17383 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
17384 
17385 	if (info->user_ptr[1]) {
17386 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
17387 			struct wireless_dev *wdev = info->user_ptr[1];
17388 
17389 			dev_put(wdev->netdev);
17390 		} else {
17391 			dev_put(info->user_ptr[1]);
17392 		}
17393 	}
17394 
17395 	if (info->user_ptr[0] &&
17396 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
17397 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
17398 
17399 		/* we kept the mutex locked since pre_doit */
17400 		__acquire(&rdev->wiphy.mtx);
17401 		wiphy_unlock(&rdev->wiphy);
17402 	}
17403 
17404 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
17405 		rtnl_unlock();
17406 
17407 	/* If needed, clear the netlink message payload from the SKB
17408 	 * as it might contain key data that shouldn't stick around on
17409 	 * the heap after the SKB is freed. The netlink message header
17410 	 * is still needed for further processing, so leave it intact.
17411 	 */
17412 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
17413 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
17414 
17415 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
17416 	}
17417 }
17418 
17419 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
17420 				     struct cfg80211_sar_specs *sar_specs,
17421 				     struct nlattr *spec[], int index)
17422 {
17423 	u32 range_index, i;
17424 
17425 	if (!sar_specs || !spec)
17426 		return -EINVAL;
17427 
17428 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
17429 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
17430 		return -EINVAL;
17431 
17432 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
17433 
17434 	/* check if range_index exceeds num_freq_ranges */
17435 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
17436 		return -EINVAL;
17437 
17438 	/* check if range_index duplicates */
17439 	for (i = 0; i < index; i++) {
17440 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
17441 			return -EINVAL;
17442 	}
17443 
17444 	sar_specs->sub_specs[index].power =
17445 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
17446 
17447 	sar_specs->sub_specs[index].freq_range_index = range_index;
17448 
17449 	return 0;
17450 }
17451 
17452 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
17453 {
17454 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17455 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
17456 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
17457 	struct cfg80211_sar_specs *sar_spec;
17458 	enum nl80211_sar_type type;
17459 	struct nlattr *spec_list;
17460 	u32 specs;
17461 	int rem, err;
17462 
17463 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
17464 		return -EOPNOTSUPP;
17465 
17466 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
17467 		return -EINVAL;
17468 
17469 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
17470 			 info->attrs[NL80211_ATTR_SAR_SPEC],
17471 			 NULL, NULL);
17472 
17473 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
17474 		return -EINVAL;
17475 
17476 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
17477 	if (type != rdev->wiphy.sar_capa->type)
17478 		return -EINVAL;
17479 
17480 	specs = 0;
17481 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
17482 		specs++;
17483 
17484 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
17485 		return -EINVAL;
17486 
17487 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
17488 	if (!sar_spec)
17489 		return -ENOMEM;
17490 
17491 	sar_spec->type = type;
17492 	specs = 0;
17493 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
17494 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
17495 				 spec_list, NULL, NULL);
17496 
17497 		switch (type) {
17498 		case NL80211_SAR_TYPE_POWER:
17499 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
17500 						      spec, specs)) {
17501 				err = -EINVAL;
17502 				goto error;
17503 			}
17504 			break;
17505 		default:
17506 			err = -EINVAL;
17507 			goto error;
17508 		}
17509 		specs++;
17510 	}
17511 
17512 	sar_spec->num_sub_specs = specs;
17513 
17514 	rdev->cur_cmd_info = info;
17515 	err = rdev_set_sar_specs(rdev, sar_spec);
17516 	rdev->cur_cmd_info = NULL;
17517 error:
17518 	kfree(sar_spec);
17519 	return err;
17520 }
17521 
17522 #define SELECTOR(__sel, name, value) \
17523 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
17524 int __missing_selector(void);
17525 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
17526 
17527 static const struct genl_ops nl80211_ops[] = {
17528 	{
17529 		.cmd = NL80211_CMD_GET_WIPHY,
17530 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17531 		.doit = nl80211_get_wiphy,
17532 		.dumpit = nl80211_dump_wiphy,
17533 		.done = nl80211_dump_wiphy_done,
17534 		/* can be retrieved by unprivileged users */
17535 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17536 	},
17537 };
17538 
17539 static const struct genl_small_ops nl80211_small_ops[] = {
17540 	{
17541 		.cmd = NL80211_CMD_SET_WIPHY,
17542 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17543 		.doit = nl80211_set_wiphy,
17544 		.flags = GENL_UNS_ADMIN_PERM,
17545 	},
17546 	{
17547 		.cmd = NL80211_CMD_GET_INTERFACE,
17548 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17549 		.doit = nl80211_get_interface,
17550 		.dumpit = nl80211_dump_interface,
17551 		/* can be retrieved by unprivileged users */
17552 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17553 	},
17554 	{
17555 		.cmd = NL80211_CMD_SET_INTERFACE,
17556 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17557 		.doit = nl80211_set_interface,
17558 		.flags = GENL_UNS_ADMIN_PERM,
17559 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17560 					 NL80211_FLAG_NEED_RTNL),
17561 	},
17562 	{
17563 		.cmd = NL80211_CMD_NEW_INTERFACE,
17564 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17565 		.doit = nl80211_new_interface,
17566 		.flags = GENL_UNS_ADMIN_PERM,
17567 		.internal_flags =
17568 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
17569 			       NL80211_FLAG_NEED_RTNL |
17570 			       /* we take the wiphy mutex later ourselves */
17571 			       NL80211_FLAG_NO_WIPHY_MTX),
17572 	},
17573 	{
17574 		.cmd = NL80211_CMD_DEL_INTERFACE,
17575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17576 		.doit = nl80211_del_interface,
17577 		.flags = GENL_UNS_ADMIN_PERM,
17578 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17579 					 NL80211_FLAG_NEED_RTNL),
17580 	},
17581 	{
17582 		.cmd = NL80211_CMD_GET_KEY,
17583 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17584 		.doit = nl80211_get_key,
17585 		.flags = GENL_UNS_ADMIN_PERM,
17586 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17587 	},
17588 	{
17589 		.cmd = NL80211_CMD_SET_KEY,
17590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17591 		.doit = nl80211_set_key,
17592 		.flags = GENL_UNS_ADMIN_PERM,
17593 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
17594 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17595 					 NL80211_FLAG_CLEAR_SKB),
17596 	},
17597 	{
17598 		.cmd = NL80211_CMD_NEW_KEY,
17599 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17600 		.doit = nl80211_new_key,
17601 		.flags = GENL_UNS_ADMIN_PERM,
17602 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17603 					 NL80211_FLAG_CLEAR_SKB),
17604 	},
17605 	{
17606 		.cmd = NL80211_CMD_DEL_KEY,
17607 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17608 		.doit = nl80211_del_key,
17609 		.flags = GENL_UNS_ADMIN_PERM,
17610 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17611 	},
17612 	{
17613 		.cmd = NL80211_CMD_SET_BEACON,
17614 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17615 		.flags = GENL_UNS_ADMIN_PERM,
17616 		.doit = nl80211_set_beacon,
17617 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17618 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17619 	},
17620 	{
17621 		.cmd = NL80211_CMD_START_AP,
17622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17623 		.flags = GENL_UNS_ADMIN_PERM,
17624 		.doit = nl80211_start_ap,
17625 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17626 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17627 	},
17628 	{
17629 		.cmd = NL80211_CMD_STOP_AP,
17630 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17631 		.flags = GENL_UNS_ADMIN_PERM,
17632 		.doit = nl80211_stop_ap,
17633 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17634 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17635 	},
17636 	{
17637 		.cmd = NL80211_CMD_GET_STATION,
17638 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17639 		.doit = nl80211_get_station,
17640 		.dumpit = nl80211_dump_station,
17641 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17642 	},
17643 	{
17644 		.cmd = NL80211_CMD_SET_STATION,
17645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17646 		.doit = nl80211_set_station,
17647 		.flags = GENL_UNS_ADMIN_PERM,
17648 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17649 	},
17650 	{
17651 		.cmd = NL80211_CMD_NEW_STATION,
17652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17653 		.doit = nl80211_new_station,
17654 		.flags = GENL_UNS_ADMIN_PERM,
17655 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17656 	},
17657 	{
17658 		.cmd = NL80211_CMD_DEL_STATION,
17659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17660 		.doit = nl80211_del_station,
17661 		.flags = GENL_UNS_ADMIN_PERM,
17662 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
17663 		 * whether MAC address is passed or not. If MAC address is
17664 		 * passed, then even during MLO, link ID is not required.
17665 		 */
17666 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17667 	},
17668 	{
17669 		.cmd = NL80211_CMD_GET_MPATH,
17670 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17671 		.doit = nl80211_get_mpath,
17672 		.dumpit = nl80211_dump_mpath,
17673 		.flags = GENL_UNS_ADMIN_PERM,
17674 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17675 	},
17676 	{
17677 		.cmd = NL80211_CMD_GET_MPP,
17678 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17679 		.doit = nl80211_get_mpp,
17680 		.dumpit = nl80211_dump_mpp,
17681 		.flags = GENL_UNS_ADMIN_PERM,
17682 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17683 	},
17684 	{
17685 		.cmd = NL80211_CMD_SET_MPATH,
17686 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17687 		.doit = nl80211_set_mpath,
17688 		.flags = GENL_UNS_ADMIN_PERM,
17689 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17690 	},
17691 	{
17692 		.cmd = NL80211_CMD_NEW_MPATH,
17693 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17694 		.doit = nl80211_new_mpath,
17695 		.flags = GENL_UNS_ADMIN_PERM,
17696 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17697 	},
17698 	{
17699 		.cmd = NL80211_CMD_DEL_MPATH,
17700 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17701 		.doit = nl80211_del_mpath,
17702 		.flags = GENL_UNS_ADMIN_PERM,
17703 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17704 	},
17705 	{
17706 		.cmd = NL80211_CMD_SET_BSS,
17707 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17708 		.doit = nl80211_set_bss,
17709 		.flags = GENL_UNS_ADMIN_PERM,
17710 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17711 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17712 	},
17713 	{
17714 		.cmd = NL80211_CMD_GET_REG,
17715 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17716 		.doit = nl80211_get_reg_do,
17717 		.dumpit = nl80211_get_reg_dump,
17718 		/* can be retrieved by unprivileged users */
17719 	},
17720 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
17721 	{
17722 		.cmd = NL80211_CMD_SET_REG,
17723 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17724 		.doit = nl80211_set_reg,
17725 		.flags = GENL_ADMIN_PERM,
17726 	},
17727 #endif
17728 	{
17729 		.cmd = NL80211_CMD_REQ_SET_REG,
17730 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17731 		.doit = nl80211_req_set_reg,
17732 		.flags = GENL_ADMIN_PERM,
17733 	},
17734 	{
17735 		.cmd = NL80211_CMD_RELOAD_REGDB,
17736 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17737 		.doit = nl80211_reload_regdb,
17738 		.flags = GENL_ADMIN_PERM,
17739 	},
17740 	{
17741 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
17742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17743 		.doit = nl80211_get_mesh_config,
17744 		/* can be retrieved by unprivileged users */
17745 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17746 	},
17747 	{
17748 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17749 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17750 		.doit = nl80211_update_mesh_config,
17751 		.flags = GENL_UNS_ADMIN_PERM,
17752 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17753 	},
17754 	{
17755 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17756 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17757 		.doit = nl80211_trigger_scan,
17758 		.flags = GENL_UNS_ADMIN_PERM,
17759 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17760 	},
17761 	{
17762 		.cmd = NL80211_CMD_ABORT_SCAN,
17763 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17764 		.doit = nl80211_abort_scan,
17765 		.flags = GENL_UNS_ADMIN_PERM,
17766 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17767 	},
17768 	{
17769 		.cmd = NL80211_CMD_GET_SCAN,
17770 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17771 		.dumpit = nl80211_dump_scan,
17772 	},
17773 	{
17774 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17775 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17776 		.doit = nl80211_start_sched_scan,
17777 		.flags = GENL_UNS_ADMIN_PERM,
17778 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17779 	},
17780 	{
17781 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17782 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17783 		.doit = nl80211_stop_sched_scan,
17784 		.flags = GENL_UNS_ADMIN_PERM,
17785 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17786 	},
17787 	{
17788 		.cmd = NL80211_CMD_AUTHENTICATE,
17789 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17790 		.doit = nl80211_authenticate,
17791 		.flags = GENL_UNS_ADMIN_PERM,
17792 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17793 					 NL80211_FLAG_CLEAR_SKB),
17794 	},
17795 	{
17796 		.cmd = NL80211_CMD_ASSOCIATE,
17797 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17798 		.doit = nl80211_associate,
17799 		.flags = GENL_UNS_ADMIN_PERM,
17800 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17801 					 NL80211_FLAG_CLEAR_SKB),
17802 	},
17803 	{
17804 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17805 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17806 		.doit = nl80211_deauthenticate,
17807 		.flags = GENL_UNS_ADMIN_PERM,
17808 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17809 	},
17810 	{
17811 		.cmd = NL80211_CMD_DISASSOCIATE,
17812 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17813 		.doit = nl80211_disassociate,
17814 		.flags = GENL_UNS_ADMIN_PERM,
17815 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17816 	},
17817 	{
17818 		.cmd = NL80211_CMD_JOIN_IBSS,
17819 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17820 		.doit = nl80211_join_ibss,
17821 		.flags = GENL_UNS_ADMIN_PERM,
17822 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17823 	},
17824 	{
17825 		.cmd = NL80211_CMD_LEAVE_IBSS,
17826 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17827 		.doit = nl80211_leave_ibss,
17828 		.flags = GENL_UNS_ADMIN_PERM,
17829 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17830 	},
17831 #ifdef CONFIG_NL80211_TESTMODE
17832 	{
17833 		.cmd = NL80211_CMD_TESTMODE,
17834 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17835 		.doit = nl80211_testmode_do,
17836 		.dumpit = nl80211_testmode_dump,
17837 		.flags = GENL_UNS_ADMIN_PERM,
17838 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17839 	},
17840 #endif
17841 	{
17842 		.cmd = NL80211_CMD_CONNECT,
17843 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17844 		.doit = nl80211_connect,
17845 		.flags = GENL_UNS_ADMIN_PERM,
17846 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17847 					 NL80211_FLAG_CLEAR_SKB),
17848 	},
17849 	{
17850 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17852 		.doit = nl80211_update_connect_params,
17853 		.flags = GENL_ADMIN_PERM,
17854 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17855 					 NL80211_FLAG_CLEAR_SKB),
17856 	},
17857 	{
17858 		.cmd = NL80211_CMD_DISCONNECT,
17859 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17860 		.doit = nl80211_disconnect,
17861 		.flags = GENL_UNS_ADMIN_PERM,
17862 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17863 	},
17864 	{
17865 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17867 		.doit = nl80211_wiphy_netns,
17868 		.flags = GENL_UNS_ADMIN_PERM,
17869 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17870 					 NL80211_FLAG_NEED_RTNL |
17871 					 NL80211_FLAG_NO_WIPHY_MTX),
17872 	},
17873 	{
17874 		.cmd = NL80211_CMD_GET_SURVEY,
17875 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17876 		.dumpit = nl80211_dump_survey,
17877 	},
17878 	{
17879 		.cmd = NL80211_CMD_SET_PMKSA,
17880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17881 		.doit = nl80211_set_pmksa,
17882 		.flags = GENL_UNS_ADMIN_PERM,
17883 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17884 					 NL80211_FLAG_CLEAR_SKB),
17885 	},
17886 	{
17887 		.cmd = NL80211_CMD_DEL_PMKSA,
17888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17889 		.doit = nl80211_del_pmksa,
17890 		.flags = GENL_UNS_ADMIN_PERM,
17891 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17892 	},
17893 	{
17894 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17896 		.doit = nl80211_flush_pmksa,
17897 		.flags = GENL_UNS_ADMIN_PERM,
17898 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17899 	},
17900 	{
17901 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17902 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17903 		.doit = nl80211_remain_on_channel,
17904 		.flags = GENL_UNS_ADMIN_PERM,
17905 		/* FIXME: requiring a link ID here is probably not good */
17906 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17907 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17908 	},
17909 	{
17910 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17911 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17912 		.doit = nl80211_cancel_remain_on_channel,
17913 		.flags = GENL_UNS_ADMIN_PERM,
17914 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17915 	},
17916 	{
17917 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17918 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17919 		.doit = nl80211_set_tx_bitrate_mask,
17920 		.flags = GENL_UNS_ADMIN_PERM,
17921 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17922 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17923 	},
17924 	{
17925 		.cmd = NL80211_CMD_REGISTER_FRAME,
17926 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17927 		.doit = nl80211_register_mgmt,
17928 		.flags = GENL_UNS_ADMIN_PERM,
17929 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17930 	},
17931 	{
17932 		.cmd = NL80211_CMD_FRAME,
17933 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17934 		.doit = nl80211_tx_mgmt,
17935 		.flags = GENL_UNS_ADMIN_PERM,
17936 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17937 	},
17938 	{
17939 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17940 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17941 		.doit = nl80211_tx_mgmt_cancel_wait,
17942 		.flags = GENL_UNS_ADMIN_PERM,
17943 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17944 	},
17945 	{
17946 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17947 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17948 		.doit = nl80211_set_power_save,
17949 		.flags = GENL_UNS_ADMIN_PERM,
17950 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17951 	},
17952 	{
17953 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17955 		.doit = nl80211_get_power_save,
17956 		/* can be retrieved by unprivileged users */
17957 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17958 	},
17959 	{
17960 		.cmd = NL80211_CMD_SET_CQM,
17961 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17962 		.doit = nl80211_set_cqm,
17963 		.flags = GENL_UNS_ADMIN_PERM,
17964 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17965 	},
17966 	{
17967 		.cmd = NL80211_CMD_SET_CHANNEL,
17968 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17969 		.doit = nl80211_set_channel,
17970 		.flags = GENL_UNS_ADMIN_PERM,
17971 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17972 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17973 	},
17974 	{
17975 		.cmd = NL80211_CMD_JOIN_MESH,
17976 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17977 		.doit = nl80211_join_mesh,
17978 		.flags = GENL_UNS_ADMIN_PERM,
17979 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17980 	},
17981 	{
17982 		.cmd = NL80211_CMD_LEAVE_MESH,
17983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17984 		.doit = nl80211_leave_mesh,
17985 		.flags = GENL_UNS_ADMIN_PERM,
17986 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17987 	},
17988 	{
17989 		.cmd = NL80211_CMD_JOIN_OCB,
17990 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17991 		.doit = nl80211_join_ocb,
17992 		.flags = GENL_UNS_ADMIN_PERM,
17993 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17994 	},
17995 	{
17996 		.cmd = NL80211_CMD_LEAVE_OCB,
17997 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17998 		.doit = nl80211_leave_ocb,
17999 		.flags = GENL_UNS_ADMIN_PERM,
18000 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18001 	},
18002 #ifdef CONFIG_PM
18003 	{
18004 		.cmd = NL80211_CMD_GET_WOWLAN,
18005 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18006 		.doit = nl80211_get_wowlan,
18007 		/* can be retrieved by unprivileged users */
18008 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18009 	},
18010 	{
18011 		.cmd = NL80211_CMD_SET_WOWLAN,
18012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18013 		.doit = nl80211_set_wowlan,
18014 		.flags = GENL_UNS_ADMIN_PERM,
18015 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18016 	},
18017 #endif
18018 	{
18019 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
18020 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18021 		.doit = nl80211_set_rekey_data,
18022 		.flags = GENL_UNS_ADMIN_PERM,
18023 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18024 					 NL80211_FLAG_CLEAR_SKB),
18025 	},
18026 	{
18027 		.cmd = NL80211_CMD_TDLS_MGMT,
18028 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18029 		.doit = nl80211_tdls_mgmt,
18030 		.flags = GENL_UNS_ADMIN_PERM,
18031 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18032 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18033 	},
18034 	{
18035 		.cmd = NL80211_CMD_TDLS_OPER,
18036 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18037 		.doit = nl80211_tdls_oper,
18038 		.flags = GENL_UNS_ADMIN_PERM,
18039 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18040 	},
18041 	{
18042 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
18043 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18044 		.doit = nl80211_register_unexpected_frame,
18045 		.flags = GENL_UNS_ADMIN_PERM,
18046 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18047 	},
18048 	{
18049 		.cmd = NL80211_CMD_PROBE_CLIENT,
18050 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18051 		.doit = nl80211_probe_client,
18052 		.flags = GENL_UNS_ADMIN_PERM,
18053 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18054 	},
18055 	{
18056 		.cmd = NL80211_CMD_REGISTER_BEACONS,
18057 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18058 		.doit = nl80211_register_beacons,
18059 		.flags = GENL_UNS_ADMIN_PERM,
18060 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18061 	},
18062 	{
18063 		.cmd = NL80211_CMD_SET_NOACK_MAP,
18064 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18065 		.doit = nl80211_set_noack_map,
18066 		.flags = GENL_UNS_ADMIN_PERM,
18067 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18068 	},
18069 	{
18070 		.cmd = NL80211_CMD_START_P2P_DEVICE,
18071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18072 		.doit = nl80211_start_p2p_device,
18073 		.flags = GENL_UNS_ADMIN_PERM,
18074 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18075 					 NL80211_FLAG_NEED_RTNL),
18076 	},
18077 	{
18078 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
18079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18080 		.doit = nl80211_stop_p2p_device,
18081 		.flags = GENL_UNS_ADMIN_PERM,
18082 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18083 					 NL80211_FLAG_NEED_RTNL),
18084 	},
18085 	{
18086 		.cmd = NL80211_CMD_START_NAN,
18087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18088 		.doit = nl80211_start_nan,
18089 		.flags = GENL_ADMIN_PERM,
18090 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18091 					 NL80211_FLAG_NEED_RTNL),
18092 	},
18093 	{
18094 		.cmd = NL80211_CMD_STOP_NAN,
18095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18096 		.doit = nl80211_stop_nan,
18097 		.flags = GENL_ADMIN_PERM,
18098 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18099 					 NL80211_FLAG_NEED_RTNL),
18100 	},
18101 	{
18102 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
18103 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18104 		.doit = nl80211_nan_add_func,
18105 		.flags = GENL_ADMIN_PERM,
18106 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18107 	},
18108 	{
18109 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
18110 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18111 		.doit = nl80211_nan_del_func,
18112 		.flags = GENL_ADMIN_PERM,
18113 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18114 	},
18115 	{
18116 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
18117 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18118 		.doit = nl80211_nan_change_config,
18119 		.flags = GENL_ADMIN_PERM,
18120 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18121 	},
18122 	{
18123 		.cmd = NL80211_CMD_SET_MCAST_RATE,
18124 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18125 		.doit = nl80211_set_mcast_rate,
18126 		.flags = GENL_UNS_ADMIN_PERM,
18127 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18128 	},
18129 	{
18130 		.cmd = NL80211_CMD_SET_MAC_ACL,
18131 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18132 		.doit = nl80211_set_mac_acl,
18133 		.flags = GENL_UNS_ADMIN_PERM,
18134 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18135 					 NL80211_FLAG_MLO_UNSUPPORTED),
18136 	},
18137 	{
18138 		.cmd = NL80211_CMD_RADAR_DETECT,
18139 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18140 		.doit = nl80211_start_radar_detection,
18141 		.flags = GENL_UNS_ADMIN_PERM,
18142 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18143 					 NL80211_FLAG_NO_WIPHY_MTX |
18144 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18145 	},
18146 	{
18147 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
18148 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18149 		.doit = nl80211_get_protocol_features,
18150 	},
18151 	{
18152 		.cmd = NL80211_CMD_UPDATE_FT_IES,
18153 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18154 		.doit = nl80211_update_ft_ies,
18155 		.flags = GENL_UNS_ADMIN_PERM,
18156 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18157 	},
18158 	{
18159 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
18160 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18161 		.doit = nl80211_crit_protocol_start,
18162 		.flags = GENL_UNS_ADMIN_PERM,
18163 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18164 	},
18165 	{
18166 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
18167 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18168 		.doit = nl80211_crit_protocol_stop,
18169 		.flags = GENL_UNS_ADMIN_PERM,
18170 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18171 	},
18172 	{
18173 		.cmd = NL80211_CMD_GET_COALESCE,
18174 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18175 		.doit = nl80211_get_coalesce,
18176 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18177 	},
18178 	{
18179 		.cmd = NL80211_CMD_SET_COALESCE,
18180 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18181 		.doit = nl80211_set_coalesce,
18182 		.flags = GENL_UNS_ADMIN_PERM,
18183 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18184 	},
18185 	{
18186 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
18187 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18188 		.doit = nl80211_channel_switch,
18189 		.flags = GENL_UNS_ADMIN_PERM,
18190 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18191 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18192 	},
18193 	{
18194 		.cmd = NL80211_CMD_VENDOR,
18195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18196 		.doit = nl80211_vendor_cmd,
18197 		.dumpit = nl80211_vendor_cmd_dump,
18198 		.flags = GENL_UNS_ADMIN_PERM,
18199 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18200 					 NL80211_FLAG_CLEAR_SKB),
18201 	},
18202 	{
18203 		.cmd = NL80211_CMD_SET_QOS_MAP,
18204 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18205 		.doit = nl80211_set_qos_map,
18206 		.flags = GENL_UNS_ADMIN_PERM,
18207 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18208 	},
18209 	{
18210 		.cmd = NL80211_CMD_ADD_TX_TS,
18211 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18212 		.doit = nl80211_add_tx_ts,
18213 		.flags = GENL_UNS_ADMIN_PERM,
18214 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18215 					 NL80211_FLAG_MLO_UNSUPPORTED),
18216 	},
18217 	{
18218 		.cmd = NL80211_CMD_DEL_TX_TS,
18219 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18220 		.doit = nl80211_del_tx_ts,
18221 		.flags = GENL_UNS_ADMIN_PERM,
18222 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18223 	},
18224 	{
18225 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
18226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18227 		.doit = nl80211_tdls_channel_switch,
18228 		.flags = GENL_UNS_ADMIN_PERM,
18229 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18230 	},
18231 	{
18232 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
18233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18234 		.doit = nl80211_tdls_cancel_channel_switch,
18235 		.flags = GENL_UNS_ADMIN_PERM,
18236 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18237 	},
18238 	{
18239 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
18240 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18241 		.doit = nl80211_set_multicast_to_unicast,
18242 		.flags = GENL_UNS_ADMIN_PERM,
18243 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18244 	},
18245 	{
18246 		.cmd = NL80211_CMD_SET_PMK,
18247 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18248 		.doit = nl80211_set_pmk,
18249 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18250 					 NL80211_FLAG_CLEAR_SKB),
18251 	},
18252 	{
18253 		.cmd = NL80211_CMD_DEL_PMK,
18254 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18255 		.doit = nl80211_del_pmk,
18256 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18257 	},
18258 	{
18259 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
18260 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18261 		.doit = nl80211_external_auth,
18262 		.flags = GENL_ADMIN_PERM,
18263 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18264 	},
18265 	{
18266 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
18267 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18268 		.doit = nl80211_tx_control_port,
18269 		.flags = GENL_UNS_ADMIN_PERM,
18270 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18271 	},
18272 	{
18273 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
18274 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18275 		.doit = nl80211_get_ftm_responder_stats,
18276 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18277 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18278 	},
18279 	{
18280 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
18281 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18282 		.doit = nl80211_pmsr_start,
18283 		.flags = GENL_UNS_ADMIN_PERM,
18284 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18285 	},
18286 	{
18287 		.cmd = NL80211_CMD_NOTIFY_RADAR,
18288 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18289 		.doit = nl80211_notify_radar_detection,
18290 		.flags = GENL_UNS_ADMIN_PERM,
18291 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18292 	},
18293 	{
18294 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
18295 		.doit = nl80211_update_owe_info,
18296 		.flags = GENL_ADMIN_PERM,
18297 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18298 	},
18299 	{
18300 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
18301 		.doit = nl80211_probe_mesh_link,
18302 		.flags = GENL_UNS_ADMIN_PERM,
18303 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18304 	},
18305 	{
18306 		.cmd = NL80211_CMD_SET_TID_CONFIG,
18307 		.doit = nl80211_set_tid_config,
18308 		.flags = GENL_UNS_ADMIN_PERM,
18309 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18310 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18311 	},
18312 	{
18313 		.cmd = NL80211_CMD_SET_SAR_SPECS,
18314 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18315 		.doit = nl80211_set_sar_specs,
18316 		.flags = GENL_UNS_ADMIN_PERM,
18317 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18318 					 NL80211_FLAG_NEED_RTNL),
18319 	},
18320 	{
18321 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
18322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18323 		.doit = nl80211_color_change,
18324 		.flags = GENL_UNS_ADMIN_PERM,
18325 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18326 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18327 	},
18328 	{
18329 		.cmd = NL80211_CMD_SET_FILS_AAD,
18330 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18331 		.doit = nl80211_set_fils_aad,
18332 		.flags = GENL_UNS_ADMIN_PERM,
18333 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18334 	},
18335 	{
18336 		.cmd = NL80211_CMD_ADD_LINK,
18337 		.doit = nl80211_add_link,
18338 		.flags = GENL_UNS_ADMIN_PERM,
18339 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18340 	},
18341 	{
18342 		.cmd = NL80211_CMD_REMOVE_LINK,
18343 		.doit = nl80211_remove_link,
18344 		.flags = GENL_UNS_ADMIN_PERM,
18345 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18346 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18347 	},
18348 	{
18349 		.cmd = NL80211_CMD_ADD_LINK_STA,
18350 		.doit = nl80211_add_link_station,
18351 		.flags = GENL_UNS_ADMIN_PERM,
18352 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18353 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18354 	},
18355 	{
18356 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
18357 		.doit = nl80211_modify_link_station,
18358 		.flags = GENL_UNS_ADMIN_PERM,
18359 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18360 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18361 	},
18362 	{
18363 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
18364 		.doit = nl80211_remove_link_station,
18365 		.flags = GENL_UNS_ADMIN_PERM,
18366 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18367 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18368 	},
18369 	{
18370 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
18371 		.doit = nl80211_set_hw_timestamp,
18372 		.flags = GENL_UNS_ADMIN_PERM,
18373 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18374 	},
18375 	{
18376 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
18377 		.doit = nl80211_set_ttlm,
18378 		.flags = GENL_UNS_ADMIN_PERM,
18379 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18380 	},
18381 	{
18382 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
18383 		.doit = nl80211_assoc_ml_reconf,
18384 		.flags = GENL_UNS_ADMIN_PERM,
18385 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18386 	},
18387 	{
18388 		.cmd = NL80211_CMD_EPCS_CFG,
18389 		.doit = nl80211_epcs_cfg,
18390 		.flags = GENL_UNS_ADMIN_PERM,
18391 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18392 	},
18393 };
18394 
18395 static struct genl_family nl80211_fam __ro_after_init = {
18396 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
18397 	.hdrsize = 0,			/* no private header */
18398 	.version = 1,			/* no particular meaning now */
18399 	.maxattr = NL80211_ATTR_MAX,
18400 	.policy = nl80211_policy,
18401 	.netnsok = true,
18402 	.pre_doit = nl80211_pre_doit,
18403 	.post_doit = nl80211_post_doit,
18404 	.module = THIS_MODULE,
18405 	.ops = nl80211_ops,
18406 	.n_ops = ARRAY_SIZE(nl80211_ops),
18407 	.small_ops = nl80211_small_ops,
18408 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
18409 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
18410 	.mcgrps = nl80211_mcgrps,
18411 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
18412 	.parallel_ops = true,
18413 };
18414 
18415 /* notification functions */
18416 
18417 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
18418 			  enum nl80211_commands cmd)
18419 {
18420 	struct sk_buff *msg;
18421 	struct nl80211_dump_wiphy_state state = {};
18422 
18423 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
18424 		cmd != NL80211_CMD_DEL_WIPHY);
18425 
18426 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18427 	if (!msg)
18428 		return;
18429 
18430 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
18431 		nlmsg_free(msg);
18432 		return;
18433 	}
18434 
18435 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18436 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
18437 }
18438 
18439 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
18440 				struct wireless_dev *wdev,
18441 				enum nl80211_commands cmd)
18442 {
18443 	struct sk_buff *msg;
18444 
18445 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18446 	if (!msg)
18447 		return;
18448 
18449 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
18450 		nlmsg_free(msg);
18451 		return;
18452 	}
18453 
18454 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18455 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
18456 }
18457 
18458 static int nl80211_add_scan_req(struct sk_buff *msg,
18459 				struct cfg80211_registered_device *rdev)
18460 {
18461 	struct cfg80211_scan_request_int *req = rdev->scan_req;
18462 	struct nlattr *nest;
18463 	int i;
18464 	struct cfg80211_scan_info *info;
18465 
18466 	if (WARN_ON(!req))
18467 		return 0;
18468 
18469 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
18470 	if (!nest)
18471 		goto nla_put_failure;
18472 	for (i = 0; i < req->req.n_ssids; i++) {
18473 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
18474 			    req->req.ssids[i].ssid))
18475 			goto nla_put_failure;
18476 	}
18477 	nla_nest_end(msg, nest);
18478 
18479 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
18480 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
18481 		if (!nest)
18482 			goto nla_put_failure;
18483 		for (i = 0; i < req->req.n_channels; i++) {
18484 			if (nla_put_u32(msg, i,
18485 					ieee80211_channel_to_khz(req->req.channels[i])))
18486 				goto nla_put_failure;
18487 		}
18488 		nla_nest_end(msg, nest);
18489 	} else {
18490 		nest = nla_nest_start_noflag(msg,
18491 					     NL80211_ATTR_SCAN_FREQUENCIES);
18492 		if (!nest)
18493 			goto nla_put_failure;
18494 		for (i = 0; i < req->req.n_channels; i++) {
18495 			if (nla_put_u32(msg, i,
18496 					req->req.channels[i]->center_freq))
18497 				goto nla_put_failure;
18498 		}
18499 		nla_nest_end(msg, nest);
18500 	}
18501 
18502 	if (req->req.ie &&
18503 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
18504 		goto nla_put_failure;
18505 
18506 	if (req->req.flags &&
18507 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
18508 		goto nla_put_failure;
18509 
18510 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
18511 		&rdev->scan_req->info;
18512 	if (info->scan_start_tsf &&
18513 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
18514 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
18515 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
18516 		     info->tsf_bssid)))
18517 		goto nla_put_failure;
18518 
18519 	return 0;
18520  nla_put_failure:
18521 	return -ENOBUFS;
18522 }
18523 
18524 static int nl80211_prep_scan_msg(struct sk_buff *msg,
18525 				 struct cfg80211_registered_device *rdev,
18526 				 struct wireless_dev *wdev,
18527 				 u32 portid, u32 seq, int flags,
18528 				 u32 cmd)
18529 {
18530 	void *hdr;
18531 
18532 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
18533 	if (!hdr)
18534 		return -1;
18535 
18536 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18537 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18538 					 wdev->netdev->ifindex)) ||
18539 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18540 			      NL80211_ATTR_PAD))
18541 		goto nla_put_failure;
18542 
18543 	/* ignore errors and send incomplete event anyway */
18544 	nl80211_add_scan_req(msg, rdev);
18545 
18546 	genlmsg_end(msg, hdr);
18547 	return 0;
18548 
18549  nla_put_failure:
18550 	genlmsg_cancel(msg, hdr);
18551 	return -EMSGSIZE;
18552 }
18553 
18554 static int
18555 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
18556 			    struct cfg80211_sched_scan_request *req, u32 cmd)
18557 {
18558 	void *hdr;
18559 
18560 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18561 	if (!hdr)
18562 		return -1;
18563 
18564 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
18565 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
18566 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
18567 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
18568 			      NL80211_ATTR_PAD))
18569 		goto nla_put_failure;
18570 
18571 	genlmsg_end(msg, hdr);
18572 	return 0;
18573 
18574  nla_put_failure:
18575 	genlmsg_cancel(msg, hdr);
18576 	return -EMSGSIZE;
18577 }
18578 
18579 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
18580 			     struct wireless_dev *wdev)
18581 {
18582 	struct sk_buff *msg;
18583 
18584 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18585 	if (!msg)
18586 		return;
18587 
18588 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
18589 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
18590 		nlmsg_free(msg);
18591 		return;
18592 	}
18593 
18594 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18595 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18596 }
18597 
18598 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
18599 				       struct wireless_dev *wdev, bool aborted)
18600 {
18601 	struct sk_buff *msg;
18602 
18603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18604 	if (!msg)
18605 		return NULL;
18606 
18607 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
18608 				  aborted ? NL80211_CMD_SCAN_ABORTED :
18609 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
18610 		nlmsg_free(msg);
18611 		return NULL;
18612 	}
18613 
18614 	return msg;
18615 }
18616 
18617 /* send message created by nl80211_build_scan_msg() */
18618 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
18619 			   struct sk_buff *msg)
18620 {
18621 	if (!msg)
18622 		return;
18623 
18624 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18625 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18626 }
18627 
18628 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
18629 {
18630 	struct sk_buff *msg;
18631 
18632 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18633 	if (!msg)
18634 		return;
18635 
18636 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
18637 		nlmsg_free(msg);
18638 		return;
18639 	}
18640 
18641 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
18642 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18643 }
18644 
18645 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
18646 					  struct regulatory_request *request)
18647 {
18648 	/* Userspace can always count this one always being set */
18649 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
18650 		goto nla_put_failure;
18651 
18652 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
18653 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18654 			       NL80211_REGDOM_TYPE_WORLD))
18655 			goto nla_put_failure;
18656 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
18657 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18658 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
18659 			goto nla_put_failure;
18660 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
18661 		   request->intersect) {
18662 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18663 			       NL80211_REGDOM_TYPE_INTERSECTION))
18664 			goto nla_put_failure;
18665 	} else {
18666 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18667 			       NL80211_REGDOM_TYPE_COUNTRY) ||
18668 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
18669 				   request->alpha2))
18670 			goto nla_put_failure;
18671 	}
18672 
18673 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
18674 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
18675 
18676 		if (wiphy &&
18677 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
18678 			goto nla_put_failure;
18679 
18680 		if (wiphy &&
18681 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
18682 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
18683 			goto nla_put_failure;
18684 	}
18685 
18686 	return true;
18687 
18688 nla_put_failure:
18689 	return false;
18690 }
18691 
18692 /*
18693  * This can happen on global regulatory changes or device specific settings
18694  * based on custom regulatory domains.
18695  */
18696 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
18697 				     struct regulatory_request *request)
18698 {
18699 	struct sk_buff *msg;
18700 	void *hdr;
18701 
18702 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18703 	if (!msg)
18704 		return;
18705 
18706 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
18707 	if (!hdr)
18708 		goto nla_put_failure;
18709 
18710 	if (!nl80211_reg_change_event_fill(msg, request))
18711 		goto nla_put_failure;
18712 
18713 	genlmsg_end(msg, hdr);
18714 
18715 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18716 				NL80211_MCGRP_REGULATORY);
18717 
18718 	return;
18719 
18720 nla_put_failure:
18721 	nlmsg_free(msg);
18722 }
18723 
18724 struct nl80211_mlme_event {
18725 	enum nl80211_commands cmd;
18726 	const u8 *buf;
18727 	size_t buf_len;
18728 	int uapsd_queues;
18729 	const u8 *req_ies;
18730 	size_t req_ies_len;
18731 	bool reconnect;
18732 };
18733 
18734 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
18735 				    struct net_device *netdev,
18736 				    const struct nl80211_mlme_event *event,
18737 				    gfp_t gfp)
18738 {
18739 	struct sk_buff *msg;
18740 	void *hdr;
18741 
18742 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
18743 	if (!msg)
18744 		return;
18745 
18746 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
18747 	if (!hdr) {
18748 		nlmsg_free(msg);
18749 		return;
18750 	}
18751 
18752 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18753 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18754 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
18755 	    (event->req_ies &&
18756 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18757 		     event->req_ies)))
18758 		goto nla_put_failure;
18759 
18760 	if (event->reconnect &&
18761 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18762 		goto nla_put_failure;
18763 
18764 	if (event->uapsd_queues >= 0) {
18765 		struct nlattr *nla_wmm =
18766 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18767 		if (!nla_wmm)
18768 			goto nla_put_failure;
18769 
18770 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18771 			       event->uapsd_queues))
18772 			goto nla_put_failure;
18773 
18774 		nla_nest_end(msg, nla_wmm);
18775 	}
18776 
18777 	genlmsg_end(msg, hdr);
18778 
18779 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18780 				NL80211_MCGRP_MLME, gfp);
18781 	return;
18782 
18783  nla_put_failure:
18784 	nlmsg_free(msg);
18785 }
18786 
18787 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18788 			  struct net_device *netdev, const u8 *buf,
18789 			  size_t len, gfp_t gfp)
18790 {
18791 	struct nl80211_mlme_event event = {
18792 		.cmd = NL80211_CMD_AUTHENTICATE,
18793 		.buf = buf,
18794 		.buf_len = len,
18795 		.uapsd_queues = -1,
18796 	};
18797 
18798 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18799 }
18800 
18801 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18802 			   struct net_device *netdev,
18803 			   const struct cfg80211_rx_assoc_resp_data *data)
18804 {
18805 	struct nl80211_mlme_event event = {
18806 		.cmd = NL80211_CMD_ASSOCIATE,
18807 		.buf = data->buf,
18808 		.buf_len = data->len,
18809 		.uapsd_queues = data->uapsd_queues,
18810 		.req_ies = data->req_ies,
18811 		.req_ies_len = data->req_ies_len,
18812 	};
18813 
18814 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18815 }
18816 
18817 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18818 			 struct net_device *netdev, const u8 *buf,
18819 			 size_t len, bool reconnect, gfp_t gfp)
18820 {
18821 	struct nl80211_mlme_event event = {
18822 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18823 		.buf = buf,
18824 		.buf_len = len,
18825 		.reconnect = reconnect,
18826 		.uapsd_queues = -1,
18827 	};
18828 
18829 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18830 }
18831 
18832 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18833 			   struct net_device *netdev, const u8 *buf,
18834 			   size_t len, bool reconnect, gfp_t gfp)
18835 {
18836 	struct nl80211_mlme_event event = {
18837 		.cmd = NL80211_CMD_DISASSOCIATE,
18838 		.buf = buf,
18839 		.buf_len = len,
18840 		.reconnect = reconnect,
18841 		.uapsd_queues = -1,
18842 	};
18843 
18844 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18845 }
18846 
18847 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18848 				  size_t len)
18849 {
18850 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18851 	struct wiphy *wiphy = wdev->wiphy;
18852 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18853 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18854 	struct nl80211_mlme_event event = {
18855 		.buf = buf,
18856 		.buf_len = len,
18857 		.uapsd_queues = -1,
18858 	};
18859 
18860 	if (WARN_ON(len < 2))
18861 		return;
18862 
18863 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18864 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18865 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18866 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18867 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18868 		if (wdev->unprot_beacon_reported &&
18869 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18870 			return;
18871 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18872 		wdev->unprot_beacon_reported = jiffies;
18873 	} else {
18874 		return;
18875 	}
18876 
18877 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18878 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18879 }
18880 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18881 
18882 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18883 				      struct net_device *netdev, int cmd,
18884 				      const u8 *addr, gfp_t gfp)
18885 {
18886 	struct sk_buff *msg;
18887 	void *hdr;
18888 
18889 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18890 	if (!msg)
18891 		return;
18892 
18893 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18894 	if (!hdr) {
18895 		nlmsg_free(msg);
18896 		return;
18897 	}
18898 
18899 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18900 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18901 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18902 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18903 		goto nla_put_failure;
18904 
18905 	genlmsg_end(msg, hdr);
18906 
18907 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18908 				NL80211_MCGRP_MLME, gfp);
18909 	return;
18910 
18911  nla_put_failure:
18912 	nlmsg_free(msg);
18913 }
18914 
18915 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18916 			       struct net_device *netdev, const u8 *addr,
18917 			       gfp_t gfp)
18918 {
18919 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18920 				  addr, gfp);
18921 }
18922 
18923 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18924 				struct net_device *netdev, const u8 *addr,
18925 				gfp_t gfp)
18926 {
18927 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18928 				  addr, gfp);
18929 }
18930 
18931 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18932 				 struct net_device *netdev,
18933 				 struct cfg80211_connect_resp_params *cr,
18934 				 gfp_t gfp)
18935 {
18936 	struct sk_buff *msg;
18937 	void *hdr;
18938 	unsigned int link;
18939 	size_t link_info_size = 0;
18940 	const u8 *connected_addr = cr->valid_links ?
18941 				   cr->ap_mld_addr : cr->links[0].bssid;
18942 
18943 	if (cr->valid_links) {
18944 		for_each_valid_link(cr, link) {
18945 			/* Nested attribute header */
18946 			link_info_size += NLA_HDRLEN;
18947 			/* Link ID */
18948 			link_info_size += nla_total_size(sizeof(u8));
18949 			link_info_size += cr->links[link].addr ?
18950 					  nla_total_size(ETH_ALEN) : 0;
18951 			link_info_size += (cr->links[link].bssid ||
18952 					   cr->links[link].bss) ?
18953 					  nla_total_size(ETH_ALEN) : 0;
18954 			link_info_size += nla_total_size(sizeof(u16));
18955 		}
18956 	}
18957 
18958 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18959 			cr->fils.kek_len + cr->fils.pmk_len +
18960 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18961 			gfp);
18962 	if (!msg)
18963 		return;
18964 
18965 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18966 	if (!hdr) {
18967 		nlmsg_free(msg);
18968 		return;
18969 	}
18970 
18971 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18972 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18973 	    (connected_addr &&
18974 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18975 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18976 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18977 			cr->status) ||
18978 	    (cr->status < 0 &&
18979 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18980 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18981 			  cr->timeout_reason))) ||
18982 	    (cr->req_ie &&
18983 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18984 	    (cr->resp_ie &&
18985 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18986 		     cr->resp_ie)) ||
18987 	    (cr->fils.update_erp_next_seq_num &&
18988 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18989 			 cr->fils.erp_next_seq_num)) ||
18990 	    (cr->status == WLAN_STATUS_SUCCESS &&
18991 	     ((cr->fils.kek &&
18992 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18993 		       cr->fils.kek)) ||
18994 	      (cr->fils.pmk &&
18995 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18996 	      (cr->fils.pmkid &&
18997 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18998 		goto nla_put_failure;
18999 
19000 	if (cr->valid_links) {
19001 		int i = 1;
19002 		struct nlattr *nested;
19003 
19004 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19005 		if (!nested)
19006 			goto nla_put_failure;
19007 
19008 		for_each_valid_link(cr, link) {
19009 			struct nlattr *nested_mlo_links;
19010 			const u8 *bssid = cr->links[link].bss ?
19011 					  cr->links[link].bss->bssid :
19012 					  cr->links[link].bssid;
19013 
19014 			nested_mlo_links = nla_nest_start(msg, i);
19015 			if (!nested_mlo_links)
19016 				goto nla_put_failure;
19017 
19018 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19019 			    (bssid &&
19020 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19021 			    (cr->links[link].addr &&
19022 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19023 				     cr->links[link].addr)) ||
19024 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19025 					cr->links[link].status))
19026 				goto nla_put_failure;
19027 
19028 			nla_nest_end(msg, nested_mlo_links);
19029 			i++;
19030 		}
19031 		nla_nest_end(msg, nested);
19032 	}
19033 
19034 	genlmsg_end(msg, hdr);
19035 
19036 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19037 				NL80211_MCGRP_MLME, gfp);
19038 	return;
19039 
19040  nla_put_failure:
19041 	nlmsg_free(msg);
19042 }
19043 
19044 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
19045 			 struct net_device *netdev,
19046 			 struct cfg80211_roam_info *info, gfp_t gfp)
19047 {
19048 	struct sk_buff *msg;
19049 	void *hdr;
19050 	size_t link_info_size = 0;
19051 	unsigned int link;
19052 	const u8 *connected_addr = info->ap_mld_addr ?
19053 				   info->ap_mld_addr :
19054 				   (info->links[0].bss ?
19055 				    info->links[0].bss->bssid :
19056 				    info->links[0].bssid);
19057 
19058 	if (info->valid_links) {
19059 		for_each_valid_link(info, link) {
19060 			/* Nested attribute header */
19061 			link_info_size += NLA_HDRLEN;
19062 			/* Link ID */
19063 			link_info_size += nla_total_size(sizeof(u8));
19064 			link_info_size += info->links[link].addr ?
19065 					  nla_total_size(ETH_ALEN) : 0;
19066 			link_info_size += (info->links[link].bssid ||
19067 					   info->links[link].bss) ?
19068 					  nla_total_size(ETH_ALEN) : 0;
19069 		}
19070 	}
19071 
19072 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
19073 			info->fils.kek_len + info->fils.pmk_len +
19074 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
19075 			link_info_size, gfp);
19076 	if (!msg)
19077 		return;
19078 
19079 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
19080 	if (!hdr) {
19081 		nlmsg_free(msg);
19082 		return;
19083 	}
19084 
19085 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19086 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19087 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
19088 	    (info->req_ie &&
19089 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
19090 		     info->req_ie)) ||
19091 	    (info->resp_ie &&
19092 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
19093 		     info->resp_ie)) ||
19094 	    (info->fils.update_erp_next_seq_num &&
19095 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19096 			 info->fils.erp_next_seq_num)) ||
19097 	    (info->fils.kek &&
19098 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
19099 		     info->fils.kek)) ||
19100 	    (info->fils.pmk &&
19101 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
19102 	    (info->fils.pmkid &&
19103 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
19104 		goto nla_put_failure;
19105 
19106 	if (info->valid_links) {
19107 		int i = 1;
19108 		struct nlattr *nested;
19109 
19110 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19111 		if (!nested)
19112 			goto nla_put_failure;
19113 
19114 		for_each_valid_link(info, link) {
19115 			struct nlattr *nested_mlo_links;
19116 			const u8 *bssid = info->links[link].bss ?
19117 					  info->links[link].bss->bssid :
19118 					  info->links[link].bssid;
19119 
19120 			nested_mlo_links = nla_nest_start(msg, i);
19121 			if (!nested_mlo_links)
19122 				goto nla_put_failure;
19123 
19124 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19125 			    (bssid &&
19126 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19127 			    (info->links[link].addr &&
19128 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19129 				     info->links[link].addr)))
19130 				goto nla_put_failure;
19131 
19132 			nla_nest_end(msg, nested_mlo_links);
19133 			i++;
19134 		}
19135 		nla_nest_end(msg, nested);
19136 	}
19137 
19138 	genlmsg_end(msg, hdr);
19139 
19140 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19141 				NL80211_MCGRP_MLME, gfp);
19142 	return;
19143 
19144  nla_put_failure:
19145 	nlmsg_free(msg);
19146 }
19147 
19148 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
19149 				  struct net_device *netdev, const u8 *peer_addr,
19150 				  const u8 *td_bitmap, u8 td_bitmap_len)
19151 {
19152 	struct sk_buff *msg;
19153 	void *hdr;
19154 
19155 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19156 	if (!msg)
19157 		return;
19158 
19159 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
19160 	if (!hdr) {
19161 		nlmsg_free(msg);
19162 		return;
19163 	}
19164 
19165 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19166 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19167 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
19168 		goto nla_put_failure;
19169 
19170 	if (td_bitmap_len > 0 && td_bitmap &&
19171 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
19172 		goto nla_put_failure;
19173 
19174 	genlmsg_end(msg, hdr);
19175 
19176 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19177 				NL80211_MCGRP_MLME, GFP_KERNEL);
19178 	return;
19179 
19180  nla_put_failure:
19181 	nlmsg_free(msg);
19182 }
19183 
19184 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
19185 			       struct net_device *netdev, u16 reason,
19186 			       const u8 *ie, size_t ie_len, bool from_ap)
19187 {
19188 	struct sk_buff *msg;
19189 	void *hdr;
19190 
19191 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
19192 	if (!msg)
19193 		return;
19194 
19195 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
19196 	if (!hdr) {
19197 		nlmsg_free(msg);
19198 		return;
19199 	}
19200 
19201 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19202 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19203 	    (reason &&
19204 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
19205 	    (from_ap &&
19206 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
19207 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
19208 		goto nla_put_failure;
19209 
19210 	genlmsg_end(msg, hdr);
19211 
19212 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19213 				NL80211_MCGRP_MLME, GFP_KERNEL);
19214 	return;
19215 
19216  nla_put_failure:
19217 	nlmsg_free(msg);
19218 }
19219 
19220 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
19221 {
19222 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19223 	struct wiphy *wiphy = wdev->wiphy;
19224 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19225 	struct sk_buff *msg;
19226 	struct nlattr *links;
19227 	void *hdr;
19228 
19229 	lockdep_assert_wiphy(wdev->wiphy);
19230 	trace_cfg80211_links_removed(dev, link_mask);
19231 
19232 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
19233 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
19234 		return;
19235 
19236 	if (WARN_ON(!wdev->valid_links || !link_mask ||
19237 		    (wdev->valid_links & link_mask) != link_mask ||
19238 		    wdev->valid_links == link_mask))
19239 		return;
19240 
19241 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
19242 	wdev->valid_links &= ~link_mask;
19243 
19244 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19245 	if (!msg)
19246 		return;
19247 
19248 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
19249 	if (!hdr) {
19250 		nlmsg_free(msg);
19251 		return;
19252 	}
19253 
19254 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19255 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19256 		goto nla_put_failure;
19257 
19258 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19259 	if (!links)
19260 		goto nla_put_failure;
19261 
19262 	while (link_mask) {
19263 		struct nlattr *link;
19264 		int link_id = __ffs(link_mask);
19265 
19266 		link = nla_nest_start(msg, link_id + 1);
19267 		if (!link)
19268 			goto nla_put_failure;
19269 
19270 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19271 			goto nla_put_failure;
19272 
19273 		nla_nest_end(msg, link);
19274 		link_mask &= ~(1 << link_id);
19275 	}
19276 
19277 	nla_nest_end(msg, links);
19278 
19279 	genlmsg_end(msg, hdr);
19280 
19281 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19282 				NL80211_MCGRP_MLME, GFP_KERNEL);
19283 	return;
19284 
19285  nla_put_failure:
19286 	nlmsg_free(msg);
19287 }
19288 EXPORT_SYMBOL(cfg80211_links_removed);
19289 
19290 void nl80211_mlo_reconf_add_done(struct net_device *dev,
19291 				 struct cfg80211_mlo_reconf_done_data *data)
19292 {
19293 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19294 	struct wiphy *wiphy = wdev->wiphy;
19295 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19296 	struct nl80211_mlme_event event = {
19297 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19298 		.buf = data->buf,
19299 		.buf_len = data->len,
19300 		.uapsd_queues = -1,
19301 	};
19302 
19303 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
19304 }
19305 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
19306 
19307 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
19308 			     struct net_device *netdev, const u8 *bssid,
19309 			     gfp_t gfp)
19310 {
19311 	struct sk_buff *msg;
19312 	void *hdr;
19313 
19314 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19315 	if (!msg)
19316 		return;
19317 
19318 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
19319 	if (!hdr) {
19320 		nlmsg_free(msg);
19321 		return;
19322 	}
19323 
19324 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19325 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19326 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19327 		goto nla_put_failure;
19328 
19329 	genlmsg_end(msg, hdr);
19330 
19331 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19332 				NL80211_MCGRP_MLME, gfp);
19333 	return;
19334 
19335  nla_put_failure:
19336 	nlmsg_free(msg);
19337 }
19338 
19339 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
19340 					const u8 *ie, u8 ie_len,
19341 					int sig_dbm, gfp_t gfp)
19342 {
19343 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19344 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19345 	struct sk_buff *msg;
19346 	void *hdr;
19347 
19348 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
19349 		return;
19350 
19351 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
19352 
19353 	msg = nlmsg_new(100 + ie_len, gfp);
19354 	if (!msg)
19355 		return;
19356 
19357 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
19358 	if (!hdr) {
19359 		nlmsg_free(msg);
19360 		return;
19361 	}
19362 
19363 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19364 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19365 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19366 	    (ie_len && ie &&
19367 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
19368 	    (sig_dbm &&
19369 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
19370 		goto nla_put_failure;
19371 
19372 	genlmsg_end(msg, hdr);
19373 
19374 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19375 				NL80211_MCGRP_MLME, gfp);
19376 	return;
19377 
19378  nla_put_failure:
19379 	nlmsg_free(msg);
19380 }
19381 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
19382 
19383 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
19384 				 struct net_device *netdev, const u8 *addr,
19385 				 enum nl80211_key_type key_type, int key_id,
19386 				 const u8 *tsc, gfp_t gfp)
19387 {
19388 	struct sk_buff *msg;
19389 	void *hdr;
19390 
19391 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19392 	if (!msg)
19393 		return;
19394 
19395 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
19396 	if (!hdr) {
19397 		nlmsg_free(msg);
19398 		return;
19399 	}
19400 
19401 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19402 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19403 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
19404 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
19405 	    (key_id != -1 &&
19406 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
19407 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
19408 		goto nla_put_failure;
19409 
19410 	genlmsg_end(msg, hdr);
19411 
19412 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19413 				NL80211_MCGRP_MLME, gfp);
19414 	return;
19415 
19416  nla_put_failure:
19417 	nlmsg_free(msg);
19418 }
19419 
19420 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
19421 				    struct ieee80211_channel *channel_before,
19422 				    struct ieee80211_channel *channel_after)
19423 {
19424 	struct sk_buff *msg;
19425 	void *hdr;
19426 	struct nlattr *nl_freq;
19427 
19428 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
19429 	if (!msg)
19430 		return;
19431 
19432 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
19433 	if (!hdr) {
19434 		nlmsg_free(msg);
19435 		return;
19436 	}
19437 
19438 	/*
19439 	 * Since we are applying the beacon hint to a wiphy we know its
19440 	 * wiphy_idx is valid
19441 	 */
19442 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
19443 		goto nla_put_failure;
19444 
19445 	/* Before */
19446 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
19447 	if (!nl_freq)
19448 		goto nla_put_failure;
19449 
19450 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
19451 		goto nla_put_failure;
19452 	nla_nest_end(msg, nl_freq);
19453 
19454 	/* After */
19455 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
19456 	if (!nl_freq)
19457 		goto nla_put_failure;
19458 
19459 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
19460 		goto nla_put_failure;
19461 	nla_nest_end(msg, nl_freq);
19462 
19463 	genlmsg_end(msg, hdr);
19464 
19465 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19466 				NL80211_MCGRP_REGULATORY);
19467 
19468 	return;
19469 
19470 nla_put_failure:
19471 	nlmsg_free(msg);
19472 }
19473 
19474 static void nl80211_send_remain_on_chan_event(
19475 	int cmd, struct cfg80211_registered_device *rdev,
19476 	struct wireless_dev *wdev, u64 cookie,
19477 	struct ieee80211_channel *chan,
19478 	unsigned int duration, gfp_t gfp)
19479 {
19480 	struct sk_buff *msg;
19481 	void *hdr;
19482 
19483 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19484 	if (!msg)
19485 		return;
19486 
19487 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19488 	if (!hdr) {
19489 		nlmsg_free(msg);
19490 		return;
19491 	}
19492 
19493 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19494 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19495 					 wdev->netdev->ifindex)) ||
19496 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19497 			      NL80211_ATTR_PAD) ||
19498 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
19499 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
19500 			NL80211_CHAN_NO_HT) ||
19501 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19502 			      NL80211_ATTR_PAD))
19503 		goto nla_put_failure;
19504 
19505 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
19506 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
19507 		goto nla_put_failure;
19508 
19509 	genlmsg_end(msg, hdr);
19510 
19511 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19512 				NL80211_MCGRP_MLME, gfp);
19513 	return;
19514 
19515  nla_put_failure:
19516 	nlmsg_free(msg);
19517 }
19518 
19519 void cfg80211_assoc_comeback(struct net_device *netdev,
19520 			     const u8 *ap_addr, u32 timeout)
19521 {
19522 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19523 	struct wiphy *wiphy = wdev->wiphy;
19524 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19525 	struct sk_buff *msg;
19526 	void *hdr;
19527 
19528 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
19529 
19530 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19531 	if (!msg)
19532 		return;
19533 
19534 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
19535 	if (!hdr) {
19536 		nlmsg_free(msg);
19537 		return;
19538 	}
19539 
19540 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19541 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19542 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
19543 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
19544 		goto nla_put_failure;
19545 
19546 	genlmsg_end(msg, hdr);
19547 
19548 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19549 				NL80211_MCGRP_MLME, GFP_KERNEL);
19550 	return;
19551 
19552  nla_put_failure:
19553 	nlmsg_free(msg);
19554 }
19555 EXPORT_SYMBOL(cfg80211_assoc_comeback);
19556 
19557 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
19558 			       struct ieee80211_channel *chan,
19559 			       unsigned int duration, gfp_t gfp)
19560 {
19561 	struct wiphy *wiphy = wdev->wiphy;
19562 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19563 
19564 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
19565 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
19566 					  rdev, wdev, cookie, chan,
19567 					  duration, gfp);
19568 }
19569 EXPORT_SYMBOL(cfg80211_ready_on_channel);
19570 
19571 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
19572 					struct ieee80211_channel *chan,
19573 					gfp_t gfp)
19574 {
19575 	struct wiphy *wiphy = wdev->wiphy;
19576 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19577 
19578 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
19579 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
19580 					  rdev, wdev, cookie, chan, 0, gfp);
19581 }
19582 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
19583 
19584 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
19585 					struct ieee80211_channel *chan,
19586 					gfp_t gfp)
19587 {
19588 	struct wiphy *wiphy = wdev->wiphy;
19589 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19590 
19591 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
19592 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
19593 					  rdev, wdev, cookie, chan, 0, gfp);
19594 }
19595 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
19596 
19597 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
19598 		      struct station_info *sinfo, gfp_t gfp)
19599 {
19600 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19601 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19602 	struct sk_buff *msg;
19603 
19604 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
19605 
19606 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19607 	if (!msg)
19608 		return;
19609 
19610 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
19611 				 rdev, dev, mac_addr, sinfo) < 0) {
19612 		nlmsg_free(msg);
19613 		return;
19614 	}
19615 
19616 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19617 				NL80211_MCGRP_MLME, gfp);
19618 }
19619 EXPORT_SYMBOL(cfg80211_new_sta);
19620 
19621 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
19622 			    struct station_info *sinfo, gfp_t gfp)
19623 {
19624 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19625 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19626 	struct sk_buff *msg;
19627 	struct station_info empty_sinfo = {};
19628 
19629 	if (!sinfo)
19630 		sinfo = &empty_sinfo;
19631 
19632 	trace_cfg80211_del_sta(dev, mac_addr);
19633 
19634 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19635 	if (!msg) {
19636 		cfg80211_sinfo_release_content(sinfo);
19637 		return;
19638 	}
19639 
19640 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
19641 				 rdev, dev, mac_addr, sinfo) < 0) {
19642 		nlmsg_free(msg);
19643 		return;
19644 	}
19645 
19646 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19647 				NL80211_MCGRP_MLME, gfp);
19648 }
19649 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
19650 
19651 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
19652 			  enum nl80211_connect_failed_reason reason,
19653 			  gfp_t gfp)
19654 {
19655 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19656 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19657 	struct sk_buff *msg;
19658 	void *hdr;
19659 
19660 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
19661 	if (!msg)
19662 		return;
19663 
19664 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
19665 	if (!hdr) {
19666 		nlmsg_free(msg);
19667 		return;
19668 	}
19669 
19670 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19671 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
19672 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
19673 		goto nla_put_failure;
19674 
19675 	genlmsg_end(msg, hdr);
19676 
19677 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19678 				NL80211_MCGRP_MLME, gfp);
19679 	return;
19680 
19681  nla_put_failure:
19682 	nlmsg_free(msg);
19683 }
19684 EXPORT_SYMBOL(cfg80211_conn_failed);
19685 
19686 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
19687 				       const u8 *addr, gfp_t gfp)
19688 {
19689 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19690 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19691 	struct sk_buff *msg;
19692 	void *hdr;
19693 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
19694 
19695 	if (!nlportid)
19696 		return false;
19697 
19698 	msg = nlmsg_new(100, gfp);
19699 	if (!msg)
19700 		return true;
19701 
19702 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19703 	if (!hdr) {
19704 		nlmsg_free(msg);
19705 		return true;
19706 	}
19707 
19708 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19709 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19710 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19711 		goto nla_put_failure;
19712 
19713 	genlmsg_end(msg, hdr);
19714 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19715 	return true;
19716 
19717  nla_put_failure:
19718 	nlmsg_free(msg);
19719 	return true;
19720 }
19721 
19722 bool cfg80211_rx_spurious_frame(struct net_device *dev,
19723 				const u8 *addr, gfp_t gfp)
19724 {
19725 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19726 	bool ret;
19727 
19728 	trace_cfg80211_rx_spurious_frame(dev, addr);
19729 
19730 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19731 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
19732 		trace_cfg80211_return_bool(false);
19733 		return false;
19734 	}
19735 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
19736 					 addr, gfp);
19737 	trace_cfg80211_return_bool(ret);
19738 	return ret;
19739 }
19740 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
19741 
19742 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
19743 					const u8 *addr, gfp_t gfp)
19744 {
19745 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19746 	bool ret;
19747 
19748 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
19749 
19750 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19751 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
19752 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
19753 		trace_cfg80211_return_bool(false);
19754 		return false;
19755 	}
19756 	ret = __nl80211_unexpected_frame(dev,
19757 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
19758 					 addr, gfp);
19759 	trace_cfg80211_return_bool(ret);
19760 	return ret;
19761 }
19762 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
19763 
19764 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
19765 		      struct wireless_dev *wdev, u32 nlportid,
19766 		      struct cfg80211_rx_info *info, gfp_t gfp)
19767 {
19768 	struct net_device *netdev = wdev->netdev;
19769 	struct sk_buff *msg;
19770 	void *hdr;
19771 
19772 	msg = nlmsg_new(100 + info->len, gfp);
19773 	if (!msg)
19774 		return -ENOMEM;
19775 
19776 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19777 	if (!hdr) {
19778 		nlmsg_free(msg);
19779 		return -ENOMEM;
19780 	}
19781 
19782 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19783 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19784 					netdev->ifindex)) ||
19785 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19786 			      NL80211_ATTR_PAD) ||
19787 	    (info->have_link_id &&
19788 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19789 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19790 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19791 	    (info->sig_dbm &&
19792 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19793 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19794 	    (info->flags &&
19795 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19796 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19797 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19798 						  info->rx_tstamp,
19799 						  NL80211_ATTR_PAD)) ||
19800 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19801 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19802 						   info->ack_tstamp,
19803 						   NL80211_ATTR_PAD)))
19804 		goto nla_put_failure;
19805 
19806 	genlmsg_end(msg, hdr);
19807 
19808 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19809 
19810  nla_put_failure:
19811 	nlmsg_free(msg);
19812 	return -ENOBUFS;
19813 }
19814 
19815 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19816 				    struct cfg80211_tx_status *status,
19817 				    gfp_t gfp, enum nl80211_commands command)
19818 {
19819 	struct wiphy *wiphy = wdev->wiphy;
19820 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19821 	struct net_device *netdev = wdev->netdev;
19822 	struct sk_buff *msg;
19823 	void *hdr;
19824 
19825 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19826 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19827 					      status->ack);
19828 	else
19829 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19830 						      status->ack);
19831 
19832 	msg = nlmsg_new(100 + status->len, gfp);
19833 	if (!msg)
19834 		return;
19835 
19836 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19837 	if (!hdr) {
19838 		nlmsg_free(msg);
19839 		return;
19840 	}
19841 
19842 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19843 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19844 				   netdev->ifindex)) ||
19845 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19846 			      NL80211_ATTR_PAD) ||
19847 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19848 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19849 			      NL80211_ATTR_PAD) ||
19850 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19851 	    (status->tx_tstamp &&
19852 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19853 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19854 	    (status->ack_tstamp &&
19855 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19856 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19857 		goto nla_put_failure;
19858 
19859 	genlmsg_end(msg, hdr);
19860 
19861 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19862 				NL80211_MCGRP_MLME, gfp);
19863 	return;
19864 
19865 nla_put_failure:
19866 	nlmsg_free(msg);
19867 }
19868 
19869 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19870 				     const u8 *buf, size_t len, bool ack,
19871 				     gfp_t gfp)
19872 {
19873 	struct cfg80211_tx_status status = {
19874 		.cookie = cookie,
19875 		.buf = buf,
19876 		.len = len,
19877 		.ack = ack
19878 	};
19879 
19880 	nl80211_frame_tx_status(wdev, &status, gfp,
19881 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19882 }
19883 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19884 
19885 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19886 				 struct cfg80211_tx_status *status, gfp_t gfp)
19887 {
19888 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19889 }
19890 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19891 
19892 static int __nl80211_rx_control_port(struct net_device *dev,
19893 				     struct sk_buff *skb,
19894 				     bool unencrypted,
19895 				     int link_id,
19896 				     gfp_t gfp)
19897 {
19898 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19899 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19900 	struct ethhdr *ehdr = eth_hdr(skb);
19901 	const u8 *addr = ehdr->h_source;
19902 	u16 proto = be16_to_cpu(skb->protocol);
19903 	struct sk_buff *msg;
19904 	void *hdr;
19905 	struct nlattr *frame;
19906 
19907 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19908 
19909 	if (!nlportid)
19910 		return -ENOENT;
19911 
19912 	msg = nlmsg_new(100 + skb->len, gfp);
19913 	if (!msg)
19914 		return -ENOMEM;
19915 
19916 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19917 	if (!hdr) {
19918 		nlmsg_free(msg);
19919 		return -ENOBUFS;
19920 	}
19921 
19922 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19923 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19924 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19925 			      NL80211_ATTR_PAD) ||
19926 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19927 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19928 	    (link_id >= 0 &&
19929 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19930 	    (unencrypted && nla_put_flag(msg,
19931 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19932 		goto nla_put_failure;
19933 
19934 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19935 	if (!frame)
19936 		goto nla_put_failure;
19937 
19938 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19939 	genlmsg_end(msg, hdr);
19940 
19941 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19942 
19943  nla_put_failure:
19944 	nlmsg_free(msg);
19945 	return -ENOBUFS;
19946 }
19947 
19948 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19949 			      bool unencrypted, int link_id)
19950 {
19951 	int ret;
19952 
19953 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19954 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19955 					GFP_ATOMIC);
19956 	trace_cfg80211_return_bool(ret == 0);
19957 	return ret == 0;
19958 }
19959 EXPORT_SYMBOL(cfg80211_rx_control_port);
19960 
19961 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19962 					    const char *mac, gfp_t gfp)
19963 {
19964 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19965 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19966 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19967 	void **cb;
19968 
19969 	if (!msg)
19970 		return NULL;
19971 
19972 	cb = (void **)msg->cb;
19973 
19974 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19975 	if (!cb[0]) {
19976 		nlmsg_free(msg);
19977 		return NULL;
19978 	}
19979 
19980 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19981 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19982 		goto nla_put_failure;
19983 
19984 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19985 		goto nla_put_failure;
19986 
19987 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19988 	if (!cb[1])
19989 		goto nla_put_failure;
19990 
19991 	cb[2] = rdev;
19992 
19993 	return msg;
19994  nla_put_failure:
19995 	nlmsg_free(msg);
19996 	return NULL;
19997 }
19998 
19999 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
20000 {
20001 	void **cb = (void **)msg->cb;
20002 	struct cfg80211_registered_device *rdev = cb[2];
20003 
20004 	nla_nest_end(msg, cb[1]);
20005 	genlmsg_end(msg, cb[0]);
20006 
20007 	memset(msg->cb, 0, sizeof(msg->cb));
20008 
20009 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20010 				NL80211_MCGRP_MLME, gfp);
20011 }
20012 
20013 void cfg80211_cqm_rssi_notify(struct net_device *dev,
20014 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
20015 			      s32 rssi_level, gfp_t gfp)
20016 {
20017 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20018 	struct cfg80211_cqm_config *cqm_config;
20019 
20020 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
20021 
20022 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
20023 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
20024 		return;
20025 
20026 	rcu_read_lock();
20027 	cqm_config = rcu_dereference(wdev->cqm_config);
20028 	if (cqm_config) {
20029 		cqm_config->last_rssi_event_value = rssi_level;
20030 		cqm_config->last_rssi_event_type = rssi_event;
20031 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
20032 	}
20033 	rcu_read_unlock();
20034 }
20035 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
20036 
20037 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
20038 {
20039 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
20040 						 cqm_rssi_work);
20041 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20042 	enum nl80211_cqm_rssi_threshold_event rssi_event;
20043 	struct cfg80211_cqm_config *cqm_config;
20044 	struct sk_buff *msg;
20045 	s32 rssi_level;
20046 
20047 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
20048 	if (!cqm_config)
20049 		return;
20050 
20051 	if (cqm_config->use_range_api)
20052 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
20053 
20054 	rssi_level = cqm_config->last_rssi_event_value;
20055 	rssi_event = cqm_config->last_rssi_event_type;
20056 
20057 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
20058 	if (!msg)
20059 		return;
20060 
20061 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
20062 			rssi_event))
20063 		goto nla_put_failure;
20064 
20065 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
20066 				      rssi_level))
20067 		goto nla_put_failure;
20068 
20069 	cfg80211_send_cqm(msg, GFP_KERNEL);
20070 
20071 	return;
20072 
20073  nla_put_failure:
20074 	nlmsg_free(msg);
20075 }
20076 
20077 void cfg80211_cqm_txe_notify(struct net_device *dev,
20078 			     const u8 *peer, u32 num_packets,
20079 			     u32 rate, u32 intvl, gfp_t gfp)
20080 {
20081 	struct sk_buff *msg;
20082 
20083 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20084 	if (!msg)
20085 		return;
20086 
20087 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
20088 		goto nla_put_failure;
20089 
20090 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
20091 		goto nla_put_failure;
20092 
20093 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
20094 		goto nla_put_failure;
20095 
20096 	cfg80211_send_cqm(msg, gfp);
20097 	return;
20098 
20099  nla_put_failure:
20100 	nlmsg_free(msg);
20101 }
20102 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
20103 
20104 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
20105 				 const u8 *peer, u32 num_packets, gfp_t gfp)
20106 {
20107 	struct sk_buff *msg;
20108 
20109 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
20110 
20111 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20112 	if (!msg)
20113 		return;
20114 
20115 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
20116 		goto nla_put_failure;
20117 
20118 	cfg80211_send_cqm(msg, gfp);
20119 	return;
20120 
20121  nla_put_failure:
20122 	nlmsg_free(msg);
20123 }
20124 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
20125 
20126 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
20127 {
20128 	struct sk_buff *msg;
20129 
20130 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
20131 	if (!msg)
20132 		return;
20133 
20134 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
20135 		goto nla_put_failure;
20136 
20137 	cfg80211_send_cqm(msg, gfp);
20138 	return;
20139 
20140  nla_put_failure:
20141 	nlmsg_free(msg);
20142 }
20143 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
20144 
20145 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
20146 				     struct net_device *netdev, const u8 *bssid,
20147 				     const u8 *replay_ctr, gfp_t gfp)
20148 {
20149 	struct sk_buff *msg;
20150 	struct nlattr *rekey_attr;
20151 	void *hdr;
20152 
20153 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20154 	if (!msg)
20155 		return;
20156 
20157 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
20158 	if (!hdr) {
20159 		nlmsg_free(msg);
20160 		return;
20161 	}
20162 
20163 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20164 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20165 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20166 		goto nla_put_failure;
20167 
20168 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
20169 	if (!rekey_attr)
20170 		goto nla_put_failure;
20171 
20172 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
20173 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
20174 		goto nla_put_failure;
20175 
20176 	nla_nest_end(msg, rekey_attr);
20177 
20178 	genlmsg_end(msg, hdr);
20179 
20180 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20181 				NL80211_MCGRP_MLME, gfp);
20182 	return;
20183 
20184  nla_put_failure:
20185 	nlmsg_free(msg);
20186 }
20187 
20188 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
20189 			       const u8 *replay_ctr, gfp_t gfp)
20190 {
20191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20192 	struct wiphy *wiphy = wdev->wiphy;
20193 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20194 
20195 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
20196 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
20197 }
20198 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
20199 
20200 static void
20201 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
20202 			       struct net_device *netdev, int index,
20203 			       const u8 *bssid, bool preauth, gfp_t gfp)
20204 {
20205 	struct sk_buff *msg;
20206 	struct nlattr *attr;
20207 	void *hdr;
20208 
20209 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20210 	if (!msg)
20211 		return;
20212 
20213 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
20214 	if (!hdr) {
20215 		nlmsg_free(msg);
20216 		return;
20217 	}
20218 
20219 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20220 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20221 		goto nla_put_failure;
20222 
20223 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
20224 	if (!attr)
20225 		goto nla_put_failure;
20226 
20227 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
20228 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
20229 	    (preauth &&
20230 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
20231 		goto nla_put_failure;
20232 
20233 	nla_nest_end(msg, attr);
20234 
20235 	genlmsg_end(msg, hdr);
20236 
20237 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20238 				NL80211_MCGRP_MLME, gfp);
20239 	return;
20240 
20241  nla_put_failure:
20242 	nlmsg_free(msg);
20243 }
20244 
20245 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
20246 				     const u8 *bssid, bool preauth, gfp_t gfp)
20247 {
20248 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20249 	struct wiphy *wiphy = wdev->wiphy;
20250 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20251 
20252 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
20253 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
20254 }
20255 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
20256 
20257 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
20258 				     struct net_device *netdev,
20259 				     unsigned int link_id,
20260 				     struct cfg80211_chan_def *chandef,
20261 				     gfp_t gfp,
20262 				     enum nl80211_commands notif,
20263 				     u8 count, bool quiet)
20264 {
20265 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20266 	struct sk_buff *msg;
20267 	void *hdr;
20268 
20269 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20270 	if (!msg)
20271 		return;
20272 
20273 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
20274 	if (!hdr) {
20275 		nlmsg_free(msg);
20276 		return;
20277 	}
20278 
20279 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20280 		goto nla_put_failure;
20281 
20282 	if (wdev->valid_links &&
20283 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20284 		goto nla_put_failure;
20285 
20286 	if (nl80211_send_chandef(msg, chandef))
20287 		goto nla_put_failure;
20288 
20289 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
20290 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
20291 			goto nla_put_failure;
20292 		if (quiet &&
20293 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
20294 			goto nla_put_failure;
20295 	}
20296 
20297 	genlmsg_end(msg, hdr);
20298 
20299 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20300 				NL80211_MCGRP_MLME, gfp);
20301 	return;
20302 
20303  nla_put_failure:
20304 	nlmsg_free(msg);
20305 }
20306 
20307 void cfg80211_ch_switch_notify(struct net_device *dev,
20308 			       struct cfg80211_chan_def *chandef,
20309 			       unsigned int link_id)
20310 {
20311 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20312 	struct wiphy *wiphy = wdev->wiphy;
20313 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20314 
20315 	lockdep_assert_wiphy(wdev->wiphy);
20316 	WARN_INVALID_LINK_ID(wdev, link_id);
20317 
20318 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
20319 
20320 	switch (wdev->iftype) {
20321 	case NL80211_IFTYPE_STATION:
20322 	case NL80211_IFTYPE_P2P_CLIENT:
20323 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
20324 			cfg80211_update_assoc_bss_entry(wdev, link_id,
20325 							chandef->chan);
20326 		break;
20327 	case NL80211_IFTYPE_MESH_POINT:
20328 		wdev->u.mesh.chandef = *chandef;
20329 		wdev->u.mesh.preset_chandef = *chandef;
20330 		break;
20331 	case NL80211_IFTYPE_AP:
20332 	case NL80211_IFTYPE_P2P_GO:
20333 		wdev->links[link_id].ap.chandef = *chandef;
20334 		break;
20335 	case NL80211_IFTYPE_ADHOC:
20336 		wdev->u.ibss.chandef = *chandef;
20337 		break;
20338 	default:
20339 		WARN_ON(1);
20340 		break;
20341 	}
20342 
20343 	cfg80211_schedule_channels_check(wdev);
20344 	cfg80211_sched_dfs_chan_update(rdev);
20345 
20346 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
20347 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
20348 }
20349 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
20350 
20351 void cfg80211_ch_switch_started_notify(struct net_device *dev,
20352 				       struct cfg80211_chan_def *chandef,
20353 				       unsigned int link_id, u8 count,
20354 				       bool quiet)
20355 {
20356 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20357 	struct wiphy *wiphy = wdev->wiphy;
20358 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20359 
20360 	lockdep_assert_wiphy(wdev->wiphy);
20361 	WARN_INVALID_LINK_ID(wdev, link_id);
20362 
20363 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
20364 
20365 
20366 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
20367 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
20368 				 count, quiet);
20369 }
20370 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
20371 
20372 int cfg80211_bss_color_notify(struct net_device *dev,
20373 			      enum nl80211_commands cmd, u8 count,
20374 			      u64 color_bitmap, u8 link_id)
20375 {
20376 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20377 	struct wiphy *wiphy = wdev->wiphy;
20378 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20379 	struct sk_buff *msg;
20380 	void *hdr;
20381 
20382 	lockdep_assert_wiphy(wdev->wiphy);
20383 
20384 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
20385 
20386 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20387 	if (!msg)
20388 		return -ENOMEM;
20389 
20390 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20391 	if (!hdr)
20392 		goto nla_put_failure;
20393 
20394 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20395 		goto nla_put_failure;
20396 
20397 	if (wdev->valid_links &&
20398 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20399 		goto nla_put_failure;
20400 
20401 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
20402 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
20403 		goto nla_put_failure;
20404 
20405 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
20406 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
20407 			      color_bitmap, NL80211_ATTR_PAD))
20408 		goto nla_put_failure;
20409 
20410 	genlmsg_end(msg, hdr);
20411 
20412 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
20413 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
20414 
20415 nla_put_failure:
20416 	nlmsg_free(msg);
20417 	return -EINVAL;
20418 }
20419 EXPORT_SYMBOL(cfg80211_bss_color_notify);
20420 
20421 void
20422 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
20423 		     const struct cfg80211_chan_def *chandef,
20424 		     enum nl80211_radar_event event,
20425 		     struct net_device *netdev, gfp_t gfp)
20426 {
20427 	struct sk_buff *msg;
20428 	void *hdr;
20429 
20430 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20431 	if (!msg)
20432 		return;
20433 
20434 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
20435 	if (!hdr) {
20436 		nlmsg_free(msg);
20437 		return;
20438 	}
20439 
20440 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
20441 		goto nla_put_failure;
20442 
20443 	/* NOP and radar events don't need a netdev parameter */
20444 	if (netdev) {
20445 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
20446 
20447 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20448 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20449 				      NL80211_ATTR_PAD))
20450 			goto nla_put_failure;
20451 	}
20452 
20453 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
20454 		goto nla_put_failure;
20455 
20456 	if (nl80211_send_chandef(msg, chandef))
20457 		goto nla_put_failure;
20458 
20459 	genlmsg_end(msg, hdr);
20460 
20461 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20462 				NL80211_MCGRP_MLME, gfp);
20463 	return;
20464 
20465  nla_put_failure:
20466 	nlmsg_free(msg);
20467 }
20468 
20469 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
20470 				       struct sta_opmode_info *sta_opmode,
20471 				       gfp_t gfp)
20472 {
20473 	struct sk_buff *msg;
20474 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20475 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20476 	void *hdr;
20477 
20478 	if (WARN_ON(!mac))
20479 		return;
20480 
20481 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20482 	if (!msg)
20483 		return;
20484 
20485 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
20486 	if (!hdr) {
20487 		nlmsg_free(msg);
20488 		return;
20489 	}
20490 
20491 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
20492 		goto nla_put_failure;
20493 
20494 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20495 		goto nla_put_failure;
20496 
20497 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20498 		goto nla_put_failure;
20499 
20500 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
20501 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
20502 		goto nla_put_failure;
20503 
20504 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
20505 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
20506 		goto nla_put_failure;
20507 
20508 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
20509 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
20510 		goto nla_put_failure;
20511 
20512 	genlmsg_end(msg, hdr);
20513 
20514 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20515 				NL80211_MCGRP_MLME, gfp);
20516 
20517 	return;
20518 
20519 nla_put_failure:
20520 	nlmsg_free(msg);
20521 }
20522 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
20523 
20524 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
20525 			   u64 cookie, bool acked, s32 ack_signal,
20526 			   bool is_valid_ack_signal, gfp_t gfp)
20527 {
20528 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20529 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20530 	struct sk_buff *msg;
20531 	void *hdr;
20532 
20533 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
20534 
20535 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20536 
20537 	if (!msg)
20538 		return;
20539 
20540 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
20541 	if (!hdr) {
20542 		nlmsg_free(msg);
20543 		return;
20544 	}
20545 
20546 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20547 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20548 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20549 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
20550 			      NL80211_ATTR_PAD) ||
20551 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20552 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
20553 						ack_signal)))
20554 		goto nla_put_failure;
20555 
20556 	genlmsg_end(msg, hdr);
20557 
20558 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20559 				NL80211_MCGRP_MLME, gfp);
20560 	return;
20561 
20562  nla_put_failure:
20563 	nlmsg_free(msg);
20564 }
20565 EXPORT_SYMBOL(cfg80211_probe_status);
20566 
20567 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
20568 				     size_t len, int freq, int sig_dbm)
20569 {
20570 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20571 	struct sk_buff *msg;
20572 	void *hdr;
20573 	struct cfg80211_beacon_registration *reg;
20574 
20575 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
20576 
20577 	spin_lock_bh(&rdev->beacon_registrations_lock);
20578 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
20579 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
20580 		if (!msg) {
20581 			spin_unlock_bh(&rdev->beacon_registrations_lock);
20582 			return;
20583 		}
20584 
20585 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20586 		if (!hdr)
20587 			goto nla_put_failure;
20588 
20589 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20590 		    (freq &&
20591 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
20592 				  KHZ_TO_MHZ(freq)) ||
20593 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
20594 				  freq % 1000))) ||
20595 		    (sig_dbm &&
20596 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
20597 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
20598 			goto nla_put_failure;
20599 
20600 		genlmsg_end(msg, hdr);
20601 
20602 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
20603 	}
20604 	spin_unlock_bh(&rdev->beacon_registrations_lock);
20605 	return;
20606 
20607  nla_put_failure:
20608 	spin_unlock_bh(&rdev->beacon_registrations_lock);
20609 	nlmsg_free(msg);
20610 }
20611 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
20612 
20613 #ifdef CONFIG_PM
20614 static int cfg80211_net_detect_results(struct sk_buff *msg,
20615 				       struct cfg80211_wowlan_wakeup *wakeup)
20616 {
20617 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
20618 	struct nlattr *nl_results, *nl_match, *nl_freqs;
20619 	int i, j;
20620 
20621 	nl_results = nla_nest_start_noflag(msg,
20622 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
20623 	if (!nl_results)
20624 		return -EMSGSIZE;
20625 
20626 	for (i = 0; i < nd->n_matches; i++) {
20627 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
20628 
20629 		nl_match = nla_nest_start_noflag(msg, i);
20630 		if (!nl_match)
20631 			break;
20632 
20633 		/* The SSID attribute is optional in nl80211, but for
20634 		 * simplicity reasons it's always present in the
20635 		 * cfg80211 structure.  If a driver can't pass the
20636 		 * SSID, that needs to be changed.  A zero length SSID
20637 		 * is still a valid SSID (wildcard), so it cannot be
20638 		 * used for this purpose.
20639 		 */
20640 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
20641 			    match->ssid.ssid)) {
20642 			nla_nest_cancel(msg, nl_match);
20643 			goto out;
20644 		}
20645 
20646 		if (match->n_channels) {
20647 			nl_freqs = nla_nest_start_noflag(msg,
20648 							 NL80211_ATTR_SCAN_FREQUENCIES);
20649 			if (!nl_freqs) {
20650 				nla_nest_cancel(msg, nl_match);
20651 				goto out;
20652 			}
20653 
20654 			for (j = 0; j < match->n_channels; j++) {
20655 				if (nla_put_u32(msg, j, match->channels[j])) {
20656 					nla_nest_cancel(msg, nl_freqs);
20657 					nla_nest_cancel(msg, nl_match);
20658 					goto out;
20659 				}
20660 			}
20661 
20662 			nla_nest_end(msg, nl_freqs);
20663 		}
20664 
20665 		nla_nest_end(msg, nl_match);
20666 	}
20667 
20668 out:
20669 	nla_nest_end(msg, nl_results);
20670 	return 0;
20671 }
20672 
20673 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
20674 				   struct cfg80211_wowlan_wakeup *wakeup,
20675 				   gfp_t gfp)
20676 {
20677 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20678 	struct sk_buff *msg;
20679 	void *hdr;
20680 	int size = 200;
20681 
20682 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
20683 
20684 	if (wakeup)
20685 		size += wakeup->packet_present_len;
20686 
20687 	msg = nlmsg_new(size, gfp);
20688 	if (!msg)
20689 		return;
20690 
20691 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
20692 	if (!hdr)
20693 		goto free_msg;
20694 
20695 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20696 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20697 			      NL80211_ATTR_PAD))
20698 		goto free_msg;
20699 
20700 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20701 					wdev->netdev->ifindex))
20702 		goto free_msg;
20703 
20704 	if (wakeup) {
20705 		struct nlattr *reasons;
20706 
20707 		reasons = nla_nest_start_noflag(msg,
20708 						NL80211_ATTR_WOWLAN_TRIGGERS);
20709 		if (!reasons)
20710 			goto free_msg;
20711 
20712 		if (wakeup->disconnect &&
20713 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
20714 			goto free_msg;
20715 		if (wakeup->magic_pkt &&
20716 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
20717 			goto free_msg;
20718 		if (wakeup->gtk_rekey_failure &&
20719 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
20720 			goto free_msg;
20721 		if (wakeup->eap_identity_req &&
20722 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
20723 			goto free_msg;
20724 		if (wakeup->four_way_handshake &&
20725 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
20726 			goto free_msg;
20727 		if (wakeup->rfkill_release &&
20728 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
20729 			goto free_msg;
20730 
20731 		if (wakeup->pattern_idx >= 0 &&
20732 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
20733 				wakeup->pattern_idx))
20734 			goto free_msg;
20735 
20736 		if (wakeup->tcp_match &&
20737 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
20738 			goto free_msg;
20739 
20740 		if (wakeup->tcp_connlost &&
20741 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
20742 			goto free_msg;
20743 
20744 		if (wakeup->tcp_nomoretokens &&
20745 		    nla_put_flag(msg,
20746 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
20747 			goto free_msg;
20748 
20749 		if (wakeup->unprot_deauth_disassoc &&
20750 		    nla_put_flag(msg,
20751 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
20752 			goto free_msg;
20753 
20754 		if (wakeup->packet) {
20755 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
20756 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
20757 
20758 			if (!wakeup->packet_80211) {
20759 				pkt_attr =
20760 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
20761 				len_attr =
20762 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
20763 			}
20764 
20765 			if (wakeup->packet_len &&
20766 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
20767 				goto free_msg;
20768 
20769 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
20770 				    wakeup->packet))
20771 				goto free_msg;
20772 		}
20773 
20774 		if (wakeup->net_detect &&
20775 		    cfg80211_net_detect_results(msg, wakeup))
20776 				goto free_msg;
20777 
20778 		nla_nest_end(msg, reasons);
20779 	}
20780 
20781 	genlmsg_end(msg, hdr);
20782 
20783 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20784 				NL80211_MCGRP_MLME, gfp);
20785 	return;
20786 
20787  free_msg:
20788 	nlmsg_free(msg);
20789 }
20790 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20791 #endif
20792 
20793 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20794 				enum nl80211_tdls_operation oper,
20795 				u16 reason_code, gfp_t gfp)
20796 {
20797 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20798 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20799 	struct sk_buff *msg;
20800 	void *hdr;
20801 
20802 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20803 					 reason_code);
20804 
20805 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20806 	if (!msg)
20807 		return;
20808 
20809 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20810 	if (!hdr) {
20811 		nlmsg_free(msg);
20812 		return;
20813 	}
20814 
20815 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20816 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20817 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20818 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20819 	    (reason_code > 0 &&
20820 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20821 		goto nla_put_failure;
20822 
20823 	genlmsg_end(msg, hdr);
20824 
20825 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20826 				NL80211_MCGRP_MLME, gfp);
20827 	return;
20828 
20829  nla_put_failure:
20830 	nlmsg_free(msg);
20831 }
20832 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20833 
20834 static int nl80211_netlink_notify(struct notifier_block * nb,
20835 				  unsigned long state,
20836 				  void *_notify)
20837 {
20838 	struct netlink_notify *notify = _notify;
20839 	struct cfg80211_registered_device *rdev;
20840 	struct wireless_dev *wdev;
20841 	struct cfg80211_beacon_registration *reg, *tmp;
20842 
20843 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20844 		return NOTIFY_DONE;
20845 
20846 	rcu_read_lock();
20847 
20848 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20849 		struct cfg80211_sched_scan_request *sched_scan_req;
20850 
20851 		list_for_each_entry_rcu(sched_scan_req,
20852 					&rdev->sched_scan_req_list,
20853 					list) {
20854 			if (sched_scan_req->owner_nlportid == notify->portid) {
20855 				sched_scan_req->nl_owner_dead = true;
20856 				wiphy_work_queue(&rdev->wiphy,
20857 						 &rdev->sched_scan_stop_wk);
20858 			}
20859 		}
20860 
20861 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20862 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20863 
20864 			if (wdev->owner_nlportid == notify->portid) {
20865 				wdev->nl_owner_dead = true;
20866 				schedule_work(&rdev->destroy_work);
20867 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20868 				schedule_work(&wdev->disconnect_wk);
20869 			}
20870 
20871 			cfg80211_release_pmsr(wdev, notify->portid);
20872 		}
20873 
20874 		spin_lock_bh(&rdev->beacon_registrations_lock);
20875 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20876 					 list) {
20877 			if (reg->nlportid == notify->portid) {
20878 				list_del(&reg->list);
20879 				kfree(reg);
20880 				break;
20881 			}
20882 		}
20883 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20884 	}
20885 
20886 	rcu_read_unlock();
20887 
20888 	/*
20889 	 * It is possible that the user space process that is controlling the
20890 	 * indoor setting disappeared, so notify the regulatory core.
20891 	 */
20892 	regulatory_netlink_notify(notify->portid);
20893 	return NOTIFY_OK;
20894 }
20895 
20896 static struct notifier_block nl80211_netlink_notifier = {
20897 	.notifier_call = nl80211_netlink_notify,
20898 };
20899 
20900 void cfg80211_ft_event(struct net_device *netdev,
20901 		       struct cfg80211_ft_event_params *ft_event)
20902 {
20903 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20904 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20905 	struct sk_buff *msg;
20906 	void *hdr;
20907 
20908 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20909 
20910 	if (!ft_event->target_ap)
20911 		return;
20912 
20913 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20914 			GFP_KERNEL);
20915 	if (!msg)
20916 		return;
20917 
20918 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20919 	if (!hdr)
20920 		goto out;
20921 
20922 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20923 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20924 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20925 		goto out;
20926 
20927 	if (ft_event->ies &&
20928 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20929 		goto out;
20930 	if (ft_event->ric_ies &&
20931 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20932 		    ft_event->ric_ies))
20933 		goto out;
20934 
20935 	genlmsg_end(msg, hdr);
20936 
20937 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20938 				NL80211_MCGRP_MLME, GFP_KERNEL);
20939 	return;
20940  out:
20941 	nlmsg_free(msg);
20942 }
20943 EXPORT_SYMBOL(cfg80211_ft_event);
20944 
20945 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20946 {
20947 	struct cfg80211_registered_device *rdev;
20948 	struct sk_buff *msg;
20949 	void *hdr;
20950 	u32 nlportid;
20951 
20952 	rdev = wiphy_to_rdev(wdev->wiphy);
20953 	if (!rdev->crit_proto_nlportid)
20954 		return;
20955 
20956 	nlportid = rdev->crit_proto_nlportid;
20957 	rdev->crit_proto_nlportid = 0;
20958 
20959 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20960 	if (!msg)
20961 		return;
20962 
20963 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20964 	if (!hdr)
20965 		goto nla_put_failure;
20966 
20967 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20968 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20969 			      NL80211_ATTR_PAD))
20970 		goto nla_put_failure;
20971 
20972 	genlmsg_end(msg, hdr);
20973 
20974 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20975 	return;
20976 
20977  nla_put_failure:
20978 	nlmsg_free(msg);
20979 }
20980 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20981 
20982 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20983 {
20984 	struct wiphy *wiphy = wdev->wiphy;
20985 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20986 	struct sk_buff *msg;
20987 	void *hdr;
20988 
20989 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20990 	if (!msg)
20991 		return;
20992 
20993 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20994 	if (!hdr)
20995 		goto out;
20996 
20997 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20998 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20999 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21000 			      NL80211_ATTR_PAD) ||
21001 	    (wdev->valid_links &&
21002 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21003 		goto out;
21004 
21005 	genlmsg_end(msg, hdr);
21006 
21007 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
21008 				NL80211_MCGRP_MLME, GFP_KERNEL);
21009 	return;
21010  out:
21011 	nlmsg_free(msg);
21012 }
21013 
21014 int cfg80211_external_auth_request(struct net_device *dev,
21015 				   struct cfg80211_external_auth_params *params,
21016 				   gfp_t gfp)
21017 {
21018 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21019 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21020 	struct sk_buff *msg;
21021 	void *hdr;
21022 
21023 	if (!wdev->conn_owner_nlportid)
21024 		return -EINVAL;
21025 
21026 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21027 	if (!msg)
21028 		return -ENOMEM;
21029 
21030 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
21031 	if (!hdr)
21032 		goto nla_put_failure;
21033 
21034 	/* Some historical mistakes in drivers <-> userspace interface (notably
21035 	 * between drivers and wpa_supplicant) led to a big-endian conversion
21036 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
21037 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
21038 	 * benefit of older wpa_supplicant versions, send this particular value
21039 	 * in big-endian. Note that newer wpa_supplicant will also detect this
21040 	 * particular value in big endian still, so it all continues to work.
21041 	 */
21042 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
21043 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
21044 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
21045 			goto nla_put_failure;
21046 	} else {
21047 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
21048 				params->key_mgmt_suite))
21049 			goto nla_put_failure;
21050 	}
21051 
21052 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21053 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21054 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
21055 			params->action) ||
21056 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
21057 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
21058 		    params->ssid.ssid) ||
21059 	    (!is_zero_ether_addr(params->mld_addr) &&
21060 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
21061 		goto nla_put_failure;
21062 
21063 	genlmsg_end(msg, hdr);
21064 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
21065 			wdev->conn_owner_nlportid);
21066 	return 0;
21067 
21068  nla_put_failure:
21069 	nlmsg_free(msg);
21070 	return -ENOBUFS;
21071 }
21072 EXPORT_SYMBOL(cfg80211_external_auth_request);
21073 
21074 void cfg80211_update_owe_info_event(struct net_device *netdev,
21075 				    struct cfg80211_update_owe_info *owe_info,
21076 				    gfp_t gfp)
21077 {
21078 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21079 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21080 	struct sk_buff *msg;
21081 	void *hdr;
21082 
21083 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
21084 
21085 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21086 	if (!msg)
21087 		return;
21088 
21089 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
21090 	if (!hdr)
21091 		goto nla_put_failure;
21092 
21093 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21094 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21095 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
21096 		goto nla_put_failure;
21097 
21098 	if (!owe_info->ie_len ||
21099 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
21100 		goto nla_put_failure;
21101 
21102 	if (owe_info->assoc_link_id != -1) {
21103 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
21104 			       owe_info->assoc_link_id))
21105 			goto nla_put_failure;
21106 
21107 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
21108 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
21109 			    owe_info->peer_mld_addr))
21110 			goto nla_put_failure;
21111 	}
21112 
21113 	genlmsg_end(msg, hdr);
21114 
21115 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21116 				NL80211_MCGRP_MLME, gfp);
21117 	return;
21118 
21119 nla_put_failure:
21120 	genlmsg_cancel(msg, hdr);
21121 	nlmsg_free(msg);
21122 }
21123 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
21124 
21125 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
21126 {
21127 	struct wiphy *wiphy = wdev->wiphy;
21128 
21129 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
21130 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
21131 	    (wiphy_ext_feature_isset(wiphy,
21132 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
21133 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
21134 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
21135 		reg_check_channels();
21136 }
21137 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
21138 
21139 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
21140 {
21141 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21142 	struct wiphy *wiphy = wdev->wiphy;
21143 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21144 	struct sk_buff *msg;
21145 	void *hdr;
21146 
21147 	trace_cfg80211_epcs_changed(wdev, enabled);
21148 
21149 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21150 	if (!msg)
21151 		return;
21152 
21153 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
21154 	if (!hdr) {
21155 		nlmsg_free(msg);
21156 		return;
21157 	}
21158 
21159 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
21160 		goto nla_put_failure;
21161 
21162 	genlmsg_end(msg, hdr);
21163 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21164 				NL80211_MCGRP_MLME, GFP_KERNEL);
21165 	return;
21166 
21167  nla_put_failure:
21168 	nlmsg_free(msg);
21169 }
21170 EXPORT_SYMBOL(cfg80211_epcs_changed);
21171 
21172 /* initialisation/exit functions */
21173 
21174 int __init nl80211_init(void)
21175 {
21176 	int err;
21177 
21178 	err = genl_register_family(&nl80211_fam);
21179 	if (err)
21180 		return err;
21181 
21182 	err = netlink_register_notifier(&nl80211_netlink_notifier);
21183 	if (err)
21184 		goto err_out;
21185 
21186 	return 0;
21187  err_out:
21188 	genl_unregister_family(&nl80211_fam);
21189 	return err;
21190 }
21191 
21192 void nl80211_exit(void)
21193 {
21194 	netlink_unregister_notifier(&nl80211_netlink_notifier);
21195 	genl_unregister_family(&nl80211_fam);
21196 }
21197