xref: /linux/net/wireless/nl80211.c (revision 9e7c9b8eb719835638ee74d93dccc2173581324c) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
460 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
461 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
463 				      .len = 20-1 },
464 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
465 
466 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
467 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
469 						NL80211_EDMG_CHANNELS_MIN,
470 						NL80211_EDMG_CHANNELS_MAX),
471 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
472 						NL80211_EDMG_BW_CONFIG_MIN,
473 						NL80211_EDMG_BW_CONFIG_MAX),
474 
475 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
476 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
477 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
478 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
479 
480 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
481 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
482 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
484 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
485 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
486 
487 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
488 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
489 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
490 
491 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
492 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
493 
494 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
495 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
496 				    .len = WLAN_MAX_KEY_LEN },
497 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
498 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
499 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
501 	[NL80211_ATTR_KEY_TYPE] =
502 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
503 
504 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
505 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
506 	[NL80211_ATTR_BEACON_HEAD] =
507 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
508 				       IEEE80211_MAX_DATA_LEN),
509 	[NL80211_ATTR_BEACON_TAIL] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_STA_AID] =
513 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
514 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
515 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
516 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
517 					       .len = NL80211_MAX_SUPP_RATES },
518 	[NL80211_ATTR_STA_PLINK_ACTION] =
519 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
520 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
521 		NLA_POLICY_RANGE(NLA_U8,
522 				 NL80211_TX_POWER_AUTOMATIC,
523 				 NL80211_TX_POWER_FIXED),
524 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
525 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
526 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
527 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
528 				   .len = IEEE80211_MAX_MESH_ID_LEN },
529 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
530 
531 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
532 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
533 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
534 
535 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
536 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
537 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
538 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
539 					   .len = NL80211_MAX_SUPP_RATES },
540 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
541 
542 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
543 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
544 
545 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
546 
547 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
549 						   validate_ie_attr,
550 						   IEEE80211_MAX_DATA_LEN),
551 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
552 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
553 
554 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
555 				.len = IEEE80211_MAX_SSID_LEN },
556 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
557 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
561 						  NL80211_MFP_NO,
562 						  NL80211_MFP_OPTIONAL),
563 	[NL80211_ATTR_STA_FLAGS2] = {
564 		.len = sizeof(struct nl80211_sta_flag_update),
565 	},
566 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
568 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
569 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
572 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
573 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
574 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
575 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
576 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
577 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
578 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
579 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
580 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
581 				 .len = IEEE80211_MAX_DATA_LEN },
582 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
583 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
584 						   NL80211_PS_DISABLED,
585 						   NL80211_PS_ENABLED),
586 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
587 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
588 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
589 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
590 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
591 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
592 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
593 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
594 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
595 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_STA_PLINK_STATE] =
599 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
600 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
601 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_MESH_PEER_AID] =
603 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
604 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
605 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
606 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
607 	[NL80211_ATTR_HIDDEN_SSID] =
608 		NLA_POLICY_RANGE(NLA_U32,
609 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
610 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
611 	[NL80211_ATTR_IE_PROBE_RESP] =
612 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
613 				       IEEE80211_MAX_DATA_LEN),
614 	[NL80211_ATTR_IE_ASSOC_RESP] =
615 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
616 				       IEEE80211_MAX_DATA_LEN),
617 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
618 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
619 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
621 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
622 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
623 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
624 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
625 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
627 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
628 				      .len = IEEE80211_MAX_DATA_LEN },
629 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
630 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
632 		.len = NL80211_HT_CAPABILITY_LEN
633 	},
634 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
635 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
636 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
637 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
638 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
639 
640 	/* need to include at least Auth Transaction and Status Code */
641 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
642 
643 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
644 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
645 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
646 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
647 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
648 		NLA_POLICY_RANGE(NLA_U32,
649 				 NL80211_MESH_POWER_UNKNOWN + 1,
650 				 NL80211_MESH_POWER_MAX),
651 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
652 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
654 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
655 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
656 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
657 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
658 		.len = NL80211_VHT_CAPABILITY_LEN,
659 	},
660 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
661 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
662 				  .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
664 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
665 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
666 	[NL80211_ATTR_PEER_AID] =
667 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
668 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
669 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
670 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
671 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
672 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
673 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
674 	/*
675 	 * The value of the Length field of the Supported Operating
676 	 * Classes element is between 2 and 253.
677 	 */
678 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
679 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
680 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
682 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
683 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
684 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
685 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
686 						  IEEE80211_QOS_MAP_LEN_MIN,
687 						  IEEE80211_QOS_MAP_LEN_MAX),
688 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
689 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
690 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
691 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
693 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
694 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
695 	[NL80211_ATTR_USER_PRIO] =
696 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
697 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
698 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
699 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
700 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
702 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
704 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
707 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
708 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
709 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
710 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
711 	},
712 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
714 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
715 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
716 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
717 				    .len = FILS_MAX_KEK_LEN },
718 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
719 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
720 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
721 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
722 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
723 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
724 	},
725 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
726 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
727 					     .len = FILS_ERP_MAX_USERNAME_LEN },
728 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
729 					  .len = FILS_ERP_MAX_REALM_LEN },
730 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
731 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
732 					.len = FILS_ERP_MAX_RRK_LEN },
733 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
734 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
735 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
736 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
738 
739 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
740 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
741 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
742 	[NL80211_ATTR_HE_CAPABILITY] =
743 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
744 				       NL80211_HE_MAX_CAPABILITY_LEN),
745 	[NL80211_ATTR_FTM_RESPONDER] =
746 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
747 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
748 	[NL80211_ATTR_PEER_MEASUREMENTS] =
749 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
750 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
751 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
752 					.len = SAE_PASSWORD_MAX_LEN },
753 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
755 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
756 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
757 	[NL80211_ATTR_TID_CONFIG] =
758 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
759 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
761 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
762 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
763 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
764 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
765 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
766 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
767 	[NL80211_ATTR_FILS_DISCOVERY] =
768 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
769 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
770 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
771 	[NL80211_ATTR_S1G_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
773 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
774 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
775 	[NL80211_ATTR_SAE_PWE] =
776 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
777 				 NL80211_SAE_PWE_BOTH),
778 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
779 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
780 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
781 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
782 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
783 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
784 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
785 	[NL80211_ATTR_MBSSID_CONFIG] =
786 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
787 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
789 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
790 	[NL80211_ATTR_EHT_CAPABILITY] =
791 		NLA_POLICY_RANGE(NLA_BINARY,
792 				 NL80211_EHT_MIN_CAPABILITY_LEN,
793 				 NL80211_EHT_MAX_CAPABILITY_LEN),
794 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
795 	[NL80211_ATTR_MLO_LINKS] =
796 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
797 	[NL80211_ATTR_MLO_LINK_ID] =
798 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
799 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
800 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
801 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
802 };
803 
804 /* policy for the key attributes */
805 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
806 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
807 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
808 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
809 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
810 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
811 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
812 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
813 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
814 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
815 };
816 
817 /* policy for the key default flags */
818 static const struct nla_policy
819 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
820 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
821 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
822 };
823 
824 #ifdef CONFIG_PM
825 /* policy for WoWLAN attributes */
826 static const struct nla_policy
827 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
828 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
829 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
830 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
831 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
832 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
833 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
834 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
835 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
836 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
837 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
838 };
839 
840 static const struct nla_policy
841 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
842 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
843 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
844 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
845 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
846 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
847 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
848 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
849 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
850 	},
851 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
852 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
853 	},
854 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
855 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
856 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
857 };
858 #endif /* CONFIG_PM */
859 
860 /* policy for coalesce rule attributes */
861 static const struct nla_policy
862 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
863 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
864 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
865 		NLA_POLICY_RANGE(NLA_U32,
866 				 NL80211_COALESCE_CONDITION_MATCH,
867 				 NL80211_COALESCE_CONDITION_NO_MATCH),
868 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
869 };
870 
871 /* policy for GTK rekey offload attributes */
872 static const struct nla_policy
873 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
874 	[NL80211_REKEY_DATA_KEK] = {
875 		.type = NLA_BINARY,
876 		.len = NL80211_KEK_EXT_LEN
877 	},
878 	[NL80211_REKEY_DATA_KCK] = {
879 		.type = NLA_BINARY,
880 		.len = NL80211_KCK_EXT_LEN
881 	},
882 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
883 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
884 };
885 
886 static const struct nla_policy
887 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
888 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
889 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
890 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
891 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
892 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
893 };
894 
895 static const struct nla_policy
896 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
897 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
898 						 .len = IEEE80211_MAX_SSID_LEN },
899 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
900 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
901 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
902 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
903 };
904 
905 static const struct nla_policy
906 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
907 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
908 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
909 };
910 
911 static const struct nla_policy
912 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
913 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
914 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
915 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
916 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
917 	},
918 };
919 
920 /* policy for NAN function attributes */
921 static const struct nla_policy
922 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
923 	[NL80211_NAN_FUNC_TYPE] =
924 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
925 	[NL80211_NAN_FUNC_SERVICE_ID] = {
926 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
927 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
928 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
929 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
930 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
931 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
932 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
933 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
934 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
935 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
936 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
937 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
938 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
939 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
940 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
941 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
942 };
943 
944 /* policy for Service Response Filter attributes */
945 static const struct nla_policy
946 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
947 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
948 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
949 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
950 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
951 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
952 };
953 
954 /* policy for packet pattern attributes */
955 static const struct nla_policy
956 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
957 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
958 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
959 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
960 };
961 
962 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
963 				     struct cfg80211_registered_device **rdev,
964 				     struct wireless_dev **wdev,
965 				     struct nlattr **attrbuf)
966 {
967 	int err;
968 
969 	if (!cb->args[0]) {
970 		struct nlattr **attrbuf_free = NULL;
971 
972 		if (!attrbuf) {
973 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
974 					  GFP_KERNEL);
975 			if (!attrbuf)
976 				return -ENOMEM;
977 			attrbuf_free = attrbuf;
978 		}
979 
980 		err = nlmsg_parse_deprecated(cb->nlh,
981 					     GENL_HDRLEN + nl80211_fam.hdrsize,
982 					     attrbuf, nl80211_fam.maxattr,
983 					     nl80211_policy, NULL);
984 		if (err) {
985 			kfree(attrbuf_free);
986 			return err;
987 		}
988 
989 		rtnl_lock();
990 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
991 						   attrbuf);
992 		kfree(attrbuf_free);
993 		if (IS_ERR(*wdev)) {
994 			rtnl_unlock();
995 			return PTR_ERR(*wdev);
996 		}
997 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
998 		mutex_lock(&(*rdev)->wiphy.mtx);
999 		rtnl_unlock();
1000 		/* 0 is the first index - add 1 to parse only once */
1001 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1002 		cb->args[1] = (*wdev)->identifier;
1003 	} else {
1004 		/* subtract the 1 again here */
1005 		struct wiphy *wiphy;
1006 		struct wireless_dev *tmp;
1007 
1008 		rtnl_lock();
1009 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1010 		if (!wiphy) {
1011 			rtnl_unlock();
1012 			return -ENODEV;
1013 		}
1014 		*rdev = wiphy_to_rdev(wiphy);
1015 		*wdev = NULL;
1016 
1017 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1018 			if (tmp->identifier == cb->args[1]) {
1019 				*wdev = tmp;
1020 				break;
1021 			}
1022 		}
1023 
1024 		if (!*wdev) {
1025 			rtnl_unlock();
1026 			return -ENODEV;
1027 		}
1028 		mutex_lock(&(*rdev)->wiphy.mtx);
1029 		rtnl_unlock();
1030 	}
1031 
1032 	return 0;
1033 }
1034 
1035 /* message building helper */
1036 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1037 		     int flags, u8 cmd)
1038 {
1039 	/* since there is no private header just add the generic one */
1040 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1041 }
1042 
1043 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1044 				     const struct ieee80211_reg_rule *rule)
1045 {
1046 	int j;
1047 	struct nlattr *nl_wmm_rules =
1048 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1049 
1050 	if (!nl_wmm_rules)
1051 		goto nla_put_failure;
1052 
1053 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1054 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1055 
1056 		if (!nl_wmm_rule)
1057 			goto nla_put_failure;
1058 
1059 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1060 				rule->wmm_rule.client[j].cw_min) ||
1061 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1062 				rule->wmm_rule.client[j].cw_max) ||
1063 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1064 			       rule->wmm_rule.client[j].aifsn) ||
1065 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1066 			        rule->wmm_rule.client[j].cot))
1067 			goto nla_put_failure;
1068 
1069 		nla_nest_end(msg, nl_wmm_rule);
1070 	}
1071 	nla_nest_end(msg, nl_wmm_rules);
1072 
1073 	return 0;
1074 
1075 nla_put_failure:
1076 	return -ENOBUFS;
1077 }
1078 
1079 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1080 				   struct ieee80211_channel *chan,
1081 				   bool large)
1082 {
1083 	/* Some channels must be completely excluded from the
1084 	 * list to protect old user-space tools from breaking
1085 	 */
1086 	if (!large && chan->flags &
1087 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1088 		return 0;
1089 	if (!large && chan->freq_offset)
1090 		return 0;
1091 
1092 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1093 			chan->center_freq))
1094 		goto nla_put_failure;
1095 
1096 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1097 		goto nla_put_failure;
1098 
1099 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1100 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1101 		goto nla_put_failure;
1102 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1103 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1104 			goto nla_put_failure;
1105 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1106 			goto nla_put_failure;
1107 	}
1108 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1109 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1110 			goto nla_put_failure;
1111 		if (large) {
1112 			u32 time;
1113 
1114 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1115 
1116 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1117 					chan->dfs_state))
1118 				goto nla_put_failure;
1119 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1120 					time))
1121 				goto nla_put_failure;
1122 			if (nla_put_u32(msg,
1123 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1124 					chan->dfs_cac_ms))
1125 				goto nla_put_failure;
1126 		}
1127 	}
1128 
1129 	if (large) {
1130 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1131 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1132 			goto nla_put_failure;
1133 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1134 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1135 			goto nla_put_failure;
1136 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1137 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1138 			goto nla_put_failure;
1139 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1140 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1141 			goto nla_put_failure;
1142 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1143 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1144 			goto nla_put_failure;
1145 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1146 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1147 			goto nla_put_failure;
1148 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1149 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1150 			goto nla_put_failure;
1151 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1152 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1153 			goto nla_put_failure;
1154 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1155 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1156 			goto nla_put_failure;
1157 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1158 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1159 			goto nla_put_failure;
1160 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1161 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1162 			goto nla_put_failure;
1163 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1164 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1165 			goto nla_put_failure;
1166 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1167 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1168 			goto nla_put_failure;
1169 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1170 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1171 			goto nla_put_failure;
1172 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1173 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1174 			goto nla_put_failure;
1175 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1176 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1177 			goto nla_put_failure;
1178 	}
1179 
1180 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1181 			DBM_TO_MBM(chan->max_power)))
1182 		goto nla_put_failure;
1183 
1184 	if (large) {
1185 		const struct ieee80211_reg_rule *rule =
1186 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1187 
1188 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1189 			if (nl80211_msg_put_wmm_rules(msg, rule))
1190 				goto nla_put_failure;
1191 		}
1192 	}
1193 
1194 	return 0;
1195 
1196  nla_put_failure:
1197 	return -ENOBUFS;
1198 }
1199 
1200 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1201 				  struct cfg80211_txq_stats *txqstats,
1202 				  int attrtype)
1203 {
1204 	struct nlattr *txqattr;
1205 
1206 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1207 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1208 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1209 		return false;						  \
1210 	} while (0)
1211 
1212 	txqattr = nla_nest_start_noflag(msg, attrtype);
1213 	if (!txqattr)
1214 		return false;
1215 
1216 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1217 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1218 	PUT_TXQVAL_U32(FLOWS, flows);
1219 	PUT_TXQVAL_U32(DROPS, drops);
1220 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1221 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1222 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1223 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1224 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1225 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1226 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1227 	nla_nest_end(msg, txqattr);
1228 
1229 #undef PUT_TXQVAL_U32
1230 	return true;
1231 }
1232 
1233 /* netlink command implementations */
1234 
1235 /**
1236  * nl80211_link_id - return link ID
1237  * @attrs: attributes to look at
1238  *
1239  * Returns: the link ID or 0 if not given
1240  *
1241  * Note this function doesn't do any validation of the link
1242  * ID validity wrt. links that were actually added, so it must
1243  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1244  * or if additional validation is done.
1245  */
1246 static unsigned int nl80211_link_id(struct nlattr **attrs)
1247 {
1248 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1249 
1250 	if (!linkid)
1251 		return 0;
1252 
1253 	return nla_get_u8(linkid);
1254 }
1255 
1256 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1257 {
1258 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1259 
1260 	if (!linkid)
1261 		return -1;
1262 
1263 	return nla_get_u8(linkid);
1264 }
1265 
1266 struct key_parse {
1267 	struct key_params p;
1268 	int idx;
1269 	int type;
1270 	bool def, defmgmt, defbeacon;
1271 	bool def_uni, def_multi;
1272 };
1273 
1274 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1275 				 struct key_parse *k)
1276 {
1277 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1278 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1279 					      nl80211_key_policy,
1280 					      info->extack);
1281 	if (err)
1282 		return err;
1283 
1284 	k->def = !!tb[NL80211_KEY_DEFAULT];
1285 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1286 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1287 
1288 	if (k->def) {
1289 		k->def_uni = true;
1290 		k->def_multi = true;
1291 	}
1292 	if (k->defmgmt || k->defbeacon)
1293 		k->def_multi = true;
1294 
1295 	if (tb[NL80211_KEY_IDX])
1296 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1297 
1298 	if (tb[NL80211_KEY_DATA]) {
1299 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1300 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1301 	}
1302 
1303 	if (tb[NL80211_KEY_SEQ]) {
1304 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1305 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1306 	}
1307 
1308 	if (tb[NL80211_KEY_CIPHER])
1309 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1310 
1311 	if (tb[NL80211_KEY_TYPE])
1312 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1313 
1314 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1315 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1316 
1317 		err = nla_parse_nested_deprecated(kdt,
1318 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1319 						  tb[NL80211_KEY_DEFAULT_TYPES],
1320 						  nl80211_key_default_policy,
1321 						  info->extack);
1322 		if (err)
1323 			return err;
1324 
1325 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1326 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1327 	}
1328 
1329 	if (tb[NL80211_KEY_MODE])
1330 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1331 
1332 	return 0;
1333 }
1334 
1335 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1336 {
1337 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1338 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1339 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1340 	}
1341 
1342 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1343 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1344 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1345 	}
1346 
1347 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1348 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1349 
1350 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1351 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1352 
1353 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1354 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1355 
1356 	if (k->def) {
1357 		k->def_uni = true;
1358 		k->def_multi = true;
1359 	}
1360 	if (k->defmgmt)
1361 		k->def_multi = true;
1362 
1363 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1364 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1365 
1366 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1367 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1368 		int err = nla_parse_nested_deprecated(kdt,
1369 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1370 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1371 						      nl80211_key_default_policy,
1372 						      info->extack);
1373 		if (err)
1374 			return err;
1375 
1376 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1377 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1378 	}
1379 
1380 	return 0;
1381 }
1382 
1383 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1384 {
1385 	int err;
1386 
1387 	memset(k, 0, sizeof(*k));
1388 	k->idx = -1;
1389 	k->type = -1;
1390 
1391 	if (info->attrs[NL80211_ATTR_KEY])
1392 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1393 	else
1394 		err = nl80211_parse_key_old(info, k);
1395 
1396 	if (err)
1397 		return err;
1398 
1399 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1400 	    (k->defbeacon ? 1 : 0) > 1) {
1401 		GENL_SET_ERR_MSG(info,
1402 				 "key with multiple default flags is invalid");
1403 		return -EINVAL;
1404 	}
1405 
1406 	if (k->defmgmt || k->defbeacon) {
1407 		if (k->def_uni || !k->def_multi) {
1408 			GENL_SET_ERR_MSG(info,
1409 					 "defmgmt/defbeacon key must be mcast");
1410 			return -EINVAL;
1411 		}
1412 	}
1413 
1414 	if (k->idx != -1) {
1415 		if (k->defmgmt) {
1416 			if (k->idx < 4 || k->idx > 5) {
1417 				GENL_SET_ERR_MSG(info,
1418 						 "defmgmt key idx not 4 or 5");
1419 				return -EINVAL;
1420 			}
1421 		} else if (k->defbeacon) {
1422 			if (k->idx < 6 || k->idx > 7) {
1423 				GENL_SET_ERR_MSG(info,
1424 						 "defbeacon key idx not 6 or 7");
1425 				return -EINVAL;
1426 			}
1427 		} else if (k->def) {
1428 			if (k->idx < 0 || k->idx > 3) {
1429 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1430 				return -EINVAL;
1431 			}
1432 		} else {
1433 			if (k->idx < 0 || k->idx > 7) {
1434 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1435 				return -EINVAL;
1436 			}
1437 		}
1438 	}
1439 
1440 	return 0;
1441 }
1442 
1443 static struct cfg80211_cached_keys *
1444 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1445 		       struct genl_info *info, bool *no_ht)
1446 {
1447 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1448 	struct key_parse parse;
1449 	struct nlattr *key;
1450 	struct cfg80211_cached_keys *result;
1451 	int rem, err, def = 0;
1452 	bool have_key = false;
1453 
1454 	nla_for_each_nested(key, keys, rem) {
1455 		have_key = true;
1456 		break;
1457 	}
1458 
1459 	if (!have_key)
1460 		return NULL;
1461 
1462 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1463 	if (!result)
1464 		return ERR_PTR(-ENOMEM);
1465 
1466 	result->def = -1;
1467 
1468 	nla_for_each_nested(key, keys, rem) {
1469 		memset(&parse, 0, sizeof(parse));
1470 		parse.idx = -1;
1471 
1472 		err = nl80211_parse_key_new(info, key, &parse);
1473 		if (err)
1474 			goto error;
1475 		err = -EINVAL;
1476 		if (!parse.p.key)
1477 			goto error;
1478 		if (parse.idx < 0 || parse.idx > 3) {
1479 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1480 			goto error;
1481 		}
1482 		if (parse.def) {
1483 			if (def) {
1484 				GENL_SET_ERR_MSG(info,
1485 						 "only one key can be default");
1486 				goto error;
1487 			}
1488 			def = 1;
1489 			result->def = parse.idx;
1490 			if (!parse.def_uni || !parse.def_multi)
1491 				goto error;
1492 		} else if (parse.defmgmt)
1493 			goto error;
1494 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1495 						     parse.idx, false, NULL);
1496 		if (err)
1497 			goto error;
1498 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1499 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1500 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1501 			err = -EINVAL;
1502 			goto error;
1503 		}
1504 		result->params[parse.idx].cipher = parse.p.cipher;
1505 		result->params[parse.idx].key_len = parse.p.key_len;
1506 		result->params[parse.idx].key = result->data[parse.idx];
1507 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1508 
1509 		/* must be WEP key if we got here */
1510 		if (no_ht)
1511 			*no_ht = true;
1512 	}
1513 
1514 	if (result->def < 0) {
1515 		err = -EINVAL;
1516 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1517 		goto error;
1518 	}
1519 
1520 	return result;
1521  error:
1522 	kfree(result);
1523 	return ERR_PTR(err);
1524 }
1525 
1526 static int nl80211_key_allowed(struct wireless_dev *wdev)
1527 {
1528 	ASSERT_WDEV_LOCK(wdev);
1529 
1530 	switch (wdev->iftype) {
1531 	case NL80211_IFTYPE_AP:
1532 	case NL80211_IFTYPE_AP_VLAN:
1533 	case NL80211_IFTYPE_P2P_GO:
1534 	case NL80211_IFTYPE_MESH_POINT:
1535 		break;
1536 	case NL80211_IFTYPE_ADHOC:
1537 		if (wdev->u.ibss.current_bss)
1538 			return 0;
1539 		return -ENOLINK;
1540 	case NL80211_IFTYPE_STATION:
1541 	case NL80211_IFTYPE_P2P_CLIENT:
1542 		/* for MLO, require driver validation of the link ID */
1543 		if (wdev->connected)
1544 			return 0;
1545 		return -ENOLINK;
1546 	case NL80211_IFTYPE_UNSPECIFIED:
1547 	case NL80211_IFTYPE_OCB:
1548 	case NL80211_IFTYPE_MONITOR:
1549 	case NL80211_IFTYPE_NAN:
1550 	case NL80211_IFTYPE_P2P_DEVICE:
1551 	case NL80211_IFTYPE_WDS:
1552 	case NUM_NL80211_IFTYPES:
1553 		return -EINVAL;
1554 	}
1555 
1556 	return 0;
1557 }
1558 
1559 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1560 							u32 freq)
1561 {
1562 	struct ieee80211_channel *chan;
1563 
1564 	chan = ieee80211_get_channel_khz(wiphy, freq);
1565 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1566 		return NULL;
1567 	return chan;
1568 }
1569 
1570 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1571 {
1572 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1573 	int i;
1574 
1575 	if (!nl_modes)
1576 		goto nla_put_failure;
1577 
1578 	i = 0;
1579 	while (ifmodes) {
1580 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1581 			goto nla_put_failure;
1582 		ifmodes >>= 1;
1583 		i++;
1584 	}
1585 
1586 	nla_nest_end(msg, nl_modes);
1587 	return 0;
1588 
1589 nla_put_failure:
1590 	return -ENOBUFS;
1591 }
1592 
1593 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1594 					  struct sk_buff *msg,
1595 					  bool large)
1596 {
1597 	struct nlattr *nl_combis;
1598 	int i, j;
1599 
1600 	nl_combis = nla_nest_start_noflag(msg,
1601 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1602 	if (!nl_combis)
1603 		goto nla_put_failure;
1604 
1605 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1606 		const struct ieee80211_iface_combination *c;
1607 		struct nlattr *nl_combi, *nl_limits;
1608 
1609 		c = &wiphy->iface_combinations[i];
1610 
1611 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1612 		if (!nl_combi)
1613 			goto nla_put_failure;
1614 
1615 		nl_limits = nla_nest_start_noflag(msg,
1616 						  NL80211_IFACE_COMB_LIMITS);
1617 		if (!nl_limits)
1618 			goto nla_put_failure;
1619 
1620 		for (j = 0; j < c->n_limits; j++) {
1621 			struct nlattr *nl_limit;
1622 
1623 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1624 			if (!nl_limit)
1625 				goto nla_put_failure;
1626 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1627 					c->limits[j].max))
1628 				goto nla_put_failure;
1629 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1630 						c->limits[j].types))
1631 				goto nla_put_failure;
1632 			nla_nest_end(msg, nl_limit);
1633 		}
1634 
1635 		nla_nest_end(msg, nl_limits);
1636 
1637 		if (c->beacon_int_infra_match &&
1638 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1639 			goto nla_put_failure;
1640 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1641 				c->num_different_channels) ||
1642 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1643 				c->max_interfaces))
1644 			goto nla_put_failure;
1645 		if (large &&
1646 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1647 				c->radar_detect_widths) ||
1648 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1649 				c->radar_detect_regions)))
1650 			goto nla_put_failure;
1651 		if (c->beacon_int_min_gcd &&
1652 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1653 				c->beacon_int_min_gcd))
1654 			goto nla_put_failure;
1655 
1656 		nla_nest_end(msg, nl_combi);
1657 	}
1658 
1659 	nla_nest_end(msg, nl_combis);
1660 
1661 	return 0;
1662 nla_put_failure:
1663 	return -ENOBUFS;
1664 }
1665 
1666 #ifdef CONFIG_PM
1667 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1668 					struct sk_buff *msg)
1669 {
1670 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1671 	struct nlattr *nl_tcp;
1672 
1673 	if (!tcp)
1674 		return 0;
1675 
1676 	nl_tcp = nla_nest_start_noflag(msg,
1677 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1678 	if (!nl_tcp)
1679 		return -ENOBUFS;
1680 
1681 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1682 			tcp->data_payload_max))
1683 		return -ENOBUFS;
1684 
1685 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1686 			tcp->data_payload_max))
1687 		return -ENOBUFS;
1688 
1689 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1690 		return -ENOBUFS;
1691 
1692 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1693 				sizeof(*tcp->tok), tcp->tok))
1694 		return -ENOBUFS;
1695 
1696 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1697 			tcp->data_interval_max))
1698 		return -ENOBUFS;
1699 
1700 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1701 			tcp->wake_payload_max))
1702 		return -ENOBUFS;
1703 
1704 	nla_nest_end(msg, nl_tcp);
1705 	return 0;
1706 }
1707 
1708 static int nl80211_send_wowlan(struct sk_buff *msg,
1709 			       struct cfg80211_registered_device *rdev,
1710 			       bool large)
1711 {
1712 	struct nlattr *nl_wowlan;
1713 
1714 	if (!rdev->wiphy.wowlan)
1715 		return 0;
1716 
1717 	nl_wowlan = nla_nest_start_noflag(msg,
1718 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1719 	if (!nl_wowlan)
1720 		return -ENOBUFS;
1721 
1722 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1723 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1724 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1725 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1726 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1727 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1728 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1729 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1730 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1731 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1732 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1733 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1734 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1735 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1736 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1737 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1738 		return -ENOBUFS;
1739 
1740 	if (rdev->wiphy.wowlan->n_patterns) {
1741 		struct nl80211_pattern_support pat = {
1742 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1743 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1744 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1745 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1746 		};
1747 
1748 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1749 			    sizeof(pat), &pat))
1750 			return -ENOBUFS;
1751 	}
1752 
1753 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1754 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1755 			rdev->wiphy.wowlan->max_nd_match_sets))
1756 		return -ENOBUFS;
1757 
1758 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1759 		return -ENOBUFS;
1760 
1761 	nla_nest_end(msg, nl_wowlan);
1762 
1763 	return 0;
1764 }
1765 #endif
1766 
1767 static int nl80211_send_coalesce(struct sk_buff *msg,
1768 				 struct cfg80211_registered_device *rdev)
1769 {
1770 	struct nl80211_coalesce_rule_support rule;
1771 
1772 	if (!rdev->wiphy.coalesce)
1773 		return 0;
1774 
1775 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1776 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1777 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1778 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1779 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1780 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1781 
1782 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1783 		return -ENOBUFS;
1784 
1785 	return 0;
1786 }
1787 
1788 static int
1789 nl80211_send_iftype_data(struct sk_buff *msg,
1790 			 const struct ieee80211_supported_band *sband,
1791 			 const struct ieee80211_sband_iftype_data *iftdata)
1792 {
1793 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1794 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1795 
1796 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1797 				iftdata->types_mask))
1798 		return -ENOBUFS;
1799 
1800 	if (he_cap->has_he) {
1801 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1802 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1803 			    he_cap->he_cap_elem.mac_cap_info) ||
1804 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1805 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1806 			    he_cap->he_cap_elem.phy_cap_info) ||
1807 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1808 			    sizeof(he_cap->he_mcs_nss_supp),
1809 			    &he_cap->he_mcs_nss_supp) ||
1810 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1811 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1812 			return -ENOBUFS;
1813 	}
1814 
1815 	if (eht_cap->has_eht && he_cap->has_he) {
1816 		u8 mcs_nss_size, ppe_thresh_size;
1817 		u16 ppe_thres_hdr;
1818 
1819 		mcs_nss_size =
1820 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1821 						   &eht_cap->eht_cap_elem);
1822 
1823 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1824 		ppe_thresh_size =
1825 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1826 					       eht_cap->eht_cap_elem.phy_cap_info);
1827 
1828 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1829 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1830 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1831 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1832 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1833 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1834 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1835 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1836 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1837 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1838 			return -ENOBUFS;
1839 	}
1840 
1841 	if (sband->band == NL80211_BAND_6GHZ &&
1842 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1843 		    sizeof(iftdata->he_6ghz_capa),
1844 		    &iftdata->he_6ghz_capa))
1845 		return -ENOBUFS;
1846 
1847 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1848 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1849 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1850 		return -ENOBUFS;
1851 
1852 	return 0;
1853 }
1854 
1855 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1856 				      struct ieee80211_supported_band *sband,
1857 				      bool large)
1858 {
1859 	struct nlattr *nl_rates, *nl_rate;
1860 	struct ieee80211_rate *rate;
1861 	int i;
1862 
1863 	/* add HT info */
1864 	if (sband->ht_cap.ht_supported &&
1865 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1866 		     sizeof(sband->ht_cap.mcs),
1867 		     &sband->ht_cap.mcs) ||
1868 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1869 			 sband->ht_cap.cap) ||
1870 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1871 			sband->ht_cap.ampdu_factor) ||
1872 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1873 			sband->ht_cap.ampdu_density)))
1874 		return -ENOBUFS;
1875 
1876 	/* add VHT info */
1877 	if (sband->vht_cap.vht_supported &&
1878 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1879 		     sizeof(sband->vht_cap.vht_mcs),
1880 		     &sband->vht_cap.vht_mcs) ||
1881 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1882 			 sband->vht_cap.cap)))
1883 		return -ENOBUFS;
1884 
1885 	if (large && sband->n_iftype_data) {
1886 		struct nlattr *nl_iftype_data =
1887 			nla_nest_start_noflag(msg,
1888 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1889 		int err;
1890 
1891 		if (!nl_iftype_data)
1892 			return -ENOBUFS;
1893 
1894 		for (i = 0; i < sband->n_iftype_data; i++) {
1895 			struct nlattr *iftdata;
1896 
1897 			iftdata = nla_nest_start_noflag(msg, i + 1);
1898 			if (!iftdata)
1899 				return -ENOBUFS;
1900 
1901 			err = nl80211_send_iftype_data(msg, sband,
1902 						       &sband->iftype_data[i]);
1903 			if (err)
1904 				return err;
1905 
1906 			nla_nest_end(msg, iftdata);
1907 		}
1908 
1909 		nla_nest_end(msg, nl_iftype_data);
1910 	}
1911 
1912 	/* add EDMG info */
1913 	if (large && sband->edmg_cap.channels &&
1914 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1915 		       sband->edmg_cap.channels) ||
1916 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1917 		       sband->edmg_cap.bw_config)))
1918 
1919 		return -ENOBUFS;
1920 
1921 	/* add bitrates */
1922 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1923 	if (!nl_rates)
1924 		return -ENOBUFS;
1925 
1926 	for (i = 0; i < sband->n_bitrates; i++) {
1927 		nl_rate = nla_nest_start_noflag(msg, i);
1928 		if (!nl_rate)
1929 			return -ENOBUFS;
1930 
1931 		rate = &sband->bitrates[i];
1932 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1933 				rate->bitrate))
1934 			return -ENOBUFS;
1935 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1936 		    nla_put_flag(msg,
1937 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1938 			return -ENOBUFS;
1939 
1940 		nla_nest_end(msg, nl_rate);
1941 	}
1942 
1943 	nla_nest_end(msg, nl_rates);
1944 
1945 	return 0;
1946 }
1947 
1948 static int
1949 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1950 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1951 {
1952 	u16 stypes;
1953 	struct nlattr *nl_ftypes, *nl_ifs;
1954 	enum nl80211_iftype ift;
1955 	int i;
1956 
1957 	if (!mgmt_stypes)
1958 		return 0;
1959 
1960 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1961 	if (!nl_ifs)
1962 		return -ENOBUFS;
1963 
1964 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1965 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1966 		if (!nl_ftypes)
1967 			return -ENOBUFS;
1968 		i = 0;
1969 		stypes = mgmt_stypes[ift].tx;
1970 		while (stypes) {
1971 			if ((stypes & 1) &&
1972 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1973 					(i << 4) | IEEE80211_FTYPE_MGMT))
1974 				return -ENOBUFS;
1975 			stypes >>= 1;
1976 			i++;
1977 		}
1978 		nla_nest_end(msg, nl_ftypes);
1979 	}
1980 
1981 	nla_nest_end(msg, nl_ifs);
1982 
1983 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1984 	if (!nl_ifs)
1985 		return -ENOBUFS;
1986 
1987 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1988 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1989 		if (!nl_ftypes)
1990 			return -ENOBUFS;
1991 		i = 0;
1992 		stypes = mgmt_stypes[ift].rx;
1993 		while (stypes) {
1994 			if ((stypes & 1) &&
1995 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1996 					(i << 4) | IEEE80211_FTYPE_MGMT))
1997 				return -ENOBUFS;
1998 			stypes >>= 1;
1999 			i++;
2000 		}
2001 		nla_nest_end(msg, nl_ftypes);
2002 	}
2003 	nla_nest_end(msg, nl_ifs);
2004 
2005 	return 0;
2006 }
2007 
2008 #define CMD(op, n)							\
2009 	 do {								\
2010 		if (rdev->ops->op) {					\
2011 			i++;						\
2012 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2013 				goto nla_put_failure;			\
2014 		}							\
2015 	} while (0)
2016 
2017 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2018 					struct sk_buff *msg)
2019 {
2020 	int i = 0;
2021 
2022 	/*
2023 	 * do *NOT* add anything into this function, new things need to be
2024 	 * advertised only to new versions of userspace that can deal with
2025 	 * the split (and they can't possibly care about new features...
2026 	 */
2027 	CMD(add_virtual_intf, NEW_INTERFACE);
2028 	CMD(change_virtual_intf, SET_INTERFACE);
2029 	CMD(add_key, NEW_KEY);
2030 	CMD(start_ap, START_AP);
2031 	CMD(add_station, NEW_STATION);
2032 	CMD(add_mpath, NEW_MPATH);
2033 	CMD(update_mesh_config, SET_MESH_CONFIG);
2034 	CMD(change_bss, SET_BSS);
2035 	CMD(auth, AUTHENTICATE);
2036 	CMD(assoc, ASSOCIATE);
2037 	CMD(deauth, DEAUTHENTICATE);
2038 	CMD(disassoc, DISASSOCIATE);
2039 	CMD(join_ibss, JOIN_IBSS);
2040 	CMD(join_mesh, JOIN_MESH);
2041 	CMD(set_pmksa, SET_PMKSA);
2042 	CMD(del_pmksa, DEL_PMKSA);
2043 	CMD(flush_pmksa, FLUSH_PMKSA);
2044 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2045 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2046 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2047 	CMD(mgmt_tx, FRAME);
2048 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2049 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2050 		i++;
2051 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2052 			goto nla_put_failure;
2053 	}
2054 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2055 	    rdev->ops->join_mesh) {
2056 		i++;
2057 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2058 			goto nla_put_failure;
2059 	}
2060 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2061 		CMD(tdls_mgmt, TDLS_MGMT);
2062 		CMD(tdls_oper, TDLS_OPER);
2063 	}
2064 	if (rdev->wiphy.max_sched_scan_reqs)
2065 		CMD(sched_scan_start, START_SCHED_SCAN);
2066 	CMD(probe_client, PROBE_CLIENT);
2067 	CMD(set_noack_map, SET_NOACK_MAP);
2068 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2069 		i++;
2070 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2071 			goto nla_put_failure;
2072 	}
2073 	CMD(start_p2p_device, START_P2P_DEVICE);
2074 	CMD(set_mcast_rate, SET_MCAST_RATE);
2075 #ifdef CONFIG_NL80211_TESTMODE
2076 	CMD(testmode_cmd, TESTMODE);
2077 #endif
2078 
2079 	if (rdev->ops->connect || rdev->ops->auth) {
2080 		i++;
2081 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2082 			goto nla_put_failure;
2083 	}
2084 
2085 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2086 		i++;
2087 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2088 			goto nla_put_failure;
2089 	}
2090 
2091 	return i;
2092  nla_put_failure:
2093 	return -ENOBUFS;
2094 }
2095 
2096 static int
2097 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2098 			   struct sk_buff *msg)
2099 {
2100 	struct nlattr *ftm;
2101 
2102 	if (!cap->ftm.supported)
2103 		return 0;
2104 
2105 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2106 	if (!ftm)
2107 		return -ENOBUFS;
2108 
2109 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2110 		return -ENOBUFS;
2111 	if (cap->ftm.non_asap &&
2112 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2113 		return -ENOBUFS;
2114 	if (cap->ftm.request_lci &&
2115 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2116 		return -ENOBUFS;
2117 	if (cap->ftm.request_civicloc &&
2118 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2119 		return -ENOBUFS;
2120 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2121 			cap->ftm.preambles))
2122 		return -ENOBUFS;
2123 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2124 			cap->ftm.bandwidths))
2125 		return -ENOBUFS;
2126 	if (cap->ftm.max_bursts_exponent >= 0 &&
2127 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2128 			cap->ftm.max_bursts_exponent))
2129 		return -ENOBUFS;
2130 	if (cap->ftm.max_ftms_per_burst &&
2131 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2132 			cap->ftm.max_ftms_per_burst))
2133 		return -ENOBUFS;
2134 	if (cap->ftm.trigger_based &&
2135 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2136 		return -ENOBUFS;
2137 	if (cap->ftm.non_trigger_based &&
2138 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2139 		return -ENOBUFS;
2140 
2141 	nla_nest_end(msg, ftm);
2142 	return 0;
2143 }
2144 
2145 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2146 				  struct sk_buff *msg)
2147 {
2148 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2149 	struct nlattr *pmsr, *caps;
2150 
2151 	if (!cap)
2152 		return 0;
2153 
2154 	/*
2155 	 * we don't need to clean up anything here since the caller
2156 	 * will genlmsg_cancel() if we fail
2157 	 */
2158 
2159 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2160 	if (!pmsr)
2161 		return -ENOBUFS;
2162 
2163 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2164 		return -ENOBUFS;
2165 
2166 	if (cap->report_ap_tsf &&
2167 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2168 		return -ENOBUFS;
2169 
2170 	if (cap->randomize_mac_addr &&
2171 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2172 		return -ENOBUFS;
2173 
2174 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2175 	if (!caps)
2176 		return -ENOBUFS;
2177 
2178 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2179 		return -ENOBUFS;
2180 
2181 	nla_nest_end(msg, caps);
2182 	nla_nest_end(msg, pmsr);
2183 
2184 	return 0;
2185 }
2186 
2187 static int
2188 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2189 			      struct sk_buff *msg)
2190 {
2191 	int i;
2192 	struct nlattr *nested, *nested_akms;
2193 	const struct wiphy_iftype_akm_suites *iftype_akms;
2194 
2195 	if (!rdev->wiphy.num_iftype_akm_suites ||
2196 	    !rdev->wiphy.iftype_akm_suites)
2197 		return 0;
2198 
2199 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2200 	if (!nested)
2201 		return -ENOBUFS;
2202 
2203 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2204 		nested_akms = nla_nest_start(msg, i + 1);
2205 		if (!nested_akms)
2206 			return -ENOBUFS;
2207 
2208 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2209 
2210 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2211 					iftype_akms->iftypes_mask))
2212 			return -ENOBUFS;
2213 
2214 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2215 			    sizeof(u32) * iftype_akms->n_akm_suites,
2216 			    iftype_akms->akm_suites)) {
2217 			return -ENOBUFS;
2218 		}
2219 		nla_nest_end(msg, nested_akms);
2220 	}
2221 
2222 	nla_nest_end(msg, nested);
2223 
2224 	return 0;
2225 }
2226 
2227 static int
2228 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2229 			       struct sk_buff *msg)
2230 {
2231 	struct nlattr *supp;
2232 
2233 	if (!rdev->wiphy.tid_config_support.vif &&
2234 	    !rdev->wiphy.tid_config_support.peer)
2235 		return 0;
2236 
2237 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2238 	if (!supp)
2239 		return -ENOSPC;
2240 
2241 	if (rdev->wiphy.tid_config_support.vif &&
2242 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2243 			      rdev->wiphy.tid_config_support.vif,
2244 			      NL80211_TID_CONFIG_ATTR_PAD))
2245 		goto fail;
2246 
2247 	if (rdev->wiphy.tid_config_support.peer &&
2248 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2249 			      rdev->wiphy.tid_config_support.peer,
2250 			      NL80211_TID_CONFIG_ATTR_PAD))
2251 		goto fail;
2252 
2253 	/* for now we just use the same value ... makes more sense */
2254 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2255 		       rdev->wiphy.tid_config_support.max_retry))
2256 		goto fail;
2257 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2258 		       rdev->wiphy.tid_config_support.max_retry))
2259 		goto fail;
2260 
2261 	nla_nest_end(msg, supp);
2262 
2263 	return 0;
2264 fail:
2265 	nla_nest_cancel(msg, supp);
2266 	return -ENOBUFS;
2267 }
2268 
2269 static int
2270 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2271 		      struct sk_buff *msg)
2272 {
2273 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2274 	u8 num_freq_ranges;
2275 	int i;
2276 
2277 	if (!rdev->wiphy.sar_capa)
2278 		return 0;
2279 
2280 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2281 
2282 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2283 	if (!sar_capa)
2284 		return -ENOSPC;
2285 
2286 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2287 		goto fail;
2288 
2289 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2290 	if (!specs)
2291 		goto fail;
2292 
2293 	/* report supported freq_ranges */
2294 	for (i = 0; i < num_freq_ranges; i++) {
2295 		sub_freq_range = nla_nest_start(msg, i + 1);
2296 		if (!sub_freq_range)
2297 			goto fail;
2298 
2299 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2300 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2301 			goto fail;
2302 
2303 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2304 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2305 			goto fail;
2306 
2307 		nla_nest_end(msg, sub_freq_range);
2308 	}
2309 
2310 	nla_nest_end(msg, specs);
2311 	nla_nest_end(msg, sar_capa);
2312 
2313 	return 0;
2314 fail:
2315 	nla_nest_cancel(msg, sar_capa);
2316 	return -ENOBUFS;
2317 }
2318 
2319 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2320 {
2321 	struct nlattr *config;
2322 
2323 	if (!wiphy->mbssid_max_interfaces)
2324 		return 0;
2325 
2326 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2327 	if (!config)
2328 		return -ENOBUFS;
2329 
2330 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2331 		       wiphy->mbssid_max_interfaces))
2332 		goto fail;
2333 
2334 	if (wiphy->ema_max_profile_periodicity &&
2335 	    nla_put_u8(msg,
2336 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2337 		       wiphy->ema_max_profile_periodicity))
2338 		goto fail;
2339 
2340 	nla_nest_end(msg, config);
2341 	return 0;
2342 
2343 fail:
2344 	nla_nest_cancel(msg, config);
2345 	return -ENOBUFS;
2346 }
2347 
2348 struct nl80211_dump_wiphy_state {
2349 	s64 filter_wiphy;
2350 	long start;
2351 	long split_start, band_start, chan_start, capa_start;
2352 	bool split;
2353 };
2354 
2355 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2356 			      enum nl80211_commands cmd,
2357 			      struct sk_buff *msg, u32 portid, u32 seq,
2358 			      int flags, struct nl80211_dump_wiphy_state *state)
2359 {
2360 	void *hdr;
2361 	struct nlattr *nl_bands, *nl_band;
2362 	struct nlattr *nl_freqs, *nl_freq;
2363 	struct nlattr *nl_cmds;
2364 	enum nl80211_band band;
2365 	struct ieee80211_channel *chan;
2366 	int i;
2367 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2368 				rdev->wiphy.mgmt_stypes;
2369 	u32 features;
2370 
2371 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2372 	if (!hdr)
2373 		return -ENOBUFS;
2374 
2375 	if (WARN_ON(!state))
2376 		return -EINVAL;
2377 
2378 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2379 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2380 			   wiphy_name(&rdev->wiphy)) ||
2381 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2382 			cfg80211_rdev_list_generation))
2383 		goto nla_put_failure;
2384 
2385 	if (cmd != NL80211_CMD_NEW_WIPHY)
2386 		goto finish;
2387 
2388 	switch (state->split_start) {
2389 	case 0:
2390 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2391 			       rdev->wiphy.retry_short) ||
2392 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2393 			       rdev->wiphy.retry_long) ||
2394 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2395 				rdev->wiphy.frag_threshold) ||
2396 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2397 				rdev->wiphy.rts_threshold) ||
2398 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2399 			       rdev->wiphy.coverage_class) ||
2400 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2401 			       rdev->wiphy.max_scan_ssids) ||
2402 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2403 			       rdev->wiphy.max_sched_scan_ssids) ||
2404 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2405 				rdev->wiphy.max_scan_ie_len) ||
2406 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2407 				rdev->wiphy.max_sched_scan_ie_len) ||
2408 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2409 			       rdev->wiphy.max_match_sets))
2410 			goto nla_put_failure;
2411 
2412 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2413 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2414 			goto nla_put_failure;
2415 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2416 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2417 			goto nla_put_failure;
2418 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2419 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2420 			goto nla_put_failure;
2421 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2422 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2423 			goto nla_put_failure;
2424 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2425 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2426 			goto nla_put_failure;
2427 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2428 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2429 			goto nla_put_failure;
2430 		state->split_start++;
2431 		if (state->split)
2432 			break;
2433 		fallthrough;
2434 	case 1:
2435 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2436 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2437 			    rdev->wiphy.cipher_suites))
2438 			goto nla_put_failure;
2439 
2440 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2441 			       rdev->wiphy.max_num_pmkids))
2442 			goto nla_put_failure;
2443 
2444 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2445 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2446 			goto nla_put_failure;
2447 
2448 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2449 				rdev->wiphy.available_antennas_tx) ||
2450 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2451 				rdev->wiphy.available_antennas_rx))
2452 			goto nla_put_failure;
2453 
2454 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2455 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2456 				rdev->wiphy.probe_resp_offload))
2457 			goto nla_put_failure;
2458 
2459 		if ((rdev->wiphy.available_antennas_tx ||
2460 		     rdev->wiphy.available_antennas_rx) &&
2461 		    rdev->ops->get_antenna) {
2462 			u32 tx_ant = 0, rx_ant = 0;
2463 			int res;
2464 
2465 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2466 			if (!res) {
2467 				if (nla_put_u32(msg,
2468 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2469 						tx_ant) ||
2470 				    nla_put_u32(msg,
2471 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2472 						rx_ant))
2473 					goto nla_put_failure;
2474 			}
2475 		}
2476 
2477 		state->split_start++;
2478 		if (state->split)
2479 			break;
2480 		fallthrough;
2481 	case 2:
2482 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2483 					rdev->wiphy.interface_modes))
2484 				goto nla_put_failure;
2485 		state->split_start++;
2486 		if (state->split)
2487 			break;
2488 		fallthrough;
2489 	case 3:
2490 		nl_bands = nla_nest_start_noflag(msg,
2491 						 NL80211_ATTR_WIPHY_BANDS);
2492 		if (!nl_bands)
2493 			goto nla_put_failure;
2494 
2495 		for (band = state->band_start;
2496 		     band < (state->split ?
2497 				NUM_NL80211_BANDS :
2498 				NL80211_BAND_60GHZ + 1);
2499 		     band++) {
2500 			struct ieee80211_supported_band *sband;
2501 
2502 			/* omit higher bands for ancient software */
2503 			if (band > NL80211_BAND_5GHZ && !state->split)
2504 				break;
2505 
2506 			sband = rdev->wiphy.bands[band];
2507 
2508 			if (!sband)
2509 				continue;
2510 
2511 			nl_band = nla_nest_start_noflag(msg, band);
2512 			if (!nl_band)
2513 				goto nla_put_failure;
2514 
2515 			switch (state->chan_start) {
2516 			case 0:
2517 				if (nl80211_send_band_rateinfo(msg, sband,
2518 							       state->split))
2519 					goto nla_put_failure;
2520 				state->chan_start++;
2521 				if (state->split)
2522 					break;
2523 				fallthrough;
2524 			default:
2525 				/* add frequencies */
2526 				nl_freqs = nla_nest_start_noflag(msg,
2527 								 NL80211_BAND_ATTR_FREQS);
2528 				if (!nl_freqs)
2529 					goto nla_put_failure;
2530 
2531 				for (i = state->chan_start - 1;
2532 				     i < sband->n_channels;
2533 				     i++) {
2534 					nl_freq = nla_nest_start_noflag(msg,
2535 									i);
2536 					if (!nl_freq)
2537 						goto nla_put_failure;
2538 
2539 					chan = &sband->channels[i];
2540 
2541 					if (nl80211_msg_put_channel(
2542 							msg, &rdev->wiphy, chan,
2543 							state->split))
2544 						goto nla_put_failure;
2545 
2546 					nla_nest_end(msg, nl_freq);
2547 					if (state->split)
2548 						break;
2549 				}
2550 				if (i < sband->n_channels)
2551 					state->chan_start = i + 2;
2552 				else
2553 					state->chan_start = 0;
2554 				nla_nest_end(msg, nl_freqs);
2555 			}
2556 
2557 			nla_nest_end(msg, nl_band);
2558 
2559 			if (state->split) {
2560 				/* start again here */
2561 				if (state->chan_start)
2562 					band--;
2563 				break;
2564 			}
2565 		}
2566 		nla_nest_end(msg, nl_bands);
2567 
2568 		if (band < NUM_NL80211_BANDS)
2569 			state->band_start = band + 1;
2570 		else
2571 			state->band_start = 0;
2572 
2573 		/* if bands & channels are done, continue outside */
2574 		if (state->band_start == 0 && state->chan_start == 0)
2575 			state->split_start++;
2576 		if (state->split)
2577 			break;
2578 		fallthrough;
2579 	case 4:
2580 		nl_cmds = nla_nest_start_noflag(msg,
2581 						NL80211_ATTR_SUPPORTED_COMMANDS);
2582 		if (!nl_cmds)
2583 			goto nla_put_failure;
2584 
2585 		i = nl80211_add_commands_unsplit(rdev, msg);
2586 		if (i < 0)
2587 			goto nla_put_failure;
2588 		if (state->split) {
2589 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2590 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2591 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2592 				CMD(channel_switch, CHANNEL_SWITCH);
2593 			CMD(set_qos_map, SET_QOS_MAP);
2594 			if (rdev->wiphy.features &
2595 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2596 				CMD(add_tx_ts, ADD_TX_TS);
2597 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2598 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2599 			CMD(update_ft_ies, UPDATE_FT_IES);
2600 			if (rdev->wiphy.sar_capa)
2601 				CMD(set_sar_specs, SET_SAR_SPECS);
2602 		}
2603 #undef CMD
2604 
2605 		nla_nest_end(msg, nl_cmds);
2606 		state->split_start++;
2607 		if (state->split)
2608 			break;
2609 		fallthrough;
2610 	case 5:
2611 		if (rdev->ops->remain_on_channel &&
2612 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2613 		    nla_put_u32(msg,
2614 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2615 				rdev->wiphy.max_remain_on_channel_duration))
2616 			goto nla_put_failure;
2617 
2618 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2619 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2620 			goto nla_put_failure;
2621 
2622 		state->split_start++;
2623 		if (state->split)
2624 			break;
2625 		fallthrough;
2626 	case 6:
2627 #ifdef CONFIG_PM
2628 		if (nl80211_send_wowlan(msg, rdev, state->split))
2629 			goto nla_put_failure;
2630 		state->split_start++;
2631 		if (state->split)
2632 			break;
2633 #else
2634 		state->split_start++;
2635 #endif
2636 		fallthrough;
2637 	case 7:
2638 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2639 					rdev->wiphy.software_iftypes))
2640 			goto nla_put_failure;
2641 
2642 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2643 						   state->split))
2644 			goto nla_put_failure;
2645 
2646 		state->split_start++;
2647 		if (state->split)
2648 			break;
2649 		fallthrough;
2650 	case 8:
2651 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2652 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2653 				rdev->wiphy.ap_sme_capa))
2654 			goto nla_put_failure;
2655 
2656 		features = rdev->wiphy.features;
2657 		/*
2658 		 * We can only add the per-channel limit information if the
2659 		 * dump is split, otherwise it makes it too big. Therefore
2660 		 * only advertise it in that case.
2661 		 */
2662 		if (state->split)
2663 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2664 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2665 			goto nla_put_failure;
2666 
2667 		if (rdev->wiphy.ht_capa_mod_mask &&
2668 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2669 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2670 			    rdev->wiphy.ht_capa_mod_mask))
2671 			goto nla_put_failure;
2672 
2673 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2674 		    rdev->wiphy.max_acl_mac_addrs &&
2675 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2676 				rdev->wiphy.max_acl_mac_addrs))
2677 			goto nla_put_failure;
2678 
2679 		/*
2680 		 * Any information below this point is only available to
2681 		 * applications that can deal with it being split. This
2682 		 * helps ensure that newly added capabilities don't break
2683 		 * older tools by overrunning their buffers.
2684 		 *
2685 		 * We still increment split_start so that in the split
2686 		 * case we'll continue with more data in the next round,
2687 		 * but break unconditionally so unsplit data stops here.
2688 		 */
2689 		if (state->split)
2690 			state->split_start++;
2691 		else
2692 			state->split_start = 0;
2693 		break;
2694 	case 9:
2695 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2696 			goto nla_put_failure;
2697 
2698 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2699 				rdev->wiphy.max_sched_scan_plans) ||
2700 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2701 				rdev->wiphy.max_sched_scan_plan_interval) ||
2702 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2703 				rdev->wiphy.max_sched_scan_plan_iterations))
2704 			goto nla_put_failure;
2705 
2706 		if (rdev->wiphy.extended_capabilities &&
2707 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2708 			     rdev->wiphy.extended_capabilities_len,
2709 			     rdev->wiphy.extended_capabilities) ||
2710 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2711 			     rdev->wiphy.extended_capabilities_len,
2712 			     rdev->wiphy.extended_capabilities_mask)))
2713 			goto nla_put_failure;
2714 
2715 		if (rdev->wiphy.vht_capa_mod_mask &&
2716 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2717 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2718 			    rdev->wiphy.vht_capa_mod_mask))
2719 			goto nla_put_failure;
2720 
2721 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2722 			    rdev->wiphy.perm_addr))
2723 			goto nla_put_failure;
2724 
2725 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2726 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2727 			    rdev->wiphy.addr_mask))
2728 			goto nla_put_failure;
2729 
2730 		if (rdev->wiphy.n_addresses > 1) {
2731 			void *attr;
2732 
2733 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2734 			if (!attr)
2735 				goto nla_put_failure;
2736 
2737 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2738 				if (nla_put(msg, i + 1, ETH_ALEN,
2739 					    rdev->wiphy.addresses[i].addr))
2740 					goto nla_put_failure;
2741 
2742 			nla_nest_end(msg, attr);
2743 		}
2744 
2745 		state->split_start++;
2746 		break;
2747 	case 10:
2748 		if (nl80211_send_coalesce(msg, rdev))
2749 			goto nla_put_failure;
2750 
2751 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2752 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2753 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2754 			goto nla_put_failure;
2755 
2756 		if (rdev->wiphy.max_ap_assoc_sta &&
2757 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2758 				rdev->wiphy.max_ap_assoc_sta))
2759 			goto nla_put_failure;
2760 
2761 		state->split_start++;
2762 		break;
2763 	case 11:
2764 		if (rdev->wiphy.n_vendor_commands) {
2765 			const struct nl80211_vendor_cmd_info *info;
2766 			struct nlattr *nested;
2767 
2768 			nested = nla_nest_start_noflag(msg,
2769 						       NL80211_ATTR_VENDOR_DATA);
2770 			if (!nested)
2771 				goto nla_put_failure;
2772 
2773 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2774 				info = &rdev->wiphy.vendor_commands[i].info;
2775 				if (nla_put(msg, i + 1, sizeof(*info), info))
2776 					goto nla_put_failure;
2777 			}
2778 			nla_nest_end(msg, nested);
2779 		}
2780 
2781 		if (rdev->wiphy.n_vendor_events) {
2782 			const struct nl80211_vendor_cmd_info *info;
2783 			struct nlattr *nested;
2784 
2785 			nested = nla_nest_start_noflag(msg,
2786 						       NL80211_ATTR_VENDOR_EVENTS);
2787 			if (!nested)
2788 				goto nla_put_failure;
2789 
2790 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2791 				info = &rdev->wiphy.vendor_events[i];
2792 				if (nla_put(msg, i + 1, sizeof(*info), info))
2793 					goto nla_put_failure;
2794 			}
2795 			nla_nest_end(msg, nested);
2796 		}
2797 		state->split_start++;
2798 		break;
2799 	case 12:
2800 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2801 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2802 			       rdev->wiphy.max_num_csa_counters))
2803 			goto nla_put_failure;
2804 
2805 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2806 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2807 			goto nla_put_failure;
2808 
2809 		if (rdev->wiphy.max_sched_scan_reqs &&
2810 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2811 				rdev->wiphy.max_sched_scan_reqs))
2812 			goto nla_put_failure;
2813 
2814 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2815 			    sizeof(rdev->wiphy.ext_features),
2816 			    rdev->wiphy.ext_features))
2817 			goto nla_put_failure;
2818 
2819 		if (rdev->wiphy.bss_select_support) {
2820 			struct nlattr *nested;
2821 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2822 
2823 			nested = nla_nest_start_noflag(msg,
2824 						       NL80211_ATTR_BSS_SELECT);
2825 			if (!nested)
2826 				goto nla_put_failure;
2827 
2828 			i = 0;
2829 			while (bss_select_support) {
2830 				if ((bss_select_support & 1) &&
2831 				    nla_put_flag(msg, i))
2832 					goto nla_put_failure;
2833 				i++;
2834 				bss_select_support >>= 1;
2835 			}
2836 			nla_nest_end(msg, nested);
2837 		}
2838 
2839 		state->split_start++;
2840 		break;
2841 	case 13:
2842 		if (rdev->wiphy.num_iftype_ext_capab &&
2843 		    rdev->wiphy.iftype_ext_capab) {
2844 			struct nlattr *nested_ext_capab, *nested;
2845 
2846 			nested = nla_nest_start_noflag(msg,
2847 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2848 			if (!nested)
2849 				goto nla_put_failure;
2850 
2851 			for (i = state->capa_start;
2852 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2853 				const struct wiphy_iftype_ext_capab *capab;
2854 
2855 				capab = &rdev->wiphy.iftype_ext_capab[i];
2856 
2857 				nested_ext_capab = nla_nest_start_noflag(msg,
2858 									 i);
2859 				if (!nested_ext_capab ||
2860 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2861 						capab->iftype) ||
2862 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2863 					    capab->extended_capabilities_len,
2864 					    capab->extended_capabilities) ||
2865 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2866 					    capab->extended_capabilities_len,
2867 					    capab->extended_capabilities_mask))
2868 					goto nla_put_failure;
2869 
2870 				nla_nest_end(msg, nested_ext_capab);
2871 				if (state->split)
2872 					break;
2873 			}
2874 			nla_nest_end(msg, nested);
2875 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2876 				state->capa_start = i + 1;
2877 				break;
2878 			}
2879 		}
2880 
2881 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2882 				rdev->wiphy.nan_supported_bands))
2883 			goto nla_put_failure;
2884 
2885 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2886 					    NL80211_EXT_FEATURE_TXQS)) {
2887 			struct cfg80211_txq_stats txqstats = {};
2888 			int res;
2889 
2890 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2891 			if (!res &&
2892 			    !nl80211_put_txq_stats(msg, &txqstats,
2893 						   NL80211_ATTR_TXQ_STATS))
2894 				goto nla_put_failure;
2895 
2896 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2897 					rdev->wiphy.txq_limit))
2898 				goto nla_put_failure;
2899 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2900 					rdev->wiphy.txq_memory_limit))
2901 				goto nla_put_failure;
2902 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2903 					rdev->wiphy.txq_quantum))
2904 				goto nla_put_failure;
2905 		}
2906 
2907 		state->split_start++;
2908 		break;
2909 	case 14:
2910 		if (nl80211_send_pmsr_capa(rdev, msg))
2911 			goto nla_put_failure;
2912 
2913 		state->split_start++;
2914 		break;
2915 	case 15:
2916 		if (rdev->wiphy.akm_suites &&
2917 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2918 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2919 			    rdev->wiphy.akm_suites))
2920 			goto nla_put_failure;
2921 
2922 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2923 			goto nla_put_failure;
2924 
2925 		if (nl80211_put_tid_config_support(rdev, msg))
2926 			goto nla_put_failure;
2927 		state->split_start++;
2928 		break;
2929 	case 16:
2930 		if (nl80211_put_sar_specs(rdev, msg))
2931 			goto nla_put_failure;
2932 
2933 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2934 			goto nla_put_failure;
2935 
2936 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2937 				rdev->wiphy.max_num_akm_suites))
2938 			goto nla_put_failure;
2939 
2940 		/* done */
2941 		state->split_start = 0;
2942 		break;
2943 	}
2944  finish:
2945 	genlmsg_end(msg, hdr);
2946 	return 0;
2947 
2948  nla_put_failure:
2949 	genlmsg_cancel(msg, hdr);
2950 	return -EMSGSIZE;
2951 }
2952 
2953 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2954 				    struct netlink_callback *cb,
2955 				    struct nl80211_dump_wiphy_state *state)
2956 {
2957 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2958 	int ret;
2959 
2960 	if (!tb)
2961 		return -ENOMEM;
2962 
2963 	ret = nlmsg_parse_deprecated(cb->nlh,
2964 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2965 				     tb, nl80211_fam.maxattr,
2966 				     nl80211_policy, NULL);
2967 	/* ignore parse errors for backward compatibility */
2968 	if (ret) {
2969 		ret = 0;
2970 		goto out;
2971 	}
2972 
2973 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2974 	if (tb[NL80211_ATTR_WIPHY])
2975 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2976 	if (tb[NL80211_ATTR_WDEV])
2977 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2978 	if (tb[NL80211_ATTR_IFINDEX]) {
2979 		struct net_device *netdev;
2980 		struct cfg80211_registered_device *rdev;
2981 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2982 
2983 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2984 		if (!netdev) {
2985 			ret = -ENODEV;
2986 			goto out;
2987 		}
2988 		if (netdev->ieee80211_ptr) {
2989 			rdev = wiphy_to_rdev(
2990 				netdev->ieee80211_ptr->wiphy);
2991 			state->filter_wiphy = rdev->wiphy_idx;
2992 		}
2993 	}
2994 
2995 	ret = 0;
2996 out:
2997 	kfree(tb);
2998 	return ret;
2999 }
3000 
3001 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3002 {
3003 	int idx = 0, ret;
3004 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3005 	struct cfg80211_registered_device *rdev;
3006 
3007 	rtnl_lock();
3008 	if (!state) {
3009 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3010 		if (!state) {
3011 			rtnl_unlock();
3012 			return -ENOMEM;
3013 		}
3014 		state->filter_wiphy = -1;
3015 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3016 		if (ret) {
3017 			kfree(state);
3018 			rtnl_unlock();
3019 			return ret;
3020 		}
3021 		cb->args[0] = (long)state;
3022 	}
3023 
3024 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3025 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3026 			continue;
3027 		if (++idx <= state->start)
3028 			continue;
3029 		if (state->filter_wiphy != -1 &&
3030 		    state->filter_wiphy != rdev->wiphy_idx)
3031 			continue;
3032 		/* attempt to fit multiple wiphy data chunks into the skb */
3033 		do {
3034 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3035 						 skb,
3036 						 NETLINK_CB(cb->skb).portid,
3037 						 cb->nlh->nlmsg_seq,
3038 						 NLM_F_MULTI, state);
3039 			if (ret < 0) {
3040 				/*
3041 				 * If sending the wiphy data didn't fit (ENOBUFS
3042 				 * or EMSGSIZE returned), this SKB is still
3043 				 * empty (so it's not too big because another
3044 				 * wiphy dataset is already in the skb) and
3045 				 * we've not tried to adjust the dump allocation
3046 				 * yet ... then adjust the alloc size to be
3047 				 * bigger, and return 1 but with the empty skb.
3048 				 * This results in an empty message being RX'ed
3049 				 * in userspace, but that is ignored.
3050 				 *
3051 				 * We can then retry with the larger buffer.
3052 				 */
3053 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3054 				    !skb->len && !state->split &&
3055 				    cb->min_dump_alloc < 4096) {
3056 					cb->min_dump_alloc = 4096;
3057 					state->split_start = 0;
3058 					rtnl_unlock();
3059 					return 1;
3060 				}
3061 				idx--;
3062 				break;
3063 			}
3064 		} while (state->split_start > 0);
3065 		break;
3066 	}
3067 	rtnl_unlock();
3068 
3069 	state->start = idx;
3070 
3071 	return skb->len;
3072 }
3073 
3074 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3075 {
3076 	kfree((void *)cb->args[0]);
3077 	return 0;
3078 }
3079 
3080 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3081 {
3082 	struct sk_buff *msg;
3083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3084 	struct nl80211_dump_wiphy_state state = {};
3085 
3086 	msg = nlmsg_new(4096, GFP_KERNEL);
3087 	if (!msg)
3088 		return -ENOMEM;
3089 
3090 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3091 			       info->snd_portid, info->snd_seq, 0,
3092 			       &state) < 0) {
3093 		nlmsg_free(msg);
3094 		return -ENOBUFS;
3095 	}
3096 
3097 	return genlmsg_reply(msg, info);
3098 }
3099 
3100 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3101 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3102 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3103 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3104 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3105 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3106 };
3107 
3108 static int parse_txq_params(struct nlattr *tb[],
3109 			    struct ieee80211_txq_params *txq_params)
3110 {
3111 	u8 ac;
3112 
3113 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3114 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3115 	    !tb[NL80211_TXQ_ATTR_AIFS])
3116 		return -EINVAL;
3117 
3118 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3119 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3120 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3121 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3122 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3123 
3124 	if (ac >= NL80211_NUM_ACS)
3125 		return -EINVAL;
3126 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3127 	return 0;
3128 }
3129 
3130 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3131 {
3132 	/*
3133 	 * You can only set the channel explicitly for some interfaces,
3134 	 * most have their channel managed via their respective
3135 	 * "establish a connection" command (connect, join, ...)
3136 	 *
3137 	 * For AP/GO and mesh mode, the channel can be set with the
3138 	 * channel userspace API, but is only stored and passed to the
3139 	 * low-level driver when the AP starts or the mesh is joined.
3140 	 * This is for backward compatibility, userspace can also give
3141 	 * the channel in the start-ap or join-mesh commands instead.
3142 	 *
3143 	 * Monitors are special as they are normally slaved to
3144 	 * whatever else is going on, so they have their own special
3145 	 * operation to set the monitor channel if possible.
3146 	 */
3147 	return !wdev ||
3148 		wdev->iftype == NL80211_IFTYPE_AP ||
3149 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3150 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3151 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3152 }
3153 
3154 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3155 			  struct genl_info *info,
3156 			  struct cfg80211_chan_def *chandef)
3157 {
3158 	struct netlink_ext_ack *extack = info->extack;
3159 	struct nlattr **attrs = info->attrs;
3160 	u32 control_freq;
3161 
3162 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3163 		return -EINVAL;
3164 
3165 	control_freq = MHZ_TO_KHZ(
3166 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3167 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3168 		control_freq +=
3169 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3170 
3171 	memset(chandef, 0, sizeof(*chandef));
3172 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3173 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3174 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3175 	chandef->freq1_offset = control_freq % 1000;
3176 	chandef->center_freq2 = 0;
3177 
3178 	/* Primary channel not allowed */
3179 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3180 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3181 				    "Channel is disabled");
3182 		return -EINVAL;
3183 	}
3184 
3185 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3186 		enum nl80211_channel_type chantype;
3187 
3188 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3189 
3190 		switch (chantype) {
3191 		case NL80211_CHAN_NO_HT:
3192 		case NL80211_CHAN_HT20:
3193 		case NL80211_CHAN_HT40PLUS:
3194 		case NL80211_CHAN_HT40MINUS:
3195 			cfg80211_chandef_create(chandef, chandef->chan,
3196 						chantype);
3197 			/* user input for center_freq is incorrect */
3198 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3199 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3200 				NL_SET_ERR_MSG_ATTR(extack,
3201 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3202 						    "bad center frequency 1");
3203 				return -EINVAL;
3204 			}
3205 			/* center_freq2 must be zero */
3206 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3207 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3208 				NL_SET_ERR_MSG_ATTR(extack,
3209 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3210 						    "center frequency 2 can't be used");
3211 				return -EINVAL;
3212 			}
3213 			break;
3214 		default:
3215 			NL_SET_ERR_MSG_ATTR(extack,
3216 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3217 					    "invalid channel type");
3218 			return -EINVAL;
3219 		}
3220 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3221 		chandef->width =
3222 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3223 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3224 			/* User input error for channel width doesn't match channel  */
3225 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3226 				NL_SET_ERR_MSG_ATTR(extack,
3227 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3228 						    "bad channel width");
3229 				return -EINVAL;
3230 			}
3231 		}
3232 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3233 			chandef->center_freq1 =
3234 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3235 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3236 				chandef->freq1_offset = nla_get_u32(
3237 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3238 			else
3239 				chandef->freq1_offset = 0;
3240 		}
3241 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3242 			chandef->center_freq2 =
3243 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3244 	}
3245 
3246 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3247 		chandef->edmg.channels =
3248 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3249 
3250 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3251 			chandef->edmg.bw_config =
3252 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3253 	} else {
3254 		chandef->edmg.bw_config = 0;
3255 		chandef->edmg.channels = 0;
3256 	}
3257 
3258 	if (!cfg80211_chandef_valid(chandef)) {
3259 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3260 		return -EINVAL;
3261 	}
3262 
3263 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3264 				     IEEE80211_CHAN_DISABLED)) {
3265 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3266 		return -EINVAL;
3267 	}
3268 
3269 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3270 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3271 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3272 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3273 		return -EINVAL;
3274 	}
3275 
3276 	return 0;
3277 }
3278 
3279 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3280 				 struct net_device *dev,
3281 				 struct genl_info *info,
3282 				 int _link_id)
3283 {
3284 	struct cfg80211_chan_def chandef;
3285 	int result;
3286 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3287 	struct wireless_dev *wdev = NULL;
3288 	int link_id = _link_id;
3289 
3290 	if (dev)
3291 		wdev = dev->ieee80211_ptr;
3292 	if (!nl80211_can_set_dev_channel(wdev))
3293 		return -EOPNOTSUPP;
3294 	if (wdev)
3295 		iftype = wdev->iftype;
3296 
3297 	if (link_id < 0) {
3298 		if (wdev && wdev->valid_links)
3299 			return -EINVAL;
3300 		link_id = 0;
3301 	}
3302 
3303 	result = nl80211_parse_chandef(rdev, info, &chandef);
3304 	if (result)
3305 		return result;
3306 
3307 	switch (iftype) {
3308 	case NL80211_IFTYPE_AP:
3309 	case NL80211_IFTYPE_P2P_GO:
3310 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3311 						   iftype))
3312 			return -EINVAL;
3313 		if (wdev->links[link_id].ap.beacon_interval) {
3314 			struct ieee80211_channel *cur_chan;
3315 
3316 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3317 			    !(rdev->wiphy.features &
3318 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3319 				return -EBUSY;
3320 
3321 			/* Only allow dynamic channel width changes */
3322 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3323 			if (chandef.chan != cur_chan)
3324 				return -EBUSY;
3325 
3326 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3327 						       &chandef);
3328 			if (result)
3329 				return result;
3330 			wdev->links[link_id].ap.chandef = chandef;
3331 		} else {
3332 			wdev->u.ap.preset_chandef = chandef;
3333 		}
3334 		return 0;
3335 	case NL80211_IFTYPE_MESH_POINT:
3336 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3337 	case NL80211_IFTYPE_MONITOR:
3338 		return cfg80211_set_monitor_channel(rdev, &chandef);
3339 	default:
3340 		break;
3341 	}
3342 
3343 	return -EINVAL;
3344 }
3345 
3346 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3347 {
3348 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3349 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3350 	struct net_device *netdev = info->user_ptr[1];
3351 
3352 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3353 }
3354 
3355 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3356 {
3357 	struct cfg80211_registered_device *rdev = NULL;
3358 	struct net_device *netdev = NULL;
3359 	struct wireless_dev *wdev;
3360 	int result = 0, rem_txq_params = 0;
3361 	struct nlattr *nl_txq_params;
3362 	u32 changed;
3363 	u8 retry_short = 0, retry_long = 0;
3364 	u32 frag_threshold = 0, rts_threshold = 0;
3365 	u8 coverage_class = 0;
3366 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3367 
3368 	rtnl_lock();
3369 	/*
3370 	 * Try to find the wiphy and netdev. Normally this
3371 	 * function shouldn't need the netdev, but this is
3372 	 * done for backward compatibility -- previously
3373 	 * setting the channel was done per wiphy, but now
3374 	 * it is per netdev. Previous userland like hostapd
3375 	 * also passed a netdev to set_wiphy, so that it is
3376 	 * possible to let that go to the right netdev!
3377 	 */
3378 
3379 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3380 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3381 
3382 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3383 		if (netdev && netdev->ieee80211_ptr)
3384 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3385 		else
3386 			netdev = NULL;
3387 	}
3388 
3389 	if (!netdev) {
3390 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3391 						  info->attrs);
3392 		if (IS_ERR(rdev)) {
3393 			rtnl_unlock();
3394 			return PTR_ERR(rdev);
3395 		}
3396 		wdev = NULL;
3397 		netdev = NULL;
3398 		result = 0;
3399 	} else
3400 		wdev = netdev->ieee80211_ptr;
3401 
3402 	wiphy_lock(&rdev->wiphy);
3403 
3404 	/*
3405 	 * end workaround code, by now the rdev is available
3406 	 * and locked, and wdev may or may not be NULL.
3407 	 */
3408 
3409 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3410 		result = cfg80211_dev_rename(
3411 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3412 	rtnl_unlock();
3413 
3414 	if (result)
3415 		goto out;
3416 
3417 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3418 		struct ieee80211_txq_params txq_params;
3419 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3420 
3421 		if (!rdev->ops->set_txq_params) {
3422 			result = -EOPNOTSUPP;
3423 			goto out;
3424 		}
3425 
3426 		if (!netdev) {
3427 			result = -EINVAL;
3428 			goto out;
3429 		}
3430 
3431 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3432 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3433 			result = -EINVAL;
3434 			goto out;
3435 		}
3436 
3437 		if (!netif_running(netdev)) {
3438 			result = -ENETDOWN;
3439 			goto out;
3440 		}
3441 
3442 		nla_for_each_nested(nl_txq_params,
3443 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3444 				    rem_txq_params) {
3445 			result = nla_parse_nested_deprecated(tb,
3446 							     NL80211_TXQ_ATTR_MAX,
3447 							     nl_txq_params,
3448 							     txq_params_policy,
3449 							     info->extack);
3450 			if (result)
3451 				goto out;
3452 			result = parse_txq_params(tb, &txq_params);
3453 			if (result)
3454 				goto out;
3455 
3456 			result = rdev_set_txq_params(rdev, netdev,
3457 						     &txq_params);
3458 			if (result)
3459 				goto out;
3460 		}
3461 	}
3462 
3463 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3464 		result = __nl80211_set_channel(
3465 			rdev,
3466 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3467 			info, -1);
3468 		if (result)
3469 			goto out;
3470 	}
3471 
3472 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3473 		struct wireless_dev *txp_wdev = wdev;
3474 		enum nl80211_tx_power_setting type;
3475 		int idx, mbm = 0;
3476 
3477 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3478 			txp_wdev = NULL;
3479 
3480 		if (!rdev->ops->set_tx_power) {
3481 			result = -EOPNOTSUPP;
3482 			goto out;
3483 		}
3484 
3485 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3486 		type = nla_get_u32(info->attrs[idx]);
3487 
3488 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3489 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3490 			result = -EINVAL;
3491 			goto out;
3492 		}
3493 
3494 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3495 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3496 			mbm = nla_get_u32(info->attrs[idx]);
3497 		}
3498 
3499 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3500 		if (result)
3501 			goto out;
3502 	}
3503 
3504 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3505 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3506 		u32 tx_ant, rx_ant;
3507 
3508 		if ((!rdev->wiphy.available_antennas_tx &&
3509 		     !rdev->wiphy.available_antennas_rx) ||
3510 		    !rdev->ops->set_antenna) {
3511 			result = -EOPNOTSUPP;
3512 			goto out;
3513 		}
3514 
3515 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3516 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3517 
3518 		/* reject antenna configurations which don't match the
3519 		 * available antenna masks, except for the "all" mask */
3520 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3521 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3522 			result = -EINVAL;
3523 			goto out;
3524 		}
3525 
3526 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3527 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3528 
3529 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3530 		if (result)
3531 			goto out;
3532 	}
3533 
3534 	changed = 0;
3535 
3536 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3537 		retry_short = nla_get_u8(
3538 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3539 
3540 		changed |= WIPHY_PARAM_RETRY_SHORT;
3541 	}
3542 
3543 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3544 		retry_long = nla_get_u8(
3545 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3546 
3547 		changed |= WIPHY_PARAM_RETRY_LONG;
3548 	}
3549 
3550 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3551 		frag_threshold = nla_get_u32(
3552 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3553 		if (frag_threshold < 256) {
3554 			result = -EINVAL;
3555 			goto out;
3556 		}
3557 
3558 		if (frag_threshold != (u32) -1) {
3559 			/*
3560 			 * Fragments (apart from the last one) are required to
3561 			 * have even length. Make the fragmentation code
3562 			 * simpler by stripping LSB should someone try to use
3563 			 * odd threshold value.
3564 			 */
3565 			frag_threshold &= ~0x1;
3566 		}
3567 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3568 	}
3569 
3570 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3571 		rts_threshold = nla_get_u32(
3572 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3573 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3574 	}
3575 
3576 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3577 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3578 			result = -EINVAL;
3579 			goto out;
3580 		}
3581 
3582 		coverage_class = nla_get_u8(
3583 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3584 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3585 	}
3586 
3587 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3588 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3589 			result = -EOPNOTSUPP;
3590 			goto out;
3591 		}
3592 
3593 		changed |= WIPHY_PARAM_DYN_ACK;
3594 	}
3595 
3596 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3597 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3598 					     NL80211_EXT_FEATURE_TXQS)) {
3599 			result = -EOPNOTSUPP;
3600 			goto out;
3601 		}
3602 		txq_limit = nla_get_u32(
3603 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3604 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3605 	}
3606 
3607 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3608 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3609 					     NL80211_EXT_FEATURE_TXQS)) {
3610 			result = -EOPNOTSUPP;
3611 			goto out;
3612 		}
3613 		txq_memory_limit = nla_get_u32(
3614 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3615 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3616 	}
3617 
3618 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3619 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3620 					     NL80211_EXT_FEATURE_TXQS)) {
3621 			result = -EOPNOTSUPP;
3622 			goto out;
3623 		}
3624 		txq_quantum = nla_get_u32(
3625 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3626 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3627 	}
3628 
3629 	if (changed) {
3630 		u8 old_retry_short, old_retry_long;
3631 		u32 old_frag_threshold, old_rts_threshold;
3632 		u8 old_coverage_class;
3633 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3634 
3635 		if (!rdev->ops->set_wiphy_params) {
3636 			result = -EOPNOTSUPP;
3637 			goto out;
3638 		}
3639 
3640 		old_retry_short = rdev->wiphy.retry_short;
3641 		old_retry_long = rdev->wiphy.retry_long;
3642 		old_frag_threshold = rdev->wiphy.frag_threshold;
3643 		old_rts_threshold = rdev->wiphy.rts_threshold;
3644 		old_coverage_class = rdev->wiphy.coverage_class;
3645 		old_txq_limit = rdev->wiphy.txq_limit;
3646 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3647 		old_txq_quantum = rdev->wiphy.txq_quantum;
3648 
3649 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3650 			rdev->wiphy.retry_short = retry_short;
3651 		if (changed & WIPHY_PARAM_RETRY_LONG)
3652 			rdev->wiphy.retry_long = retry_long;
3653 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3654 			rdev->wiphy.frag_threshold = frag_threshold;
3655 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3656 			rdev->wiphy.rts_threshold = rts_threshold;
3657 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3658 			rdev->wiphy.coverage_class = coverage_class;
3659 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3660 			rdev->wiphy.txq_limit = txq_limit;
3661 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3662 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3663 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3664 			rdev->wiphy.txq_quantum = txq_quantum;
3665 
3666 		result = rdev_set_wiphy_params(rdev, changed);
3667 		if (result) {
3668 			rdev->wiphy.retry_short = old_retry_short;
3669 			rdev->wiphy.retry_long = old_retry_long;
3670 			rdev->wiphy.frag_threshold = old_frag_threshold;
3671 			rdev->wiphy.rts_threshold = old_rts_threshold;
3672 			rdev->wiphy.coverage_class = old_coverage_class;
3673 			rdev->wiphy.txq_limit = old_txq_limit;
3674 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3675 			rdev->wiphy.txq_quantum = old_txq_quantum;
3676 			goto out;
3677 		}
3678 	}
3679 
3680 	result = 0;
3681 
3682 out:
3683 	wiphy_unlock(&rdev->wiphy);
3684 	return result;
3685 }
3686 
3687 static int nl80211_send_chandef(struct sk_buff *msg,
3688 				const struct cfg80211_chan_def *chandef)
3689 {
3690 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3691 		return -EINVAL;
3692 
3693 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3694 			chandef->chan->center_freq))
3695 		return -ENOBUFS;
3696 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3697 			chandef->chan->freq_offset))
3698 		return -ENOBUFS;
3699 	switch (chandef->width) {
3700 	case NL80211_CHAN_WIDTH_20_NOHT:
3701 	case NL80211_CHAN_WIDTH_20:
3702 	case NL80211_CHAN_WIDTH_40:
3703 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3704 				cfg80211_get_chandef_type(chandef)))
3705 			return -ENOBUFS;
3706 		break;
3707 	default:
3708 		break;
3709 	}
3710 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3711 		return -ENOBUFS;
3712 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3713 		return -ENOBUFS;
3714 	if (chandef->center_freq2 &&
3715 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3716 		return -ENOBUFS;
3717 	return 0;
3718 }
3719 
3720 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3721 			      struct cfg80211_registered_device *rdev,
3722 			      struct wireless_dev *wdev,
3723 			      enum nl80211_commands cmd)
3724 {
3725 	struct net_device *dev = wdev->netdev;
3726 	void *hdr;
3727 
3728 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3729 		cmd != NL80211_CMD_DEL_INTERFACE &&
3730 		cmd != NL80211_CMD_SET_INTERFACE);
3731 
3732 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3733 	if (!hdr)
3734 		return -1;
3735 
3736 	if (dev &&
3737 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3738 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3739 		goto nla_put_failure;
3740 
3741 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3742 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3743 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3744 			      NL80211_ATTR_PAD) ||
3745 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3746 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3747 			rdev->devlist_generation ^
3748 			(cfg80211_rdev_list_generation << 2)) ||
3749 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3750 		goto nla_put_failure;
3751 
3752 	if (rdev->ops->get_channel && !wdev->valid_links) {
3753 		struct cfg80211_chan_def chandef = {};
3754 		int ret;
3755 
3756 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3757 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3758 			goto nla_put_failure;
3759 	}
3760 
3761 	if (rdev->ops->get_tx_power) {
3762 		int dbm, ret;
3763 
3764 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3765 		if (ret == 0 &&
3766 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3767 				DBM_TO_MBM(dbm)))
3768 			goto nla_put_failure;
3769 	}
3770 
3771 	wdev_lock(wdev);
3772 	switch (wdev->iftype) {
3773 	case NL80211_IFTYPE_AP:
3774 	case NL80211_IFTYPE_P2P_GO:
3775 		if (wdev->u.ap.ssid_len &&
3776 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3777 			    wdev->u.ap.ssid))
3778 			goto nla_put_failure_locked;
3779 		break;
3780 	case NL80211_IFTYPE_STATION:
3781 	case NL80211_IFTYPE_P2P_CLIENT:
3782 		if (wdev->u.client.ssid_len &&
3783 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3784 			    wdev->u.client.ssid))
3785 			goto nla_put_failure_locked;
3786 		break;
3787 	case NL80211_IFTYPE_ADHOC:
3788 		if (wdev->u.ibss.ssid_len &&
3789 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3790 			    wdev->u.ibss.ssid))
3791 			goto nla_put_failure_locked;
3792 		break;
3793 	default:
3794 		/* nothing */
3795 		break;
3796 	}
3797 	wdev_unlock(wdev);
3798 
3799 	if (rdev->ops->get_txq_stats) {
3800 		struct cfg80211_txq_stats txqstats = {};
3801 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3802 
3803 		if (ret == 0 &&
3804 		    !nl80211_put_txq_stats(msg, &txqstats,
3805 					   NL80211_ATTR_TXQ_STATS))
3806 			goto nla_put_failure;
3807 	}
3808 
3809 	if (wdev->valid_links) {
3810 		unsigned int link_id;
3811 		struct nlattr *links = nla_nest_start(msg,
3812 						      NL80211_ATTR_MLO_LINKS);
3813 
3814 		if (!links)
3815 			goto nla_put_failure;
3816 
3817 		for_each_valid_link(wdev, link_id) {
3818 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3819 
3820 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3821 				goto nla_put_failure;
3822 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3823 				    wdev->links[link_id].addr))
3824 				goto nla_put_failure;
3825 			nla_nest_end(msg, link);
3826 		}
3827 
3828 		nla_nest_end(msg, links);
3829 	}
3830 
3831 	genlmsg_end(msg, hdr);
3832 	return 0;
3833 
3834  nla_put_failure_locked:
3835 	wdev_unlock(wdev);
3836  nla_put_failure:
3837 	genlmsg_cancel(msg, hdr);
3838 	return -EMSGSIZE;
3839 }
3840 
3841 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3842 {
3843 	int wp_idx = 0;
3844 	int if_idx = 0;
3845 	int wp_start = cb->args[0];
3846 	int if_start = cb->args[1];
3847 	int filter_wiphy = -1;
3848 	struct cfg80211_registered_device *rdev;
3849 	struct wireless_dev *wdev;
3850 	int ret;
3851 
3852 	rtnl_lock();
3853 	if (!cb->args[2]) {
3854 		struct nl80211_dump_wiphy_state state = {
3855 			.filter_wiphy = -1,
3856 		};
3857 
3858 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3859 		if (ret)
3860 			goto out_unlock;
3861 
3862 		filter_wiphy = state.filter_wiphy;
3863 
3864 		/*
3865 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3866 		 * value needed to determine that parsing is necessary.
3867 		 */
3868 		if (filter_wiphy >= 0)
3869 			cb->args[2] = filter_wiphy + 1;
3870 		else
3871 			cb->args[2] = -1;
3872 	} else if (cb->args[2] > 0) {
3873 		filter_wiphy = cb->args[2] - 1;
3874 	}
3875 
3876 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3877 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3878 			continue;
3879 		if (wp_idx < wp_start) {
3880 			wp_idx++;
3881 			continue;
3882 		}
3883 
3884 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3885 			continue;
3886 
3887 		if_idx = 0;
3888 
3889 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3890 			if (if_idx < if_start) {
3891 				if_idx++;
3892 				continue;
3893 			}
3894 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3895 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3896 					       rdev, wdev,
3897 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3898 				goto out;
3899 			}
3900 			if_idx++;
3901 		}
3902 
3903 		wp_idx++;
3904 	}
3905  out:
3906 	cb->args[0] = wp_idx;
3907 	cb->args[1] = if_idx;
3908 
3909 	ret = skb->len;
3910  out_unlock:
3911 	rtnl_unlock();
3912 
3913 	return ret;
3914 }
3915 
3916 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3917 {
3918 	struct sk_buff *msg;
3919 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3920 	struct wireless_dev *wdev = info->user_ptr[1];
3921 
3922 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3923 	if (!msg)
3924 		return -ENOMEM;
3925 
3926 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3927 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3928 		nlmsg_free(msg);
3929 		return -ENOBUFS;
3930 	}
3931 
3932 	return genlmsg_reply(msg, info);
3933 }
3934 
3935 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3936 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3937 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3938 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3939 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3940 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3941 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3942 };
3943 
3944 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3945 {
3946 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3947 	int flag;
3948 
3949 	*mntrflags = 0;
3950 
3951 	if (!nla)
3952 		return -EINVAL;
3953 
3954 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3955 		return -EINVAL;
3956 
3957 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3958 		if (flags[flag])
3959 			*mntrflags |= (1<<flag);
3960 
3961 	*mntrflags |= MONITOR_FLAG_CHANGED;
3962 
3963 	return 0;
3964 }
3965 
3966 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3967 				     enum nl80211_iftype type,
3968 				     struct genl_info *info,
3969 				     struct vif_params *params)
3970 {
3971 	bool change = false;
3972 	int err;
3973 
3974 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3975 		if (type != NL80211_IFTYPE_MONITOR)
3976 			return -EINVAL;
3977 
3978 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3979 					  &params->flags);
3980 		if (err)
3981 			return err;
3982 
3983 		change = true;
3984 	}
3985 
3986 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3987 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3988 		return -EOPNOTSUPP;
3989 
3990 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3991 		const u8 *mumimo_groups;
3992 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3993 
3994 		if (type != NL80211_IFTYPE_MONITOR)
3995 			return -EINVAL;
3996 
3997 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3998 			return -EOPNOTSUPP;
3999 
4000 		mumimo_groups =
4001 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4002 
4003 		/* bits 0 and 63 are reserved and must be zero */
4004 		if ((mumimo_groups[0] & BIT(0)) ||
4005 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4006 			return -EINVAL;
4007 
4008 		params->vht_mumimo_groups = mumimo_groups;
4009 		change = true;
4010 	}
4011 
4012 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4013 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4014 
4015 		if (type != NL80211_IFTYPE_MONITOR)
4016 			return -EINVAL;
4017 
4018 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4019 			return -EOPNOTSUPP;
4020 
4021 		params->vht_mumimo_follow_addr =
4022 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4023 		change = true;
4024 	}
4025 
4026 	return change ? 1 : 0;
4027 }
4028 
4029 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4030 			       struct net_device *netdev, u8 use_4addr,
4031 			       enum nl80211_iftype iftype)
4032 {
4033 	if (!use_4addr) {
4034 		if (netdev && netif_is_bridge_port(netdev))
4035 			return -EBUSY;
4036 		return 0;
4037 	}
4038 
4039 	switch (iftype) {
4040 	case NL80211_IFTYPE_AP_VLAN:
4041 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4042 			return 0;
4043 		break;
4044 	case NL80211_IFTYPE_STATION:
4045 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4046 			return 0;
4047 		break;
4048 	default:
4049 		break;
4050 	}
4051 
4052 	return -EOPNOTSUPP;
4053 }
4054 
4055 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4056 {
4057 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4058 	struct vif_params params;
4059 	int err;
4060 	enum nl80211_iftype otype, ntype;
4061 	struct net_device *dev = info->user_ptr[1];
4062 	bool change = false;
4063 
4064 	memset(&params, 0, sizeof(params));
4065 
4066 	otype = ntype = dev->ieee80211_ptr->iftype;
4067 
4068 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4069 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4070 		if (otype != ntype)
4071 			change = true;
4072 	}
4073 
4074 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4075 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4076 
4077 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4078 			return -EINVAL;
4079 		if (netif_running(dev))
4080 			return -EBUSY;
4081 
4082 		wdev_lock(wdev);
4083 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4084 			     IEEE80211_MAX_MESH_ID_LEN);
4085 		wdev->u.mesh.id_up_len =
4086 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4087 		memcpy(wdev->u.mesh.id,
4088 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4089 		       wdev->u.mesh.id_up_len);
4090 		wdev_unlock(wdev);
4091 	}
4092 
4093 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4094 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4095 		change = true;
4096 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4097 		if (err)
4098 			return err;
4099 	} else {
4100 		params.use_4addr = -1;
4101 	}
4102 
4103 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4104 	if (err < 0)
4105 		return err;
4106 	if (err > 0)
4107 		change = true;
4108 
4109 	if (change)
4110 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4111 	else
4112 		err = 0;
4113 
4114 	if (!err && params.use_4addr != -1)
4115 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4116 
4117 	if (change && !err) {
4118 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4119 
4120 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4121 	}
4122 
4123 	return err;
4124 }
4125 
4126 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4127 {
4128 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4129 	struct vif_params params;
4130 	struct wireless_dev *wdev;
4131 	struct sk_buff *msg;
4132 	int err;
4133 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4134 
4135 	memset(&params, 0, sizeof(params));
4136 
4137 	if (!info->attrs[NL80211_ATTR_IFNAME])
4138 		return -EINVAL;
4139 
4140 	if (info->attrs[NL80211_ATTR_IFTYPE])
4141 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4142 
4143 	if (!rdev->ops->add_virtual_intf)
4144 		return -EOPNOTSUPP;
4145 
4146 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4147 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4148 	    info->attrs[NL80211_ATTR_MAC]) {
4149 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4150 			   ETH_ALEN);
4151 		if (!is_valid_ether_addr(params.macaddr))
4152 			return -EADDRNOTAVAIL;
4153 	}
4154 
4155 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4156 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4157 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4158 		if (err)
4159 			return err;
4160 	}
4161 
4162 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4163 		return -EOPNOTSUPP;
4164 
4165 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4166 	if (err < 0)
4167 		return err;
4168 
4169 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4170 	if (!msg)
4171 		return -ENOMEM;
4172 
4173 	wdev = rdev_add_virtual_intf(rdev,
4174 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4175 				NET_NAME_USER, type, &params);
4176 	if (WARN_ON(!wdev)) {
4177 		nlmsg_free(msg);
4178 		return -EPROTO;
4179 	} else if (IS_ERR(wdev)) {
4180 		nlmsg_free(msg);
4181 		return PTR_ERR(wdev);
4182 	}
4183 
4184 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4185 		wdev->owner_nlportid = info->snd_portid;
4186 
4187 	switch (type) {
4188 	case NL80211_IFTYPE_MESH_POINT:
4189 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4190 			break;
4191 		wdev_lock(wdev);
4192 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4193 			     IEEE80211_MAX_MESH_ID_LEN);
4194 		wdev->u.mesh.id_up_len =
4195 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4196 		memcpy(wdev->u.mesh.id,
4197 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4198 		       wdev->u.mesh.id_up_len);
4199 		wdev_unlock(wdev);
4200 		break;
4201 	case NL80211_IFTYPE_NAN:
4202 	case NL80211_IFTYPE_P2P_DEVICE:
4203 		/*
4204 		 * P2P Device and NAN do not have a netdev, so don't go
4205 		 * through the netdev notifier and must be added here
4206 		 */
4207 		cfg80211_init_wdev(wdev);
4208 		cfg80211_register_wdev(rdev, wdev);
4209 		break;
4210 	default:
4211 		break;
4212 	}
4213 
4214 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4215 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4216 		nlmsg_free(msg);
4217 		return -ENOBUFS;
4218 	}
4219 
4220 	return genlmsg_reply(msg, info);
4221 }
4222 
4223 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4224 {
4225 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4226 	int ret;
4227 
4228 	/* to avoid failing a new interface creation due to pending removal */
4229 	cfg80211_destroy_ifaces(rdev);
4230 
4231 	wiphy_lock(&rdev->wiphy);
4232 	ret = _nl80211_new_interface(skb, info);
4233 	wiphy_unlock(&rdev->wiphy);
4234 
4235 	return ret;
4236 }
4237 
4238 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4239 {
4240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4241 	struct wireless_dev *wdev = info->user_ptr[1];
4242 
4243 	if (!rdev->ops->del_virtual_intf)
4244 		return -EOPNOTSUPP;
4245 
4246 	/*
4247 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4248 	 * reach 0, and thus the rdev cannot be deleted.
4249 	 *
4250 	 * We need to do it for the dev_close(), since that will call
4251 	 * the netdev notifiers, and we need to acquire the mutex there
4252 	 * but don't know if we get there from here or from some other
4253 	 * place (e.g. "ip link set ... down").
4254 	 */
4255 	mutex_unlock(&rdev->wiphy.mtx);
4256 
4257 	/*
4258 	 * If we remove a wireless device without a netdev then clear
4259 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4260 	 * to check if it needs to do dev_put(). Otherwise it crashes
4261 	 * since the wdev has been freed, unlike with a netdev where
4262 	 * we need the dev_put() for the netdev to really be freed.
4263 	 */
4264 	if (!wdev->netdev)
4265 		info->user_ptr[1] = NULL;
4266 	else
4267 		dev_close(wdev->netdev);
4268 
4269 	mutex_lock(&rdev->wiphy.mtx);
4270 
4271 	return rdev_del_virtual_intf(rdev, wdev);
4272 }
4273 
4274 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4275 {
4276 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4277 	struct net_device *dev = info->user_ptr[1];
4278 	u16 noack_map;
4279 
4280 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4281 		return -EINVAL;
4282 
4283 	if (!rdev->ops->set_noack_map)
4284 		return -EOPNOTSUPP;
4285 
4286 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4287 
4288 	return rdev_set_noack_map(rdev, dev, noack_map);
4289 }
4290 
4291 struct get_key_cookie {
4292 	struct sk_buff *msg;
4293 	int error;
4294 	int idx;
4295 };
4296 
4297 static void get_key_callback(void *c, struct key_params *params)
4298 {
4299 	struct nlattr *key;
4300 	struct get_key_cookie *cookie = c;
4301 
4302 	if ((params->key &&
4303 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4304 		     params->key_len, params->key)) ||
4305 	    (params->seq &&
4306 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4307 		     params->seq_len, params->seq)) ||
4308 	    (params->cipher &&
4309 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4310 			 params->cipher)))
4311 		goto nla_put_failure;
4312 
4313 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4314 	if (!key)
4315 		goto nla_put_failure;
4316 
4317 	if ((params->key &&
4318 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4319 		     params->key_len, params->key)) ||
4320 	    (params->seq &&
4321 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4322 		     params->seq_len, params->seq)) ||
4323 	    (params->cipher &&
4324 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4325 			 params->cipher)))
4326 		goto nla_put_failure;
4327 
4328 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4329 		goto nla_put_failure;
4330 
4331 	nla_nest_end(cookie->msg, key);
4332 
4333 	return;
4334  nla_put_failure:
4335 	cookie->error = 1;
4336 }
4337 
4338 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4339 {
4340 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4341 	int err;
4342 	struct net_device *dev = info->user_ptr[1];
4343 	u8 key_idx = 0;
4344 	const u8 *mac_addr = NULL;
4345 	bool pairwise;
4346 	struct get_key_cookie cookie = {
4347 		.error = 0,
4348 	};
4349 	void *hdr;
4350 	struct sk_buff *msg;
4351 	bool bigtk_support = false;
4352 
4353 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4354 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4355 		bigtk_support = true;
4356 
4357 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4358 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4359 	    wiphy_ext_feature_isset(&rdev->wiphy,
4360 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4361 		bigtk_support = true;
4362 
4363 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4364 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4365 
4366 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4367 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4368 			return -EINVAL;
4369 		}
4370 	}
4371 
4372 	if (info->attrs[NL80211_ATTR_MAC])
4373 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4374 
4375 	pairwise = !!mac_addr;
4376 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4377 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4378 
4379 		if (kt != NL80211_KEYTYPE_GROUP &&
4380 		    kt != NL80211_KEYTYPE_PAIRWISE)
4381 			return -EINVAL;
4382 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4383 	}
4384 
4385 	if (!rdev->ops->get_key)
4386 		return -EOPNOTSUPP;
4387 
4388 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4389 		return -ENOENT;
4390 
4391 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4392 	if (!msg)
4393 		return -ENOMEM;
4394 
4395 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4396 			     NL80211_CMD_NEW_KEY);
4397 	if (!hdr)
4398 		goto nla_put_failure;
4399 
4400 	cookie.msg = msg;
4401 	cookie.idx = key_idx;
4402 
4403 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4404 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4405 		goto nla_put_failure;
4406 	if (mac_addr &&
4407 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4408 		goto nla_put_failure;
4409 
4410 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4411 			   get_key_callback);
4412 
4413 	if (err)
4414 		goto free_msg;
4415 
4416 	if (cookie.error)
4417 		goto nla_put_failure;
4418 
4419 	genlmsg_end(msg, hdr);
4420 	return genlmsg_reply(msg, info);
4421 
4422  nla_put_failure:
4423 	err = -ENOBUFS;
4424  free_msg:
4425 	nlmsg_free(msg);
4426 	return err;
4427 }
4428 
4429 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4430 {
4431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4432 	struct key_parse key;
4433 	int err;
4434 	struct net_device *dev = info->user_ptr[1];
4435 
4436 	err = nl80211_parse_key(info, &key);
4437 	if (err)
4438 		return err;
4439 
4440 	if (key.idx < 0)
4441 		return -EINVAL;
4442 
4443 	/* Only support setting default key and
4444 	 * Extended Key ID action NL80211_KEY_SET_TX.
4445 	 */
4446 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4447 	    !(key.p.mode == NL80211_KEY_SET_TX))
4448 		return -EINVAL;
4449 
4450 	wdev_lock(dev->ieee80211_ptr);
4451 
4452 	if (key.def) {
4453 		if (!rdev->ops->set_default_key) {
4454 			err = -EOPNOTSUPP;
4455 			goto out;
4456 		}
4457 
4458 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4459 		if (err)
4460 			goto out;
4461 
4462 		err = rdev_set_default_key(rdev, dev, key.idx,
4463 						 key.def_uni, key.def_multi);
4464 
4465 		if (err)
4466 			goto out;
4467 
4468 #ifdef CONFIG_CFG80211_WEXT
4469 		dev->ieee80211_ptr->wext.default_key = key.idx;
4470 #endif
4471 	} else if (key.defmgmt) {
4472 		if (key.def_uni || !key.def_multi) {
4473 			err = -EINVAL;
4474 			goto out;
4475 		}
4476 
4477 		if (!rdev->ops->set_default_mgmt_key) {
4478 			err = -EOPNOTSUPP;
4479 			goto out;
4480 		}
4481 
4482 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4483 		if (err)
4484 			goto out;
4485 
4486 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4487 		if (err)
4488 			goto out;
4489 
4490 #ifdef CONFIG_CFG80211_WEXT
4491 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4492 #endif
4493 	} else if (key.defbeacon) {
4494 		if (key.def_uni || !key.def_multi) {
4495 			err = -EINVAL;
4496 			goto out;
4497 		}
4498 
4499 		if (!rdev->ops->set_default_beacon_key) {
4500 			err = -EOPNOTSUPP;
4501 			goto out;
4502 		}
4503 
4504 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4505 		if (err)
4506 			goto out;
4507 
4508 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4509 		if (err)
4510 			goto out;
4511 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4512 		   wiphy_ext_feature_isset(&rdev->wiphy,
4513 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4514 		u8 *mac_addr = NULL;
4515 
4516 		if (info->attrs[NL80211_ATTR_MAC])
4517 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4518 
4519 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4520 			err = -EINVAL;
4521 			goto out;
4522 		}
4523 
4524 		err = rdev_add_key(rdev, dev, key.idx,
4525 				   NL80211_KEYTYPE_PAIRWISE,
4526 				   mac_addr, &key.p);
4527 	} else {
4528 		err = -EINVAL;
4529 	}
4530  out:
4531 	wdev_unlock(dev->ieee80211_ptr);
4532 
4533 	return err;
4534 }
4535 
4536 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4537 {
4538 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4539 	int err;
4540 	struct net_device *dev = info->user_ptr[1];
4541 	struct key_parse key;
4542 	const u8 *mac_addr = NULL;
4543 
4544 	err = nl80211_parse_key(info, &key);
4545 	if (err)
4546 		return err;
4547 
4548 	if (!key.p.key) {
4549 		GENL_SET_ERR_MSG(info, "no key");
4550 		return -EINVAL;
4551 	}
4552 
4553 	if (info->attrs[NL80211_ATTR_MAC])
4554 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4555 
4556 	if (key.type == -1) {
4557 		if (mac_addr)
4558 			key.type = NL80211_KEYTYPE_PAIRWISE;
4559 		else
4560 			key.type = NL80211_KEYTYPE_GROUP;
4561 	}
4562 
4563 	/* for now */
4564 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4565 	    key.type != NL80211_KEYTYPE_GROUP) {
4566 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4567 		return -EINVAL;
4568 	}
4569 
4570 	if (key.type == NL80211_KEYTYPE_GROUP &&
4571 	    info->attrs[NL80211_ATTR_VLAN_ID])
4572 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4573 
4574 	if (!rdev->ops->add_key)
4575 		return -EOPNOTSUPP;
4576 
4577 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4578 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4579 					   mac_addr)) {
4580 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4581 		return -EINVAL;
4582 	}
4583 
4584 	wdev_lock(dev->ieee80211_ptr);
4585 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4586 	if (err)
4587 		GENL_SET_ERR_MSG(info, "key not allowed");
4588 	if (!err) {
4589 		err = rdev_add_key(rdev, dev, key.idx,
4590 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4591 				    mac_addr, &key.p);
4592 		if (err)
4593 			GENL_SET_ERR_MSG(info, "key addition failed");
4594 	}
4595 	wdev_unlock(dev->ieee80211_ptr);
4596 
4597 	return err;
4598 }
4599 
4600 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4601 {
4602 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4603 	int err;
4604 	struct net_device *dev = info->user_ptr[1];
4605 	u8 *mac_addr = NULL;
4606 	struct key_parse key;
4607 
4608 	err = nl80211_parse_key(info, &key);
4609 	if (err)
4610 		return err;
4611 
4612 	if (info->attrs[NL80211_ATTR_MAC])
4613 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4614 
4615 	if (key.type == -1) {
4616 		if (mac_addr)
4617 			key.type = NL80211_KEYTYPE_PAIRWISE;
4618 		else
4619 			key.type = NL80211_KEYTYPE_GROUP;
4620 	}
4621 
4622 	/* for now */
4623 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4624 	    key.type != NL80211_KEYTYPE_GROUP)
4625 		return -EINVAL;
4626 
4627 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4628 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4629 		return -EINVAL;
4630 
4631 	if (!rdev->ops->del_key)
4632 		return -EOPNOTSUPP;
4633 
4634 	wdev_lock(dev->ieee80211_ptr);
4635 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4636 
4637 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4638 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4639 		err = -ENOENT;
4640 
4641 	if (!err)
4642 		err = rdev_del_key(rdev, dev, key.idx,
4643 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4644 				   mac_addr);
4645 
4646 #ifdef CONFIG_CFG80211_WEXT
4647 	if (!err) {
4648 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4649 			dev->ieee80211_ptr->wext.default_key = -1;
4650 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4651 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4652 	}
4653 #endif
4654 	wdev_unlock(dev->ieee80211_ptr);
4655 
4656 	return err;
4657 }
4658 
4659 /* This function returns an error or the number of nested attributes */
4660 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4661 {
4662 	struct nlattr *attr;
4663 	int n_entries = 0, tmp;
4664 
4665 	nla_for_each_nested(attr, nl_attr, tmp) {
4666 		if (nla_len(attr) != ETH_ALEN)
4667 			return -EINVAL;
4668 
4669 		n_entries++;
4670 	}
4671 
4672 	return n_entries;
4673 }
4674 
4675 /*
4676  * This function parses ACL information and allocates memory for ACL data.
4677  * On successful return, the calling function is responsible to free the
4678  * ACL buffer returned by this function.
4679  */
4680 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4681 						struct genl_info *info)
4682 {
4683 	enum nl80211_acl_policy acl_policy;
4684 	struct nlattr *attr;
4685 	struct cfg80211_acl_data *acl;
4686 	int i = 0, n_entries, tmp;
4687 
4688 	if (!wiphy->max_acl_mac_addrs)
4689 		return ERR_PTR(-EOPNOTSUPP);
4690 
4691 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4692 		return ERR_PTR(-EINVAL);
4693 
4694 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4695 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4696 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4697 		return ERR_PTR(-EINVAL);
4698 
4699 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4700 		return ERR_PTR(-EINVAL);
4701 
4702 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4703 	if (n_entries < 0)
4704 		return ERR_PTR(n_entries);
4705 
4706 	if (n_entries > wiphy->max_acl_mac_addrs)
4707 		return ERR_PTR(-ENOTSUPP);
4708 
4709 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4710 	if (!acl)
4711 		return ERR_PTR(-ENOMEM);
4712 
4713 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4714 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4715 		i++;
4716 	}
4717 
4718 	acl->n_acl_entries = n_entries;
4719 	acl->acl_policy = acl_policy;
4720 
4721 	return acl;
4722 }
4723 
4724 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4725 {
4726 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4727 	struct net_device *dev = info->user_ptr[1];
4728 	struct cfg80211_acl_data *acl;
4729 	int err;
4730 
4731 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4732 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4733 		return -EOPNOTSUPP;
4734 
4735 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4736 		return -EINVAL;
4737 
4738 	acl = parse_acl_data(&rdev->wiphy, info);
4739 	if (IS_ERR(acl))
4740 		return PTR_ERR(acl);
4741 
4742 	err = rdev_set_mac_acl(rdev, dev, acl);
4743 
4744 	kfree(acl);
4745 
4746 	return err;
4747 }
4748 
4749 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4750 			   u8 *rates, u8 rates_len)
4751 {
4752 	u8 i;
4753 	u32 mask = 0;
4754 
4755 	for (i = 0; i < rates_len; i++) {
4756 		int rate = (rates[i] & 0x7f) * 5;
4757 		int ridx;
4758 
4759 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4760 			struct ieee80211_rate *srate =
4761 				&sband->bitrates[ridx];
4762 			if (rate == srate->bitrate) {
4763 				mask |= 1 << ridx;
4764 				break;
4765 			}
4766 		}
4767 		if (ridx == sband->n_bitrates)
4768 			return 0; /* rate not found */
4769 	}
4770 
4771 	return mask;
4772 }
4773 
4774 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4775 			       u8 *rates, u8 rates_len,
4776 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4777 {
4778 	u8 i;
4779 
4780 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4781 
4782 	for (i = 0; i < rates_len; i++) {
4783 		int ridx, rbit;
4784 
4785 		ridx = rates[i] / 8;
4786 		rbit = BIT(rates[i] % 8);
4787 
4788 		/* check validity */
4789 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4790 			return false;
4791 
4792 		/* check availability */
4793 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4794 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4795 			mcs[ridx] |= rbit;
4796 		else
4797 			return false;
4798 	}
4799 
4800 	return true;
4801 }
4802 
4803 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4804 {
4805 	u16 mcs_mask = 0;
4806 
4807 	switch (vht_mcs_map) {
4808 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4809 		break;
4810 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4811 		mcs_mask = 0x00FF;
4812 		break;
4813 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4814 		mcs_mask = 0x01FF;
4815 		break;
4816 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4817 		mcs_mask = 0x03FF;
4818 		break;
4819 	default:
4820 		break;
4821 	}
4822 
4823 	return mcs_mask;
4824 }
4825 
4826 static void vht_build_mcs_mask(u16 vht_mcs_map,
4827 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4828 {
4829 	u8 nss;
4830 
4831 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4832 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4833 		vht_mcs_map >>= 2;
4834 	}
4835 }
4836 
4837 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4838 			     struct nl80211_txrate_vht *txrate,
4839 			     u16 mcs[NL80211_VHT_NSS_MAX])
4840 {
4841 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4842 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4843 	u8 i;
4844 
4845 	if (!sband->vht_cap.vht_supported)
4846 		return false;
4847 
4848 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4849 
4850 	/* Build vht_mcs_mask from VHT capabilities */
4851 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4852 
4853 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4854 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4855 			mcs[i] = txrate->mcs[i];
4856 		else
4857 			return false;
4858 	}
4859 
4860 	return true;
4861 }
4862 
4863 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4864 {
4865 	switch (he_mcs_map) {
4866 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4867 		return 0;
4868 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4869 		return 0x00FF;
4870 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4871 		return 0x03FF;
4872 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4873 		return 0xFFF;
4874 	default:
4875 		break;
4876 	}
4877 	return 0;
4878 }
4879 
4880 static void he_build_mcs_mask(u16 he_mcs_map,
4881 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4882 {
4883 	u8 nss;
4884 
4885 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4886 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4887 		he_mcs_map >>= 2;
4888 	}
4889 }
4890 
4891 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
4892 			   const struct ieee80211_sta_he_cap *he_cap)
4893 {
4894 	struct net_device *dev = info->user_ptr[1];
4895 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4896 	struct cfg80211_chan_def *chandef;
4897 	__le16 tx_mcs;
4898 
4899 	chandef = wdev_chandef(wdev, link_id);
4900 	if (!chandef) {
4901 		/*
4902 		 * This is probably broken, but we never maintained
4903 		 * a chandef in these cases, so it always was.
4904 		 */
4905 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
4906 	}
4907 
4908 	switch (chandef->width) {
4909 	case NL80211_CHAN_WIDTH_80P80:
4910 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4911 		break;
4912 	case NL80211_CHAN_WIDTH_160:
4913 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4914 		break;
4915 	default:
4916 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4917 		break;
4918 	}
4919 
4920 	return le16_to_cpu(tx_mcs);
4921 }
4922 
4923 static bool he_set_mcs_mask(struct genl_info *info,
4924 			    struct wireless_dev *wdev,
4925 			    struct ieee80211_supported_band *sband,
4926 			    struct nl80211_txrate_he *txrate,
4927 			    u16 mcs[NL80211_HE_NSS_MAX],
4928 			    unsigned int link_id)
4929 {
4930 	const struct ieee80211_sta_he_cap *he_cap;
4931 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4932 	u16 tx_mcs_map = 0;
4933 	u8 i;
4934 
4935 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4936 	if (!he_cap)
4937 		return false;
4938 
4939 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4940 
4941 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
4942 
4943 	/* Build he_mcs_mask from HE capabilities */
4944 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4945 
4946 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4947 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4948 			mcs[i] = txrate->mcs[i];
4949 		else
4950 			return false;
4951 	}
4952 
4953 	return true;
4954 }
4955 
4956 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4957 					 struct nlattr *attrs[],
4958 					 enum nl80211_attrs attr,
4959 					 struct cfg80211_bitrate_mask *mask,
4960 					 struct net_device *dev,
4961 					 bool default_all_enabled,
4962 					 unsigned int link_id)
4963 {
4964 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4965 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4966 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4967 	int rem, i;
4968 	struct nlattr *tx_rates;
4969 	struct ieee80211_supported_band *sband;
4970 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4971 
4972 	memset(mask, 0, sizeof(*mask));
4973 	/* Default to all rates enabled */
4974 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4975 		const struct ieee80211_sta_he_cap *he_cap;
4976 
4977 		if (!default_all_enabled)
4978 			break;
4979 
4980 		sband = rdev->wiphy.bands[i];
4981 
4982 		if (!sband)
4983 			continue;
4984 
4985 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4986 		memcpy(mask->control[i].ht_mcs,
4987 		       sband->ht_cap.mcs.rx_mask,
4988 		       sizeof(mask->control[i].ht_mcs));
4989 
4990 		if (sband->vht_cap.vht_supported) {
4991 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4992 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4993 		}
4994 
4995 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4996 		if (!he_cap)
4997 			continue;
4998 
4999 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5000 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5001 
5002 		mask->control[i].he_gi = 0xFF;
5003 		mask->control[i].he_ltf = 0xFF;
5004 	}
5005 
5006 	/* if no rates are given set it back to the defaults */
5007 	if (!attrs[attr])
5008 		goto out;
5009 
5010 	/* The nested attribute uses enum nl80211_band as the index. This maps
5011 	 * directly to the enum nl80211_band values used in cfg80211.
5012 	 */
5013 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5014 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5015 		enum nl80211_band band = nla_type(tx_rates);
5016 		int err;
5017 
5018 		if (band < 0 || band >= NUM_NL80211_BANDS)
5019 			return -EINVAL;
5020 		sband = rdev->wiphy.bands[band];
5021 		if (sband == NULL)
5022 			return -EINVAL;
5023 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5024 						  tx_rates,
5025 						  nl80211_txattr_policy,
5026 						  info->extack);
5027 		if (err)
5028 			return err;
5029 		if (tb[NL80211_TXRATE_LEGACY]) {
5030 			mask->control[band].legacy = rateset_to_mask(
5031 				sband,
5032 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5033 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5034 			if ((mask->control[band].legacy == 0) &&
5035 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5036 				return -EINVAL;
5037 		}
5038 		if (tb[NL80211_TXRATE_HT]) {
5039 			if (!ht_rateset_to_mask(
5040 					sband,
5041 					nla_data(tb[NL80211_TXRATE_HT]),
5042 					nla_len(tb[NL80211_TXRATE_HT]),
5043 					mask->control[band].ht_mcs))
5044 				return -EINVAL;
5045 		}
5046 
5047 		if (tb[NL80211_TXRATE_VHT]) {
5048 			if (!vht_set_mcs_mask(
5049 					sband,
5050 					nla_data(tb[NL80211_TXRATE_VHT]),
5051 					mask->control[band].vht_mcs))
5052 				return -EINVAL;
5053 		}
5054 
5055 		if (tb[NL80211_TXRATE_GI]) {
5056 			mask->control[band].gi =
5057 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5058 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5059 				return -EINVAL;
5060 		}
5061 		if (tb[NL80211_TXRATE_HE] &&
5062 		    !he_set_mcs_mask(info, wdev, sband,
5063 				     nla_data(tb[NL80211_TXRATE_HE]),
5064 				     mask->control[band].he_mcs,
5065 				     link_id))
5066 			return -EINVAL;
5067 
5068 		if (tb[NL80211_TXRATE_HE_GI])
5069 			mask->control[band].he_gi =
5070 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5071 		if (tb[NL80211_TXRATE_HE_LTF])
5072 			mask->control[band].he_ltf =
5073 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5074 
5075 		if (mask->control[band].legacy == 0) {
5076 			/* don't allow empty legacy rates if HT, VHT or HE
5077 			 * are not even supported.
5078 			 */
5079 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5080 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5081 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5082 				return -EINVAL;
5083 
5084 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5085 				if (mask->control[band].ht_mcs[i])
5086 					goto out;
5087 
5088 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5089 				if (mask->control[band].vht_mcs[i])
5090 					goto out;
5091 
5092 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5093 				if (mask->control[band].he_mcs[i])
5094 					goto out;
5095 
5096 			/* legacy and mcs rates may not be both empty */
5097 			return -EINVAL;
5098 		}
5099 	}
5100 
5101 out:
5102 	return 0;
5103 }
5104 
5105 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5106 				   enum nl80211_band band,
5107 				   struct cfg80211_bitrate_mask *beacon_rate)
5108 {
5109 	u32 count_ht, count_vht, count_he, i;
5110 	u32 rate = beacon_rate->control[band].legacy;
5111 
5112 	/* Allow only one rate */
5113 	if (hweight32(rate) > 1)
5114 		return -EINVAL;
5115 
5116 	count_ht = 0;
5117 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5118 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5119 			return -EINVAL;
5120 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5121 			count_ht++;
5122 			if (count_ht > 1)
5123 				return -EINVAL;
5124 		}
5125 		if (count_ht && rate)
5126 			return -EINVAL;
5127 	}
5128 
5129 	count_vht = 0;
5130 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5131 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5132 			return -EINVAL;
5133 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5134 			count_vht++;
5135 			if (count_vht > 1)
5136 				return -EINVAL;
5137 		}
5138 		if (count_vht && rate)
5139 			return -EINVAL;
5140 	}
5141 
5142 	count_he = 0;
5143 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5144 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5145 			return -EINVAL;
5146 		} else if (beacon_rate->control[band].he_mcs[i]) {
5147 			count_he++;
5148 			if (count_he > 1)
5149 				return -EINVAL;
5150 		}
5151 		if (count_he && rate)
5152 			return -EINVAL;
5153 	}
5154 
5155 	if ((count_ht && count_vht && count_he) ||
5156 	    (!rate && !count_ht && !count_vht && !count_he))
5157 		return -EINVAL;
5158 
5159 	if (rate &&
5160 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5161 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5162 		return -EINVAL;
5163 	if (count_ht &&
5164 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5165 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5166 		return -EINVAL;
5167 	if (count_vht &&
5168 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5169 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5170 		return -EINVAL;
5171 	if (count_he &&
5172 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5173 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5174 		return -EINVAL;
5175 
5176 	return 0;
5177 }
5178 
5179 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5180 				       struct net_device *dev,
5181 				       struct nlattr *attrs,
5182 				       struct cfg80211_mbssid_config *config,
5183 				       u8 num_elems)
5184 {
5185 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5186 
5187 	if (!wiphy->mbssid_max_interfaces)
5188 		return -EOPNOTSUPP;
5189 
5190 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5191 			     NULL) ||
5192 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5193 		return -EINVAL;
5194 
5195 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5196 	if (config->ema) {
5197 		if (!wiphy->ema_max_profile_periodicity)
5198 			return -EOPNOTSUPP;
5199 
5200 		if (num_elems > wiphy->ema_max_profile_periodicity)
5201 			return -EINVAL;
5202 	}
5203 
5204 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5205 	if (config->index >= wiphy->mbssid_max_interfaces ||
5206 	    (!config->index && !num_elems))
5207 		return -EINVAL;
5208 
5209 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5210 		u32 tx_ifindex =
5211 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5212 
5213 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5214 		    (config->index && tx_ifindex == dev->ifindex))
5215 			return -EINVAL;
5216 
5217 		if (tx_ifindex != dev->ifindex) {
5218 			struct net_device *tx_netdev =
5219 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5220 
5221 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5222 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5223 			    tx_netdev->ieee80211_ptr->iftype !=
5224 							NL80211_IFTYPE_AP) {
5225 				dev_put(tx_netdev);
5226 				return -EINVAL;
5227 			}
5228 
5229 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5230 		} else {
5231 			config->tx_wdev = dev->ieee80211_ptr;
5232 		}
5233 	} else if (!config->index) {
5234 		config->tx_wdev = dev->ieee80211_ptr;
5235 	} else {
5236 		return -EINVAL;
5237 	}
5238 
5239 	return 0;
5240 }
5241 
5242 static struct cfg80211_mbssid_elems *
5243 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5244 {
5245 	struct nlattr *nl_elems;
5246 	struct cfg80211_mbssid_elems *elems;
5247 	int rem_elems;
5248 	u8 i = 0, num_elems = 0;
5249 
5250 	if (!wiphy->mbssid_max_interfaces)
5251 		return ERR_PTR(-EINVAL);
5252 
5253 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5254 		num_elems++;
5255 
5256 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5257 	if (!elems)
5258 		return ERR_PTR(-ENOMEM);
5259 
5260 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5261 		elems->elem[i].data = nla_data(nl_elems);
5262 		elems->elem[i].len = nla_len(nl_elems);
5263 		i++;
5264 	}
5265 	elems->cnt = num_elems;
5266 	return elems;
5267 }
5268 
5269 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5270 				      struct cfg80211_he_bss_color *he_bss_color)
5271 {
5272 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5273 	int err;
5274 
5275 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5276 			       he_bss_color_policy, NULL);
5277 	if (err)
5278 		return err;
5279 
5280 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5281 		return -EINVAL;
5282 
5283 	he_bss_color->color =
5284 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5285 	he_bss_color->enabled =
5286 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5287 	he_bss_color->partial =
5288 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5289 
5290 	return 0;
5291 }
5292 
5293 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5294 				struct nlattr *attrs[],
5295 				struct cfg80211_beacon_data *bcn)
5296 {
5297 	bool haveinfo = false;
5298 	int err;
5299 
5300 	memset(bcn, 0, sizeof(*bcn));
5301 
5302 	bcn->link_id = nl80211_link_id(attrs);
5303 
5304 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5305 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5306 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5307 		if (!bcn->head_len)
5308 			return -EINVAL;
5309 		haveinfo = true;
5310 	}
5311 
5312 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5313 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5314 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5315 		haveinfo = true;
5316 	}
5317 
5318 	if (!haveinfo)
5319 		return -EINVAL;
5320 
5321 	if (attrs[NL80211_ATTR_IE]) {
5322 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5323 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5324 	}
5325 
5326 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5327 		bcn->proberesp_ies =
5328 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5329 		bcn->proberesp_ies_len =
5330 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5331 	}
5332 
5333 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5334 		bcn->assocresp_ies =
5335 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5336 		bcn->assocresp_ies_len =
5337 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5338 	}
5339 
5340 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5341 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5342 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5343 	}
5344 
5345 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5346 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5347 
5348 		err = nla_parse_nested_deprecated(tb,
5349 						  NL80211_FTM_RESP_ATTR_MAX,
5350 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5351 						  NULL, NULL);
5352 		if (err)
5353 			return err;
5354 
5355 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5356 		    wiphy_ext_feature_isset(&rdev->wiphy,
5357 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5358 			bcn->ftm_responder = 1;
5359 		else
5360 			return -EOPNOTSUPP;
5361 
5362 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5363 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5364 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5365 		}
5366 
5367 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5368 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5369 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5370 		}
5371 	} else {
5372 		bcn->ftm_responder = -1;
5373 	}
5374 
5375 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5376 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5377 						 &bcn->he_bss_color);
5378 		if (err)
5379 			return err;
5380 		bcn->he_bss_color_valid = true;
5381 	}
5382 
5383 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5384 		struct cfg80211_mbssid_elems *mbssid =
5385 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5386 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5387 
5388 		if (IS_ERR(mbssid))
5389 			return PTR_ERR(mbssid);
5390 
5391 		bcn->mbssid_ies = mbssid;
5392 	}
5393 
5394 	return 0;
5395 }
5396 
5397 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5398 				    struct ieee80211_he_obss_pd *he_obss_pd)
5399 {
5400 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5401 	int err;
5402 
5403 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5404 			       he_obss_pd_policy, NULL);
5405 	if (err)
5406 		return err;
5407 
5408 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5409 		return -EINVAL;
5410 
5411 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5412 
5413 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5414 		he_obss_pd->min_offset =
5415 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5416 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5417 		he_obss_pd->max_offset =
5418 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5419 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5420 		he_obss_pd->non_srg_max_offset =
5421 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5422 
5423 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5424 		return -EINVAL;
5425 
5426 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5427 		memcpy(he_obss_pd->bss_color_bitmap,
5428 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5429 		       sizeof(he_obss_pd->bss_color_bitmap));
5430 
5431 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5432 		memcpy(he_obss_pd->partial_bssid_bitmap,
5433 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5434 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5435 
5436 	he_obss_pd->enable = true;
5437 
5438 	return 0;
5439 }
5440 
5441 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5442 					struct nlattr *attrs,
5443 					struct cfg80211_ap_settings *params)
5444 {
5445 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5446 	int ret;
5447 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5448 
5449 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5450 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5451 		return -EINVAL;
5452 
5453 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5454 			       NULL, NULL);
5455 	if (ret)
5456 		return ret;
5457 
5458 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5459 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5460 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5461 		return -EINVAL;
5462 
5463 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5464 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5465 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5466 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5467 
5468 	return 0;
5469 }
5470 
5471 static int
5472 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5473 				     struct nlattr *attrs,
5474 				     struct cfg80211_ap_settings *params)
5475 {
5476 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5477 	int ret;
5478 	struct cfg80211_unsol_bcast_probe_resp *presp =
5479 					&params->unsol_bcast_probe_resp;
5480 
5481 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5482 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5483 		return -EINVAL;
5484 
5485 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5486 			       attrs, NULL, NULL);
5487 	if (ret)
5488 		return ret;
5489 
5490 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5491 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5492 		return -EINVAL;
5493 
5494 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5495 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5496 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5497 	return 0;
5498 }
5499 
5500 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5501 					    const struct element *rates)
5502 {
5503 	int i;
5504 
5505 	if (!rates)
5506 		return;
5507 
5508 	for (i = 0; i < rates->datalen; i++) {
5509 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5510 			params->ht_required = true;
5511 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5512 			params->vht_required = true;
5513 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5514 			params->he_required = true;
5515 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5516 			params->sae_h2e_required = true;
5517 	}
5518 }
5519 
5520 /*
5521  * Since the nl80211 API didn't include, from the beginning, attributes about
5522  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5523  * benefit of drivers that rebuild IEs in the firmware.
5524  */
5525 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5526 {
5527 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5528 	size_t ies_len = bcn->tail_len;
5529 	const u8 *ies = bcn->tail;
5530 	const struct element *rates;
5531 	const struct element *cap;
5532 
5533 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5534 	nl80211_check_ap_rate_selectors(params, rates);
5535 
5536 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5537 	nl80211_check_ap_rate_selectors(params, rates);
5538 
5539 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5540 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5541 		params->ht_cap = (void *)cap->data;
5542 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5543 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5544 		params->vht_cap = (void *)cap->data;
5545 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5546 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5547 		params->he_cap = (void *)(cap->data + 1);
5548 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5549 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5550 		params->he_oper = (void *)(cap->data + 1);
5551 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5552 	if (cap) {
5553 		if (!cap->datalen)
5554 			return -EINVAL;
5555 		params->eht_cap = (void *)(cap->data + 1);
5556 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5557 						(const u8 *)params->eht_cap,
5558 						cap->datalen - 1))
5559 			return -EINVAL;
5560 	}
5561 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5562 	if (cap) {
5563 		if (!cap->datalen)
5564 			return -EINVAL;
5565 		params->eht_oper = (void *)(cap->data + 1);
5566 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5567 						cap->datalen - 1))
5568 			return -EINVAL;
5569 	}
5570 	return 0;
5571 }
5572 
5573 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5574 				   struct cfg80211_ap_settings *params)
5575 {
5576 	struct wireless_dev *wdev;
5577 
5578 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5579 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5580 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5581 			continue;
5582 
5583 		if (!wdev->u.ap.preset_chandef.chan)
5584 			continue;
5585 
5586 		params->chandef = wdev->u.ap.preset_chandef;
5587 		return true;
5588 	}
5589 
5590 	return false;
5591 }
5592 
5593 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5594 				    enum nl80211_auth_type auth_type,
5595 				    enum nl80211_commands cmd)
5596 {
5597 	if (auth_type > NL80211_AUTHTYPE_MAX)
5598 		return false;
5599 
5600 	switch (cmd) {
5601 	case NL80211_CMD_AUTHENTICATE:
5602 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5603 		    auth_type == NL80211_AUTHTYPE_SAE)
5604 			return false;
5605 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5606 					     NL80211_EXT_FEATURE_FILS_STA) &&
5607 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5608 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5609 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5610 			return false;
5611 		return true;
5612 	case NL80211_CMD_CONNECT:
5613 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5614 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5615 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5616 		    auth_type == NL80211_AUTHTYPE_SAE)
5617 			return false;
5618 
5619 		/* FILS with SK PFS or PK not supported yet */
5620 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5621 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5622 			return false;
5623 		if (!wiphy_ext_feature_isset(
5624 			    &rdev->wiphy,
5625 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5626 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5627 			return false;
5628 		return true;
5629 	case NL80211_CMD_START_AP:
5630 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5631 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5632 		    auth_type == NL80211_AUTHTYPE_SAE)
5633 			return false;
5634 		/* FILS not supported yet */
5635 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5636 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5637 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5638 			return false;
5639 		return true;
5640 	default:
5641 		return false;
5642 	}
5643 }
5644 
5645 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5646 {
5647 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5648 	unsigned int link_id = nl80211_link_id(info->attrs);
5649 	struct net_device *dev = info->user_ptr[1];
5650 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5651 	struct cfg80211_ap_settings *params;
5652 	int err;
5653 
5654 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5655 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5656 		return -EOPNOTSUPP;
5657 
5658 	if (!rdev->ops->start_ap)
5659 		return -EOPNOTSUPP;
5660 
5661 	if (wdev->links[link_id].ap.beacon_interval)
5662 		return -EALREADY;
5663 
5664 	/* these are required for START_AP */
5665 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5666 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5667 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5668 		return -EINVAL;
5669 
5670 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5671 	if (!params)
5672 		return -ENOMEM;
5673 
5674 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5675 	if (err)
5676 		goto out;
5677 
5678 	params->beacon_interval =
5679 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5680 	params->dtim_period =
5681 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5682 
5683 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5684 					   params->beacon_interval);
5685 	if (err)
5686 		goto out;
5687 
5688 	/*
5689 	 * In theory, some of these attributes should be required here
5690 	 * but since they were not used when the command was originally
5691 	 * added, keep them optional for old user space programs to let
5692 	 * them continue to work with drivers that do not need the
5693 	 * additional information -- drivers must check!
5694 	 */
5695 	if (info->attrs[NL80211_ATTR_SSID]) {
5696 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5697 		params->ssid_len =
5698 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5699 		if (params->ssid_len == 0) {
5700 			err = -EINVAL;
5701 			goto out;
5702 		}
5703 
5704 		if (wdev->u.ap.ssid_len &&
5705 		    (wdev->u.ap.ssid_len != params->ssid_len ||
5706 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5707 			/* require identical SSID for MLO */
5708 			err = -EINVAL;
5709 			goto out;
5710 		}
5711 	} else if (wdev->valid_links) {
5712 		/* require SSID for MLO */
5713 		err = -EINVAL;
5714 		goto out;
5715 	}
5716 
5717 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5718 		params->hidden_ssid = nla_get_u32(
5719 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5720 
5721 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5722 
5723 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5724 		params->auth_type = nla_get_u32(
5725 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5726 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5727 					     NL80211_CMD_START_AP)) {
5728 			err = -EINVAL;
5729 			goto out;
5730 		}
5731 	} else
5732 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5733 
5734 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5735 				      NL80211_MAX_NR_CIPHER_SUITES);
5736 	if (err)
5737 		goto out;
5738 
5739 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5740 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5741 			err = -EOPNOTSUPP;
5742 			goto out;
5743 		}
5744 		params->inactivity_timeout = nla_get_u16(
5745 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5746 	}
5747 
5748 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5749 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5750 			err = -EINVAL;
5751 			goto out;
5752 		}
5753 		params->p2p_ctwindow =
5754 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5755 		if (params->p2p_ctwindow != 0 &&
5756 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5757 			err = -EINVAL;
5758 			goto out;
5759 		}
5760 	}
5761 
5762 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5763 		u8 tmp;
5764 
5765 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5766 			err = -EINVAL;
5767 			goto out;
5768 		}
5769 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5770 		params->p2p_opp_ps = tmp;
5771 		if (params->p2p_opp_ps != 0 &&
5772 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5773 			err = -EINVAL;
5774 			goto out;
5775 		}
5776 	}
5777 
5778 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5779 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5780 		if (err)
5781 			goto out;
5782 	} else if (wdev->valid_links) {
5783 		/* with MLD need to specify the channel configuration */
5784 		err = -EINVAL;
5785 		goto out;
5786 	} else if (wdev->u.ap.preset_chandef.chan) {
5787 		params->chandef = wdev->u.ap.preset_chandef;
5788 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5789 		err = -EINVAL;
5790 		goto out;
5791 	}
5792 
5793 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5794 					   wdev->iftype)) {
5795 		err = -EINVAL;
5796 		goto out;
5797 	}
5798 
5799 	wdev_lock(wdev);
5800 
5801 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5802 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5803 						    NL80211_ATTR_TX_RATES,
5804 						    &params->beacon_rate,
5805 						    dev, false, link_id);
5806 		if (err)
5807 			goto out_unlock;
5808 
5809 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5810 					      &params->beacon_rate);
5811 		if (err)
5812 			goto out_unlock;
5813 	}
5814 
5815 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5816 		params->smps_mode =
5817 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5818 		switch (params->smps_mode) {
5819 		case NL80211_SMPS_OFF:
5820 			break;
5821 		case NL80211_SMPS_STATIC:
5822 			if (!(rdev->wiphy.features &
5823 			      NL80211_FEATURE_STATIC_SMPS)) {
5824 				err = -EINVAL;
5825 				goto out_unlock;
5826 			}
5827 			break;
5828 		case NL80211_SMPS_DYNAMIC:
5829 			if (!(rdev->wiphy.features &
5830 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5831 				err = -EINVAL;
5832 				goto out_unlock;
5833 			}
5834 			break;
5835 		default:
5836 			err = -EINVAL;
5837 			goto out_unlock;
5838 		}
5839 	} else {
5840 		params->smps_mode = NL80211_SMPS_OFF;
5841 	}
5842 
5843 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5844 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5845 		err = -EOPNOTSUPP;
5846 		goto out_unlock;
5847 	}
5848 
5849 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5850 		params->acl = parse_acl_data(&rdev->wiphy, info);
5851 		if (IS_ERR(params->acl)) {
5852 			err = PTR_ERR(params->acl);
5853 			params->acl = NULL;
5854 			goto out_unlock;
5855 		}
5856 	}
5857 
5858 	params->twt_responder =
5859 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5860 
5861 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5862 		err = nl80211_parse_he_obss_pd(
5863 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5864 					&params->he_obss_pd);
5865 		if (err)
5866 			goto out_unlock;
5867 	}
5868 
5869 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5870 		err = nl80211_parse_fils_discovery(rdev,
5871 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5872 						   params);
5873 		if (err)
5874 			goto out_unlock;
5875 	}
5876 
5877 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5878 		err = nl80211_parse_unsol_bcast_probe_resp(
5879 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5880 			params);
5881 		if (err)
5882 			goto out_unlock;
5883 	}
5884 
5885 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5886 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5887 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5888 						  &params->mbssid_config,
5889 						  params->beacon.mbssid_ies ?
5890 							params->beacon.mbssid_ies->cnt :
5891 							0);
5892 		if (err)
5893 			goto out_unlock;
5894 	}
5895 
5896 	err = nl80211_calculate_ap_params(params);
5897 	if (err)
5898 		goto out_unlock;
5899 
5900 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5901 		params->flags = nla_get_u32(
5902 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5903 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5904 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5905 
5906 	if (wdev->conn_owner_nlportid &&
5907 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
5908 	    wdev->conn_owner_nlportid != info->snd_portid) {
5909 		err = -EINVAL;
5910 		goto out_unlock;
5911 	}
5912 
5913 	/* FIXME: validate MLO/link-id against driver capabilities */
5914 
5915 	err = rdev_start_ap(rdev, dev, params);
5916 	if (!err) {
5917 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
5918 		wdev->links[link_id].ap.chandef = params->chandef;
5919 		wdev->u.ap.ssid_len = params->ssid_len;
5920 		memcpy(wdev->u.ap.ssid, params->ssid,
5921 		       params->ssid_len);
5922 
5923 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5924 			wdev->conn_owner_nlportid = info->snd_portid;
5925 	}
5926 out_unlock:
5927 	wdev_unlock(wdev);
5928 out:
5929 	kfree(params->acl);
5930 	kfree(params->beacon.mbssid_ies);
5931 	if (params->mbssid_config.tx_wdev &&
5932 	    params->mbssid_config.tx_wdev->netdev &&
5933 	    params->mbssid_config.tx_wdev->netdev != dev)
5934 		dev_put(params->mbssid_config.tx_wdev->netdev);
5935 	kfree(params);
5936 
5937 	return err;
5938 }
5939 
5940 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5941 {
5942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5943 	unsigned int link_id = nl80211_link_id(info->attrs);
5944 	struct net_device *dev = info->user_ptr[1];
5945 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5946 	struct cfg80211_beacon_data params;
5947 	int err;
5948 
5949 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5950 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5951 		return -EOPNOTSUPP;
5952 
5953 	if (!rdev->ops->change_beacon)
5954 		return -EOPNOTSUPP;
5955 
5956 	if (!wdev->links[link_id].ap.beacon_interval)
5957 		return -EINVAL;
5958 
5959 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5960 	if (err)
5961 		goto out;
5962 
5963 	wdev_lock(wdev);
5964 	err = rdev_change_beacon(rdev, dev, &params);
5965 	wdev_unlock(wdev);
5966 
5967 out:
5968 	kfree(params.mbssid_ies);
5969 	return err;
5970 }
5971 
5972 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5973 {
5974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5975 	unsigned int link_id = nl80211_link_id(info->attrs);
5976 	struct net_device *dev = info->user_ptr[1];
5977 
5978 	return cfg80211_stop_ap(rdev, dev, link_id, false);
5979 }
5980 
5981 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5982 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5983 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5984 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5985 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5986 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5987 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5988 };
5989 
5990 static int parse_station_flags(struct genl_info *info,
5991 			       enum nl80211_iftype iftype,
5992 			       struct station_parameters *params)
5993 {
5994 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5995 	struct nlattr *nla;
5996 	int flag;
5997 
5998 	/*
5999 	 * Try parsing the new attribute first so userspace
6000 	 * can specify both for older kernels.
6001 	 */
6002 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6003 	if (nla) {
6004 		struct nl80211_sta_flag_update *sta_flags;
6005 
6006 		sta_flags = nla_data(nla);
6007 		params->sta_flags_mask = sta_flags->mask;
6008 		params->sta_flags_set = sta_flags->set;
6009 		params->sta_flags_set &= params->sta_flags_mask;
6010 		if ((params->sta_flags_mask |
6011 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6012 			return -EINVAL;
6013 		return 0;
6014 	}
6015 
6016 	/* if present, parse the old attribute */
6017 
6018 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6019 	if (!nla)
6020 		return 0;
6021 
6022 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6023 		return -EINVAL;
6024 
6025 	/*
6026 	 * Only allow certain flags for interface types so that
6027 	 * other attributes are silently ignored. Remember that
6028 	 * this is backward compatibility code with old userspace
6029 	 * and shouldn't be hit in other cases anyway.
6030 	 */
6031 	switch (iftype) {
6032 	case NL80211_IFTYPE_AP:
6033 	case NL80211_IFTYPE_AP_VLAN:
6034 	case NL80211_IFTYPE_P2P_GO:
6035 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6036 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6037 					 BIT(NL80211_STA_FLAG_WME) |
6038 					 BIT(NL80211_STA_FLAG_MFP);
6039 		break;
6040 	case NL80211_IFTYPE_P2P_CLIENT:
6041 	case NL80211_IFTYPE_STATION:
6042 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6043 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6044 		break;
6045 	case NL80211_IFTYPE_MESH_POINT:
6046 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6047 					 BIT(NL80211_STA_FLAG_MFP) |
6048 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6049 		break;
6050 	default:
6051 		return -EINVAL;
6052 	}
6053 
6054 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6055 		if (flags[flag]) {
6056 			params->sta_flags_set |= (1<<flag);
6057 
6058 			/* no longer support new API additions in old API */
6059 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6060 				return -EINVAL;
6061 		}
6062 	}
6063 
6064 	return 0;
6065 }
6066 
6067 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6068 {
6069 	struct nlattr *rate;
6070 	u32 bitrate;
6071 	u16 bitrate_compat;
6072 	enum nl80211_rate_info rate_flg;
6073 
6074 	rate = nla_nest_start_noflag(msg, attr);
6075 	if (!rate)
6076 		return false;
6077 
6078 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6079 	bitrate = cfg80211_calculate_bitrate(info);
6080 	/* report 16-bit bitrate only if we can */
6081 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6082 	if (bitrate > 0 &&
6083 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6084 		return false;
6085 	if (bitrate_compat > 0 &&
6086 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6087 		return false;
6088 
6089 	switch (info->bw) {
6090 	case RATE_INFO_BW_5:
6091 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6092 		break;
6093 	case RATE_INFO_BW_10:
6094 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6095 		break;
6096 	default:
6097 		WARN_ON(1);
6098 		fallthrough;
6099 	case RATE_INFO_BW_20:
6100 		rate_flg = 0;
6101 		break;
6102 	case RATE_INFO_BW_40:
6103 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6104 		break;
6105 	case RATE_INFO_BW_80:
6106 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6107 		break;
6108 	case RATE_INFO_BW_160:
6109 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6110 		break;
6111 	case RATE_INFO_BW_HE_RU:
6112 		rate_flg = 0;
6113 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6114 		break;
6115 	case RATE_INFO_BW_320:
6116 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6117 		break;
6118 	case RATE_INFO_BW_EHT_RU:
6119 		rate_flg = 0;
6120 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6121 		break;
6122 	}
6123 
6124 	if (rate_flg && nla_put_flag(msg, rate_flg))
6125 		return false;
6126 
6127 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6128 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6129 			return false;
6130 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6131 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6132 			return false;
6133 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6134 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6135 			return false;
6136 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6137 			return false;
6138 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6139 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6140 			return false;
6141 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6142 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6143 			return false;
6144 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6145 			return false;
6146 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6147 			return false;
6148 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6149 			return false;
6150 		if (info->bw == RATE_INFO_BW_HE_RU &&
6151 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6152 			       info->he_ru_alloc))
6153 			return false;
6154 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6155 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6156 			return false;
6157 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6158 			return false;
6159 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6160 			return false;
6161 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6162 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6163 			       info->eht_ru_alloc))
6164 			return false;
6165 	}
6166 
6167 	nla_nest_end(msg, rate);
6168 	return true;
6169 }
6170 
6171 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6172 			       int id)
6173 {
6174 	void *attr;
6175 	int i = 0;
6176 
6177 	if (!mask)
6178 		return true;
6179 
6180 	attr = nla_nest_start_noflag(msg, id);
6181 	if (!attr)
6182 		return false;
6183 
6184 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6185 		if (!(mask & BIT(i)))
6186 			continue;
6187 
6188 		if (nla_put_u8(msg, i, signal[i]))
6189 			return false;
6190 	}
6191 
6192 	nla_nest_end(msg, attr);
6193 
6194 	return true;
6195 }
6196 
6197 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6198 				u32 seq, int flags,
6199 				struct cfg80211_registered_device *rdev,
6200 				struct net_device *dev,
6201 				const u8 *mac_addr, struct station_info *sinfo)
6202 {
6203 	void *hdr;
6204 	struct nlattr *sinfoattr, *bss_param;
6205 
6206 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6207 	if (!hdr) {
6208 		cfg80211_sinfo_release_content(sinfo);
6209 		return -1;
6210 	}
6211 
6212 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6213 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6214 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6215 		goto nla_put_failure;
6216 
6217 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6218 	if (!sinfoattr)
6219 		goto nla_put_failure;
6220 
6221 #define PUT_SINFO(attr, memb, type) do {				\
6222 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6223 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6224 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6225 			     sinfo->memb))				\
6226 		goto nla_put_failure;					\
6227 	} while (0)
6228 #define PUT_SINFO_U64(attr, memb) do {					\
6229 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6230 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6231 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6232 		goto nla_put_failure;					\
6233 	} while (0)
6234 
6235 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6236 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6237 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6238 
6239 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6240 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6241 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6242 			(u32)sinfo->rx_bytes))
6243 		goto nla_put_failure;
6244 
6245 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6246 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6247 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6248 			(u32)sinfo->tx_bytes))
6249 		goto nla_put_failure;
6250 
6251 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6252 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6253 	PUT_SINFO(LLID, llid, u16);
6254 	PUT_SINFO(PLID, plid, u16);
6255 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6256 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6257 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6258 
6259 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6260 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6261 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6262 
6263 	switch (rdev->wiphy.signal_type) {
6264 	case CFG80211_SIGNAL_TYPE_MBM:
6265 		PUT_SINFO(SIGNAL, signal, u8);
6266 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6267 		break;
6268 	default:
6269 		break;
6270 	}
6271 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6272 		if (!nl80211_put_signal(msg, sinfo->chains,
6273 					sinfo->chain_signal,
6274 					NL80211_STA_INFO_CHAIN_SIGNAL))
6275 			goto nla_put_failure;
6276 	}
6277 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6278 		if (!nl80211_put_signal(msg, sinfo->chains,
6279 					sinfo->chain_signal_avg,
6280 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6281 			goto nla_put_failure;
6282 	}
6283 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6284 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6285 					  NL80211_STA_INFO_TX_BITRATE))
6286 			goto nla_put_failure;
6287 	}
6288 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6289 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6290 					  NL80211_STA_INFO_RX_BITRATE))
6291 			goto nla_put_failure;
6292 	}
6293 
6294 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6295 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6296 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6297 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6298 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6299 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6300 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6301 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6302 	PUT_SINFO(PEER_PM, peer_pm, u32);
6303 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6304 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6305 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6306 
6307 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6308 		bss_param = nla_nest_start_noflag(msg,
6309 						  NL80211_STA_INFO_BSS_PARAM);
6310 		if (!bss_param)
6311 			goto nla_put_failure;
6312 
6313 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6314 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6315 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6316 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6317 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6318 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6319 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6320 			       sinfo->bss_param.dtim_period) ||
6321 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6322 				sinfo->bss_param.beacon_interval))
6323 			goto nla_put_failure;
6324 
6325 		nla_nest_end(msg, bss_param);
6326 	}
6327 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6328 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6329 		    sizeof(struct nl80211_sta_flag_update),
6330 		    &sinfo->sta_flags))
6331 		goto nla_put_failure;
6332 
6333 	PUT_SINFO_U64(T_OFFSET, t_offset);
6334 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6335 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6336 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6337 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6338 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6339 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6340 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6341 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6342 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6343 	}
6344 
6345 #undef PUT_SINFO
6346 #undef PUT_SINFO_U64
6347 
6348 	if (sinfo->pertid) {
6349 		struct nlattr *tidsattr;
6350 		int tid;
6351 
6352 		tidsattr = nla_nest_start_noflag(msg,
6353 						 NL80211_STA_INFO_TID_STATS);
6354 		if (!tidsattr)
6355 			goto nla_put_failure;
6356 
6357 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6358 			struct cfg80211_tid_stats *tidstats;
6359 			struct nlattr *tidattr;
6360 
6361 			tidstats = &sinfo->pertid[tid];
6362 
6363 			if (!tidstats->filled)
6364 				continue;
6365 
6366 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6367 			if (!tidattr)
6368 				goto nla_put_failure;
6369 
6370 #define PUT_TIDVAL_U64(attr, memb) do {					\
6371 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6372 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6373 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6374 		goto nla_put_failure;					\
6375 	} while (0)
6376 
6377 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6378 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6379 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6380 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6381 
6382 #undef PUT_TIDVAL_U64
6383 			if ((tidstats->filled &
6384 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6385 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6386 						   NL80211_TID_STATS_TXQ_STATS))
6387 				goto nla_put_failure;
6388 
6389 			nla_nest_end(msg, tidattr);
6390 		}
6391 
6392 		nla_nest_end(msg, tidsattr);
6393 	}
6394 
6395 	nla_nest_end(msg, sinfoattr);
6396 
6397 	if (sinfo->assoc_req_ies_len &&
6398 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6399 		    sinfo->assoc_req_ies))
6400 		goto nla_put_failure;
6401 
6402 	cfg80211_sinfo_release_content(sinfo);
6403 	genlmsg_end(msg, hdr);
6404 	return 0;
6405 
6406  nla_put_failure:
6407 	cfg80211_sinfo_release_content(sinfo);
6408 	genlmsg_cancel(msg, hdr);
6409 	return -EMSGSIZE;
6410 }
6411 
6412 static int nl80211_dump_station(struct sk_buff *skb,
6413 				struct netlink_callback *cb)
6414 {
6415 	struct station_info sinfo;
6416 	struct cfg80211_registered_device *rdev;
6417 	struct wireless_dev *wdev;
6418 	u8 mac_addr[ETH_ALEN];
6419 	int sta_idx = cb->args[2];
6420 	int err;
6421 
6422 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6423 	if (err)
6424 		return err;
6425 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6426 	__acquire(&rdev->wiphy.mtx);
6427 
6428 	if (!wdev->netdev) {
6429 		err = -EINVAL;
6430 		goto out_err;
6431 	}
6432 
6433 	if (!rdev->ops->dump_station) {
6434 		err = -EOPNOTSUPP;
6435 		goto out_err;
6436 	}
6437 
6438 	while (1) {
6439 		memset(&sinfo, 0, sizeof(sinfo));
6440 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6441 					mac_addr, &sinfo);
6442 		if (err == -ENOENT)
6443 			break;
6444 		if (err)
6445 			goto out_err;
6446 
6447 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6448 				NETLINK_CB(cb->skb).portid,
6449 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6450 				rdev, wdev->netdev, mac_addr,
6451 				&sinfo) < 0)
6452 			goto out;
6453 
6454 		sta_idx++;
6455 	}
6456 
6457  out:
6458 	cb->args[2] = sta_idx;
6459 	err = skb->len;
6460  out_err:
6461 	wiphy_unlock(&rdev->wiphy);
6462 
6463 	return err;
6464 }
6465 
6466 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6467 {
6468 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6469 	struct net_device *dev = info->user_ptr[1];
6470 	struct station_info sinfo;
6471 	struct sk_buff *msg;
6472 	u8 *mac_addr = NULL;
6473 	int err;
6474 
6475 	memset(&sinfo, 0, sizeof(sinfo));
6476 
6477 	if (!info->attrs[NL80211_ATTR_MAC])
6478 		return -EINVAL;
6479 
6480 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6481 
6482 	if (!rdev->ops->get_station)
6483 		return -EOPNOTSUPP;
6484 
6485 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6486 	if (err)
6487 		return err;
6488 
6489 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6490 	if (!msg) {
6491 		cfg80211_sinfo_release_content(&sinfo);
6492 		return -ENOMEM;
6493 	}
6494 
6495 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6496 				 info->snd_portid, info->snd_seq, 0,
6497 				 rdev, dev, mac_addr, &sinfo) < 0) {
6498 		nlmsg_free(msg);
6499 		return -ENOBUFS;
6500 	}
6501 
6502 	return genlmsg_reply(msg, info);
6503 }
6504 
6505 int cfg80211_check_station_change(struct wiphy *wiphy,
6506 				  struct station_parameters *params,
6507 				  enum cfg80211_station_type statype)
6508 {
6509 	if (params->listen_interval != -1 &&
6510 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6511 		return -EINVAL;
6512 
6513 	if (params->support_p2p_ps != -1 &&
6514 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6515 		return -EINVAL;
6516 
6517 	if (params->aid &&
6518 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6519 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6520 		return -EINVAL;
6521 
6522 	/* When you run into this, adjust the code below for the new flag */
6523 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6524 
6525 	switch (statype) {
6526 	case CFG80211_STA_MESH_PEER_KERNEL:
6527 	case CFG80211_STA_MESH_PEER_USER:
6528 		/*
6529 		 * No ignoring the TDLS flag here -- the userspace mesh
6530 		 * code doesn't have the bug of including TDLS in the
6531 		 * mask everywhere.
6532 		 */
6533 		if (params->sta_flags_mask &
6534 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6535 				  BIT(NL80211_STA_FLAG_MFP) |
6536 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6537 			return -EINVAL;
6538 		break;
6539 	case CFG80211_STA_TDLS_PEER_SETUP:
6540 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6541 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6542 			return -EINVAL;
6543 		/* ignore since it can't change */
6544 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6545 		break;
6546 	default:
6547 		/* disallow mesh-specific things */
6548 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6549 			return -EINVAL;
6550 		if (params->local_pm)
6551 			return -EINVAL;
6552 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6553 			return -EINVAL;
6554 	}
6555 
6556 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6557 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6558 		/* TDLS can't be set, ... */
6559 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6560 			return -EINVAL;
6561 		/*
6562 		 * ... but don't bother the driver with it. This works around
6563 		 * a hostapd/wpa_supplicant issue -- it always includes the
6564 		 * TLDS_PEER flag in the mask even for AP mode.
6565 		 */
6566 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6567 	}
6568 
6569 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6570 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6571 		/* reject other things that can't change */
6572 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6573 			return -EINVAL;
6574 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6575 			return -EINVAL;
6576 		if (params->supported_rates)
6577 			return -EINVAL;
6578 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6579 		    params->he_capa || params->eht_capa)
6580 			return -EINVAL;
6581 	}
6582 
6583 	if (statype != CFG80211_STA_AP_CLIENT &&
6584 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6585 		if (params->vlan)
6586 			return -EINVAL;
6587 	}
6588 
6589 	switch (statype) {
6590 	case CFG80211_STA_AP_MLME_CLIENT:
6591 		/* Use this only for authorizing/unauthorizing a station */
6592 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6593 			return -EOPNOTSUPP;
6594 		break;
6595 	case CFG80211_STA_AP_CLIENT:
6596 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6597 		/* accept only the listed bits */
6598 		if (params->sta_flags_mask &
6599 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6600 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6601 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6602 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6603 				  BIT(NL80211_STA_FLAG_WME) |
6604 				  BIT(NL80211_STA_FLAG_MFP)))
6605 			return -EINVAL;
6606 
6607 		/* but authenticated/associated only if driver handles it */
6608 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6609 		    params->sta_flags_mask &
6610 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6611 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6612 			return -EINVAL;
6613 		break;
6614 	case CFG80211_STA_IBSS:
6615 	case CFG80211_STA_AP_STA:
6616 		/* reject any changes other than AUTHORIZED */
6617 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6618 			return -EINVAL;
6619 		break;
6620 	case CFG80211_STA_TDLS_PEER_SETUP:
6621 		/* reject any changes other than AUTHORIZED or WME */
6622 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6623 					       BIT(NL80211_STA_FLAG_WME)))
6624 			return -EINVAL;
6625 		/* force (at least) rates when authorizing */
6626 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6627 		    !params->supported_rates)
6628 			return -EINVAL;
6629 		break;
6630 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6631 		/* reject any changes */
6632 		return -EINVAL;
6633 	case CFG80211_STA_MESH_PEER_KERNEL:
6634 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6635 			return -EINVAL;
6636 		break;
6637 	case CFG80211_STA_MESH_PEER_USER:
6638 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6639 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6640 			return -EINVAL;
6641 		break;
6642 	}
6643 
6644 	/*
6645 	 * Older kernel versions ignored this attribute entirely, so don't
6646 	 * reject attempts to update it but mark it as unused instead so the
6647 	 * driver won't look at the data.
6648 	 */
6649 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6650 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6651 		params->opmode_notif_used = false;
6652 
6653 	return 0;
6654 }
6655 EXPORT_SYMBOL(cfg80211_check_station_change);
6656 
6657 /*
6658  * Get vlan interface making sure it is running and on the right wiphy.
6659  */
6660 static struct net_device *get_vlan(struct genl_info *info,
6661 				   struct cfg80211_registered_device *rdev)
6662 {
6663 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6664 	struct net_device *v;
6665 	int ret;
6666 
6667 	if (!vlanattr)
6668 		return NULL;
6669 
6670 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6671 	if (!v)
6672 		return ERR_PTR(-ENODEV);
6673 
6674 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6675 		ret = -EINVAL;
6676 		goto error;
6677 	}
6678 
6679 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6680 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6681 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6682 		ret = -EINVAL;
6683 		goto error;
6684 	}
6685 
6686 	if (!netif_running(v)) {
6687 		ret = -ENETDOWN;
6688 		goto error;
6689 	}
6690 
6691 	return v;
6692  error:
6693 	dev_put(v);
6694 	return ERR_PTR(ret);
6695 }
6696 
6697 static const struct nla_policy
6698 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6699 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6700 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6701 };
6702 
6703 static int nl80211_parse_sta_wme(struct genl_info *info,
6704 				 struct station_parameters *params)
6705 {
6706 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6707 	struct nlattr *nla;
6708 	int err;
6709 
6710 	/* parse WME attributes if present */
6711 	if (!info->attrs[NL80211_ATTR_STA_WME])
6712 		return 0;
6713 
6714 	nla = info->attrs[NL80211_ATTR_STA_WME];
6715 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6716 					  nl80211_sta_wme_policy,
6717 					  info->extack);
6718 	if (err)
6719 		return err;
6720 
6721 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6722 		params->uapsd_queues = nla_get_u8(
6723 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6724 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6725 		return -EINVAL;
6726 
6727 	if (tb[NL80211_STA_WME_MAX_SP])
6728 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6729 
6730 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6731 		return -EINVAL;
6732 
6733 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6734 
6735 	return 0;
6736 }
6737 
6738 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6739 				      struct station_parameters *params)
6740 {
6741 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6742 		params->supported_channels =
6743 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6744 		params->supported_channels_len =
6745 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6746 		/*
6747 		 * Need to include at least one (first channel, number of
6748 		 * channels) tuple for each subband (checked in policy),
6749 		 * and must have proper tuples for the rest of the data as well.
6750 		 */
6751 		if (params->supported_channels_len % 2)
6752 			return -EINVAL;
6753 	}
6754 
6755 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6756 		params->supported_oper_classes =
6757 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6758 		params->supported_oper_classes_len =
6759 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6760 	}
6761 	return 0;
6762 }
6763 
6764 static int nl80211_set_station_tdls(struct genl_info *info,
6765 				    struct station_parameters *params)
6766 {
6767 	int err;
6768 	/* Dummy STA entry gets updated once the peer capabilities are known */
6769 	if (info->attrs[NL80211_ATTR_PEER_AID])
6770 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6771 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6772 		params->ht_capa =
6773 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6774 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6775 		params->vht_capa =
6776 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6777 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6778 		params->he_capa =
6779 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6780 		params->he_capa_len =
6781 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6782 
6783 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6784 			params->eht_capa =
6785 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6786 			params->eht_capa_len =
6787 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6788 
6789 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_capa,
6790 							(const u8 *)params->eht_capa,
6791 							params->eht_capa_len))
6792 				return -EINVAL;
6793 		}
6794 	}
6795 
6796 	err = nl80211_parse_sta_channel_info(info, params);
6797 	if (err)
6798 		return err;
6799 
6800 	return nl80211_parse_sta_wme(info, params);
6801 }
6802 
6803 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6804 					     struct station_parameters *params)
6805 {
6806 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6807 	int idx;
6808 
6809 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6810 		if (!rdev->ops->set_tx_power ||
6811 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6812 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6813 			return -EOPNOTSUPP;
6814 
6815 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6816 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6817 
6818 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6819 			idx = NL80211_ATTR_STA_TX_POWER;
6820 
6821 			if (info->attrs[idx])
6822 				params->txpwr.power =
6823 					nla_get_s16(info->attrs[idx]);
6824 			else
6825 				return -EINVAL;
6826 		}
6827 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6828 	}
6829 
6830 	return 0;
6831 }
6832 
6833 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6834 {
6835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6836 	struct net_device *dev = info->user_ptr[1];
6837 	struct station_parameters params;
6838 	u8 *mac_addr;
6839 	int err;
6840 
6841 	memset(&params, 0, sizeof(params));
6842 
6843 	if (!rdev->ops->change_station)
6844 		return -EOPNOTSUPP;
6845 
6846 	/*
6847 	 * AID and listen_interval properties can be set only for unassociated
6848 	 * station. Include these parameters here and will check them in
6849 	 * cfg80211_check_station_change().
6850 	 */
6851 	if (info->attrs[NL80211_ATTR_STA_AID])
6852 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6853 
6854 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6855 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6856 
6857 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6858 		params.listen_interval =
6859 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6860 	else
6861 		params.listen_interval = -1;
6862 
6863 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6864 		params.support_p2p_ps =
6865 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6866 	else
6867 		params.support_p2p_ps = -1;
6868 
6869 	if (!info->attrs[NL80211_ATTR_MAC])
6870 		return -EINVAL;
6871 
6872 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6873 
6874 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6875 		params.supported_rates =
6876 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6877 		params.supported_rates_len =
6878 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6879 	}
6880 
6881 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6882 		params.capability =
6883 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6884 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6885 	}
6886 
6887 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6888 		params.ext_capab =
6889 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6890 		params.ext_capab_len =
6891 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6892 	}
6893 
6894 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6895 		return -EINVAL;
6896 
6897 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6898 		params.plink_action =
6899 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6900 
6901 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6902 		params.plink_state =
6903 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6904 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6905 			params.peer_aid = nla_get_u16(
6906 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6907 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6908 	}
6909 
6910 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6911 		params.local_pm = nla_get_u32(
6912 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6913 
6914 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6915 		params.opmode_notif_used = true;
6916 		params.opmode_notif =
6917 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6918 	}
6919 
6920 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6921 		params.he_6ghz_capa =
6922 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6923 
6924 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6925 		params.airtime_weight =
6926 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6927 
6928 	if (params.airtime_weight &&
6929 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6930 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6931 		return -EOPNOTSUPP;
6932 
6933 	err = nl80211_parse_sta_txpower_setting(info, &params);
6934 	if (err)
6935 		return err;
6936 
6937 	/* Include parameters for TDLS peer (will check later) */
6938 	err = nl80211_set_station_tdls(info, &params);
6939 	if (err)
6940 		return err;
6941 
6942 	params.vlan = get_vlan(info, rdev);
6943 	if (IS_ERR(params.vlan))
6944 		return PTR_ERR(params.vlan);
6945 
6946 	switch (dev->ieee80211_ptr->iftype) {
6947 	case NL80211_IFTYPE_AP:
6948 	case NL80211_IFTYPE_AP_VLAN:
6949 	case NL80211_IFTYPE_P2P_GO:
6950 	case NL80211_IFTYPE_P2P_CLIENT:
6951 	case NL80211_IFTYPE_STATION:
6952 	case NL80211_IFTYPE_ADHOC:
6953 	case NL80211_IFTYPE_MESH_POINT:
6954 		break;
6955 	default:
6956 		err = -EOPNOTSUPP;
6957 		goto out_put_vlan;
6958 	}
6959 
6960 	/* driver will call cfg80211_check_station_change() */
6961 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6962 
6963  out_put_vlan:
6964 	dev_put(params.vlan);
6965 
6966 	return err;
6967 }
6968 
6969 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6970 {
6971 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6972 	int err;
6973 	struct net_device *dev = info->user_ptr[1];
6974 	struct station_parameters params;
6975 	u8 *mac_addr = NULL;
6976 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6977 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6978 
6979 	memset(&params, 0, sizeof(params));
6980 
6981 	if (!rdev->ops->add_station)
6982 		return -EOPNOTSUPP;
6983 
6984 	if (!info->attrs[NL80211_ATTR_MAC])
6985 		return -EINVAL;
6986 
6987 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6988 		return -EINVAL;
6989 
6990 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6991 		return -EINVAL;
6992 
6993 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6994 	    !info->attrs[NL80211_ATTR_PEER_AID])
6995 		return -EINVAL;
6996 
6997 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6998 	params.supported_rates =
6999 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7000 	params.supported_rates_len =
7001 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7002 	params.listen_interval =
7003 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7004 
7005 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7006 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7007 
7008 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7009 		params.support_p2p_ps =
7010 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7011 	} else {
7012 		/*
7013 		 * if not specified, assume it's supported for P2P GO interface,
7014 		 * and is NOT supported for AP interface
7015 		 */
7016 		params.support_p2p_ps =
7017 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7018 	}
7019 
7020 	if (info->attrs[NL80211_ATTR_PEER_AID])
7021 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7022 	else
7023 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7024 
7025 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7026 		params.capability =
7027 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7028 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7029 	}
7030 
7031 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7032 		params.ext_capab =
7033 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7034 		params.ext_capab_len =
7035 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7036 	}
7037 
7038 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7039 		params.ht_capa =
7040 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7041 
7042 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7043 		params.vht_capa =
7044 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7045 
7046 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7047 		params.he_capa =
7048 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7049 		params.he_capa_len =
7050 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7051 
7052 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7053 			params.eht_capa =
7054 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7055 			params.eht_capa_len =
7056 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7057 
7058 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
7059 							(const u8 *)params.eht_capa,
7060 							params.eht_capa_len))
7061 				return -EINVAL;
7062 		}
7063 	}
7064 
7065 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7066 		params.he_6ghz_capa =
7067 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7068 
7069 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7070 		params.opmode_notif_used = true;
7071 		params.opmode_notif =
7072 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7073 	}
7074 
7075 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7076 		params.plink_action =
7077 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7078 
7079 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7080 		params.airtime_weight =
7081 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7082 
7083 	if (params.airtime_weight &&
7084 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7085 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7086 		return -EOPNOTSUPP;
7087 
7088 	err = nl80211_parse_sta_txpower_setting(info, &params);
7089 	if (err)
7090 		return err;
7091 
7092 	err = nl80211_parse_sta_channel_info(info, &params);
7093 	if (err)
7094 		return err;
7095 
7096 	err = nl80211_parse_sta_wme(info, &params);
7097 	if (err)
7098 		return err;
7099 
7100 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7101 		return -EINVAL;
7102 
7103 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7104 	 * as userspace might just pass through the capabilities from the IEs
7105 	 * directly, rather than enforcing this restriction and returning an
7106 	 * error in this case.
7107 	 */
7108 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7109 		params.ht_capa = NULL;
7110 		params.vht_capa = NULL;
7111 
7112 		/* HE and EHT require WME */
7113 		if (params.he_capa_len || params.he_6ghz_capa ||
7114 		    params.eht_capa_len)
7115 			return -EINVAL;
7116 	}
7117 
7118 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7119 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
7120 		return -EINVAL;
7121 
7122 	/* When you run into this, adjust the code below for the new flag */
7123 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7124 
7125 	switch (dev->ieee80211_ptr->iftype) {
7126 	case NL80211_IFTYPE_AP:
7127 	case NL80211_IFTYPE_AP_VLAN:
7128 	case NL80211_IFTYPE_P2P_GO:
7129 		/* ignore WME attributes if iface/sta is not capable */
7130 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7131 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7132 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7133 
7134 		/* TDLS peers cannot be added */
7135 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7136 		    info->attrs[NL80211_ATTR_PEER_AID])
7137 			return -EINVAL;
7138 		/* but don't bother the driver with it */
7139 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7140 
7141 		/* allow authenticated/associated only if driver handles it */
7142 		if (!(rdev->wiphy.features &
7143 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7144 		    params.sta_flags_mask & auth_assoc)
7145 			return -EINVAL;
7146 
7147 		/* Older userspace, or userspace wanting to be compatible with
7148 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7149 		 * and assoc flags in the mask, but assumes the station will be
7150 		 * added as associated anyway since this was the required driver
7151 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7152 		 * introduced.
7153 		 * In order to not bother drivers with this quirk in the API
7154 		 * set the flags in both the mask and set for new stations in
7155 		 * this case.
7156 		 */
7157 		if (!(params.sta_flags_mask & auth_assoc)) {
7158 			params.sta_flags_mask |= auth_assoc;
7159 			params.sta_flags_set |= auth_assoc;
7160 		}
7161 
7162 		/* must be last in here for error handling */
7163 		params.vlan = get_vlan(info, rdev);
7164 		if (IS_ERR(params.vlan))
7165 			return PTR_ERR(params.vlan);
7166 		break;
7167 	case NL80211_IFTYPE_MESH_POINT:
7168 		/* ignore uAPSD data */
7169 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7170 
7171 		/* associated is disallowed */
7172 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7173 			return -EINVAL;
7174 		/* TDLS peers cannot be added */
7175 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7176 		    info->attrs[NL80211_ATTR_PEER_AID])
7177 			return -EINVAL;
7178 		break;
7179 	case NL80211_IFTYPE_STATION:
7180 	case NL80211_IFTYPE_P2P_CLIENT:
7181 		/* ignore uAPSD data */
7182 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7183 
7184 		/* these are disallowed */
7185 		if (params.sta_flags_mask &
7186 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7187 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7188 			return -EINVAL;
7189 		/* Only TDLS peers can be added */
7190 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7191 			return -EINVAL;
7192 		/* Can only add if TDLS ... */
7193 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7194 			return -EOPNOTSUPP;
7195 		/* ... with external setup is supported */
7196 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7197 			return -EOPNOTSUPP;
7198 		/*
7199 		 * Older wpa_supplicant versions always mark the TDLS peer
7200 		 * as authorized, but it shouldn't yet be.
7201 		 */
7202 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7203 		break;
7204 	default:
7205 		return -EOPNOTSUPP;
7206 	}
7207 
7208 	/* be aware of params.vlan when changing code here */
7209 
7210 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7211 
7212 	dev_put(params.vlan);
7213 	return err;
7214 }
7215 
7216 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7217 {
7218 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7219 	struct net_device *dev = info->user_ptr[1];
7220 	struct station_del_parameters params;
7221 
7222 	memset(&params, 0, sizeof(params));
7223 
7224 	if (info->attrs[NL80211_ATTR_MAC])
7225 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7226 
7227 	switch (dev->ieee80211_ptr->iftype) {
7228 	case NL80211_IFTYPE_AP:
7229 	case NL80211_IFTYPE_AP_VLAN:
7230 	case NL80211_IFTYPE_MESH_POINT:
7231 	case NL80211_IFTYPE_P2P_GO:
7232 		/* always accept these */
7233 		break;
7234 	case NL80211_IFTYPE_ADHOC:
7235 		/* conditionally accept */
7236 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7237 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7238 			break;
7239 		return -EINVAL;
7240 	default:
7241 		return -EINVAL;
7242 	}
7243 
7244 	if (!rdev->ops->del_station)
7245 		return -EOPNOTSUPP;
7246 
7247 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7248 		params.subtype =
7249 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7250 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7251 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7252 			return -EINVAL;
7253 	} else {
7254 		/* Default to Deauthentication frame */
7255 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7256 	}
7257 
7258 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7259 		params.reason_code =
7260 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7261 		if (params.reason_code == 0)
7262 			return -EINVAL; /* 0 is reserved */
7263 	} else {
7264 		/* Default to reason code 2 */
7265 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7266 	}
7267 
7268 	return rdev_del_station(rdev, dev, &params);
7269 }
7270 
7271 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7272 				int flags, struct net_device *dev,
7273 				u8 *dst, u8 *next_hop,
7274 				struct mpath_info *pinfo)
7275 {
7276 	void *hdr;
7277 	struct nlattr *pinfoattr;
7278 
7279 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7280 	if (!hdr)
7281 		return -1;
7282 
7283 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7284 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7285 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7286 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7287 		goto nla_put_failure;
7288 
7289 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7290 	if (!pinfoattr)
7291 		goto nla_put_failure;
7292 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7293 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7294 			pinfo->frame_qlen))
7295 		goto nla_put_failure;
7296 	if (((pinfo->filled & MPATH_INFO_SN) &&
7297 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7298 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7299 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7300 			 pinfo->metric)) ||
7301 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7302 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7303 			 pinfo->exptime)) ||
7304 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7305 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7306 			pinfo->flags)) ||
7307 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7308 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7309 			 pinfo->discovery_timeout)) ||
7310 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7311 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7312 			pinfo->discovery_retries)) ||
7313 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7314 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7315 			pinfo->hop_count)) ||
7316 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7317 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7318 			 pinfo->path_change_count)))
7319 		goto nla_put_failure;
7320 
7321 	nla_nest_end(msg, pinfoattr);
7322 
7323 	genlmsg_end(msg, hdr);
7324 	return 0;
7325 
7326  nla_put_failure:
7327 	genlmsg_cancel(msg, hdr);
7328 	return -EMSGSIZE;
7329 }
7330 
7331 static int nl80211_dump_mpath(struct sk_buff *skb,
7332 			      struct netlink_callback *cb)
7333 {
7334 	struct mpath_info pinfo;
7335 	struct cfg80211_registered_device *rdev;
7336 	struct wireless_dev *wdev;
7337 	u8 dst[ETH_ALEN];
7338 	u8 next_hop[ETH_ALEN];
7339 	int path_idx = cb->args[2];
7340 	int err;
7341 
7342 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7343 	if (err)
7344 		return err;
7345 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7346 	__acquire(&rdev->wiphy.mtx);
7347 
7348 	if (!rdev->ops->dump_mpath) {
7349 		err = -EOPNOTSUPP;
7350 		goto out_err;
7351 	}
7352 
7353 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7354 		err = -EOPNOTSUPP;
7355 		goto out_err;
7356 	}
7357 
7358 	while (1) {
7359 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7360 				      next_hop, &pinfo);
7361 		if (err == -ENOENT)
7362 			break;
7363 		if (err)
7364 			goto out_err;
7365 
7366 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7367 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7368 				       wdev->netdev, dst, next_hop,
7369 				       &pinfo) < 0)
7370 			goto out;
7371 
7372 		path_idx++;
7373 	}
7374 
7375  out:
7376 	cb->args[2] = path_idx;
7377 	err = skb->len;
7378  out_err:
7379 	wiphy_unlock(&rdev->wiphy);
7380 	return err;
7381 }
7382 
7383 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7384 {
7385 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7386 	int err;
7387 	struct net_device *dev = info->user_ptr[1];
7388 	struct mpath_info pinfo;
7389 	struct sk_buff *msg;
7390 	u8 *dst = NULL;
7391 	u8 next_hop[ETH_ALEN];
7392 
7393 	memset(&pinfo, 0, sizeof(pinfo));
7394 
7395 	if (!info->attrs[NL80211_ATTR_MAC])
7396 		return -EINVAL;
7397 
7398 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7399 
7400 	if (!rdev->ops->get_mpath)
7401 		return -EOPNOTSUPP;
7402 
7403 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7404 		return -EOPNOTSUPP;
7405 
7406 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7407 	if (err)
7408 		return err;
7409 
7410 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7411 	if (!msg)
7412 		return -ENOMEM;
7413 
7414 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7415 				 dev, dst, next_hop, &pinfo) < 0) {
7416 		nlmsg_free(msg);
7417 		return -ENOBUFS;
7418 	}
7419 
7420 	return genlmsg_reply(msg, info);
7421 }
7422 
7423 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7424 {
7425 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7426 	struct net_device *dev = info->user_ptr[1];
7427 	u8 *dst = NULL;
7428 	u8 *next_hop = NULL;
7429 
7430 	if (!info->attrs[NL80211_ATTR_MAC])
7431 		return -EINVAL;
7432 
7433 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7434 		return -EINVAL;
7435 
7436 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7437 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7438 
7439 	if (!rdev->ops->change_mpath)
7440 		return -EOPNOTSUPP;
7441 
7442 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7443 		return -EOPNOTSUPP;
7444 
7445 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7446 }
7447 
7448 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7449 {
7450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7451 	struct net_device *dev = info->user_ptr[1];
7452 	u8 *dst = NULL;
7453 	u8 *next_hop = NULL;
7454 
7455 	if (!info->attrs[NL80211_ATTR_MAC])
7456 		return -EINVAL;
7457 
7458 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7459 		return -EINVAL;
7460 
7461 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7462 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7463 
7464 	if (!rdev->ops->add_mpath)
7465 		return -EOPNOTSUPP;
7466 
7467 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7468 		return -EOPNOTSUPP;
7469 
7470 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7471 }
7472 
7473 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7474 {
7475 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7476 	struct net_device *dev = info->user_ptr[1];
7477 	u8 *dst = NULL;
7478 
7479 	if (info->attrs[NL80211_ATTR_MAC])
7480 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7481 
7482 	if (!rdev->ops->del_mpath)
7483 		return -EOPNOTSUPP;
7484 
7485 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7486 		return -EOPNOTSUPP;
7487 
7488 	return rdev_del_mpath(rdev, dev, dst);
7489 }
7490 
7491 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7492 {
7493 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7494 	int err;
7495 	struct net_device *dev = info->user_ptr[1];
7496 	struct mpath_info pinfo;
7497 	struct sk_buff *msg;
7498 	u8 *dst = NULL;
7499 	u8 mpp[ETH_ALEN];
7500 
7501 	memset(&pinfo, 0, sizeof(pinfo));
7502 
7503 	if (!info->attrs[NL80211_ATTR_MAC])
7504 		return -EINVAL;
7505 
7506 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7507 
7508 	if (!rdev->ops->get_mpp)
7509 		return -EOPNOTSUPP;
7510 
7511 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7512 		return -EOPNOTSUPP;
7513 
7514 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7515 	if (err)
7516 		return err;
7517 
7518 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7519 	if (!msg)
7520 		return -ENOMEM;
7521 
7522 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7523 			       dev, dst, mpp, &pinfo) < 0) {
7524 		nlmsg_free(msg);
7525 		return -ENOBUFS;
7526 	}
7527 
7528 	return genlmsg_reply(msg, info);
7529 }
7530 
7531 static int nl80211_dump_mpp(struct sk_buff *skb,
7532 			    struct netlink_callback *cb)
7533 {
7534 	struct mpath_info pinfo;
7535 	struct cfg80211_registered_device *rdev;
7536 	struct wireless_dev *wdev;
7537 	u8 dst[ETH_ALEN];
7538 	u8 mpp[ETH_ALEN];
7539 	int path_idx = cb->args[2];
7540 	int err;
7541 
7542 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7543 	if (err)
7544 		return err;
7545 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7546 	__acquire(&rdev->wiphy.mtx);
7547 
7548 	if (!rdev->ops->dump_mpp) {
7549 		err = -EOPNOTSUPP;
7550 		goto out_err;
7551 	}
7552 
7553 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7554 		err = -EOPNOTSUPP;
7555 		goto out_err;
7556 	}
7557 
7558 	while (1) {
7559 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7560 				    mpp, &pinfo);
7561 		if (err == -ENOENT)
7562 			break;
7563 		if (err)
7564 			goto out_err;
7565 
7566 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7567 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7568 				       wdev->netdev, dst, mpp,
7569 				       &pinfo) < 0)
7570 			goto out;
7571 
7572 		path_idx++;
7573 	}
7574 
7575  out:
7576 	cb->args[2] = path_idx;
7577 	err = skb->len;
7578  out_err:
7579 	wiphy_unlock(&rdev->wiphy);
7580 	return err;
7581 }
7582 
7583 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7584 {
7585 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7586 	struct net_device *dev = info->user_ptr[1];
7587 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7588 	struct bss_parameters params;
7589 	int err;
7590 
7591 	memset(&params, 0, sizeof(params));
7592 	/* default to not changing parameters */
7593 	params.use_cts_prot = -1;
7594 	params.use_short_preamble = -1;
7595 	params.use_short_slot_time = -1;
7596 	params.ap_isolate = -1;
7597 	params.ht_opmode = -1;
7598 	params.p2p_ctwindow = -1;
7599 	params.p2p_opp_ps = -1;
7600 
7601 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7602 		params.use_cts_prot =
7603 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7604 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7605 		params.use_short_preamble =
7606 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7607 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7608 		params.use_short_slot_time =
7609 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7610 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7611 		params.basic_rates =
7612 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7613 		params.basic_rates_len =
7614 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7615 	}
7616 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7617 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7618 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7619 		params.ht_opmode =
7620 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7621 
7622 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7623 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7624 			return -EINVAL;
7625 		params.p2p_ctwindow =
7626 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7627 		if (params.p2p_ctwindow != 0 &&
7628 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7629 			return -EINVAL;
7630 	}
7631 
7632 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7633 		u8 tmp;
7634 
7635 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7636 			return -EINVAL;
7637 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7638 		params.p2p_opp_ps = tmp;
7639 		if (params.p2p_opp_ps &&
7640 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7641 			return -EINVAL;
7642 	}
7643 
7644 	if (!rdev->ops->change_bss)
7645 		return -EOPNOTSUPP;
7646 
7647 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7648 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7649 		return -EOPNOTSUPP;
7650 
7651 	wdev_lock(wdev);
7652 	err = rdev_change_bss(rdev, dev, &params);
7653 	wdev_unlock(wdev);
7654 
7655 	return err;
7656 }
7657 
7658 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7659 {
7660 	char *data = NULL;
7661 	bool is_indoor;
7662 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7663 	u32 owner_nlportid;
7664 
7665 	/*
7666 	 * You should only get this when cfg80211 hasn't yet initialized
7667 	 * completely when built-in to the kernel right between the time
7668 	 * window between nl80211_init() and regulatory_init(), if that is
7669 	 * even possible.
7670 	 */
7671 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7672 		return -EINPROGRESS;
7673 
7674 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7675 		user_reg_hint_type =
7676 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7677 	else
7678 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7679 
7680 	switch (user_reg_hint_type) {
7681 	case NL80211_USER_REG_HINT_USER:
7682 	case NL80211_USER_REG_HINT_CELL_BASE:
7683 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7684 			return -EINVAL;
7685 
7686 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7687 		return regulatory_hint_user(data, user_reg_hint_type);
7688 	case NL80211_USER_REG_HINT_INDOOR:
7689 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7690 			owner_nlportid = info->snd_portid;
7691 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7692 		} else {
7693 			owner_nlportid = 0;
7694 			is_indoor = true;
7695 		}
7696 
7697 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7698 	default:
7699 		return -EINVAL;
7700 	}
7701 }
7702 
7703 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7704 {
7705 	return reg_reload_regdb();
7706 }
7707 
7708 static int nl80211_get_mesh_config(struct sk_buff *skb,
7709 				   struct genl_info *info)
7710 {
7711 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7712 	struct net_device *dev = info->user_ptr[1];
7713 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7714 	struct mesh_config cur_params;
7715 	int err = 0;
7716 	void *hdr;
7717 	struct nlattr *pinfoattr;
7718 	struct sk_buff *msg;
7719 
7720 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7721 		return -EOPNOTSUPP;
7722 
7723 	if (!rdev->ops->get_mesh_config)
7724 		return -EOPNOTSUPP;
7725 
7726 	wdev_lock(wdev);
7727 	/* If not connected, get default parameters */
7728 	if (!wdev->u.mesh.id_len)
7729 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7730 	else
7731 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7732 	wdev_unlock(wdev);
7733 
7734 	if (err)
7735 		return err;
7736 
7737 	/* Draw up a netlink message to send back */
7738 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7739 	if (!msg)
7740 		return -ENOMEM;
7741 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7742 			     NL80211_CMD_GET_MESH_CONFIG);
7743 	if (!hdr)
7744 		goto out;
7745 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7746 	if (!pinfoattr)
7747 		goto nla_put_failure;
7748 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7749 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7750 			cur_params.dot11MeshRetryTimeout) ||
7751 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7752 			cur_params.dot11MeshConfirmTimeout) ||
7753 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7754 			cur_params.dot11MeshHoldingTimeout) ||
7755 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7756 			cur_params.dot11MeshMaxPeerLinks) ||
7757 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7758 		       cur_params.dot11MeshMaxRetries) ||
7759 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7760 		       cur_params.dot11MeshTTL) ||
7761 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7762 		       cur_params.element_ttl) ||
7763 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7764 		       cur_params.auto_open_plinks) ||
7765 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7766 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7767 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7768 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7769 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7770 			cur_params.path_refresh_time) ||
7771 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7772 			cur_params.min_discovery_timeout) ||
7773 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7774 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7775 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7776 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7777 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7778 			cur_params.dot11MeshHWMPperrMinInterval) ||
7779 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7780 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7781 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7782 		       cur_params.dot11MeshHWMPRootMode) ||
7783 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7784 			cur_params.dot11MeshHWMPRannInterval) ||
7785 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7786 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7787 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7788 		       cur_params.dot11MeshForwarding) ||
7789 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7790 			cur_params.rssi_threshold) ||
7791 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7792 			cur_params.ht_opmode) ||
7793 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7794 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7795 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7796 			cur_params.dot11MeshHWMProotInterval) ||
7797 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7798 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7799 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7800 			cur_params.power_mode) ||
7801 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7802 			cur_params.dot11MeshAwakeWindowDuration) ||
7803 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7804 			cur_params.plink_timeout) ||
7805 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7806 		       cur_params.dot11MeshConnectedToMeshGate) ||
7807 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7808 		       cur_params.dot11MeshNolearn) ||
7809 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7810 		       cur_params.dot11MeshConnectedToAuthServer))
7811 		goto nla_put_failure;
7812 	nla_nest_end(msg, pinfoattr);
7813 	genlmsg_end(msg, hdr);
7814 	return genlmsg_reply(msg, info);
7815 
7816  nla_put_failure:
7817  out:
7818 	nlmsg_free(msg);
7819 	return -ENOBUFS;
7820 }
7821 
7822 static const struct nla_policy
7823 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7824 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7825 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7826 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7827 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7828 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7829 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7830 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7831 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7832 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7833 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7834 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7835 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7836 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7837 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7838 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7839 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7840 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7841 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7842 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7843 		NLA_POLICY_MIN(NLA_U16, 1),
7844 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7845 		NLA_POLICY_MIN(NLA_U16, 1),
7846 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7847 		NLA_POLICY_MIN(NLA_U16, 1),
7848 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7849 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7850 		NLA_POLICY_MIN(NLA_U16, 1),
7851 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7852 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7853 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7854 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7855 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7856 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7857 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7858 		NLA_POLICY_MIN(NLA_U16, 1),
7859 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7860 		NLA_POLICY_MIN(NLA_U16, 1),
7861 	[NL80211_MESHCONF_POWER_MODE] =
7862 		NLA_POLICY_RANGE(NLA_U32,
7863 				 NL80211_MESH_POWER_ACTIVE,
7864 				 NL80211_MESH_POWER_MAX),
7865 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7866 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7867 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7868 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7869 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7870 };
7871 
7872 static const struct nla_policy
7873 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7874 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7875 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7876 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7877 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7878 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7879 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7880 	[NL80211_MESH_SETUP_IE] =
7881 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7882 				       IEEE80211_MAX_DATA_LEN),
7883 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7884 };
7885 
7886 static int nl80211_parse_mesh_config(struct genl_info *info,
7887 				     struct mesh_config *cfg,
7888 				     u32 *mask_out)
7889 {
7890 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7891 	u32 mask = 0;
7892 	u16 ht_opmode;
7893 
7894 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7895 do {									\
7896 	if (tb[attr]) {							\
7897 		cfg->param = fn(tb[attr]);				\
7898 		mask |= BIT((attr) - 1);				\
7899 	}								\
7900 } while (0)
7901 
7902 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7903 		return -EINVAL;
7904 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7905 		return -EINVAL;
7906 
7907 	/* This makes sure that there aren't more than 32 mesh config
7908 	 * parameters (otherwise our bitfield scheme would not work.) */
7909 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7910 
7911 	/* Fill in the params struct */
7912 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7913 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7914 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7915 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7916 				  nla_get_u16);
7917 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7918 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7919 				  nla_get_u16);
7920 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7921 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7922 				  nla_get_u16);
7923 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7924 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7925 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7926 				  NL80211_MESHCONF_TTL, nla_get_u8);
7927 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7928 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7929 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7930 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7931 				  nla_get_u8);
7932 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7933 				  mask,
7934 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7935 				  nla_get_u32);
7936 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7937 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7938 				  nla_get_u8);
7939 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7940 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7941 				  nla_get_u32);
7942 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7943 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7944 		return -EINVAL;
7945 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7946 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7947 				  nla_get_u16);
7948 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7949 				  mask,
7950 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7951 				  nla_get_u32);
7952 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7953 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7954 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7955 		return -EINVAL;
7956 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7957 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7958 				  nla_get_u16);
7959 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7960 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7961 				  nla_get_u16);
7962 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7963 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7964 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7965 				  nla_get_u16);
7966 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7967 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7968 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7969 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7970 				  nla_get_u16);
7971 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7972 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7973 				  nla_get_u8);
7974 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7975 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7976 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7977 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7978 				  nla_get_s32);
7979 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7980 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7981 				  nla_get_u8);
7982 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7983 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7984 				  nla_get_u8);
7985 	/*
7986 	 * Check HT operation mode based on
7987 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7988 	 */
7989 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7990 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7991 
7992 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7993 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7994 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7995 			return -EINVAL;
7996 
7997 		/* NON_HT_STA bit is reserved, but some programs set it */
7998 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7999 
8000 		cfg->ht_opmode = ht_opmode;
8001 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8002 	}
8003 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8004 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8005 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8006 				  nla_get_u32);
8007 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8008 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8009 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8010 		return -EINVAL;
8011 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8012 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8013 				  nla_get_u16);
8014 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8015 				  mask,
8016 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8017 				  nla_get_u16);
8018 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8019 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8020 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8021 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8022 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8023 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8024 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8025 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8026 	if (mask_out)
8027 		*mask_out = mask;
8028 
8029 	return 0;
8030 
8031 #undef FILL_IN_MESH_PARAM_IF_SET
8032 }
8033 
8034 static int nl80211_parse_mesh_setup(struct genl_info *info,
8035 				     struct mesh_setup *setup)
8036 {
8037 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8038 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8039 
8040 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8041 		return -EINVAL;
8042 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8043 		return -EINVAL;
8044 
8045 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8046 		setup->sync_method =
8047 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8048 		 IEEE80211_SYNC_METHOD_VENDOR :
8049 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8050 
8051 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8052 		setup->path_sel_proto =
8053 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8054 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8055 		 IEEE80211_PATH_PROTOCOL_HWMP;
8056 
8057 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8058 		setup->path_metric =
8059 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8060 		 IEEE80211_PATH_METRIC_VENDOR :
8061 		 IEEE80211_PATH_METRIC_AIRTIME;
8062 
8063 	if (tb[NL80211_MESH_SETUP_IE]) {
8064 		struct nlattr *ieattr =
8065 			tb[NL80211_MESH_SETUP_IE];
8066 		setup->ie = nla_data(ieattr);
8067 		setup->ie_len = nla_len(ieattr);
8068 	}
8069 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8070 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8071 		return -EINVAL;
8072 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8073 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8074 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8075 	if (setup->is_secure)
8076 		setup->user_mpm = true;
8077 
8078 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8079 		if (!setup->user_mpm)
8080 			return -EINVAL;
8081 		setup->auth_id =
8082 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8083 	}
8084 
8085 	return 0;
8086 }
8087 
8088 static int nl80211_update_mesh_config(struct sk_buff *skb,
8089 				      struct genl_info *info)
8090 {
8091 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8092 	struct net_device *dev = info->user_ptr[1];
8093 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8094 	struct mesh_config cfg;
8095 	u32 mask;
8096 	int err;
8097 
8098 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8099 		return -EOPNOTSUPP;
8100 
8101 	if (!rdev->ops->update_mesh_config)
8102 		return -EOPNOTSUPP;
8103 
8104 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8105 	if (err)
8106 		return err;
8107 
8108 	wdev_lock(wdev);
8109 	if (!wdev->u.mesh.id_len)
8110 		err = -ENOLINK;
8111 
8112 	if (!err)
8113 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8114 
8115 	wdev_unlock(wdev);
8116 
8117 	return err;
8118 }
8119 
8120 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8121 			      struct sk_buff *msg)
8122 {
8123 	struct nlattr *nl_reg_rules;
8124 	unsigned int i;
8125 
8126 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8127 	    (regdom->dfs_region &&
8128 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8129 		goto nla_put_failure;
8130 
8131 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8132 	if (!nl_reg_rules)
8133 		goto nla_put_failure;
8134 
8135 	for (i = 0; i < regdom->n_reg_rules; i++) {
8136 		struct nlattr *nl_reg_rule;
8137 		const struct ieee80211_reg_rule *reg_rule;
8138 		const struct ieee80211_freq_range *freq_range;
8139 		const struct ieee80211_power_rule *power_rule;
8140 		unsigned int max_bandwidth_khz;
8141 
8142 		reg_rule = &regdom->reg_rules[i];
8143 		freq_range = &reg_rule->freq_range;
8144 		power_rule = &reg_rule->power_rule;
8145 
8146 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8147 		if (!nl_reg_rule)
8148 			goto nla_put_failure;
8149 
8150 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8151 		if (!max_bandwidth_khz)
8152 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8153 								  reg_rule);
8154 
8155 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8156 				reg_rule->flags) ||
8157 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8158 				freq_range->start_freq_khz) ||
8159 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8160 				freq_range->end_freq_khz) ||
8161 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8162 				max_bandwidth_khz) ||
8163 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8164 				power_rule->max_antenna_gain) ||
8165 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8166 				power_rule->max_eirp) ||
8167 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8168 				reg_rule->dfs_cac_ms))
8169 			goto nla_put_failure;
8170 
8171 		nla_nest_end(msg, nl_reg_rule);
8172 	}
8173 
8174 	nla_nest_end(msg, nl_reg_rules);
8175 	return 0;
8176 
8177 nla_put_failure:
8178 	return -EMSGSIZE;
8179 }
8180 
8181 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8182 {
8183 	const struct ieee80211_regdomain *regdom = NULL;
8184 	struct cfg80211_registered_device *rdev;
8185 	struct wiphy *wiphy = NULL;
8186 	struct sk_buff *msg;
8187 	int err = -EMSGSIZE;
8188 	void *hdr;
8189 
8190 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8191 	if (!msg)
8192 		return -ENOBUFS;
8193 
8194 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8195 			     NL80211_CMD_GET_REG);
8196 	if (!hdr)
8197 		goto put_failure;
8198 
8199 	rtnl_lock();
8200 
8201 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8202 		bool self_managed;
8203 
8204 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8205 		if (IS_ERR(rdev)) {
8206 			err = PTR_ERR(rdev);
8207 			goto nla_put_failure;
8208 		}
8209 
8210 		wiphy = &rdev->wiphy;
8211 		self_managed = wiphy->regulatory_flags &
8212 			       REGULATORY_WIPHY_SELF_MANAGED;
8213 
8214 		rcu_read_lock();
8215 
8216 		regdom = get_wiphy_regdom(wiphy);
8217 
8218 		/* a self-managed-reg device must have a private regdom */
8219 		if (WARN_ON(!regdom && self_managed)) {
8220 			err = -EINVAL;
8221 			goto nla_put_failure_rcu;
8222 		}
8223 
8224 		if (regdom &&
8225 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8226 			goto nla_put_failure_rcu;
8227 	} else {
8228 		rcu_read_lock();
8229 	}
8230 
8231 	if (!wiphy && reg_last_request_cell_base() &&
8232 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8233 			NL80211_USER_REG_HINT_CELL_BASE))
8234 		goto nla_put_failure_rcu;
8235 
8236 	if (!regdom)
8237 		regdom = rcu_dereference(cfg80211_regdomain);
8238 
8239 	if (nl80211_put_regdom(regdom, msg))
8240 		goto nla_put_failure_rcu;
8241 
8242 	rcu_read_unlock();
8243 
8244 	genlmsg_end(msg, hdr);
8245 	rtnl_unlock();
8246 	return genlmsg_reply(msg, info);
8247 
8248 nla_put_failure_rcu:
8249 	rcu_read_unlock();
8250 nla_put_failure:
8251 	rtnl_unlock();
8252 put_failure:
8253 	nlmsg_free(msg);
8254 	return err;
8255 }
8256 
8257 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8258 			       u32 seq, int flags, struct wiphy *wiphy,
8259 			       const struct ieee80211_regdomain *regdom)
8260 {
8261 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8262 				   NL80211_CMD_GET_REG);
8263 
8264 	if (!hdr)
8265 		return -1;
8266 
8267 	genl_dump_check_consistent(cb, hdr);
8268 
8269 	if (nl80211_put_regdom(regdom, msg))
8270 		goto nla_put_failure;
8271 
8272 	if (!wiphy && reg_last_request_cell_base() &&
8273 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8274 			NL80211_USER_REG_HINT_CELL_BASE))
8275 		goto nla_put_failure;
8276 
8277 	if (wiphy &&
8278 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8279 		goto nla_put_failure;
8280 
8281 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8282 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8283 		goto nla_put_failure;
8284 
8285 	genlmsg_end(msg, hdr);
8286 	return 0;
8287 
8288 nla_put_failure:
8289 	genlmsg_cancel(msg, hdr);
8290 	return -EMSGSIZE;
8291 }
8292 
8293 static int nl80211_get_reg_dump(struct sk_buff *skb,
8294 				struct netlink_callback *cb)
8295 {
8296 	const struct ieee80211_regdomain *regdom = NULL;
8297 	struct cfg80211_registered_device *rdev;
8298 	int err, reg_idx, start = cb->args[2];
8299 
8300 	rcu_read_lock();
8301 
8302 	if (cfg80211_regdomain && start == 0) {
8303 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8304 					  NLM_F_MULTI, NULL,
8305 					  rcu_dereference(cfg80211_regdomain));
8306 		if (err < 0)
8307 			goto out_err;
8308 	}
8309 
8310 	/* the global regdom is idx 0 */
8311 	reg_idx = 1;
8312 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8313 		regdom = get_wiphy_regdom(&rdev->wiphy);
8314 		if (!regdom)
8315 			continue;
8316 
8317 		if (++reg_idx <= start)
8318 			continue;
8319 
8320 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8321 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8322 		if (err < 0) {
8323 			reg_idx--;
8324 			break;
8325 		}
8326 	}
8327 
8328 	cb->args[2] = reg_idx;
8329 	err = skb->len;
8330 out_err:
8331 	rcu_read_unlock();
8332 	return err;
8333 }
8334 
8335 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8336 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8337 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8338 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8339 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8340 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8341 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8342 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8343 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8344 };
8345 
8346 static int parse_reg_rule(struct nlattr *tb[],
8347 	struct ieee80211_reg_rule *reg_rule)
8348 {
8349 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8350 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8351 
8352 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8353 		return -EINVAL;
8354 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8355 		return -EINVAL;
8356 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8357 		return -EINVAL;
8358 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8359 		return -EINVAL;
8360 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8361 		return -EINVAL;
8362 
8363 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8364 
8365 	freq_range->start_freq_khz =
8366 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8367 	freq_range->end_freq_khz =
8368 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8369 	freq_range->max_bandwidth_khz =
8370 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8371 
8372 	power_rule->max_eirp =
8373 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8374 
8375 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8376 		power_rule->max_antenna_gain =
8377 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8378 
8379 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8380 		reg_rule->dfs_cac_ms =
8381 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8382 
8383 	return 0;
8384 }
8385 
8386 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8387 {
8388 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8389 	struct nlattr *nl_reg_rule;
8390 	char *alpha2;
8391 	int rem_reg_rules, r;
8392 	u32 num_rules = 0, rule_idx = 0;
8393 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8394 	struct ieee80211_regdomain *rd;
8395 
8396 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8397 		return -EINVAL;
8398 
8399 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8400 		return -EINVAL;
8401 
8402 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8403 
8404 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8405 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8406 
8407 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8408 			    rem_reg_rules) {
8409 		num_rules++;
8410 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8411 			return -EINVAL;
8412 	}
8413 
8414 	rtnl_lock();
8415 	if (!reg_is_valid_request(alpha2)) {
8416 		r = -EINVAL;
8417 		goto out;
8418 	}
8419 
8420 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8421 	if (!rd) {
8422 		r = -ENOMEM;
8423 		goto out;
8424 	}
8425 
8426 	rd->n_reg_rules = num_rules;
8427 	rd->alpha2[0] = alpha2[0];
8428 	rd->alpha2[1] = alpha2[1];
8429 
8430 	/*
8431 	 * Disable DFS master mode if the DFS region was
8432 	 * not supported or known on this kernel.
8433 	 */
8434 	if (reg_supported_dfs_region(dfs_region))
8435 		rd->dfs_region = dfs_region;
8436 
8437 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8438 			    rem_reg_rules) {
8439 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8440 						nl_reg_rule, reg_rule_policy,
8441 						info->extack);
8442 		if (r)
8443 			goto bad_reg;
8444 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8445 		if (r)
8446 			goto bad_reg;
8447 
8448 		rule_idx++;
8449 
8450 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8451 			r = -EINVAL;
8452 			goto bad_reg;
8453 		}
8454 	}
8455 
8456 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8457 	/* set_regdom takes ownership of rd */
8458 	rd = NULL;
8459  bad_reg:
8460 	kfree(rd);
8461  out:
8462 	rtnl_unlock();
8463 	return r;
8464 }
8465 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8466 
8467 static int validate_scan_freqs(struct nlattr *freqs)
8468 {
8469 	struct nlattr *attr1, *attr2;
8470 	int n_channels = 0, tmp1, tmp2;
8471 
8472 	nla_for_each_nested(attr1, freqs, tmp1)
8473 		if (nla_len(attr1) != sizeof(u32))
8474 			return 0;
8475 
8476 	nla_for_each_nested(attr1, freqs, tmp1) {
8477 		n_channels++;
8478 		/*
8479 		 * Some hardware has a limited channel list for
8480 		 * scanning, and it is pretty much nonsensical
8481 		 * to scan for a channel twice, so disallow that
8482 		 * and don't require drivers to check that the
8483 		 * channel list they get isn't longer than what
8484 		 * they can scan, as long as they can scan all
8485 		 * the channels they registered at once.
8486 		 */
8487 		nla_for_each_nested(attr2, freqs, tmp2)
8488 			if (attr1 != attr2 &&
8489 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8490 				return 0;
8491 	}
8492 
8493 	return n_channels;
8494 }
8495 
8496 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8497 {
8498 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8499 }
8500 
8501 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8502 			    struct cfg80211_bss_selection *bss_select)
8503 {
8504 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8505 	struct nlattr *nest;
8506 	int err;
8507 	bool found = false;
8508 	int i;
8509 
8510 	/* only process one nested attribute */
8511 	nest = nla_data(nla);
8512 	if (!nla_ok(nest, nla_len(nest)))
8513 		return -EINVAL;
8514 
8515 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8516 					  nest, nl80211_bss_select_policy,
8517 					  NULL);
8518 	if (err)
8519 		return err;
8520 
8521 	/* only one attribute may be given */
8522 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8523 		if (attr[i]) {
8524 			if (found)
8525 				return -EINVAL;
8526 			found = true;
8527 		}
8528 	}
8529 
8530 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8531 
8532 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8533 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8534 
8535 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8536 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8537 		bss_select->param.band_pref =
8538 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8539 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8540 			return -EINVAL;
8541 	}
8542 
8543 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8544 		struct nl80211_bss_select_rssi_adjust *adj_param;
8545 
8546 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8547 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8548 		bss_select->param.adjust.band = adj_param->band;
8549 		bss_select->param.adjust.delta = adj_param->delta;
8550 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8551 			return -EINVAL;
8552 	}
8553 
8554 	/* user-space did not provide behaviour attribute */
8555 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8556 		return -EINVAL;
8557 
8558 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8559 		return -EINVAL;
8560 
8561 	return 0;
8562 }
8563 
8564 int nl80211_parse_random_mac(struct nlattr **attrs,
8565 			     u8 *mac_addr, u8 *mac_addr_mask)
8566 {
8567 	int i;
8568 
8569 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8570 		eth_zero_addr(mac_addr);
8571 		eth_zero_addr(mac_addr_mask);
8572 		mac_addr[0] = 0x2;
8573 		mac_addr_mask[0] = 0x3;
8574 
8575 		return 0;
8576 	}
8577 
8578 	/* need both or none */
8579 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8580 		return -EINVAL;
8581 
8582 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8583 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8584 
8585 	/* don't allow or configure an mcast address */
8586 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8587 	    is_multicast_ether_addr(mac_addr))
8588 		return -EINVAL;
8589 
8590 	/*
8591 	 * allow users to pass a MAC address that has bits set outside
8592 	 * of the mask, but don't bother drivers with having to deal
8593 	 * with such bits
8594 	 */
8595 	for (i = 0; i < ETH_ALEN; i++)
8596 		mac_addr[i] &= mac_addr_mask[i];
8597 
8598 	return 0;
8599 }
8600 
8601 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
8602 					      struct ieee80211_channel *chan)
8603 {
8604 	unsigned int link_id;
8605 	bool all_ok = true;
8606 
8607 	ASSERT_WDEV_LOCK(wdev);
8608 
8609 	if (!cfg80211_beaconing_iface_active(wdev))
8610 		return true;
8611 
8612 	/*
8613 	 * FIXME: check if we have a free HW resource/link for chan
8614 	 *
8615 	 * This, as well as the FIXME below, requires knowing the link
8616 	 * capabilities of the hardware.
8617 	 */
8618 
8619 	/* we cannot leave radar channels */
8620 	for_each_valid_link(wdev, link_id) {
8621 		struct cfg80211_chan_def *chandef;
8622 
8623 		chandef = wdev_chandef(wdev, link_id);
8624 		if (!chandef)
8625 			continue;
8626 
8627 		/*
8628 		 * FIXME: don't require all_ok, but rather check only the
8629 		 *	  correct HW resource/link onto which 'chan' falls,
8630 		 *	  as only that link leaves the channel for doing
8631 		 *	  the off-channel operation.
8632 		 */
8633 
8634 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
8635 			all_ok = false;
8636 	}
8637 
8638 	if (all_ok)
8639 		return true;
8640 
8641 	return regulatory_pre_cac_allowed(wdev->wiphy);
8642 }
8643 
8644 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8645 				    enum nl80211_ext_feature_index feat)
8646 {
8647 	if (!(flags & flag))
8648 		return true;
8649 	if (wiphy_ext_feature_isset(wiphy, feat))
8650 		return true;
8651 	return false;
8652 }
8653 
8654 static int
8655 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8656 			 void *request, struct nlattr **attrs,
8657 			 bool is_sched_scan)
8658 {
8659 	u8 *mac_addr, *mac_addr_mask;
8660 	u32 *flags;
8661 	enum nl80211_feature_flags randomness_flag;
8662 
8663 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8664 		return 0;
8665 
8666 	if (is_sched_scan) {
8667 		struct cfg80211_sched_scan_request *req = request;
8668 
8669 		randomness_flag = wdev ?
8670 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8671 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8672 		flags = &req->flags;
8673 		mac_addr = req->mac_addr;
8674 		mac_addr_mask = req->mac_addr_mask;
8675 	} else {
8676 		struct cfg80211_scan_request *req = request;
8677 
8678 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8679 		flags = &req->flags;
8680 		mac_addr = req->mac_addr;
8681 		mac_addr_mask = req->mac_addr_mask;
8682 	}
8683 
8684 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8685 
8686 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8687 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8688 	    !nl80211_check_scan_feat(wiphy, *flags,
8689 				     NL80211_SCAN_FLAG_LOW_SPAN,
8690 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8691 	    !nl80211_check_scan_feat(wiphy, *flags,
8692 				     NL80211_SCAN_FLAG_LOW_POWER,
8693 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8694 	    !nl80211_check_scan_feat(wiphy, *flags,
8695 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8696 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8697 	    !nl80211_check_scan_feat(wiphy, *flags,
8698 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8699 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8700 	    !nl80211_check_scan_feat(wiphy, *flags,
8701 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8702 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8703 	    !nl80211_check_scan_feat(wiphy, *flags,
8704 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8705 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8706 	    !nl80211_check_scan_feat(wiphy, *flags,
8707 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8708 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8709 	    !nl80211_check_scan_feat(wiphy, *flags,
8710 				     NL80211_SCAN_FLAG_RANDOM_SN,
8711 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8712 	    !nl80211_check_scan_feat(wiphy, *flags,
8713 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8714 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8715 		return -EOPNOTSUPP;
8716 
8717 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8718 		int err;
8719 
8720 		if (!(wiphy->features & randomness_flag) ||
8721 		    (wdev && wdev->connected))
8722 			return -EOPNOTSUPP;
8723 
8724 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8725 		if (err)
8726 			return err;
8727 	}
8728 
8729 	return 0;
8730 }
8731 
8732 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8733 {
8734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8735 	struct wireless_dev *wdev = info->user_ptr[1];
8736 	struct cfg80211_scan_request *request;
8737 	struct nlattr *scan_freqs = NULL;
8738 	bool scan_freqs_khz = false;
8739 	struct nlattr *attr;
8740 	struct wiphy *wiphy;
8741 	int err, tmp, n_ssids = 0, n_channels, i;
8742 	size_t ie_len;
8743 
8744 	wiphy = &rdev->wiphy;
8745 
8746 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8747 		return -EOPNOTSUPP;
8748 
8749 	if (!rdev->ops->scan)
8750 		return -EOPNOTSUPP;
8751 
8752 	if (rdev->scan_req || rdev->scan_msg)
8753 		return -EBUSY;
8754 
8755 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8756 		if (!wiphy_ext_feature_isset(wiphy,
8757 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8758 			return -EOPNOTSUPP;
8759 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8760 		scan_freqs_khz = true;
8761 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8762 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8763 
8764 	if (scan_freqs) {
8765 		n_channels = validate_scan_freqs(scan_freqs);
8766 		if (!n_channels)
8767 			return -EINVAL;
8768 	} else {
8769 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8770 	}
8771 
8772 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8773 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8774 			n_ssids++;
8775 
8776 	if (n_ssids > wiphy->max_scan_ssids)
8777 		return -EINVAL;
8778 
8779 	if (info->attrs[NL80211_ATTR_IE])
8780 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8781 	else
8782 		ie_len = 0;
8783 
8784 	if (ie_len > wiphy->max_scan_ie_len)
8785 		return -EINVAL;
8786 
8787 	request = kzalloc(sizeof(*request)
8788 			+ sizeof(*request->ssids) * n_ssids
8789 			+ sizeof(*request->channels) * n_channels
8790 			+ ie_len, GFP_KERNEL);
8791 	if (!request)
8792 		return -ENOMEM;
8793 
8794 	if (n_ssids)
8795 		request->ssids = (void *)&request->channels[n_channels];
8796 	request->n_ssids = n_ssids;
8797 	if (ie_len) {
8798 		if (n_ssids)
8799 			request->ie = (void *)(request->ssids + n_ssids);
8800 		else
8801 			request->ie = (void *)(request->channels + n_channels);
8802 	}
8803 
8804 	i = 0;
8805 	if (scan_freqs) {
8806 		/* user specified, bail out if channel not found */
8807 		nla_for_each_nested(attr, scan_freqs, tmp) {
8808 			struct ieee80211_channel *chan;
8809 			int freq = nla_get_u32(attr);
8810 
8811 			if (!scan_freqs_khz)
8812 				freq = MHZ_TO_KHZ(freq);
8813 
8814 			chan = ieee80211_get_channel_khz(wiphy, freq);
8815 			if (!chan) {
8816 				err = -EINVAL;
8817 				goto out_free;
8818 			}
8819 
8820 			/* ignore disabled channels */
8821 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8822 				continue;
8823 
8824 			request->channels[i] = chan;
8825 			i++;
8826 		}
8827 	} else {
8828 		enum nl80211_band band;
8829 
8830 		/* all channels */
8831 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8832 			int j;
8833 
8834 			if (!wiphy->bands[band])
8835 				continue;
8836 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8837 				struct ieee80211_channel *chan;
8838 
8839 				chan = &wiphy->bands[band]->channels[j];
8840 
8841 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8842 					continue;
8843 
8844 				request->channels[i] = chan;
8845 				i++;
8846 			}
8847 		}
8848 	}
8849 
8850 	if (!i) {
8851 		err = -EINVAL;
8852 		goto out_free;
8853 	}
8854 
8855 	request->n_channels = i;
8856 
8857 	wdev_lock(wdev);
8858 	for (i = 0; i < request->n_channels; i++) {
8859 		struct ieee80211_channel *chan = request->channels[i];
8860 
8861 		/* if we can go off-channel to the target channel we're good */
8862 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
8863 			continue;
8864 
8865 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
8866 			wdev_unlock(wdev);
8867 			err = -EBUSY;
8868 			goto out_free;
8869 		}
8870 	}
8871 	wdev_unlock(wdev);
8872 
8873 	i = 0;
8874 	if (n_ssids) {
8875 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8876 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8877 				err = -EINVAL;
8878 				goto out_free;
8879 			}
8880 			request->ssids[i].ssid_len = nla_len(attr);
8881 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8882 			i++;
8883 		}
8884 	}
8885 
8886 	if (info->attrs[NL80211_ATTR_IE]) {
8887 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8888 		memcpy((void *)request->ie,
8889 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8890 		       request->ie_len);
8891 	}
8892 
8893 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8894 		if (wiphy->bands[i])
8895 			request->rates[i] =
8896 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8897 
8898 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8899 		nla_for_each_nested(attr,
8900 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8901 				    tmp) {
8902 			enum nl80211_band band = nla_type(attr);
8903 
8904 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8905 				err = -EINVAL;
8906 				goto out_free;
8907 			}
8908 
8909 			if (!wiphy->bands[band])
8910 				continue;
8911 
8912 			err = ieee80211_get_ratemask(wiphy->bands[band],
8913 						     nla_data(attr),
8914 						     nla_len(attr),
8915 						     &request->rates[band]);
8916 			if (err)
8917 				goto out_free;
8918 		}
8919 	}
8920 
8921 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8922 		request->duration =
8923 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8924 		request->duration_mandatory =
8925 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8926 	}
8927 
8928 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8929 				       false);
8930 	if (err)
8931 		goto out_free;
8932 
8933 	request->no_cck =
8934 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8935 
8936 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8937 	 * BSSID to scan for. This was problematic because that same attribute
8938 	 * was already used for another purpose (local random MAC address). The
8939 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8940 	 * compatibility with older userspace components, also use the
8941 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8942 	 * the specific BSSID use case instead of the random MAC address
8943 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8944 	 */
8945 	if (info->attrs[NL80211_ATTR_BSSID])
8946 		memcpy(request->bssid,
8947 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8948 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8949 		 info->attrs[NL80211_ATTR_MAC])
8950 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8951 		       ETH_ALEN);
8952 	else
8953 		eth_broadcast_addr(request->bssid);
8954 
8955 	request->wdev = wdev;
8956 	request->wiphy = &rdev->wiphy;
8957 	request->scan_start = jiffies;
8958 
8959 	rdev->scan_req = request;
8960 	err = cfg80211_scan(rdev);
8961 
8962 	if (err)
8963 		goto out_free;
8964 
8965 	nl80211_send_scan_start(rdev, wdev);
8966 	dev_hold(wdev->netdev);
8967 
8968 	return 0;
8969 
8970  out_free:
8971 	rdev->scan_req = NULL;
8972 	kfree(request);
8973 
8974 	return err;
8975 }
8976 
8977 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8978 {
8979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8980 	struct wireless_dev *wdev = info->user_ptr[1];
8981 
8982 	if (!rdev->ops->abort_scan)
8983 		return -EOPNOTSUPP;
8984 
8985 	if (rdev->scan_msg)
8986 		return 0;
8987 
8988 	if (!rdev->scan_req)
8989 		return -ENOENT;
8990 
8991 	rdev_abort_scan(rdev, wdev);
8992 	return 0;
8993 }
8994 
8995 static int
8996 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8997 			       struct cfg80211_sched_scan_request *request,
8998 			       struct nlattr **attrs)
8999 {
9000 	int tmp, err, i = 0;
9001 	struct nlattr *attr;
9002 
9003 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9004 		u32 interval;
9005 
9006 		/*
9007 		 * If scan plans are not specified,
9008 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9009 		 * case one scan plan will be set with the specified scan
9010 		 * interval and infinite number of iterations.
9011 		 */
9012 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9013 		if (!interval)
9014 			return -EINVAL;
9015 
9016 		request->scan_plans[0].interval =
9017 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9018 		if (!request->scan_plans[0].interval)
9019 			return -EINVAL;
9020 
9021 		if (request->scan_plans[0].interval >
9022 		    wiphy->max_sched_scan_plan_interval)
9023 			request->scan_plans[0].interval =
9024 				wiphy->max_sched_scan_plan_interval;
9025 
9026 		return 0;
9027 	}
9028 
9029 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9030 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9031 
9032 		if (WARN_ON(i >= n_plans))
9033 			return -EINVAL;
9034 
9035 		err = nla_parse_nested_deprecated(plan,
9036 						  NL80211_SCHED_SCAN_PLAN_MAX,
9037 						  attr, nl80211_plan_policy,
9038 						  NULL);
9039 		if (err)
9040 			return err;
9041 
9042 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9043 			return -EINVAL;
9044 
9045 		request->scan_plans[i].interval =
9046 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9047 		if (!request->scan_plans[i].interval ||
9048 		    request->scan_plans[i].interval >
9049 		    wiphy->max_sched_scan_plan_interval)
9050 			return -EINVAL;
9051 
9052 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9053 			request->scan_plans[i].iterations =
9054 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9055 			if (!request->scan_plans[i].iterations ||
9056 			    (request->scan_plans[i].iterations >
9057 			     wiphy->max_sched_scan_plan_iterations))
9058 				return -EINVAL;
9059 		} else if (i < n_plans - 1) {
9060 			/*
9061 			 * All scan plans but the last one must specify
9062 			 * a finite number of iterations
9063 			 */
9064 			return -EINVAL;
9065 		}
9066 
9067 		i++;
9068 	}
9069 
9070 	/*
9071 	 * The last scan plan must not specify the number of
9072 	 * iterations, it is supposed to run infinitely
9073 	 */
9074 	if (request->scan_plans[n_plans - 1].iterations)
9075 		return  -EINVAL;
9076 
9077 	return 0;
9078 }
9079 
9080 static int
9081 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9082 				       struct cfg80211_match_set *match_sets,
9083 				       struct nlattr *tb_band_rssi,
9084 				       s32 rssi_thold)
9085 {
9086 	struct nlattr *attr;
9087 	int i, tmp, ret = 0;
9088 
9089 	if (!wiphy_ext_feature_isset(wiphy,
9090 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9091 		if (tb_band_rssi)
9092 			ret = -EOPNOTSUPP;
9093 		else
9094 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9095 				match_sets->per_band_rssi_thold[i] =
9096 					NL80211_SCAN_RSSI_THOLD_OFF;
9097 		return ret;
9098 	}
9099 
9100 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9101 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9102 
9103 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9104 		enum nl80211_band band = nla_type(attr);
9105 
9106 		if (band < 0 || band >= NUM_NL80211_BANDS)
9107 			return -EINVAL;
9108 
9109 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9110 	}
9111 
9112 	return 0;
9113 }
9114 
9115 static struct cfg80211_sched_scan_request *
9116 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9117 			 struct nlattr **attrs, int max_match_sets)
9118 {
9119 	struct cfg80211_sched_scan_request *request;
9120 	struct nlattr *attr;
9121 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9122 	enum nl80211_band band;
9123 	size_t ie_len;
9124 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9125 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9126 
9127 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9128 		n_channels = validate_scan_freqs(
9129 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9130 		if (!n_channels)
9131 			return ERR_PTR(-EINVAL);
9132 	} else {
9133 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9134 	}
9135 
9136 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9137 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9138 				    tmp)
9139 			n_ssids++;
9140 
9141 	if (n_ssids > wiphy->max_sched_scan_ssids)
9142 		return ERR_PTR(-EINVAL);
9143 
9144 	/*
9145 	 * First, count the number of 'real' matchsets. Due to an issue with
9146 	 * the old implementation, matchsets containing only the RSSI attribute
9147 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9148 	 * RSSI for all matchsets, rather than their own matchset for reporting
9149 	 * all APs with a strong RSSI. This is needed to be compatible with
9150 	 * older userspace that treated a matchset with only the RSSI as the
9151 	 * global RSSI for all other matchsets - if there are other matchsets.
9152 	 */
9153 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9154 		nla_for_each_nested(attr,
9155 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9156 				    tmp) {
9157 			struct nlattr *rssi;
9158 
9159 			err = nla_parse_nested_deprecated(tb,
9160 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9161 							  attr,
9162 							  nl80211_match_policy,
9163 							  NULL);
9164 			if (err)
9165 				return ERR_PTR(err);
9166 
9167 			/* SSID and BSSID are mutually exclusive */
9168 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9169 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9170 				return ERR_PTR(-EINVAL);
9171 
9172 			/* add other standalone attributes here */
9173 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9174 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9175 				n_match_sets++;
9176 				continue;
9177 			}
9178 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9179 			if (rssi)
9180 				default_match_rssi = nla_get_s32(rssi);
9181 		}
9182 	}
9183 
9184 	/* However, if there's no other matchset, add the RSSI one */
9185 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9186 		n_match_sets = 1;
9187 
9188 	if (n_match_sets > max_match_sets)
9189 		return ERR_PTR(-EINVAL);
9190 
9191 	if (attrs[NL80211_ATTR_IE])
9192 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9193 	else
9194 		ie_len = 0;
9195 
9196 	if (ie_len > wiphy->max_sched_scan_ie_len)
9197 		return ERR_PTR(-EINVAL);
9198 
9199 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9200 		/*
9201 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9202 		 * each scan plan already specifies its own interval
9203 		 */
9204 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9205 			return ERR_PTR(-EINVAL);
9206 
9207 		nla_for_each_nested(attr,
9208 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9209 			n_plans++;
9210 	} else {
9211 		/*
9212 		 * The scan interval attribute is kept for backward
9213 		 * compatibility. If no scan plans are specified and sched scan
9214 		 * interval is specified, one scan plan will be set with this
9215 		 * scan interval and infinite number of iterations.
9216 		 */
9217 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9218 			return ERR_PTR(-EINVAL);
9219 
9220 		n_plans = 1;
9221 	}
9222 
9223 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9224 		return ERR_PTR(-EINVAL);
9225 
9226 	if (!wiphy_ext_feature_isset(
9227 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9228 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9229 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9230 		return ERR_PTR(-EINVAL);
9231 
9232 	request = kzalloc(sizeof(*request)
9233 			+ sizeof(*request->ssids) * n_ssids
9234 			+ sizeof(*request->match_sets) * n_match_sets
9235 			+ sizeof(*request->scan_plans) * n_plans
9236 			+ sizeof(*request->channels) * n_channels
9237 			+ ie_len, GFP_KERNEL);
9238 	if (!request)
9239 		return ERR_PTR(-ENOMEM);
9240 
9241 	if (n_ssids)
9242 		request->ssids = (void *)&request->channels[n_channels];
9243 	request->n_ssids = n_ssids;
9244 	if (ie_len) {
9245 		if (n_ssids)
9246 			request->ie = (void *)(request->ssids + n_ssids);
9247 		else
9248 			request->ie = (void *)(request->channels + n_channels);
9249 	}
9250 
9251 	if (n_match_sets) {
9252 		if (request->ie)
9253 			request->match_sets = (void *)(request->ie + ie_len);
9254 		else if (n_ssids)
9255 			request->match_sets =
9256 				(void *)(request->ssids + n_ssids);
9257 		else
9258 			request->match_sets =
9259 				(void *)(request->channels + n_channels);
9260 	}
9261 	request->n_match_sets = n_match_sets;
9262 
9263 	if (n_match_sets)
9264 		request->scan_plans = (void *)(request->match_sets +
9265 					       n_match_sets);
9266 	else if (request->ie)
9267 		request->scan_plans = (void *)(request->ie + ie_len);
9268 	else if (n_ssids)
9269 		request->scan_plans = (void *)(request->ssids + n_ssids);
9270 	else
9271 		request->scan_plans = (void *)(request->channels + n_channels);
9272 
9273 	request->n_scan_plans = n_plans;
9274 
9275 	i = 0;
9276 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9277 		/* user specified, bail out if channel not found */
9278 		nla_for_each_nested(attr,
9279 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9280 				    tmp) {
9281 			struct ieee80211_channel *chan;
9282 
9283 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9284 
9285 			if (!chan) {
9286 				err = -EINVAL;
9287 				goto out_free;
9288 			}
9289 
9290 			/* ignore disabled channels */
9291 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9292 				continue;
9293 
9294 			request->channels[i] = chan;
9295 			i++;
9296 		}
9297 	} else {
9298 		/* all channels */
9299 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9300 			int j;
9301 
9302 			if (!wiphy->bands[band])
9303 				continue;
9304 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9305 				struct ieee80211_channel *chan;
9306 
9307 				chan = &wiphy->bands[band]->channels[j];
9308 
9309 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9310 					continue;
9311 
9312 				request->channels[i] = chan;
9313 				i++;
9314 			}
9315 		}
9316 	}
9317 
9318 	if (!i) {
9319 		err = -EINVAL;
9320 		goto out_free;
9321 	}
9322 
9323 	request->n_channels = i;
9324 
9325 	i = 0;
9326 	if (n_ssids) {
9327 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9328 				    tmp) {
9329 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9330 				err = -EINVAL;
9331 				goto out_free;
9332 			}
9333 			request->ssids[i].ssid_len = nla_len(attr);
9334 			memcpy(request->ssids[i].ssid, nla_data(attr),
9335 			       nla_len(attr));
9336 			i++;
9337 		}
9338 	}
9339 
9340 	i = 0;
9341 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9342 		nla_for_each_nested(attr,
9343 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9344 				    tmp) {
9345 			struct nlattr *ssid, *bssid, *rssi;
9346 
9347 			err = nla_parse_nested_deprecated(tb,
9348 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9349 							  attr,
9350 							  nl80211_match_policy,
9351 							  NULL);
9352 			if (err)
9353 				goto out_free;
9354 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9355 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9356 
9357 			if (!ssid && !bssid) {
9358 				i++;
9359 				continue;
9360 			}
9361 
9362 			if (WARN_ON(i >= n_match_sets)) {
9363 				/* this indicates a programming error,
9364 				 * the loop above should have verified
9365 				 * things properly
9366 				 */
9367 				err = -EINVAL;
9368 				goto out_free;
9369 			}
9370 
9371 			if (ssid) {
9372 				memcpy(request->match_sets[i].ssid.ssid,
9373 				       nla_data(ssid), nla_len(ssid));
9374 				request->match_sets[i].ssid.ssid_len =
9375 					nla_len(ssid);
9376 			}
9377 			if (bssid)
9378 				memcpy(request->match_sets[i].bssid,
9379 				       nla_data(bssid), ETH_ALEN);
9380 
9381 			/* special attribute - old implementation w/a */
9382 			request->match_sets[i].rssi_thold = default_match_rssi;
9383 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9384 			if (rssi)
9385 				request->match_sets[i].rssi_thold =
9386 					nla_get_s32(rssi);
9387 
9388 			/* Parse per band RSSI attribute */
9389 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9390 				&request->match_sets[i],
9391 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9392 				request->match_sets[i].rssi_thold);
9393 			if (err)
9394 				goto out_free;
9395 
9396 			i++;
9397 		}
9398 
9399 		/* there was no other matchset, so the RSSI one is alone */
9400 		if (i == 0 && n_match_sets)
9401 			request->match_sets[0].rssi_thold = default_match_rssi;
9402 
9403 		request->min_rssi_thold = INT_MAX;
9404 		for (i = 0; i < n_match_sets; i++)
9405 			request->min_rssi_thold =
9406 				min(request->match_sets[i].rssi_thold,
9407 				    request->min_rssi_thold);
9408 	} else {
9409 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9410 	}
9411 
9412 	if (ie_len) {
9413 		request->ie_len = ie_len;
9414 		memcpy((void *)request->ie,
9415 		       nla_data(attrs[NL80211_ATTR_IE]),
9416 		       request->ie_len);
9417 	}
9418 
9419 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9420 	if (err)
9421 		goto out_free;
9422 
9423 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9424 		request->delay =
9425 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9426 
9427 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9428 		request->relative_rssi = nla_get_s8(
9429 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9430 		request->relative_rssi_set = true;
9431 	}
9432 
9433 	if (request->relative_rssi_set &&
9434 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9435 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9436 
9437 		rssi_adjust = nla_data(
9438 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9439 		request->rssi_adjust.band = rssi_adjust->band;
9440 		request->rssi_adjust.delta = rssi_adjust->delta;
9441 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9442 			err = -EINVAL;
9443 			goto out_free;
9444 		}
9445 	}
9446 
9447 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9448 	if (err)
9449 		goto out_free;
9450 
9451 	request->scan_start = jiffies;
9452 
9453 	return request;
9454 
9455 out_free:
9456 	kfree(request);
9457 	return ERR_PTR(err);
9458 }
9459 
9460 static int nl80211_start_sched_scan(struct sk_buff *skb,
9461 				    struct genl_info *info)
9462 {
9463 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9464 	struct net_device *dev = info->user_ptr[1];
9465 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9466 	struct cfg80211_sched_scan_request *sched_scan_req;
9467 	bool want_multi;
9468 	int err;
9469 
9470 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9471 		return -EOPNOTSUPP;
9472 
9473 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9474 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9475 	if (err)
9476 		return err;
9477 
9478 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9479 						  info->attrs,
9480 						  rdev->wiphy.max_match_sets);
9481 
9482 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9483 	if (err)
9484 		goto out_err;
9485 
9486 	/* leave request id zero for legacy request
9487 	 * or if driver does not support multi-scheduled scan
9488 	 */
9489 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9490 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9491 
9492 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9493 	if (err)
9494 		goto out_free;
9495 
9496 	sched_scan_req->dev = dev;
9497 	sched_scan_req->wiphy = &rdev->wiphy;
9498 
9499 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9500 		sched_scan_req->owner_nlportid = info->snd_portid;
9501 
9502 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9503 
9504 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9505 	return 0;
9506 
9507 out_free:
9508 	kfree(sched_scan_req);
9509 out_err:
9510 	return err;
9511 }
9512 
9513 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9514 				   struct genl_info *info)
9515 {
9516 	struct cfg80211_sched_scan_request *req;
9517 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9518 	u64 cookie;
9519 
9520 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9521 		return -EOPNOTSUPP;
9522 
9523 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9524 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9525 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9526 	}
9527 
9528 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9529 				     struct cfg80211_sched_scan_request,
9530 				     list);
9531 	if (!req || req->reqid ||
9532 	    (req->owner_nlportid &&
9533 	     req->owner_nlportid != info->snd_portid))
9534 		return -ENOENT;
9535 
9536 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9537 }
9538 
9539 static int nl80211_start_radar_detection(struct sk_buff *skb,
9540 					 struct genl_info *info)
9541 {
9542 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9543 	struct net_device *dev = info->user_ptr[1];
9544 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9545 	struct wiphy *wiphy = wdev->wiphy;
9546 	struct cfg80211_chan_def chandef;
9547 	enum nl80211_dfs_regions dfs_region;
9548 	unsigned int cac_time_ms;
9549 	int err = -EINVAL;
9550 
9551 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9552 
9553 	wiphy_lock(wiphy);
9554 
9555 	dfs_region = reg_get_dfs_region(wiphy);
9556 	if (dfs_region == NL80211_DFS_UNSET)
9557 		goto unlock;
9558 
9559 	err = nl80211_parse_chandef(rdev, info, &chandef);
9560 	if (err)
9561 		goto unlock;
9562 
9563 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9564 	if (err < 0)
9565 		goto unlock;
9566 
9567 	if (err == 0) {
9568 		err = -EINVAL;
9569 		goto unlock;
9570 	}
9571 
9572 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9573 		err = -EINVAL;
9574 		goto unlock;
9575 	}
9576 
9577 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9578 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9579 								&chandef);
9580 		goto unlock;
9581 	}
9582 
9583 	if (netif_carrier_ok(dev)) {
9584 		err = -EBUSY;
9585 		goto unlock;
9586 	}
9587 
9588 	if (wdev->cac_started) {
9589 		err = -EBUSY;
9590 		goto unlock;
9591 	}
9592 
9593 	/* CAC start is offloaded to HW and can't be started manually */
9594 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9595 		err = -EOPNOTSUPP;
9596 		goto unlock;
9597 	}
9598 
9599 	if (!rdev->ops->start_radar_detection) {
9600 		err = -EOPNOTSUPP;
9601 		goto unlock;
9602 	}
9603 
9604 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9605 	if (WARN_ON(!cac_time_ms))
9606 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9607 
9608 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9609 	if (!err) {
9610 		wdev->links[0].ap.chandef = chandef;
9611 		wdev->cac_started = true;
9612 		wdev->cac_start_time = jiffies;
9613 		wdev->cac_time_ms = cac_time_ms;
9614 	}
9615 unlock:
9616 	wiphy_unlock(wiphy);
9617 
9618 	return err;
9619 }
9620 
9621 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9622 					  struct genl_info *info)
9623 {
9624 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9625 	struct net_device *dev = info->user_ptr[1];
9626 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9627 	struct wiphy *wiphy = wdev->wiphy;
9628 	struct cfg80211_chan_def chandef;
9629 	enum nl80211_dfs_regions dfs_region;
9630 	int err;
9631 
9632 	dfs_region = reg_get_dfs_region(wiphy);
9633 	if (dfs_region == NL80211_DFS_UNSET) {
9634 		GENL_SET_ERR_MSG(info,
9635 				 "DFS Region is not set. Unexpected Radar indication");
9636 		return -EINVAL;
9637 	}
9638 
9639 	err = nl80211_parse_chandef(rdev, info, &chandef);
9640 	if (err) {
9641 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9642 		return err;
9643 	}
9644 
9645 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9646 	if (err < 0) {
9647 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9648 		return err;
9649 	}
9650 
9651 	if (err == 0) {
9652 		GENL_SET_ERR_MSG(info,
9653 				 "Unexpected Radar indication for chandef/iftype");
9654 		return -EINVAL;
9655 	}
9656 
9657 	/* Do not process this notification if radar is already detected
9658 	 * by kernel on this channel, and return success.
9659 	 */
9660 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9661 		return 0;
9662 
9663 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9664 
9665 	cfg80211_sched_dfs_chan_update(rdev);
9666 
9667 	rdev->radar_chandef = chandef;
9668 
9669 	/* Propagate this notification to other radios as well */
9670 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9671 
9672 	return 0;
9673 }
9674 
9675 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9676 {
9677 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9678 	unsigned int link_id = nl80211_link_id(info->attrs);
9679 	struct net_device *dev = info->user_ptr[1];
9680 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9681 	struct cfg80211_csa_settings params;
9682 	struct nlattr **csa_attrs = NULL;
9683 	int err;
9684 	bool need_new_beacon = false;
9685 	bool need_handle_dfs_flag = true;
9686 	int len, i;
9687 	u32 cs_count;
9688 
9689 	if (!rdev->ops->channel_switch ||
9690 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9691 		return -EOPNOTSUPP;
9692 
9693 	switch (dev->ieee80211_ptr->iftype) {
9694 	case NL80211_IFTYPE_AP:
9695 	case NL80211_IFTYPE_P2P_GO:
9696 		need_new_beacon = true;
9697 		/* For all modes except AP the handle_dfs flag needs to be
9698 		 * supplied to tell the kernel that userspace will handle radar
9699 		 * events when they happen. Otherwise a switch to a channel
9700 		 * requiring DFS will be rejected.
9701 		 */
9702 		need_handle_dfs_flag = false;
9703 
9704 		/* useless if AP is not running */
9705 		if (!wdev->links[link_id].ap.beacon_interval)
9706 			return -ENOTCONN;
9707 		break;
9708 	case NL80211_IFTYPE_ADHOC:
9709 		if (!wdev->u.ibss.ssid_len)
9710 			return -ENOTCONN;
9711 		break;
9712 	case NL80211_IFTYPE_MESH_POINT:
9713 		if (!wdev->u.mesh.id_len)
9714 			return -ENOTCONN;
9715 		break;
9716 	default:
9717 		return -EOPNOTSUPP;
9718 	}
9719 
9720 	memset(&params, 0, sizeof(params));
9721 	params.beacon_csa.ftm_responder = -1;
9722 
9723 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9724 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9725 		return -EINVAL;
9726 
9727 	/* only important for AP, IBSS and mesh create IEs internally */
9728 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9729 		return -EINVAL;
9730 
9731 	/* Even though the attribute is u32, the specification says
9732 	 * u8, so let's make sure we don't overflow.
9733 	 */
9734 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9735 	if (cs_count > 255)
9736 		return -EINVAL;
9737 
9738 	params.count = cs_count;
9739 
9740 	if (!need_new_beacon)
9741 		goto skip_beacons;
9742 
9743 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9744 	if (err)
9745 		goto free;
9746 
9747 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9748 			    GFP_KERNEL);
9749 	if (!csa_attrs) {
9750 		err = -ENOMEM;
9751 		goto free;
9752 	}
9753 
9754 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9755 					  info->attrs[NL80211_ATTR_CSA_IES],
9756 					  nl80211_policy, info->extack);
9757 	if (err)
9758 		goto free;
9759 
9760 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9761 	if (err)
9762 		goto free;
9763 
9764 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9765 		err = -EINVAL;
9766 		goto free;
9767 	}
9768 
9769 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9770 	if (!len || (len % sizeof(u16))) {
9771 		err = -EINVAL;
9772 		goto free;
9773 	}
9774 
9775 	params.n_counter_offsets_beacon = len / sizeof(u16);
9776 	if (rdev->wiphy.max_num_csa_counters &&
9777 	    (params.n_counter_offsets_beacon >
9778 	     rdev->wiphy.max_num_csa_counters)) {
9779 		err = -EINVAL;
9780 		goto free;
9781 	}
9782 
9783 	params.counter_offsets_beacon =
9784 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9785 
9786 	/* sanity checks - counters should fit and be the same */
9787 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9788 		u16 offset = params.counter_offsets_beacon[i];
9789 
9790 		if (offset >= params.beacon_csa.tail_len) {
9791 			err = -EINVAL;
9792 			goto free;
9793 		}
9794 
9795 		if (params.beacon_csa.tail[offset] != params.count) {
9796 			err = -EINVAL;
9797 			goto free;
9798 		}
9799 	}
9800 
9801 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9802 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9803 		if (!len || (len % sizeof(u16))) {
9804 			err = -EINVAL;
9805 			goto free;
9806 		}
9807 
9808 		params.n_counter_offsets_presp = len / sizeof(u16);
9809 		if (rdev->wiphy.max_num_csa_counters &&
9810 		    (params.n_counter_offsets_presp >
9811 		     rdev->wiphy.max_num_csa_counters)) {
9812 			err = -EINVAL;
9813 			goto free;
9814 		}
9815 
9816 		params.counter_offsets_presp =
9817 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9818 
9819 		/* sanity checks - counters should fit and be the same */
9820 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9821 			u16 offset = params.counter_offsets_presp[i];
9822 
9823 			if (offset >= params.beacon_csa.probe_resp_len) {
9824 				err = -EINVAL;
9825 				goto free;
9826 			}
9827 
9828 			if (params.beacon_csa.probe_resp[offset] !=
9829 			    params.count) {
9830 				err = -EINVAL;
9831 				goto free;
9832 			}
9833 		}
9834 	}
9835 
9836 skip_beacons:
9837 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9838 	if (err)
9839 		goto free;
9840 
9841 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9842 					   wdev->iftype)) {
9843 		err = -EINVAL;
9844 		goto free;
9845 	}
9846 
9847 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9848 					    &params.chandef,
9849 					    wdev->iftype);
9850 	if (err < 0)
9851 		goto free;
9852 
9853 	if (err > 0) {
9854 		params.radar_required = true;
9855 		if (need_handle_dfs_flag &&
9856 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9857 			err = -EINVAL;
9858 			goto free;
9859 		}
9860 	}
9861 
9862 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9863 		params.block_tx = true;
9864 
9865 	wdev_lock(wdev);
9866 	err = rdev_channel_switch(rdev, dev, &params);
9867 	wdev_unlock(wdev);
9868 
9869 free:
9870 	kfree(params.beacon_after.mbssid_ies);
9871 	kfree(params.beacon_csa.mbssid_ies);
9872 	kfree(csa_attrs);
9873 	return err;
9874 }
9875 
9876 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9877 			    u32 seq, int flags,
9878 			    struct cfg80211_registered_device *rdev,
9879 			    struct wireless_dev *wdev,
9880 			    struct cfg80211_internal_bss *intbss)
9881 {
9882 	struct cfg80211_bss *res = &intbss->pub;
9883 	const struct cfg80211_bss_ies *ies;
9884 	unsigned int link_id;
9885 	void *hdr;
9886 	struct nlattr *bss;
9887 
9888 	ASSERT_WDEV_LOCK(wdev);
9889 
9890 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9891 			     NL80211_CMD_NEW_SCAN_RESULTS);
9892 	if (!hdr)
9893 		return -1;
9894 
9895 	genl_dump_check_consistent(cb, hdr);
9896 
9897 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9898 		goto nla_put_failure;
9899 	if (wdev->netdev &&
9900 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9901 		goto nla_put_failure;
9902 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9903 			      NL80211_ATTR_PAD))
9904 		goto nla_put_failure;
9905 
9906 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9907 	if (!bss)
9908 		goto nla_put_failure;
9909 	if ((!is_zero_ether_addr(res->bssid) &&
9910 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9911 		goto nla_put_failure;
9912 
9913 	rcu_read_lock();
9914 	/* indicate whether we have probe response data or not */
9915 	if (rcu_access_pointer(res->proberesp_ies) &&
9916 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9917 		goto fail_unlock_rcu;
9918 
9919 	/* this pointer prefers to be pointed to probe response data
9920 	 * but is always valid
9921 	 */
9922 	ies = rcu_dereference(res->ies);
9923 	if (ies) {
9924 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9925 				      NL80211_BSS_PAD))
9926 			goto fail_unlock_rcu;
9927 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9928 					ies->len, ies->data))
9929 			goto fail_unlock_rcu;
9930 	}
9931 
9932 	/* and this pointer is always (unless driver didn't know) beacon data */
9933 	ies = rcu_dereference(res->beacon_ies);
9934 	if (ies && ies->from_beacon) {
9935 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9936 				      NL80211_BSS_PAD))
9937 			goto fail_unlock_rcu;
9938 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9939 					ies->len, ies->data))
9940 			goto fail_unlock_rcu;
9941 	}
9942 	rcu_read_unlock();
9943 
9944 	if (res->beacon_interval &&
9945 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9946 		goto nla_put_failure;
9947 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9948 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9949 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9950 			res->channel->freq_offset) ||
9951 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9952 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9953 			jiffies_to_msecs(jiffies - intbss->ts)))
9954 		goto nla_put_failure;
9955 
9956 	if (intbss->parent_tsf &&
9957 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9958 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9959 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9960 		     intbss->parent_bssid)))
9961 		goto nla_put_failure;
9962 
9963 	if (intbss->ts_boottime &&
9964 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9965 			      intbss->ts_boottime, NL80211_BSS_PAD))
9966 		goto nla_put_failure;
9967 
9968 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9969 				intbss->pub.chain_signal,
9970 				NL80211_BSS_CHAIN_SIGNAL))
9971 		goto nla_put_failure;
9972 
9973 	switch (rdev->wiphy.signal_type) {
9974 	case CFG80211_SIGNAL_TYPE_MBM:
9975 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9976 			goto nla_put_failure;
9977 		break;
9978 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9979 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9980 			goto nla_put_failure;
9981 		break;
9982 	default:
9983 		break;
9984 	}
9985 
9986 	switch (wdev->iftype) {
9987 	case NL80211_IFTYPE_P2P_CLIENT:
9988 	case NL80211_IFTYPE_STATION:
9989 		for_each_valid_link(wdev, link_id) {
9990 			if (intbss == wdev->links[link_id].client.current_bss &&
9991 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
9992 					 NL80211_BSS_STATUS_ASSOCIATED) ||
9993 			     (wdev->valid_links &&
9994 			      nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
9995 					 link_id))))
9996 				goto nla_put_failure;
9997 		}
9998 		break;
9999 	case NL80211_IFTYPE_ADHOC:
10000 		if (intbss == wdev->u.ibss.current_bss &&
10001 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10002 				NL80211_BSS_STATUS_IBSS_JOINED))
10003 			goto nla_put_failure;
10004 		break;
10005 	default:
10006 		break;
10007 	}
10008 
10009 	nla_nest_end(msg, bss);
10010 
10011 	genlmsg_end(msg, hdr);
10012 	return 0;
10013 
10014  fail_unlock_rcu:
10015 	rcu_read_unlock();
10016  nla_put_failure:
10017 	genlmsg_cancel(msg, hdr);
10018 	return -EMSGSIZE;
10019 }
10020 
10021 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10022 {
10023 	struct cfg80211_registered_device *rdev;
10024 	struct cfg80211_internal_bss *scan;
10025 	struct wireless_dev *wdev;
10026 	int start = cb->args[2], idx = 0;
10027 	int err;
10028 
10029 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10030 	if (err)
10031 		return err;
10032 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10033 	__acquire(&rdev->wiphy.mtx);
10034 
10035 	wdev_lock(wdev);
10036 	spin_lock_bh(&rdev->bss_lock);
10037 
10038 	/*
10039 	 * dump_scan will be called multiple times to break up the scan results
10040 	 * into multiple messages.  It is unlikely that any more bss-es will be
10041 	 * expired after the first call, so only call only call this on the
10042 	 * first dump_scan invocation.
10043 	 */
10044 	if (start == 0)
10045 		cfg80211_bss_expire(rdev);
10046 
10047 	cb->seq = rdev->bss_generation;
10048 
10049 	list_for_each_entry(scan, &rdev->bss_list, list) {
10050 		if (++idx <= start)
10051 			continue;
10052 		if (nl80211_send_bss(skb, cb,
10053 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10054 				rdev, wdev, scan) < 0) {
10055 			idx--;
10056 			break;
10057 		}
10058 	}
10059 
10060 	spin_unlock_bh(&rdev->bss_lock);
10061 	wdev_unlock(wdev);
10062 
10063 	cb->args[2] = idx;
10064 	wiphy_unlock(&rdev->wiphy);
10065 
10066 	return skb->len;
10067 }
10068 
10069 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10070 			       int flags, struct net_device *dev,
10071 			       bool allow_radio_stats,
10072 			       struct survey_info *survey)
10073 {
10074 	void *hdr;
10075 	struct nlattr *infoattr;
10076 
10077 	/* skip radio stats if userspace didn't request them */
10078 	if (!survey->channel && !allow_radio_stats)
10079 		return 0;
10080 
10081 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10082 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10083 	if (!hdr)
10084 		return -ENOMEM;
10085 
10086 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10087 		goto nla_put_failure;
10088 
10089 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10090 	if (!infoattr)
10091 		goto nla_put_failure;
10092 
10093 	if (survey->channel &&
10094 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10095 			survey->channel->center_freq))
10096 		goto nla_put_failure;
10097 
10098 	if (survey->channel && survey->channel->freq_offset &&
10099 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10100 			survey->channel->freq_offset))
10101 		goto nla_put_failure;
10102 
10103 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10104 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10105 		goto nla_put_failure;
10106 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10107 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10108 		goto nla_put_failure;
10109 	if ((survey->filled & SURVEY_INFO_TIME) &&
10110 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10111 			survey->time, NL80211_SURVEY_INFO_PAD))
10112 		goto nla_put_failure;
10113 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10114 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10115 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10116 		goto nla_put_failure;
10117 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10118 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10119 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10120 		goto nla_put_failure;
10121 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10122 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10123 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10124 		goto nla_put_failure;
10125 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10126 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10127 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10128 		goto nla_put_failure;
10129 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10130 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10131 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10132 		goto nla_put_failure;
10133 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10134 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10135 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10136 		goto nla_put_failure;
10137 
10138 	nla_nest_end(msg, infoattr);
10139 
10140 	genlmsg_end(msg, hdr);
10141 	return 0;
10142 
10143  nla_put_failure:
10144 	genlmsg_cancel(msg, hdr);
10145 	return -EMSGSIZE;
10146 }
10147 
10148 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10149 {
10150 	struct nlattr **attrbuf;
10151 	struct survey_info survey;
10152 	struct cfg80211_registered_device *rdev;
10153 	struct wireless_dev *wdev;
10154 	int survey_idx = cb->args[2];
10155 	int res;
10156 	bool radio_stats;
10157 
10158 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10159 	if (!attrbuf)
10160 		return -ENOMEM;
10161 
10162 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10163 	if (res) {
10164 		kfree(attrbuf);
10165 		return res;
10166 	}
10167 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10168 	__acquire(&rdev->wiphy.mtx);
10169 
10170 	/* prepare_wdev_dump parsed the attributes */
10171 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10172 
10173 	if (!wdev->netdev) {
10174 		res = -EINVAL;
10175 		goto out_err;
10176 	}
10177 
10178 	if (!rdev->ops->dump_survey) {
10179 		res = -EOPNOTSUPP;
10180 		goto out_err;
10181 	}
10182 
10183 	while (1) {
10184 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10185 		if (res == -ENOENT)
10186 			break;
10187 		if (res)
10188 			goto out_err;
10189 
10190 		/* don't send disabled channels, but do send non-channel data */
10191 		if (survey.channel &&
10192 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10193 			survey_idx++;
10194 			continue;
10195 		}
10196 
10197 		if (nl80211_send_survey(skb,
10198 				NETLINK_CB(cb->skb).portid,
10199 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10200 				wdev->netdev, radio_stats, &survey) < 0)
10201 			goto out;
10202 		survey_idx++;
10203 	}
10204 
10205  out:
10206 	cb->args[2] = survey_idx;
10207 	res = skb->len;
10208  out_err:
10209 	kfree(attrbuf);
10210 	wiphy_unlock(&rdev->wiphy);
10211 	return res;
10212 }
10213 
10214 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10215 {
10216 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10217 				  NL80211_WPA_VERSION_2 |
10218 				  NL80211_WPA_VERSION_3));
10219 }
10220 
10221 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10222 {
10223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10224 	struct net_device *dev = info->user_ptr[1];
10225 	struct ieee80211_channel *chan;
10226 	const u8 *bssid, *ssid;
10227 	int err, ssid_len;
10228 	enum nl80211_auth_type auth_type;
10229 	struct key_parse key;
10230 	bool local_state_change;
10231 	struct cfg80211_auth_request req = {};
10232 	u32 freq;
10233 
10234 	if (!info->attrs[NL80211_ATTR_MAC])
10235 		return -EINVAL;
10236 
10237 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10238 		return -EINVAL;
10239 
10240 	if (!info->attrs[NL80211_ATTR_SSID])
10241 		return -EINVAL;
10242 
10243 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10244 		return -EINVAL;
10245 
10246 	err = nl80211_parse_key(info, &key);
10247 	if (err)
10248 		return err;
10249 
10250 	if (key.idx >= 0) {
10251 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10252 			return -EINVAL;
10253 		if (!key.p.key || !key.p.key_len)
10254 			return -EINVAL;
10255 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10256 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10257 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10258 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10259 			return -EINVAL;
10260 		if (key.idx > 3)
10261 			return -EINVAL;
10262 	} else {
10263 		key.p.key_len = 0;
10264 		key.p.key = NULL;
10265 	}
10266 
10267 	if (key.idx >= 0) {
10268 		int i;
10269 		bool ok = false;
10270 
10271 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10272 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10273 				ok = true;
10274 				break;
10275 			}
10276 		}
10277 		if (!ok)
10278 			return -EINVAL;
10279 	}
10280 
10281 	if (!rdev->ops->auth)
10282 		return -EOPNOTSUPP;
10283 
10284 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10285 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10286 		return -EOPNOTSUPP;
10287 
10288 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10289 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10290 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10291 		freq +=
10292 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10293 
10294 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10295 	if (!chan)
10296 		return -EINVAL;
10297 
10298 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10299 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10300 
10301 	if (info->attrs[NL80211_ATTR_IE]) {
10302 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10303 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10304 	}
10305 
10306 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10307 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10308 		return -EINVAL;
10309 
10310 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10311 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10312 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10313 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10314 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10315 		return -EINVAL;
10316 
10317 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10318 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10319 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10320 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10321 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10322 			return -EINVAL;
10323 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10324 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10325 	}
10326 
10327 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10328 
10329 	/*
10330 	 * Since we no longer track auth state, ignore
10331 	 * requests to only change local state.
10332 	 */
10333 	if (local_state_change)
10334 		return 0;
10335 
10336 	req.auth_type = auth_type;
10337 	req.key = key.p.key;
10338 	req.key_len = key.p.key_len;
10339 	req.key_idx = key.idx;
10340 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10341 	if (req.link_id >= 0) {
10342 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10343 			return -EINVAL;
10344 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10345 	}
10346 
10347 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10348 				   IEEE80211_BSS_TYPE_ESS,
10349 				   IEEE80211_PRIVACY_ANY);
10350 	if (!req.bss)
10351 		return -ENOENT;
10352 
10353 	wdev_lock(dev->ieee80211_ptr);
10354 	err = cfg80211_mlme_auth(rdev, dev, &req);
10355 	wdev_unlock(dev->ieee80211_ptr);
10356 
10357 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10358 
10359 	return err;
10360 }
10361 
10362 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10363 				     struct genl_info *info)
10364 {
10365 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10366 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10367 		return -EINVAL;
10368 	}
10369 
10370 	if (!rdev->ops->tx_control_port ||
10371 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10372 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10373 		return -EOPNOTSUPP;
10374 
10375 	return 0;
10376 }
10377 
10378 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10379 				   struct genl_info *info,
10380 				   struct cfg80211_crypto_settings *settings,
10381 				   int cipher_limit)
10382 {
10383 	memset(settings, 0, sizeof(*settings));
10384 
10385 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10386 
10387 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10388 		u16 proto;
10389 
10390 		proto = nla_get_u16(
10391 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10392 		settings->control_port_ethertype = cpu_to_be16(proto);
10393 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10394 		    proto != ETH_P_PAE)
10395 			return -EINVAL;
10396 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10397 			settings->control_port_no_encrypt = true;
10398 	} else
10399 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10400 
10401 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10402 		int r = validate_pae_over_nl80211(rdev, info);
10403 
10404 		if (r < 0)
10405 			return r;
10406 
10407 		settings->control_port_over_nl80211 = true;
10408 
10409 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10410 			settings->control_port_no_preauth = true;
10411 	}
10412 
10413 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10414 		void *data;
10415 		int len, i;
10416 
10417 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10418 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10419 		settings->n_ciphers_pairwise = len / sizeof(u32);
10420 
10421 		if (len % sizeof(u32))
10422 			return -EINVAL;
10423 
10424 		if (settings->n_ciphers_pairwise > cipher_limit)
10425 			return -EINVAL;
10426 
10427 		memcpy(settings->ciphers_pairwise, data, len);
10428 
10429 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10430 			if (!cfg80211_supported_cipher_suite(
10431 					&rdev->wiphy,
10432 					settings->ciphers_pairwise[i]))
10433 				return -EINVAL;
10434 	}
10435 
10436 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10437 		settings->cipher_group =
10438 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10439 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10440 						     settings->cipher_group))
10441 			return -EINVAL;
10442 	}
10443 
10444 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10445 		settings->wpa_versions =
10446 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10447 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10448 			return -EINVAL;
10449 	}
10450 
10451 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10452 		void *data;
10453 		int len;
10454 
10455 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10456 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10457 		settings->n_akm_suites = len / sizeof(u32);
10458 
10459 		if (len % sizeof(u32))
10460 			return -EINVAL;
10461 
10462 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10463 			return -EINVAL;
10464 
10465 		memcpy(settings->akm_suites, data, len);
10466 	}
10467 
10468 	if (info->attrs[NL80211_ATTR_PMK]) {
10469 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10470 			return -EINVAL;
10471 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10472 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10473 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10474 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10475 			return -EINVAL;
10476 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10477 	}
10478 
10479 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10480 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10481 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10482 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10483 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10484 			return -EINVAL;
10485 		settings->sae_pwd =
10486 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10487 		settings->sae_pwd_len =
10488 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10489 	}
10490 
10491 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10492 		settings->sae_pwe =
10493 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10494 	else
10495 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10496 
10497 	return 0;
10498 }
10499 
10500 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10501 					      const u8 *ssid, int ssid_len,
10502 					      struct nlattr **attrs,
10503 					      const u8 **bssid_out)
10504 {
10505 	struct ieee80211_channel *chan;
10506 	struct cfg80211_bss *bss;
10507 	const u8 *bssid;
10508 	u32 freq;
10509 
10510 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10511 		return ERR_PTR(-EINVAL);
10512 
10513 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10514 
10515 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10516 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10517 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10518 
10519 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10520 	if (!chan)
10521 		return ERR_PTR(-EINVAL);
10522 
10523 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10524 			       ssid, ssid_len,
10525 			       IEEE80211_BSS_TYPE_ESS,
10526 			       IEEE80211_PRIVACY_ANY);
10527 	if (!bss)
10528 		return ERR_PTR(-ENOENT);
10529 
10530 	*bssid_out = bssid;
10531 	return bss;
10532 }
10533 
10534 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10535 {
10536 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10537 	struct net_device *dev = info->user_ptr[1];
10538 	struct cfg80211_assoc_request req = {};
10539 	struct nlattr **attrs = NULL;
10540 	const u8 *bssid, *ssid;
10541 	unsigned int link_id;
10542 	int err, ssid_len;
10543 
10544 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10545 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10546 		return -EPERM;
10547 
10548 	if (!info->attrs[NL80211_ATTR_SSID])
10549 		return -EINVAL;
10550 
10551 	if (!rdev->ops->assoc)
10552 		return -EOPNOTSUPP;
10553 
10554 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10555 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10556 		return -EOPNOTSUPP;
10557 
10558 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10559 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10560 
10561 	if (info->attrs[NL80211_ATTR_IE]) {
10562 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10563 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10564 	}
10565 
10566 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10567 		enum nl80211_mfp mfp =
10568 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10569 		if (mfp == NL80211_MFP_REQUIRED)
10570 			req.use_mfp = true;
10571 		else if (mfp != NL80211_MFP_NO)
10572 			return -EINVAL;
10573 	}
10574 
10575 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10576 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10577 
10578 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10579 		req.flags |= ASSOC_REQ_DISABLE_HT;
10580 
10581 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10582 		memcpy(&req.ht_capa_mask,
10583 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10584 		       sizeof(req.ht_capa_mask));
10585 
10586 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10587 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10588 			return -EINVAL;
10589 		memcpy(&req.ht_capa,
10590 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10591 		       sizeof(req.ht_capa));
10592 	}
10593 
10594 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10595 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10596 
10597 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10598 		req.flags |= ASSOC_REQ_DISABLE_HE;
10599 
10600 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
10601 		req.flags |= ASSOC_REQ_DISABLE_EHT;
10602 
10603 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10604 		memcpy(&req.vht_capa_mask,
10605 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10606 		       sizeof(req.vht_capa_mask));
10607 
10608 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10609 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10610 			return -EINVAL;
10611 		memcpy(&req.vht_capa,
10612 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10613 		       sizeof(req.vht_capa));
10614 	}
10615 
10616 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10617 		if (!((rdev->wiphy.features &
10618 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10619 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10620 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10621 					     NL80211_EXT_FEATURE_RRM))
10622 			return -EINVAL;
10623 		req.flags |= ASSOC_REQ_USE_RRM;
10624 	}
10625 
10626 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10627 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10628 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10629 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10630 			return -EINVAL;
10631 		req.fils_nonces =
10632 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10633 	}
10634 
10635 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10636 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10637 			return -EINVAL;
10638 		memcpy(&req.s1g_capa_mask,
10639 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10640 		       sizeof(req.s1g_capa_mask));
10641 	}
10642 
10643 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10644 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10645 			return -EINVAL;
10646 		memcpy(&req.s1g_capa,
10647 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10648 		       sizeof(req.s1g_capa));
10649 	}
10650 
10651 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10652 
10653 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
10654 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
10655 		struct nlattr *link;
10656 		int rem = 0;
10657 
10658 		if (req.link_id < 0)
10659 			return -EINVAL;
10660 
10661 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10662 			return -EINVAL;
10663 
10664 		if (info->attrs[NL80211_ATTR_MAC] ||
10665 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10666 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
10667 			return -EINVAL;
10668 
10669 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10670 
10671 		attrs = kzalloc(attrsize, GFP_KERNEL);
10672 		if (!attrs)
10673 			return -ENOMEM;
10674 
10675 		nla_for_each_nested(link,
10676 				    info->attrs[NL80211_ATTR_MLO_LINKS],
10677 				    rem) {
10678 			memset(attrs, 0, attrsize);
10679 
10680 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
10681 					 link, NULL, NULL);
10682 
10683 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
10684 				err = -EINVAL;
10685 				goto free;
10686 			}
10687 
10688 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
10689 			/* cannot use the same link ID again */
10690 			if (req.links[link_id].bss) {
10691 				err = -EINVAL;
10692 				goto free;
10693 			}
10694 			req.links[link_id].bss =
10695 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
10696 						  &bssid);
10697 			if (IS_ERR(req.links[link_id].bss)) {
10698 				err = PTR_ERR(req.links[link_id].bss);
10699 				goto free;
10700 			}
10701 
10702 			if (attrs[NL80211_ATTR_IE]) {
10703 				req.links[link_id].elems =
10704 					nla_data(attrs[NL80211_ATTR_IE]);
10705 				req.links[link_id].elems_len =
10706 					nla_len(attrs[NL80211_ATTR_IE]);
10707 			}
10708 		}
10709 
10710 		if (!req.links[req.link_id].bss) {
10711 			err = -EINVAL;
10712 			goto free;
10713 		}
10714 
10715 		kfree(attrs);
10716 		attrs = NULL;
10717 	} else {
10718 		if (req.link_id >= 0)
10719 			return -EINVAL;
10720 
10721 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
10722 					    &bssid);
10723 		if (IS_ERR(req.bss))
10724 			return PTR_ERR(req.bss);
10725 	}
10726 
10727 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10728 	if (!err) {
10729 		wdev_lock(dev->ieee80211_ptr);
10730 
10731 		err = cfg80211_mlme_assoc(rdev, dev, &req);
10732 
10733 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10734 			dev->ieee80211_ptr->conn_owner_nlportid =
10735 				info->snd_portid;
10736 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10737 			       bssid, ETH_ALEN);
10738 		}
10739 
10740 		wdev_unlock(dev->ieee80211_ptr);
10741 	}
10742 
10743 free:
10744 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
10745 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
10746 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10747 	kfree(attrs);
10748 
10749 	return err;
10750 }
10751 
10752 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10753 {
10754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10755 	struct net_device *dev = info->user_ptr[1];
10756 	const u8 *ie = NULL, *bssid;
10757 	int ie_len = 0, err;
10758 	u16 reason_code;
10759 	bool local_state_change;
10760 
10761 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10762 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10763 		return -EPERM;
10764 
10765 	if (!info->attrs[NL80211_ATTR_MAC])
10766 		return -EINVAL;
10767 
10768 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10769 		return -EINVAL;
10770 
10771 	if (!rdev->ops->deauth)
10772 		return -EOPNOTSUPP;
10773 
10774 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10775 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10776 		return -EOPNOTSUPP;
10777 
10778 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10779 
10780 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10781 	if (reason_code == 0) {
10782 		/* Reason Code 0 is reserved */
10783 		return -EINVAL;
10784 	}
10785 
10786 	if (info->attrs[NL80211_ATTR_IE]) {
10787 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10788 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10789 	}
10790 
10791 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10792 
10793 	wdev_lock(dev->ieee80211_ptr);
10794 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10795 				   local_state_change);
10796 	wdev_unlock(dev->ieee80211_ptr);
10797 	return err;
10798 }
10799 
10800 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10801 {
10802 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10803 	struct net_device *dev = info->user_ptr[1];
10804 	const u8 *ie = NULL, *bssid;
10805 	int ie_len = 0, err;
10806 	u16 reason_code;
10807 	bool local_state_change;
10808 
10809 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10810 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10811 		return -EPERM;
10812 
10813 	if (!info->attrs[NL80211_ATTR_MAC])
10814 		return -EINVAL;
10815 
10816 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10817 		return -EINVAL;
10818 
10819 	if (!rdev->ops->disassoc)
10820 		return -EOPNOTSUPP;
10821 
10822 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10823 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10824 		return -EOPNOTSUPP;
10825 
10826 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10827 
10828 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10829 	if (reason_code == 0) {
10830 		/* Reason Code 0 is reserved */
10831 		return -EINVAL;
10832 	}
10833 
10834 	if (info->attrs[NL80211_ATTR_IE]) {
10835 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10836 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10837 	}
10838 
10839 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10840 
10841 	wdev_lock(dev->ieee80211_ptr);
10842 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10843 				     local_state_change);
10844 	wdev_unlock(dev->ieee80211_ptr);
10845 	return err;
10846 }
10847 
10848 static bool
10849 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10850 			 int mcast_rate[NUM_NL80211_BANDS],
10851 			 int rateval)
10852 {
10853 	struct wiphy *wiphy = &rdev->wiphy;
10854 	bool found = false;
10855 	int band, i;
10856 
10857 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10858 		struct ieee80211_supported_band *sband;
10859 
10860 		sband = wiphy->bands[band];
10861 		if (!sband)
10862 			continue;
10863 
10864 		for (i = 0; i < sband->n_bitrates; i++) {
10865 			if (sband->bitrates[i].bitrate == rateval) {
10866 				mcast_rate[band] = i + 1;
10867 				found = true;
10868 				break;
10869 			}
10870 		}
10871 	}
10872 
10873 	return found;
10874 }
10875 
10876 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10877 {
10878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10879 	struct net_device *dev = info->user_ptr[1];
10880 	struct cfg80211_ibss_params ibss;
10881 	struct wiphy *wiphy;
10882 	struct cfg80211_cached_keys *connkeys = NULL;
10883 	int err;
10884 
10885 	memset(&ibss, 0, sizeof(ibss));
10886 
10887 	if (!info->attrs[NL80211_ATTR_SSID] ||
10888 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10889 		return -EINVAL;
10890 
10891 	ibss.beacon_interval = 100;
10892 
10893 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10894 		ibss.beacon_interval =
10895 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10896 
10897 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10898 					   ibss.beacon_interval);
10899 	if (err)
10900 		return err;
10901 
10902 	if (!rdev->ops->join_ibss)
10903 		return -EOPNOTSUPP;
10904 
10905 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10906 		return -EOPNOTSUPP;
10907 
10908 	wiphy = &rdev->wiphy;
10909 
10910 	if (info->attrs[NL80211_ATTR_MAC]) {
10911 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10912 
10913 		if (!is_valid_ether_addr(ibss.bssid))
10914 			return -EINVAL;
10915 	}
10916 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10917 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10918 
10919 	if (info->attrs[NL80211_ATTR_IE]) {
10920 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10921 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10922 	}
10923 
10924 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10925 	if (err)
10926 		return err;
10927 
10928 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10929 				     NL80211_IFTYPE_ADHOC))
10930 		return -EINVAL;
10931 
10932 	switch (ibss.chandef.width) {
10933 	case NL80211_CHAN_WIDTH_5:
10934 	case NL80211_CHAN_WIDTH_10:
10935 	case NL80211_CHAN_WIDTH_20_NOHT:
10936 		break;
10937 	case NL80211_CHAN_WIDTH_20:
10938 	case NL80211_CHAN_WIDTH_40:
10939 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10940 			return -EINVAL;
10941 		break;
10942 	case NL80211_CHAN_WIDTH_80:
10943 	case NL80211_CHAN_WIDTH_80P80:
10944 	case NL80211_CHAN_WIDTH_160:
10945 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10946 			return -EINVAL;
10947 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10948 					     NL80211_EXT_FEATURE_VHT_IBSS))
10949 			return -EINVAL;
10950 		break;
10951 	case NL80211_CHAN_WIDTH_320:
10952 		return -EINVAL;
10953 	default:
10954 		return -EINVAL;
10955 	}
10956 
10957 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10958 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10959 
10960 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10961 		u8 *rates =
10962 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10963 		int n_rates =
10964 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10965 		struct ieee80211_supported_band *sband =
10966 			wiphy->bands[ibss.chandef.chan->band];
10967 
10968 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10969 					     &ibss.basic_rates);
10970 		if (err)
10971 			return err;
10972 	}
10973 
10974 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10975 		memcpy(&ibss.ht_capa_mask,
10976 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10977 		       sizeof(ibss.ht_capa_mask));
10978 
10979 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10980 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10981 			return -EINVAL;
10982 		memcpy(&ibss.ht_capa,
10983 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10984 		       sizeof(ibss.ht_capa));
10985 	}
10986 
10987 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10988 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10989 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10990 		return -EINVAL;
10991 
10992 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10993 		bool no_ht = false;
10994 
10995 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10996 		if (IS_ERR(connkeys))
10997 			return PTR_ERR(connkeys);
10998 
10999 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11000 		    no_ht) {
11001 			kfree_sensitive(connkeys);
11002 			return -EINVAL;
11003 		}
11004 	}
11005 
11006 	ibss.control_port =
11007 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11008 
11009 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11010 		int r = validate_pae_over_nl80211(rdev, info);
11011 
11012 		if (r < 0) {
11013 			kfree_sensitive(connkeys);
11014 			return r;
11015 		}
11016 
11017 		ibss.control_port_over_nl80211 = true;
11018 	}
11019 
11020 	ibss.userspace_handles_dfs =
11021 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11022 
11023 	wdev_lock(dev->ieee80211_ptr);
11024 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11025 	if (err)
11026 		kfree_sensitive(connkeys);
11027 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11028 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11029 	wdev_unlock(dev->ieee80211_ptr);
11030 
11031 	return err;
11032 }
11033 
11034 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11035 {
11036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11037 	struct net_device *dev = info->user_ptr[1];
11038 
11039 	if (!rdev->ops->leave_ibss)
11040 		return -EOPNOTSUPP;
11041 
11042 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11043 		return -EOPNOTSUPP;
11044 
11045 	return cfg80211_leave_ibss(rdev, dev, false);
11046 }
11047 
11048 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11049 {
11050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11051 	struct net_device *dev = info->user_ptr[1];
11052 	int mcast_rate[NUM_NL80211_BANDS];
11053 	u32 nla_rate;
11054 	int err;
11055 
11056 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11057 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11058 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11059 		return -EOPNOTSUPP;
11060 
11061 	if (!rdev->ops->set_mcast_rate)
11062 		return -EOPNOTSUPP;
11063 
11064 	memset(mcast_rate, 0, sizeof(mcast_rate));
11065 
11066 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11067 		return -EINVAL;
11068 
11069 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11070 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11071 		return -EINVAL;
11072 
11073 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
11074 
11075 	return err;
11076 }
11077 
11078 static struct sk_buff *
11079 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11080 			    struct wireless_dev *wdev, int approxlen,
11081 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11082 			    enum nl80211_attrs attr,
11083 			    const struct nl80211_vendor_cmd_info *info,
11084 			    gfp_t gfp)
11085 {
11086 	struct sk_buff *skb;
11087 	void *hdr;
11088 	struct nlattr *data;
11089 
11090 	skb = nlmsg_new(approxlen + 100, gfp);
11091 	if (!skb)
11092 		return NULL;
11093 
11094 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11095 	if (!hdr) {
11096 		kfree_skb(skb);
11097 		return NULL;
11098 	}
11099 
11100 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11101 		goto nla_put_failure;
11102 
11103 	if (info) {
11104 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11105 				info->vendor_id))
11106 			goto nla_put_failure;
11107 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11108 				info->subcmd))
11109 			goto nla_put_failure;
11110 	}
11111 
11112 	if (wdev) {
11113 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11114 				      wdev_id(wdev), NL80211_ATTR_PAD))
11115 			goto nla_put_failure;
11116 		if (wdev->netdev &&
11117 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11118 				wdev->netdev->ifindex))
11119 			goto nla_put_failure;
11120 	}
11121 
11122 	data = nla_nest_start_noflag(skb, attr);
11123 	if (!data)
11124 		goto nla_put_failure;
11125 
11126 	((void **)skb->cb)[0] = rdev;
11127 	((void **)skb->cb)[1] = hdr;
11128 	((void **)skb->cb)[2] = data;
11129 
11130 	return skb;
11131 
11132  nla_put_failure:
11133 	kfree_skb(skb);
11134 	return NULL;
11135 }
11136 
11137 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11138 					   struct wireless_dev *wdev,
11139 					   enum nl80211_commands cmd,
11140 					   enum nl80211_attrs attr,
11141 					   unsigned int portid,
11142 					   int vendor_event_idx,
11143 					   int approxlen, gfp_t gfp)
11144 {
11145 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11146 	const struct nl80211_vendor_cmd_info *info;
11147 
11148 	switch (cmd) {
11149 	case NL80211_CMD_TESTMODE:
11150 		if (WARN_ON(vendor_event_idx != -1))
11151 			return NULL;
11152 		info = NULL;
11153 		break;
11154 	case NL80211_CMD_VENDOR:
11155 		if (WARN_ON(vendor_event_idx < 0 ||
11156 			    vendor_event_idx >= wiphy->n_vendor_events))
11157 			return NULL;
11158 		info = &wiphy->vendor_events[vendor_event_idx];
11159 		break;
11160 	default:
11161 		WARN_ON(1);
11162 		return NULL;
11163 	}
11164 
11165 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11166 					   cmd, attr, info, gfp);
11167 }
11168 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11169 
11170 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11171 {
11172 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11173 	void *hdr = ((void **)skb->cb)[1];
11174 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11175 	struct nlattr *data = ((void **)skb->cb)[2];
11176 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11177 
11178 	/* clear CB data for netlink core to own from now on */
11179 	memset(skb->cb, 0, sizeof(skb->cb));
11180 
11181 	nla_nest_end(skb, data);
11182 	genlmsg_end(skb, hdr);
11183 
11184 	if (nlhdr->nlmsg_pid) {
11185 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11186 				nlhdr->nlmsg_pid);
11187 	} else {
11188 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11189 			mcgrp = NL80211_MCGRP_VENDOR;
11190 
11191 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11192 					skb, 0, mcgrp, gfp);
11193 	}
11194 }
11195 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11196 
11197 #ifdef CONFIG_NL80211_TESTMODE
11198 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11199 {
11200 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11201 	struct wireless_dev *wdev;
11202 	int err;
11203 
11204 	lockdep_assert_held(&rdev->wiphy.mtx);
11205 
11206 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11207 					  info->attrs);
11208 
11209 	if (!rdev->ops->testmode_cmd)
11210 		return -EOPNOTSUPP;
11211 
11212 	if (IS_ERR(wdev)) {
11213 		err = PTR_ERR(wdev);
11214 		if (err != -EINVAL)
11215 			return err;
11216 		wdev = NULL;
11217 	} else if (wdev->wiphy != &rdev->wiphy) {
11218 		return -EINVAL;
11219 	}
11220 
11221 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11222 		return -EINVAL;
11223 
11224 	rdev->cur_cmd_info = info;
11225 	err = rdev_testmode_cmd(rdev, wdev,
11226 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11227 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11228 	rdev->cur_cmd_info = NULL;
11229 
11230 	return err;
11231 }
11232 
11233 static int nl80211_testmode_dump(struct sk_buff *skb,
11234 				 struct netlink_callback *cb)
11235 {
11236 	struct cfg80211_registered_device *rdev;
11237 	struct nlattr **attrbuf = NULL;
11238 	int err;
11239 	long phy_idx;
11240 	void *data = NULL;
11241 	int data_len = 0;
11242 
11243 	rtnl_lock();
11244 
11245 	if (cb->args[0]) {
11246 		/*
11247 		 * 0 is a valid index, but not valid for args[0],
11248 		 * so we need to offset by 1.
11249 		 */
11250 		phy_idx = cb->args[0] - 1;
11251 
11252 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11253 		if (!rdev) {
11254 			err = -ENOENT;
11255 			goto out_err;
11256 		}
11257 	} else {
11258 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11259 				  GFP_KERNEL);
11260 		if (!attrbuf) {
11261 			err = -ENOMEM;
11262 			goto out_err;
11263 		}
11264 
11265 		err = nlmsg_parse_deprecated(cb->nlh,
11266 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11267 					     attrbuf, nl80211_fam.maxattr,
11268 					     nl80211_policy, NULL);
11269 		if (err)
11270 			goto out_err;
11271 
11272 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11273 		if (IS_ERR(rdev)) {
11274 			err = PTR_ERR(rdev);
11275 			goto out_err;
11276 		}
11277 		phy_idx = rdev->wiphy_idx;
11278 
11279 		if (attrbuf[NL80211_ATTR_TESTDATA])
11280 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11281 	}
11282 
11283 	if (cb->args[1]) {
11284 		data = nla_data((void *)cb->args[1]);
11285 		data_len = nla_len((void *)cb->args[1]);
11286 	}
11287 
11288 	if (!rdev->ops->testmode_dump) {
11289 		err = -EOPNOTSUPP;
11290 		goto out_err;
11291 	}
11292 
11293 	while (1) {
11294 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11295 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11296 					   NL80211_CMD_TESTMODE);
11297 		struct nlattr *tmdata;
11298 
11299 		if (!hdr)
11300 			break;
11301 
11302 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11303 			genlmsg_cancel(skb, hdr);
11304 			break;
11305 		}
11306 
11307 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11308 		if (!tmdata) {
11309 			genlmsg_cancel(skb, hdr);
11310 			break;
11311 		}
11312 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11313 		nla_nest_end(skb, tmdata);
11314 
11315 		if (err == -ENOBUFS || err == -ENOENT) {
11316 			genlmsg_cancel(skb, hdr);
11317 			break;
11318 		} else if (err) {
11319 			genlmsg_cancel(skb, hdr);
11320 			goto out_err;
11321 		}
11322 
11323 		genlmsg_end(skb, hdr);
11324 	}
11325 
11326 	err = skb->len;
11327 	/* see above */
11328 	cb->args[0] = phy_idx + 1;
11329  out_err:
11330 	kfree(attrbuf);
11331 	rtnl_unlock();
11332 	return err;
11333 }
11334 #endif
11335 
11336 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11337 {
11338 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11339 	struct net_device *dev = info->user_ptr[1];
11340 	struct cfg80211_connect_params connect;
11341 	struct wiphy *wiphy;
11342 	struct cfg80211_cached_keys *connkeys = NULL;
11343 	u32 freq = 0;
11344 	int err;
11345 
11346 	memset(&connect, 0, sizeof(connect));
11347 
11348 	if (!info->attrs[NL80211_ATTR_SSID] ||
11349 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11350 		return -EINVAL;
11351 
11352 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11353 		connect.auth_type =
11354 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11355 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11356 					     NL80211_CMD_CONNECT))
11357 			return -EINVAL;
11358 	} else
11359 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11360 
11361 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11362 
11363 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11364 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11365 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11366 		return -EINVAL;
11367 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11368 
11369 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11370 				      NL80211_MAX_NR_CIPHER_SUITES);
11371 	if (err)
11372 		return err;
11373 
11374 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11375 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11376 		return -EOPNOTSUPP;
11377 
11378 	wiphy = &rdev->wiphy;
11379 
11380 	connect.bg_scan_period = -1;
11381 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11382 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11383 		connect.bg_scan_period =
11384 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11385 	}
11386 
11387 	if (info->attrs[NL80211_ATTR_MAC])
11388 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11389 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11390 		connect.bssid_hint =
11391 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11392 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11393 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11394 
11395 	if (info->attrs[NL80211_ATTR_IE]) {
11396 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11397 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11398 	}
11399 
11400 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11401 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11402 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11403 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11404 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11405 			return -EOPNOTSUPP;
11406 	} else {
11407 		connect.mfp = NL80211_MFP_NO;
11408 	}
11409 
11410 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11411 		connect.prev_bssid =
11412 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11413 
11414 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11415 		freq = MHZ_TO_KHZ(nla_get_u32(
11416 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11417 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11418 		freq +=
11419 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11420 
11421 	if (freq) {
11422 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11423 		if (!connect.channel)
11424 			return -EINVAL;
11425 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11426 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11427 		freq = MHZ_TO_KHZ(freq);
11428 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11429 		if (!connect.channel_hint)
11430 			return -EINVAL;
11431 	}
11432 
11433 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11434 		connect.edmg.channels =
11435 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11436 
11437 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11438 			connect.edmg.bw_config =
11439 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11440 	}
11441 
11442 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11443 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11444 		if (IS_ERR(connkeys))
11445 			return PTR_ERR(connkeys);
11446 	}
11447 
11448 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11449 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11450 
11451 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11452 		memcpy(&connect.ht_capa_mask,
11453 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11454 		       sizeof(connect.ht_capa_mask));
11455 
11456 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11457 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11458 			kfree_sensitive(connkeys);
11459 			return -EINVAL;
11460 		}
11461 		memcpy(&connect.ht_capa,
11462 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11463 		       sizeof(connect.ht_capa));
11464 	}
11465 
11466 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11467 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11468 
11469 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11470 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11471 
11472 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11473 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11474 
11475 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11476 		memcpy(&connect.vht_capa_mask,
11477 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11478 		       sizeof(connect.vht_capa_mask));
11479 
11480 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11481 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11482 			kfree_sensitive(connkeys);
11483 			return -EINVAL;
11484 		}
11485 		memcpy(&connect.vht_capa,
11486 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11487 		       sizeof(connect.vht_capa));
11488 	}
11489 
11490 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11491 		if (!((rdev->wiphy.features &
11492 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11493 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11494 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11495 					     NL80211_EXT_FEATURE_RRM)) {
11496 			kfree_sensitive(connkeys);
11497 			return -EINVAL;
11498 		}
11499 		connect.flags |= ASSOC_REQ_USE_RRM;
11500 	}
11501 
11502 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11503 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11504 		kfree_sensitive(connkeys);
11505 		return -EOPNOTSUPP;
11506 	}
11507 
11508 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11509 		/* bss selection makes no sense if bssid is set */
11510 		if (connect.bssid) {
11511 			kfree_sensitive(connkeys);
11512 			return -EINVAL;
11513 		}
11514 
11515 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11516 				       wiphy, &connect.bss_select);
11517 		if (err) {
11518 			kfree_sensitive(connkeys);
11519 			return err;
11520 		}
11521 	}
11522 
11523 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11524 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11525 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11526 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11527 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11528 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11529 		connect.fils_erp_username =
11530 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11531 		connect.fils_erp_username_len =
11532 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11533 		connect.fils_erp_realm =
11534 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11535 		connect.fils_erp_realm_len =
11536 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11537 		connect.fils_erp_next_seq_num =
11538 			nla_get_u16(
11539 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11540 		connect.fils_erp_rrk =
11541 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11542 		connect.fils_erp_rrk_len =
11543 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11544 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11545 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11546 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11547 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11548 		kfree_sensitive(connkeys);
11549 		return -EINVAL;
11550 	}
11551 
11552 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11553 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11554 			kfree_sensitive(connkeys);
11555 			GENL_SET_ERR_MSG(info,
11556 					 "external auth requires connection ownership");
11557 			return -EINVAL;
11558 		}
11559 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11560 	}
11561 
11562 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
11563 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
11564 
11565 	wdev_lock(dev->ieee80211_ptr);
11566 
11567 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11568 			       connect.prev_bssid);
11569 	if (err)
11570 		kfree_sensitive(connkeys);
11571 
11572 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11573 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11574 		if (connect.bssid)
11575 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11576 			       connect.bssid, ETH_ALEN);
11577 		else
11578 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11579 	}
11580 
11581 	wdev_unlock(dev->ieee80211_ptr);
11582 
11583 	return err;
11584 }
11585 
11586 static int nl80211_update_connect_params(struct sk_buff *skb,
11587 					 struct genl_info *info)
11588 {
11589 	struct cfg80211_connect_params connect = {};
11590 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11591 	struct net_device *dev = info->user_ptr[1];
11592 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11593 	bool fils_sk_offload;
11594 	u32 auth_type;
11595 	u32 changed = 0;
11596 	int ret;
11597 
11598 	if (!rdev->ops->update_connect_params)
11599 		return -EOPNOTSUPP;
11600 
11601 	if (info->attrs[NL80211_ATTR_IE]) {
11602 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11603 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11604 		changed |= UPDATE_ASSOC_IES;
11605 	}
11606 
11607 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11608 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11609 
11610 	/*
11611 	 * when driver supports fils-sk offload all attributes must be
11612 	 * provided. So the else covers "fils-sk-not-all" and
11613 	 * "no-fils-sk-any".
11614 	 */
11615 	if (fils_sk_offload &&
11616 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11617 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11618 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11619 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11620 		connect.fils_erp_username =
11621 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11622 		connect.fils_erp_username_len =
11623 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11624 		connect.fils_erp_realm =
11625 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11626 		connect.fils_erp_realm_len =
11627 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11628 		connect.fils_erp_next_seq_num =
11629 			nla_get_u16(
11630 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11631 		connect.fils_erp_rrk =
11632 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11633 		connect.fils_erp_rrk_len =
11634 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11635 		changed |= UPDATE_FILS_ERP_INFO;
11636 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11637 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11638 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11639 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11640 		return -EINVAL;
11641 	}
11642 
11643 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11644 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11645 		if (!nl80211_valid_auth_type(rdev, auth_type,
11646 					     NL80211_CMD_CONNECT))
11647 			return -EINVAL;
11648 
11649 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11650 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11651 			return -EINVAL;
11652 
11653 		connect.auth_type = auth_type;
11654 		changed |= UPDATE_AUTH_TYPE;
11655 	}
11656 
11657 	wdev_lock(dev->ieee80211_ptr);
11658 	if (!wdev->connected)
11659 		ret = -ENOLINK;
11660 	else
11661 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11662 	wdev_unlock(dev->ieee80211_ptr);
11663 
11664 	return ret;
11665 }
11666 
11667 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11668 {
11669 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11670 	struct net_device *dev = info->user_ptr[1];
11671 	u16 reason;
11672 	int ret;
11673 
11674 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11675 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11676 		return -EPERM;
11677 
11678 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11679 		reason = WLAN_REASON_DEAUTH_LEAVING;
11680 	else
11681 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11682 
11683 	if (reason == 0)
11684 		return -EINVAL;
11685 
11686 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11687 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11688 		return -EOPNOTSUPP;
11689 
11690 	wdev_lock(dev->ieee80211_ptr);
11691 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11692 	wdev_unlock(dev->ieee80211_ptr);
11693 	return ret;
11694 }
11695 
11696 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11697 {
11698 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11699 	struct net *net;
11700 	int err;
11701 
11702 	if (info->attrs[NL80211_ATTR_PID]) {
11703 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11704 
11705 		net = get_net_ns_by_pid(pid);
11706 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11707 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11708 
11709 		net = get_net_ns_by_fd(fd);
11710 	} else {
11711 		return -EINVAL;
11712 	}
11713 
11714 	if (IS_ERR(net))
11715 		return PTR_ERR(net);
11716 
11717 	err = 0;
11718 
11719 	/* check if anything to do */
11720 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11721 		err = cfg80211_switch_netns(rdev, net);
11722 
11723 	put_net(net);
11724 	return err;
11725 }
11726 
11727 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11728 {
11729 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11730 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11731 			struct cfg80211_pmksa *pmksa) = NULL;
11732 	struct net_device *dev = info->user_ptr[1];
11733 	struct cfg80211_pmksa pmksa;
11734 
11735 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11736 
11737 	if (!info->attrs[NL80211_ATTR_PMKID])
11738 		return -EINVAL;
11739 
11740 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11741 
11742 	if (info->attrs[NL80211_ATTR_MAC]) {
11743 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11744 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11745 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11746 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11747 		    info->attrs[NL80211_ATTR_PMK])) {
11748 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11749 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11750 		pmksa.cache_id =
11751 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11752 	} else {
11753 		return -EINVAL;
11754 	}
11755 	if (info->attrs[NL80211_ATTR_PMK]) {
11756 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11757 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11758 	}
11759 
11760 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11761 		pmksa.pmk_lifetime =
11762 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11763 
11764 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11765 		pmksa.pmk_reauth_threshold =
11766 			nla_get_u8(
11767 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11768 
11769 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11770 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11771 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11772 	      wiphy_ext_feature_isset(&rdev->wiphy,
11773 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11774 		return -EOPNOTSUPP;
11775 
11776 	switch (info->genlhdr->cmd) {
11777 	case NL80211_CMD_SET_PMKSA:
11778 		rdev_ops = rdev->ops->set_pmksa;
11779 		break;
11780 	case NL80211_CMD_DEL_PMKSA:
11781 		rdev_ops = rdev->ops->del_pmksa;
11782 		break;
11783 	default:
11784 		WARN_ON(1);
11785 		break;
11786 	}
11787 
11788 	if (!rdev_ops)
11789 		return -EOPNOTSUPP;
11790 
11791 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11792 }
11793 
11794 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11795 {
11796 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11797 	struct net_device *dev = info->user_ptr[1];
11798 
11799 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11800 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11801 		return -EOPNOTSUPP;
11802 
11803 	if (!rdev->ops->flush_pmksa)
11804 		return -EOPNOTSUPP;
11805 
11806 	return rdev_flush_pmksa(rdev, dev);
11807 }
11808 
11809 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11810 {
11811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11812 	struct net_device *dev = info->user_ptr[1];
11813 	u8 action_code, dialog_token;
11814 	u32 peer_capability = 0;
11815 	u16 status_code;
11816 	u8 *peer;
11817 	bool initiator;
11818 
11819 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11820 	    !rdev->ops->tdls_mgmt)
11821 		return -EOPNOTSUPP;
11822 
11823 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11824 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11825 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11826 	    !info->attrs[NL80211_ATTR_IE] ||
11827 	    !info->attrs[NL80211_ATTR_MAC])
11828 		return -EINVAL;
11829 
11830 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11831 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11832 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11833 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11834 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11835 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11836 		peer_capability =
11837 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11838 
11839 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11840 			      dialog_token, status_code, peer_capability,
11841 			      initiator,
11842 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11843 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11844 }
11845 
11846 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11847 {
11848 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11849 	struct net_device *dev = info->user_ptr[1];
11850 	enum nl80211_tdls_operation operation;
11851 	u8 *peer;
11852 
11853 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11854 	    !rdev->ops->tdls_oper)
11855 		return -EOPNOTSUPP;
11856 
11857 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11858 	    !info->attrs[NL80211_ATTR_MAC])
11859 		return -EINVAL;
11860 
11861 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11862 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11863 
11864 	return rdev_tdls_oper(rdev, dev, peer, operation);
11865 }
11866 
11867 static int nl80211_remain_on_channel(struct sk_buff *skb,
11868 				     struct genl_info *info)
11869 {
11870 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11871 	unsigned int link_id = nl80211_link_id(info->attrs);
11872 	struct wireless_dev *wdev = info->user_ptr[1];
11873 	struct cfg80211_chan_def chandef;
11874 	struct sk_buff *msg;
11875 	void *hdr;
11876 	u64 cookie;
11877 	u32 duration;
11878 	int err;
11879 
11880 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11881 	    !info->attrs[NL80211_ATTR_DURATION])
11882 		return -EINVAL;
11883 
11884 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11885 
11886 	if (!rdev->ops->remain_on_channel ||
11887 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11888 		return -EOPNOTSUPP;
11889 
11890 	/*
11891 	 * We should be on that channel for at least a minimum amount of
11892 	 * time (10ms) but no longer than the driver supports.
11893 	 */
11894 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11895 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11896 		return -EINVAL;
11897 
11898 	err = nl80211_parse_chandef(rdev, info, &chandef);
11899 	if (err)
11900 		return err;
11901 
11902 	wdev_lock(wdev);
11903 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
11904 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
11905 
11906 		oper_chandef = wdev_chandef(wdev, link_id);
11907 
11908 		if (WARN_ON(!oper_chandef)) {
11909 			/* cannot happen since we must beacon to get here */
11910 			WARN_ON(1);
11911 			wdev_unlock(wdev);
11912 			return -EBUSY;
11913 		}
11914 
11915 		/* note: returns first one if identical chandefs */
11916 		compat_chandef = cfg80211_chandef_compatible(&chandef,
11917 							     oper_chandef);
11918 
11919 		if (compat_chandef != &chandef) {
11920 			wdev_unlock(wdev);
11921 			return -EBUSY;
11922 		}
11923 	}
11924 	wdev_unlock(wdev);
11925 
11926 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11927 	if (!msg)
11928 		return -ENOMEM;
11929 
11930 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11931 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11932 	if (!hdr) {
11933 		err = -ENOBUFS;
11934 		goto free_msg;
11935 	}
11936 
11937 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11938 				     duration, &cookie);
11939 
11940 	if (err)
11941 		goto free_msg;
11942 
11943 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11944 			      NL80211_ATTR_PAD))
11945 		goto nla_put_failure;
11946 
11947 	genlmsg_end(msg, hdr);
11948 
11949 	return genlmsg_reply(msg, info);
11950 
11951  nla_put_failure:
11952 	err = -ENOBUFS;
11953  free_msg:
11954 	nlmsg_free(msg);
11955 	return err;
11956 }
11957 
11958 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11959 					    struct genl_info *info)
11960 {
11961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11962 	struct wireless_dev *wdev = info->user_ptr[1];
11963 	u64 cookie;
11964 
11965 	if (!info->attrs[NL80211_ATTR_COOKIE])
11966 		return -EINVAL;
11967 
11968 	if (!rdev->ops->cancel_remain_on_channel)
11969 		return -EOPNOTSUPP;
11970 
11971 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11972 
11973 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11974 }
11975 
11976 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11977 				       struct genl_info *info)
11978 {
11979 	struct cfg80211_bitrate_mask mask;
11980 	unsigned int link_id = nl80211_link_id(info->attrs);
11981 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11982 	struct net_device *dev = info->user_ptr[1];
11983 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11984 	int err;
11985 
11986 	if (!rdev->ops->set_bitrate_mask)
11987 		return -EOPNOTSUPP;
11988 
11989 	wdev_lock(wdev);
11990 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11991 					    NL80211_ATTR_TX_RATES, &mask,
11992 					    dev, true, link_id);
11993 	if (err)
11994 		goto out;
11995 
11996 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
11997 out:
11998 	wdev_unlock(wdev);
11999 	return err;
12000 }
12001 
12002 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12003 {
12004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12005 	struct wireless_dev *wdev = info->user_ptr[1];
12006 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12007 
12008 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12009 		return -EINVAL;
12010 
12011 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12012 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12013 
12014 	switch (wdev->iftype) {
12015 	case NL80211_IFTYPE_STATION:
12016 	case NL80211_IFTYPE_ADHOC:
12017 	case NL80211_IFTYPE_P2P_CLIENT:
12018 	case NL80211_IFTYPE_AP:
12019 	case NL80211_IFTYPE_AP_VLAN:
12020 	case NL80211_IFTYPE_MESH_POINT:
12021 	case NL80211_IFTYPE_P2P_GO:
12022 	case NL80211_IFTYPE_P2P_DEVICE:
12023 		break;
12024 	case NL80211_IFTYPE_NAN:
12025 	default:
12026 		return -EOPNOTSUPP;
12027 	}
12028 
12029 	/* not much point in registering if we can't reply */
12030 	if (!rdev->ops->mgmt_tx)
12031 		return -EOPNOTSUPP;
12032 
12033 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12034 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12035 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12036 		GENL_SET_ERR_MSG(info,
12037 				 "multicast RX registrations are not supported");
12038 		return -EOPNOTSUPP;
12039 	}
12040 
12041 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12042 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12043 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12044 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12045 					   info->extack);
12046 }
12047 
12048 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12049 {
12050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12051 	struct wireless_dev *wdev = info->user_ptr[1];
12052 	struct cfg80211_chan_def chandef;
12053 	int err;
12054 	void *hdr = NULL;
12055 	u64 cookie;
12056 	struct sk_buff *msg = NULL;
12057 	struct cfg80211_mgmt_tx_params params = {
12058 		.dont_wait_for_ack =
12059 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12060 	};
12061 
12062 	if (!info->attrs[NL80211_ATTR_FRAME])
12063 		return -EINVAL;
12064 
12065 	if (!rdev->ops->mgmt_tx)
12066 		return -EOPNOTSUPP;
12067 
12068 	switch (wdev->iftype) {
12069 	case NL80211_IFTYPE_P2P_DEVICE:
12070 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12071 			return -EINVAL;
12072 		break;
12073 	case NL80211_IFTYPE_STATION:
12074 	case NL80211_IFTYPE_ADHOC:
12075 	case NL80211_IFTYPE_P2P_CLIENT:
12076 	case NL80211_IFTYPE_AP:
12077 	case NL80211_IFTYPE_AP_VLAN:
12078 	case NL80211_IFTYPE_MESH_POINT:
12079 	case NL80211_IFTYPE_P2P_GO:
12080 		break;
12081 	case NL80211_IFTYPE_NAN:
12082 	default:
12083 		return -EOPNOTSUPP;
12084 	}
12085 
12086 	if (info->attrs[NL80211_ATTR_DURATION]) {
12087 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12088 			return -EINVAL;
12089 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12090 
12091 		/*
12092 		 * We should wait on the channel for at least a minimum amount
12093 		 * of time (10ms) but no longer than the driver supports.
12094 		 */
12095 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12096 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12097 			return -EINVAL;
12098 	}
12099 
12100 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12101 
12102 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12103 		return -EINVAL;
12104 
12105 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12106 
12107 	/* get the channel if any has been specified, otherwise pass NULL to
12108 	 * the driver. The latter will use the current one
12109 	 */
12110 	chandef.chan = NULL;
12111 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12112 		err = nl80211_parse_chandef(rdev, info, &chandef);
12113 		if (err)
12114 			return err;
12115 	}
12116 
12117 	if (!chandef.chan && params.offchan)
12118 		return -EINVAL;
12119 
12120 	wdev_lock(wdev);
12121 	if (params.offchan &&
12122 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12123 		wdev_unlock(wdev);
12124 		return -EBUSY;
12125 	}
12126 	wdev_unlock(wdev);
12127 
12128 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12129 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12130 
12131 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12132 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12133 		int i;
12134 
12135 		if (len % sizeof(u16))
12136 			return -EINVAL;
12137 
12138 		params.n_csa_offsets = len / sizeof(u16);
12139 		params.csa_offsets =
12140 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12141 
12142 		/* check that all the offsets fit the frame */
12143 		for (i = 0; i < params.n_csa_offsets; i++) {
12144 			if (params.csa_offsets[i] >= params.len)
12145 				return -EINVAL;
12146 		}
12147 	}
12148 
12149 	if (!params.dont_wait_for_ack) {
12150 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12151 		if (!msg)
12152 			return -ENOMEM;
12153 
12154 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12155 				     NL80211_CMD_FRAME);
12156 		if (!hdr) {
12157 			err = -ENOBUFS;
12158 			goto free_msg;
12159 		}
12160 	}
12161 
12162 	params.chan = chandef.chan;
12163 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12164 	if (err)
12165 		goto free_msg;
12166 
12167 	if (msg) {
12168 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12169 				      NL80211_ATTR_PAD))
12170 			goto nla_put_failure;
12171 
12172 		genlmsg_end(msg, hdr);
12173 		return genlmsg_reply(msg, info);
12174 	}
12175 
12176 	return 0;
12177 
12178  nla_put_failure:
12179 	err = -ENOBUFS;
12180  free_msg:
12181 	nlmsg_free(msg);
12182 	return err;
12183 }
12184 
12185 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12186 {
12187 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12188 	struct wireless_dev *wdev = info->user_ptr[1];
12189 	u64 cookie;
12190 
12191 	if (!info->attrs[NL80211_ATTR_COOKIE])
12192 		return -EINVAL;
12193 
12194 	if (!rdev->ops->mgmt_tx_cancel_wait)
12195 		return -EOPNOTSUPP;
12196 
12197 	switch (wdev->iftype) {
12198 	case NL80211_IFTYPE_STATION:
12199 	case NL80211_IFTYPE_ADHOC:
12200 	case NL80211_IFTYPE_P2P_CLIENT:
12201 	case NL80211_IFTYPE_AP:
12202 	case NL80211_IFTYPE_AP_VLAN:
12203 	case NL80211_IFTYPE_P2P_GO:
12204 	case NL80211_IFTYPE_P2P_DEVICE:
12205 		break;
12206 	case NL80211_IFTYPE_NAN:
12207 	default:
12208 		return -EOPNOTSUPP;
12209 	}
12210 
12211 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12212 
12213 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12214 }
12215 
12216 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12217 {
12218 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12219 	struct wireless_dev *wdev;
12220 	struct net_device *dev = info->user_ptr[1];
12221 	u8 ps_state;
12222 	bool state;
12223 	int err;
12224 
12225 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12226 		return -EINVAL;
12227 
12228 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12229 
12230 	wdev = dev->ieee80211_ptr;
12231 
12232 	if (!rdev->ops->set_power_mgmt)
12233 		return -EOPNOTSUPP;
12234 
12235 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12236 
12237 	if (state == wdev->ps)
12238 		return 0;
12239 
12240 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12241 	if (!err)
12242 		wdev->ps = state;
12243 	return err;
12244 }
12245 
12246 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12247 {
12248 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12249 	enum nl80211_ps_state ps_state;
12250 	struct wireless_dev *wdev;
12251 	struct net_device *dev = info->user_ptr[1];
12252 	struct sk_buff *msg;
12253 	void *hdr;
12254 	int err;
12255 
12256 	wdev = dev->ieee80211_ptr;
12257 
12258 	if (!rdev->ops->set_power_mgmt)
12259 		return -EOPNOTSUPP;
12260 
12261 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12262 	if (!msg)
12263 		return -ENOMEM;
12264 
12265 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12266 			     NL80211_CMD_GET_POWER_SAVE);
12267 	if (!hdr) {
12268 		err = -ENOBUFS;
12269 		goto free_msg;
12270 	}
12271 
12272 	if (wdev->ps)
12273 		ps_state = NL80211_PS_ENABLED;
12274 	else
12275 		ps_state = NL80211_PS_DISABLED;
12276 
12277 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12278 		goto nla_put_failure;
12279 
12280 	genlmsg_end(msg, hdr);
12281 	return genlmsg_reply(msg, info);
12282 
12283  nla_put_failure:
12284 	err = -ENOBUFS;
12285  free_msg:
12286 	nlmsg_free(msg);
12287 	return err;
12288 }
12289 
12290 static const struct nla_policy
12291 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12292 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12293 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12294 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12295 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12296 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12297 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12298 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12299 };
12300 
12301 static int nl80211_set_cqm_txe(struct genl_info *info,
12302 			       u32 rate, u32 pkts, u32 intvl)
12303 {
12304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12305 	struct net_device *dev = info->user_ptr[1];
12306 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12307 
12308 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12309 		return -EINVAL;
12310 
12311 	if (!rdev->ops->set_cqm_txe_config)
12312 		return -EOPNOTSUPP;
12313 
12314 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12315 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12316 		return -EOPNOTSUPP;
12317 
12318 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12319 }
12320 
12321 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12322 				    struct net_device *dev)
12323 {
12324 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12325 	s32 last, low, high;
12326 	u32 hyst;
12327 	int i, n, low_index;
12328 	int err;
12329 
12330 	/* RSSI reporting disabled? */
12331 	if (!wdev->cqm_config)
12332 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12333 
12334 	/*
12335 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12336 	 * event has been received yet, we should receive an event after a
12337 	 * connection is established and enough beacons received to calculate
12338 	 * the average.
12339 	 */
12340 	if (!wdev->cqm_config->last_rssi_event_value &&
12341 	    wdev->links[0].client.current_bss &&
12342 	    rdev->ops->get_station) {
12343 		struct station_info sinfo = {};
12344 		u8 *mac_addr;
12345 
12346 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12347 
12348 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12349 		if (err)
12350 			return err;
12351 
12352 		cfg80211_sinfo_release_content(&sinfo);
12353 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12354 			wdev->cqm_config->last_rssi_event_value =
12355 				(s8) sinfo.rx_beacon_signal_avg;
12356 	}
12357 
12358 	last = wdev->cqm_config->last_rssi_event_value;
12359 	hyst = wdev->cqm_config->rssi_hyst;
12360 	n = wdev->cqm_config->n_rssi_thresholds;
12361 
12362 	for (i = 0; i < n; i++) {
12363 		i = array_index_nospec(i, n);
12364 		if (last < wdev->cqm_config->rssi_thresholds[i])
12365 			break;
12366 	}
12367 
12368 	low_index = i - 1;
12369 	if (low_index >= 0) {
12370 		low_index = array_index_nospec(low_index, n);
12371 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12372 	} else {
12373 		low = S32_MIN;
12374 	}
12375 	if (i < n) {
12376 		i = array_index_nospec(i, n);
12377 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12378 	} else {
12379 		high = S32_MAX;
12380 	}
12381 
12382 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12383 }
12384 
12385 static int nl80211_set_cqm_rssi(struct genl_info *info,
12386 				const s32 *thresholds, int n_thresholds,
12387 				u32 hysteresis)
12388 {
12389 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12390 	struct net_device *dev = info->user_ptr[1];
12391 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12392 	int i, err;
12393 	s32 prev = S32_MIN;
12394 
12395 	/* Check all values negative and sorted */
12396 	for (i = 0; i < n_thresholds; i++) {
12397 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12398 			return -EINVAL;
12399 
12400 		prev = thresholds[i];
12401 	}
12402 
12403 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12404 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12405 		return -EOPNOTSUPP;
12406 
12407 	wdev_lock(wdev);
12408 	cfg80211_cqm_config_free(wdev);
12409 	wdev_unlock(wdev);
12410 
12411 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12412 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12413 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12414 
12415 		return rdev_set_cqm_rssi_config(rdev, dev,
12416 						thresholds[0], hysteresis);
12417 	}
12418 
12419 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12420 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12421 		return -EOPNOTSUPP;
12422 
12423 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12424 		n_thresholds = 0;
12425 
12426 	wdev_lock(wdev);
12427 	if (n_thresholds) {
12428 		struct cfg80211_cqm_config *cqm_config;
12429 
12430 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12431 						 n_thresholds),
12432 				     GFP_KERNEL);
12433 		if (!cqm_config) {
12434 			err = -ENOMEM;
12435 			goto unlock;
12436 		}
12437 
12438 		cqm_config->rssi_hyst = hysteresis;
12439 		cqm_config->n_rssi_thresholds = n_thresholds;
12440 		memcpy(cqm_config->rssi_thresholds, thresholds,
12441 		       flex_array_size(cqm_config, rssi_thresholds,
12442 				       n_thresholds));
12443 
12444 		wdev->cqm_config = cqm_config;
12445 	}
12446 
12447 	err = cfg80211_cqm_rssi_update(rdev, dev);
12448 
12449 unlock:
12450 	wdev_unlock(wdev);
12451 
12452 	return err;
12453 }
12454 
12455 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12456 {
12457 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12458 	struct nlattr *cqm;
12459 	int err;
12460 
12461 	cqm = info->attrs[NL80211_ATTR_CQM];
12462 	if (!cqm)
12463 		return -EINVAL;
12464 
12465 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12466 					  nl80211_attr_cqm_policy,
12467 					  info->extack);
12468 	if (err)
12469 		return err;
12470 
12471 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12472 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12473 		const s32 *thresholds =
12474 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12475 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12476 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12477 
12478 		if (len % 4)
12479 			return -EINVAL;
12480 
12481 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12482 					    hysteresis);
12483 	}
12484 
12485 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12486 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12487 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12488 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12489 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12490 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12491 
12492 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12493 	}
12494 
12495 	return -EINVAL;
12496 }
12497 
12498 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12499 {
12500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12501 	struct net_device *dev = info->user_ptr[1];
12502 	struct ocb_setup setup = {};
12503 	int err;
12504 
12505 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12506 	if (err)
12507 		return err;
12508 
12509 	return cfg80211_join_ocb(rdev, dev, &setup);
12510 }
12511 
12512 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12513 {
12514 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12515 	struct net_device *dev = info->user_ptr[1];
12516 
12517 	return cfg80211_leave_ocb(rdev, dev);
12518 }
12519 
12520 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12521 {
12522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12523 	struct net_device *dev = info->user_ptr[1];
12524 	struct mesh_config cfg;
12525 	struct mesh_setup setup;
12526 	int err;
12527 
12528 	/* start with default */
12529 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12530 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12531 
12532 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12533 		/* and parse parameters if given */
12534 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12535 		if (err)
12536 			return err;
12537 	}
12538 
12539 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12540 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12541 		return -EINVAL;
12542 
12543 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12544 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12545 
12546 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12547 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12548 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12549 			return -EINVAL;
12550 
12551 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12552 		setup.beacon_interval =
12553 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12554 
12555 		err = cfg80211_validate_beacon_int(rdev,
12556 						   NL80211_IFTYPE_MESH_POINT,
12557 						   setup.beacon_interval);
12558 		if (err)
12559 			return err;
12560 	}
12561 
12562 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12563 		setup.dtim_period =
12564 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12565 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12566 			return -EINVAL;
12567 	}
12568 
12569 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12570 		/* parse additional setup parameters if given */
12571 		err = nl80211_parse_mesh_setup(info, &setup);
12572 		if (err)
12573 			return err;
12574 	}
12575 
12576 	if (setup.user_mpm)
12577 		cfg.auto_open_plinks = false;
12578 
12579 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12580 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12581 		if (err)
12582 			return err;
12583 	} else {
12584 		/* __cfg80211_join_mesh() will sort it out */
12585 		setup.chandef.chan = NULL;
12586 	}
12587 
12588 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12589 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12590 		int n_rates =
12591 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12592 		struct ieee80211_supported_band *sband;
12593 
12594 		if (!setup.chandef.chan)
12595 			return -EINVAL;
12596 
12597 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12598 
12599 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12600 					     &setup.basic_rates);
12601 		if (err)
12602 			return err;
12603 	}
12604 
12605 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12606 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12607 						    NL80211_ATTR_TX_RATES,
12608 						    &setup.beacon_rate,
12609 						    dev, false, 0);
12610 		if (err)
12611 			return err;
12612 
12613 		if (!setup.chandef.chan)
12614 			return -EINVAL;
12615 
12616 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12617 					      &setup.beacon_rate);
12618 		if (err)
12619 			return err;
12620 	}
12621 
12622 	setup.userspace_handles_dfs =
12623 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12624 
12625 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12626 		int r = validate_pae_over_nl80211(rdev, info);
12627 
12628 		if (r < 0)
12629 			return r;
12630 
12631 		setup.control_port_over_nl80211 = true;
12632 	}
12633 
12634 	wdev_lock(dev->ieee80211_ptr);
12635 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12636 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12637 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12638 	wdev_unlock(dev->ieee80211_ptr);
12639 
12640 	return err;
12641 }
12642 
12643 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12644 {
12645 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12646 	struct net_device *dev = info->user_ptr[1];
12647 
12648 	return cfg80211_leave_mesh(rdev, dev);
12649 }
12650 
12651 #ifdef CONFIG_PM
12652 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12653 					struct cfg80211_registered_device *rdev)
12654 {
12655 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12656 	struct nlattr *nl_pats, *nl_pat;
12657 	int i, pat_len;
12658 
12659 	if (!wowlan->n_patterns)
12660 		return 0;
12661 
12662 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12663 	if (!nl_pats)
12664 		return -ENOBUFS;
12665 
12666 	for (i = 0; i < wowlan->n_patterns; i++) {
12667 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12668 		if (!nl_pat)
12669 			return -ENOBUFS;
12670 		pat_len = wowlan->patterns[i].pattern_len;
12671 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12672 			    wowlan->patterns[i].mask) ||
12673 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12674 			    wowlan->patterns[i].pattern) ||
12675 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12676 				wowlan->patterns[i].pkt_offset))
12677 			return -ENOBUFS;
12678 		nla_nest_end(msg, nl_pat);
12679 	}
12680 	nla_nest_end(msg, nl_pats);
12681 
12682 	return 0;
12683 }
12684 
12685 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12686 				   struct cfg80211_wowlan_tcp *tcp)
12687 {
12688 	struct nlattr *nl_tcp;
12689 
12690 	if (!tcp)
12691 		return 0;
12692 
12693 	nl_tcp = nla_nest_start_noflag(msg,
12694 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12695 	if (!nl_tcp)
12696 		return -ENOBUFS;
12697 
12698 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12699 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12700 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12701 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12702 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12703 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12704 		    tcp->payload_len, tcp->payload) ||
12705 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12706 			tcp->data_interval) ||
12707 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12708 		    tcp->wake_len, tcp->wake_data) ||
12709 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12710 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12711 		return -ENOBUFS;
12712 
12713 	if (tcp->payload_seq.len &&
12714 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12715 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12716 		return -ENOBUFS;
12717 
12718 	if (tcp->payload_tok.len &&
12719 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12720 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12721 		    &tcp->payload_tok))
12722 		return -ENOBUFS;
12723 
12724 	nla_nest_end(msg, nl_tcp);
12725 
12726 	return 0;
12727 }
12728 
12729 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12730 				  struct cfg80211_sched_scan_request *req)
12731 {
12732 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12733 	int i;
12734 
12735 	if (!req)
12736 		return 0;
12737 
12738 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12739 	if (!nd)
12740 		return -ENOBUFS;
12741 
12742 	if (req->n_scan_plans == 1 &&
12743 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12744 			req->scan_plans[0].interval * 1000))
12745 		return -ENOBUFS;
12746 
12747 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12748 		return -ENOBUFS;
12749 
12750 	if (req->relative_rssi_set) {
12751 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12752 
12753 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12754 			       req->relative_rssi))
12755 			return -ENOBUFS;
12756 
12757 		rssi_adjust.band = req->rssi_adjust.band;
12758 		rssi_adjust.delta = req->rssi_adjust.delta;
12759 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12760 			    sizeof(rssi_adjust), &rssi_adjust))
12761 			return -ENOBUFS;
12762 	}
12763 
12764 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12765 	if (!freqs)
12766 		return -ENOBUFS;
12767 
12768 	for (i = 0; i < req->n_channels; i++) {
12769 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12770 			return -ENOBUFS;
12771 	}
12772 
12773 	nla_nest_end(msg, freqs);
12774 
12775 	if (req->n_match_sets) {
12776 		matches = nla_nest_start_noflag(msg,
12777 						NL80211_ATTR_SCHED_SCAN_MATCH);
12778 		if (!matches)
12779 			return -ENOBUFS;
12780 
12781 		for (i = 0; i < req->n_match_sets; i++) {
12782 			match = nla_nest_start_noflag(msg, i);
12783 			if (!match)
12784 				return -ENOBUFS;
12785 
12786 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12787 				    req->match_sets[i].ssid.ssid_len,
12788 				    req->match_sets[i].ssid.ssid))
12789 				return -ENOBUFS;
12790 			nla_nest_end(msg, match);
12791 		}
12792 		nla_nest_end(msg, matches);
12793 	}
12794 
12795 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12796 	if (!scan_plans)
12797 		return -ENOBUFS;
12798 
12799 	for (i = 0; i < req->n_scan_plans; i++) {
12800 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12801 		if (!scan_plan)
12802 			return -ENOBUFS;
12803 
12804 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12805 				req->scan_plans[i].interval) ||
12806 		    (req->scan_plans[i].iterations &&
12807 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12808 				 req->scan_plans[i].iterations)))
12809 			return -ENOBUFS;
12810 		nla_nest_end(msg, scan_plan);
12811 	}
12812 	nla_nest_end(msg, scan_plans);
12813 
12814 	nla_nest_end(msg, nd);
12815 
12816 	return 0;
12817 }
12818 
12819 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12820 {
12821 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12822 	struct sk_buff *msg;
12823 	void *hdr;
12824 	u32 size = NLMSG_DEFAULT_SIZE;
12825 
12826 	if (!rdev->wiphy.wowlan)
12827 		return -EOPNOTSUPP;
12828 
12829 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12830 		/* adjust size to have room for all the data */
12831 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12832 			rdev->wiphy.wowlan_config->tcp->payload_len +
12833 			rdev->wiphy.wowlan_config->tcp->wake_len +
12834 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12835 	}
12836 
12837 	msg = nlmsg_new(size, GFP_KERNEL);
12838 	if (!msg)
12839 		return -ENOMEM;
12840 
12841 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12842 			     NL80211_CMD_GET_WOWLAN);
12843 	if (!hdr)
12844 		goto nla_put_failure;
12845 
12846 	if (rdev->wiphy.wowlan_config) {
12847 		struct nlattr *nl_wowlan;
12848 
12849 		nl_wowlan = nla_nest_start_noflag(msg,
12850 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12851 		if (!nl_wowlan)
12852 			goto nla_put_failure;
12853 
12854 		if ((rdev->wiphy.wowlan_config->any &&
12855 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12856 		    (rdev->wiphy.wowlan_config->disconnect &&
12857 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12858 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12859 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12860 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12861 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12862 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12863 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12864 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12865 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12866 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12867 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12868 			goto nla_put_failure;
12869 
12870 		if (nl80211_send_wowlan_patterns(msg, rdev))
12871 			goto nla_put_failure;
12872 
12873 		if (nl80211_send_wowlan_tcp(msg,
12874 					    rdev->wiphy.wowlan_config->tcp))
12875 			goto nla_put_failure;
12876 
12877 		if (nl80211_send_wowlan_nd(
12878 			    msg,
12879 			    rdev->wiphy.wowlan_config->nd_config))
12880 			goto nla_put_failure;
12881 
12882 		nla_nest_end(msg, nl_wowlan);
12883 	}
12884 
12885 	genlmsg_end(msg, hdr);
12886 	return genlmsg_reply(msg, info);
12887 
12888 nla_put_failure:
12889 	nlmsg_free(msg);
12890 	return -ENOBUFS;
12891 }
12892 
12893 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12894 				    struct nlattr *attr,
12895 				    struct cfg80211_wowlan *trig)
12896 {
12897 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12898 	struct cfg80211_wowlan_tcp *cfg;
12899 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12900 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12901 	u32 size;
12902 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12903 	int err, port;
12904 
12905 	if (!rdev->wiphy.wowlan->tcp)
12906 		return -EINVAL;
12907 
12908 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12909 					  nl80211_wowlan_tcp_policy, NULL);
12910 	if (err)
12911 		return err;
12912 
12913 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12914 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12915 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12916 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12917 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12918 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12919 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12920 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12921 		return -EINVAL;
12922 
12923 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12924 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12925 		return -EINVAL;
12926 
12927 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12928 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12929 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12930 		return -EINVAL;
12931 
12932 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12933 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12934 		return -EINVAL;
12935 
12936 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12937 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12938 		return -EINVAL;
12939 
12940 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12941 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12942 
12943 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12944 		tokens_size = tokln - sizeof(*tok);
12945 
12946 		if (!tok->len || tokens_size % tok->len)
12947 			return -EINVAL;
12948 		if (!rdev->wiphy.wowlan->tcp->tok)
12949 			return -EINVAL;
12950 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12951 			return -EINVAL;
12952 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12953 			return -EINVAL;
12954 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12955 			return -EINVAL;
12956 		if (tok->offset + tok->len > data_size)
12957 			return -EINVAL;
12958 	}
12959 
12960 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12961 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12962 		if (!rdev->wiphy.wowlan->tcp->seq)
12963 			return -EINVAL;
12964 		if (seq->len == 0 || seq->len > 4)
12965 			return -EINVAL;
12966 		if (seq->len + seq->offset > data_size)
12967 			return -EINVAL;
12968 	}
12969 
12970 	size = sizeof(*cfg);
12971 	size += data_size;
12972 	size += wake_size + wake_mask_size;
12973 	size += tokens_size;
12974 
12975 	cfg = kzalloc(size, GFP_KERNEL);
12976 	if (!cfg)
12977 		return -ENOMEM;
12978 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12979 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12980 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12981 	       ETH_ALEN);
12982 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12983 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12984 	else
12985 		port = 0;
12986 #ifdef CONFIG_INET
12987 	/* allocate a socket and port for it and use it */
12988 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12989 			    IPPROTO_TCP, &cfg->sock, 1);
12990 	if (err) {
12991 		kfree(cfg);
12992 		return err;
12993 	}
12994 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12995 		sock_release(cfg->sock);
12996 		kfree(cfg);
12997 		return -EADDRINUSE;
12998 	}
12999 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13000 #else
13001 	if (!port) {
13002 		kfree(cfg);
13003 		return -EINVAL;
13004 	}
13005 	cfg->src_port = port;
13006 #endif
13007 
13008 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13009 	cfg->payload_len = data_size;
13010 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13011 	memcpy((void *)cfg->payload,
13012 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13013 	       data_size);
13014 	if (seq)
13015 		cfg->payload_seq = *seq;
13016 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13017 	cfg->wake_len = wake_size;
13018 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13019 	memcpy((void *)cfg->wake_data,
13020 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13021 	       wake_size);
13022 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13023 			 data_size + wake_size;
13024 	memcpy((void *)cfg->wake_mask,
13025 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13026 	       wake_mask_size);
13027 	if (tok) {
13028 		cfg->tokens_size = tokens_size;
13029 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
13030 	}
13031 
13032 	trig->tcp = cfg;
13033 
13034 	return 0;
13035 }
13036 
13037 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13038 				   const struct wiphy_wowlan_support *wowlan,
13039 				   struct nlattr *attr,
13040 				   struct cfg80211_wowlan *trig)
13041 {
13042 	struct nlattr **tb;
13043 	int err;
13044 
13045 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13046 	if (!tb)
13047 		return -ENOMEM;
13048 
13049 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13050 		err = -EOPNOTSUPP;
13051 		goto out;
13052 	}
13053 
13054 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13055 					  nl80211_policy, NULL);
13056 	if (err)
13057 		goto out;
13058 
13059 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13060 						   wowlan->max_nd_match_sets);
13061 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13062 	if (err)
13063 		trig->nd_config = NULL;
13064 
13065 out:
13066 	kfree(tb);
13067 	return err;
13068 }
13069 
13070 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13071 {
13072 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13073 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13074 	struct cfg80211_wowlan new_triggers = {};
13075 	struct cfg80211_wowlan *ntrig;
13076 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13077 	int err, i;
13078 	bool prev_enabled = rdev->wiphy.wowlan_config;
13079 	bool regular = false;
13080 
13081 	if (!wowlan)
13082 		return -EOPNOTSUPP;
13083 
13084 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13085 		cfg80211_rdev_free_wowlan(rdev);
13086 		rdev->wiphy.wowlan_config = NULL;
13087 		goto set_wakeup;
13088 	}
13089 
13090 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13091 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13092 					  nl80211_wowlan_policy, info->extack);
13093 	if (err)
13094 		return err;
13095 
13096 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13097 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13098 			return -EINVAL;
13099 		new_triggers.any = true;
13100 	}
13101 
13102 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13103 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13104 			return -EINVAL;
13105 		new_triggers.disconnect = true;
13106 		regular = true;
13107 	}
13108 
13109 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13110 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13111 			return -EINVAL;
13112 		new_triggers.magic_pkt = true;
13113 		regular = true;
13114 	}
13115 
13116 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13117 		return -EINVAL;
13118 
13119 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13120 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13121 			return -EINVAL;
13122 		new_triggers.gtk_rekey_failure = true;
13123 		regular = true;
13124 	}
13125 
13126 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13127 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13128 			return -EINVAL;
13129 		new_triggers.eap_identity_req = true;
13130 		regular = true;
13131 	}
13132 
13133 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13134 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13135 			return -EINVAL;
13136 		new_triggers.four_way_handshake = true;
13137 		regular = true;
13138 	}
13139 
13140 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13141 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13142 			return -EINVAL;
13143 		new_triggers.rfkill_release = true;
13144 		regular = true;
13145 	}
13146 
13147 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13148 		struct nlattr *pat;
13149 		int n_patterns = 0;
13150 		int rem, pat_len, mask_len, pkt_offset;
13151 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13152 
13153 		regular = true;
13154 
13155 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13156 				    rem)
13157 			n_patterns++;
13158 		if (n_patterns > wowlan->n_patterns)
13159 			return -EINVAL;
13160 
13161 		new_triggers.patterns = kcalloc(n_patterns,
13162 						sizeof(new_triggers.patterns[0]),
13163 						GFP_KERNEL);
13164 		if (!new_triggers.patterns)
13165 			return -ENOMEM;
13166 
13167 		new_triggers.n_patterns = n_patterns;
13168 		i = 0;
13169 
13170 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13171 				    rem) {
13172 			u8 *mask_pat;
13173 
13174 			err = nla_parse_nested_deprecated(pat_tb,
13175 							  MAX_NL80211_PKTPAT,
13176 							  pat,
13177 							  nl80211_packet_pattern_policy,
13178 							  info->extack);
13179 			if (err)
13180 				goto error;
13181 
13182 			err = -EINVAL;
13183 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13184 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13185 				goto error;
13186 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13187 			mask_len = DIV_ROUND_UP(pat_len, 8);
13188 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13189 				goto error;
13190 			if (pat_len > wowlan->pattern_max_len ||
13191 			    pat_len < wowlan->pattern_min_len)
13192 				goto error;
13193 
13194 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13195 				pkt_offset = 0;
13196 			else
13197 				pkt_offset = nla_get_u32(
13198 					pat_tb[NL80211_PKTPAT_OFFSET]);
13199 			if (pkt_offset > wowlan->max_pkt_offset)
13200 				goto error;
13201 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13202 
13203 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13204 			if (!mask_pat) {
13205 				err = -ENOMEM;
13206 				goto error;
13207 			}
13208 			new_triggers.patterns[i].mask = mask_pat;
13209 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13210 			       mask_len);
13211 			mask_pat += mask_len;
13212 			new_triggers.patterns[i].pattern = mask_pat;
13213 			new_triggers.patterns[i].pattern_len = pat_len;
13214 			memcpy(mask_pat,
13215 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13216 			       pat_len);
13217 			i++;
13218 		}
13219 	}
13220 
13221 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13222 		regular = true;
13223 		err = nl80211_parse_wowlan_tcp(
13224 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13225 			&new_triggers);
13226 		if (err)
13227 			goto error;
13228 	}
13229 
13230 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13231 		regular = true;
13232 		err = nl80211_parse_wowlan_nd(
13233 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13234 			&new_triggers);
13235 		if (err)
13236 			goto error;
13237 	}
13238 
13239 	/* The 'any' trigger means the device continues operating more or less
13240 	 * as in its normal operation mode and wakes up the host on most of the
13241 	 * normal interrupts (like packet RX, ...)
13242 	 * It therefore makes little sense to combine with the more constrained
13243 	 * wakeup trigger modes.
13244 	 */
13245 	if (new_triggers.any && regular) {
13246 		err = -EINVAL;
13247 		goto error;
13248 	}
13249 
13250 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13251 	if (!ntrig) {
13252 		err = -ENOMEM;
13253 		goto error;
13254 	}
13255 	cfg80211_rdev_free_wowlan(rdev);
13256 	rdev->wiphy.wowlan_config = ntrig;
13257 
13258  set_wakeup:
13259 	if (rdev->ops->set_wakeup &&
13260 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13261 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13262 
13263 	return 0;
13264  error:
13265 	for (i = 0; i < new_triggers.n_patterns; i++)
13266 		kfree(new_triggers.patterns[i].mask);
13267 	kfree(new_triggers.patterns);
13268 	if (new_triggers.tcp && new_triggers.tcp->sock)
13269 		sock_release(new_triggers.tcp->sock);
13270 	kfree(new_triggers.tcp);
13271 	kfree(new_triggers.nd_config);
13272 	return err;
13273 }
13274 #endif
13275 
13276 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13277 				       struct cfg80211_registered_device *rdev)
13278 {
13279 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13280 	int i, j, pat_len;
13281 	struct cfg80211_coalesce_rules *rule;
13282 
13283 	if (!rdev->coalesce->n_rules)
13284 		return 0;
13285 
13286 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13287 	if (!nl_rules)
13288 		return -ENOBUFS;
13289 
13290 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13291 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13292 		if (!nl_rule)
13293 			return -ENOBUFS;
13294 
13295 		rule = &rdev->coalesce->rules[i];
13296 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13297 				rule->delay))
13298 			return -ENOBUFS;
13299 
13300 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13301 				rule->condition))
13302 			return -ENOBUFS;
13303 
13304 		nl_pats = nla_nest_start_noflag(msg,
13305 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13306 		if (!nl_pats)
13307 			return -ENOBUFS;
13308 
13309 		for (j = 0; j < rule->n_patterns; j++) {
13310 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13311 			if (!nl_pat)
13312 				return -ENOBUFS;
13313 			pat_len = rule->patterns[j].pattern_len;
13314 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13315 				    DIV_ROUND_UP(pat_len, 8),
13316 				    rule->patterns[j].mask) ||
13317 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13318 				    rule->patterns[j].pattern) ||
13319 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13320 					rule->patterns[j].pkt_offset))
13321 				return -ENOBUFS;
13322 			nla_nest_end(msg, nl_pat);
13323 		}
13324 		nla_nest_end(msg, nl_pats);
13325 		nla_nest_end(msg, nl_rule);
13326 	}
13327 	nla_nest_end(msg, nl_rules);
13328 
13329 	return 0;
13330 }
13331 
13332 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13333 {
13334 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13335 	struct sk_buff *msg;
13336 	void *hdr;
13337 
13338 	if (!rdev->wiphy.coalesce)
13339 		return -EOPNOTSUPP;
13340 
13341 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13342 	if (!msg)
13343 		return -ENOMEM;
13344 
13345 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13346 			     NL80211_CMD_GET_COALESCE);
13347 	if (!hdr)
13348 		goto nla_put_failure;
13349 
13350 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13351 		goto nla_put_failure;
13352 
13353 	genlmsg_end(msg, hdr);
13354 	return genlmsg_reply(msg, info);
13355 
13356 nla_put_failure:
13357 	nlmsg_free(msg);
13358 	return -ENOBUFS;
13359 }
13360 
13361 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13362 {
13363 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13364 	int i, j;
13365 	struct cfg80211_coalesce_rules *rule;
13366 
13367 	if (!coalesce)
13368 		return;
13369 
13370 	for (i = 0; i < coalesce->n_rules; i++) {
13371 		rule = &coalesce->rules[i];
13372 		for (j = 0; j < rule->n_patterns; j++)
13373 			kfree(rule->patterns[j].mask);
13374 		kfree(rule->patterns);
13375 	}
13376 	kfree(coalesce->rules);
13377 	kfree(coalesce);
13378 	rdev->coalesce = NULL;
13379 }
13380 
13381 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13382 				       struct nlattr *rule,
13383 				       struct cfg80211_coalesce_rules *new_rule)
13384 {
13385 	int err, i;
13386 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13387 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13388 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13389 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13390 
13391 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13392 					  rule, nl80211_coalesce_policy, NULL);
13393 	if (err)
13394 		return err;
13395 
13396 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13397 		new_rule->delay =
13398 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13399 	if (new_rule->delay > coalesce->max_delay)
13400 		return -EINVAL;
13401 
13402 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13403 		new_rule->condition =
13404 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13405 
13406 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13407 		return -EINVAL;
13408 
13409 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13410 			    rem)
13411 		n_patterns++;
13412 	if (n_patterns > coalesce->n_patterns)
13413 		return -EINVAL;
13414 
13415 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13416 				     GFP_KERNEL);
13417 	if (!new_rule->patterns)
13418 		return -ENOMEM;
13419 
13420 	new_rule->n_patterns = n_patterns;
13421 	i = 0;
13422 
13423 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13424 			    rem) {
13425 		u8 *mask_pat;
13426 
13427 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13428 						  pat,
13429 						  nl80211_packet_pattern_policy,
13430 						  NULL);
13431 		if (err)
13432 			return err;
13433 
13434 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13435 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13436 			return -EINVAL;
13437 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13438 		mask_len = DIV_ROUND_UP(pat_len, 8);
13439 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13440 			return -EINVAL;
13441 		if (pat_len > coalesce->pattern_max_len ||
13442 		    pat_len < coalesce->pattern_min_len)
13443 			return -EINVAL;
13444 
13445 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13446 			pkt_offset = 0;
13447 		else
13448 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13449 		if (pkt_offset > coalesce->max_pkt_offset)
13450 			return -EINVAL;
13451 		new_rule->patterns[i].pkt_offset = pkt_offset;
13452 
13453 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13454 		if (!mask_pat)
13455 			return -ENOMEM;
13456 
13457 		new_rule->patterns[i].mask = mask_pat;
13458 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13459 		       mask_len);
13460 
13461 		mask_pat += mask_len;
13462 		new_rule->patterns[i].pattern = mask_pat;
13463 		new_rule->patterns[i].pattern_len = pat_len;
13464 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13465 		       pat_len);
13466 		i++;
13467 	}
13468 
13469 	return 0;
13470 }
13471 
13472 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13473 {
13474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13475 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13476 	struct cfg80211_coalesce new_coalesce = {};
13477 	struct cfg80211_coalesce *n_coalesce;
13478 	int err, rem_rule, n_rules = 0, i, j;
13479 	struct nlattr *rule;
13480 	struct cfg80211_coalesce_rules *tmp_rule;
13481 
13482 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13483 		return -EOPNOTSUPP;
13484 
13485 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13486 		cfg80211_rdev_free_coalesce(rdev);
13487 		rdev_set_coalesce(rdev, NULL);
13488 		return 0;
13489 	}
13490 
13491 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13492 			    rem_rule)
13493 		n_rules++;
13494 	if (n_rules > coalesce->n_rules)
13495 		return -EINVAL;
13496 
13497 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13498 				     GFP_KERNEL);
13499 	if (!new_coalesce.rules)
13500 		return -ENOMEM;
13501 
13502 	new_coalesce.n_rules = n_rules;
13503 	i = 0;
13504 
13505 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13506 			    rem_rule) {
13507 		err = nl80211_parse_coalesce_rule(rdev, rule,
13508 						  &new_coalesce.rules[i]);
13509 		if (err)
13510 			goto error;
13511 
13512 		i++;
13513 	}
13514 
13515 	err = rdev_set_coalesce(rdev, &new_coalesce);
13516 	if (err)
13517 		goto error;
13518 
13519 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13520 	if (!n_coalesce) {
13521 		err = -ENOMEM;
13522 		goto error;
13523 	}
13524 	cfg80211_rdev_free_coalesce(rdev);
13525 	rdev->coalesce = n_coalesce;
13526 
13527 	return 0;
13528 error:
13529 	for (i = 0; i < new_coalesce.n_rules; i++) {
13530 		tmp_rule = &new_coalesce.rules[i];
13531 		for (j = 0; j < tmp_rule->n_patterns; j++)
13532 			kfree(tmp_rule->patterns[j].mask);
13533 		kfree(tmp_rule->patterns);
13534 	}
13535 	kfree(new_coalesce.rules);
13536 
13537 	return err;
13538 }
13539 
13540 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13541 {
13542 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13543 	struct net_device *dev = info->user_ptr[1];
13544 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13545 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13546 	struct cfg80211_gtk_rekey_data rekey_data = {};
13547 	int err;
13548 
13549 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13550 		return -EINVAL;
13551 
13552 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13553 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13554 					  nl80211_rekey_policy, info->extack);
13555 	if (err)
13556 		return err;
13557 
13558 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13559 	    !tb[NL80211_REKEY_DATA_KCK])
13560 		return -EINVAL;
13561 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13562 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13563 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13564 		return -ERANGE;
13565 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13566 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13567 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13568 		return -ERANGE;
13569 
13570 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13571 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13572 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13573 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13574 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13575 	if (tb[NL80211_REKEY_DATA_AKM])
13576 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13577 
13578 	wdev_lock(wdev);
13579 	if (!wdev->connected) {
13580 		err = -ENOTCONN;
13581 		goto out;
13582 	}
13583 
13584 	if (!rdev->ops->set_rekey_data) {
13585 		err = -EOPNOTSUPP;
13586 		goto out;
13587 	}
13588 
13589 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13590  out:
13591 	wdev_unlock(wdev);
13592 	return err;
13593 }
13594 
13595 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13596 					     struct genl_info *info)
13597 {
13598 	struct net_device *dev = info->user_ptr[1];
13599 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13600 
13601 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13602 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13603 		return -EINVAL;
13604 
13605 	if (wdev->ap_unexpected_nlportid)
13606 		return -EBUSY;
13607 
13608 	wdev->ap_unexpected_nlportid = info->snd_portid;
13609 	return 0;
13610 }
13611 
13612 static int nl80211_probe_client(struct sk_buff *skb,
13613 				struct genl_info *info)
13614 {
13615 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13616 	struct net_device *dev = info->user_ptr[1];
13617 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13618 	struct sk_buff *msg;
13619 	void *hdr;
13620 	const u8 *addr;
13621 	u64 cookie;
13622 	int err;
13623 
13624 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13625 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13626 		return -EOPNOTSUPP;
13627 
13628 	if (!info->attrs[NL80211_ATTR_MAC])
13629 		return -EINVAL;
13630 
13631 	if (!rdev->ops->probe_client)
13632 		return -EOPNOTSUPP;
13633 
13634 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13635 	if (!msg)
13636 		return -ENOMEM;
13637 
13638 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13639 			     NL80211_CMD_PROBE_CLIENT);
13640 	if (!hdr) {
13641 		err = -ENOBUFS;
13642 		goto free_msg;
13643 	}
13644 
13645 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13646 
13647 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13648 	if (err)
13649 		goto free_msg;
13650 
13651 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13652 			      NL80211_ATTR_PAD))
13653 		goto nla_put_failure;
13654 
13655 	genlmsg_end(msg, hdr);
13656 
13657 	return genlmsg_reply(msg, info);
13658 
13659  nla_put_failure:
13660 	err = -ENOBUFS;
13661  free_msg:
13662 	nlmsg_free(msg);
13663 	return err;
13664 }
13665 
13666 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13667 {
13668 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13669 	struct cfg80211_beacon_registration *reg, *nreg;
13670 	int rv;
13671 
13672 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13673 		return -EOPNOTSUPP;
13674 
13675 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13676 	if (!nreg)
13677 		return -ENOMEM;
13678 
13679 	/* First, check if already registered. */
13680 	spin_lock_bh(&rdev->beacon_registrations_lock);
13681 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13682 		if (reg->nlportid == info->snd_portid) {
13683 			rv = -EALREADY;
13684 			goto out_err;
13685 		}
13686 	}
13687 	/* Add it to the list */
13688 	nreg->nlportid = info->snd_portid;
13689 	list_add(&nreg->list, &rdev->beacon_registrations);
13690 
13691 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13692 
13693 	return 0;
13694 out_err:
13695 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13696 	kfree(nreg);
13697 	return rv;
13698 }
13699 
13700 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13701 {
13702 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13703 	struct wireless_dev *wdev = info->user_ptr[1];
13704 	int err;
13705 
13706 	if (!rdev->ops->start_p2p_device)
13707 		return -EOPNOTSUPP;
13708 
13709 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13710 		return -EOPNOTSUPP;
13711 
13712 	if (wdev_running(wdev))
13713 		return 0;
13714 
13715 	if (rfkill_blocked(rdev->wiphy.rfkill))
13716 		return -ERFKILL;
13717 
13718 	err = rdev_start_p2p_device(rdev, wdev);
13719 	if (err)
13720 		return err;
13721 
13722 	wdev->is_running = true;
13723 	rdev->opencount++;
13724 
13725 	return 0;
13726 }
13727 
13728 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13729 {
13730 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13731 	struct wireless_dev *wdev = info->user_ptr[1];
13732 
13733 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13734 		return -EOPNOTSUPP;
13735 
13736 	if (!rdev->ops->stop_p2p_device)
13737 		return -EOPNOTSUPP;
13738 
13739 	cfg80211_stop_p2p_device(rdev, wdev);
13740 
13741 	return 0;
13742 }
13743 
13744 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13745 {
13746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13747 	struct wireless_dev *wdev = info->user_ptr[1];
13748 	struct cfg80211_nan_conf conf = {};
13749 	int err;
13750 
13751 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13752 		return -EOPNOTSUPP;
13753 
13754 	if (wdev_running(wdev))
13755 		return -EEXIST;
13756 
13757 	if (rfkill_blocked(rdev->wiphy.rfkill))
13758 		return -ERFKILL;
13759 
13760 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13761 		return -EINVAL;
13762 
13763 	conf.master_pref =
13764 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13765 
13766 	if (info->attrs[NL80211_ATTR_BANDS]) {
13767 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13768 
13769 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13770 			return -EOPNOTSUPP;
13771 
13772 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13773 			return -EINVAL;
13774 
13775 		conf.bands = bands;
13776 	}
13777 
13778 	err = rdev_start_nan(rdev, wdev, &conf);
13779 	if (err)
13780 		return err;
13781 
13782 	wdev->is_running = true;
13783 	rdev->opencount++;
13784 
13785 	return 0;
13786 }
13787 
13788 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13789 {
13790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13791 	struct wireless_dev *wdev = info->user_ptr[1];
13792 
13793 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13794 		return -EOPNOTSUPP;
13795 
13796 	cfg80211_stop_nan(rdev, wdev);
13797 
13798 	return 0;
13799 }
13800 
13801 static int validate_nan_filter(struct nlattr *filter_attr)
13802 {
13803 	struct nlattr *attr;
13804 	int len = 0, n_entries = 0, rem;
13805 
13806 	nla_for_each_nested(attr, filter_attr, rem) {
13807 		len += nla_len(attr);
13808 		n_entries++;
13809 	}
13810 
13811 	if (len >= U8_MAX)
13812 		return -EINVAL;
13813 
13814 	return n_entries;
13815 }
13816 
13817 static int handle_nan_filter(struct nlattr *attr_filter,
13818 			     struct cfg80211_nan_func *func,
13819 			     bool tx)
13820 {
13821 	struct nlattr *attr;
13822 	int n_entries, rem, i;
13823 	struct cfg80211_nan_func_filter *filter;
13824 
13825 	n_entries = validate_nan_filter(attr_filter);
13826 	if (n_entries < 0)
13827 		return n_entries;
13828 
13829 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13830 
13831 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13832 	if (!filter)
13833 		return -ENOMEM;
13834 
13835 	i = 0;
13836 	nla_for_each_nested(attr, attr_filter, rem) {
13837 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13838 		if (!filter[i].filter)
13839 			goto err;
13840 
13841 		filter[i].len = nla_len(attr);
13842 		i++;
13843 	}
13844 	if (tx) {
13845 		func->num_tx_filters = n_entries;
13846 		func->tx_filters = filter;
13847 	} else {
13848 		func->num_rx_filters = n_entries;
13849 		func->rx_filters = filter;
13850 	}
13851 
13852 	return 0;
13853 
13854 err:
13855 	i = 0;
13856 	nla_for_each_nested(attr, attr_filter, rem) {
13857 		kfree(filter[i].filter);
13858 		i++;
13859 	}
13860 	kfree(filter);
13861 	return -ENOMEM;
13862 }
13863 
13864 static int nl80211_nan_add_func(struct sk_buff *skb,
13865 				struct genl_info *info)
13866 {
13867 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13868 	struct wireless_dev *wdev = info->user_ptr[1];
13869 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13870 	struct cfg80211_nan_func *func;
13871 	struct sk_buff *msg = NULL;
13872 	void *hdr = NULL;
13873 	int err = 0;
13874 
13875 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13876 		return -EOPNOTSUPP;
13877 
13878 	if (!wdev_running(wdev))
13879 		return -ENOTCONN;
13880 
13881 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13882 		return -EINVAL;
13883 
13884 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13885 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13886 					  nl80211_nan_func_policy,
13887 					  info->extack);
13888 	if (err)
13889 		return err;
13890 
13891 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13892 	if (!func)
13893 		return -ENOMEM;
13894 
13895 	func->cookie = cfg80211_assign_cookie(rdev);
13896 
13897 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13898 		err = -EINVAL;
13899 		goto out;
13900 	}
13901 
13902 
13903 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13904 
13905 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13906 		err = -EINVAL;
13907 		goto out;
13908 	}
13909 
13910 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13911 	       sizeof(func->service_id));
13912 
13913 	func->close_range =
13914 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13915 
13916 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13917 		func->serv_spec_info_len =
13918 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13919 		func->serv_spec_info =
13920 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13921 				func->serv_spec_info_len,
13922 				GFP_KERNEL);
13923 		if (!func->serv_spec_info) {
13924 			err = -ENOMEM;
13925 			goto out;
13926 		}
13927 	}
13928 
13929 	if (tb[NL80211_NAN_FUNC_TTL])
13930 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13931 
13932 	switch (func->type) {
13933 	case NL80211_NAN_FUNC_PUBLISH:
13934 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13935 			err = -EINVAL;
13936 			goto out;
13937 		}
13938 
13939 		func->publish_type =
13940 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13941 		func->publish_bcast =
13942 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13943 
13944 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13945 			func->publish_bcast) {
13946 			err = -EINVAL;
13947 			goto out;
13948 		}
13949 		break;
13950 	case NL80211_NAN_FUNC_SUBSCRIBE:
13951 		func->subscribe_active =
13952 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13953 		break;
13954 	case NL80211_NAN_FUNC_FOLLOW_UP:
13955 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13956 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13957 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13958 			err = -EINVAL;
13959 			goto out;
13960 		}
13961 
13962 		func->followup_id =
13963 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13964 		func->followup_reqid =
13965 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13966 		memcpy(func->followup_dest.addr,
13967 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13968 		       sizeof(func->followup_dest.addr));
13969 		if (func->ttl) {
13970 			err = -EINVAL;
13971 			goto out;
13972 		}
13973 		break;
13974 	default:
13975 		err = -EINVAL;
13976 		goto out;
13977 	}
13978 
13979 	if (tb[NL80211_NAN_FUNC_SRF]) {
13980 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13981 
13982 		err = nla_parse_nested_deprecated(srf_tb,
13983 						  NL80211_NAN_SRF_ATTR_MAX,
13984 						  tb[NL80211_NAN_FUNC_SRF],
13985 						  nl80211_nan_srf_policy,
13986 						  info->extack);
13987 		if (err)
13988 			goto out;
13989 
13990 		func->srf_include =
13991 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13992 
13993 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13994 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13995 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13996 				err = -EINVAL;
13997 				goto out;
13998 			}
13999 
14000 			func->srf_bf_len =
14001 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14002 			func->srf_bf =
14003 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14004 					func->srf_bf_len, GFP_KERNEL);
14005 			if (!func->srf_bf) {
14006 				err = -ENOMEM;
14007 				goto out;
14008 			}
14009 
14010 			func->srf_bf_idx =
14011 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14012 		} else {
14013 			struct nlattr *attr, *mac_attr =
14014 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14015 			int n_entries, rem, i = 0;
14016 
14017 			if (!mac_attr) {
14018 				err = -EINVAL;
14019 				goto out;
14020 			}
14021 
14022 			n_entries = validate_acl_mac_addrs(mac_attr);
14023 			if (n_entries <= 0) {
14024 				err = -EINVAL;
14025 				goto out;
14026 			}
14027 
14028 			func->srf_num_macs = n_entries;
14029 			func->srf_macs =
14030 				kcalloc(n_entries, sizeof(*func->srf_macs),
14031 					GFP_KERNEL);
14032 			if (!func->srf_macs) {
14033 				err = -ENOMEM;
14034 				goto out;
14035 			}
14036 
14037 			nla_for_each_nested(attr, mac_attr, rem)
14038 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14039 				       sizeof(*func->srf_macs));
14040 		}
14041 	}
14042 
14043 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14044 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14045 					func, true);
14046 		if (err)
14047 			goto out;
14048 	}
14049 
14050 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14051 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14052 					func, false);
14053 		if (err)
14054 			goto out;
14055 	}
14056 
14057 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14058 	if (!msg) {
14059 		err = -ENOMEM;
14060 		goto out;
14061 	}
14062 
14063 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14064 			     NL80211_CMD_ADD_NAN_FUNCTION);
14065 	/* This can't really happen - we just allocated 4KB */
14066 	if (WARN_ON(!hdr)) {
14067 		err = -ENOMEM;
14068 		goto out;
14069 	}
14070 
14071 	err = rdev_add_nan_func(rdev, wdev, func);
14072 out:
14073 	if (err < 0) {
14074 		cfg80211_free_nan_func(func);
14075 		nlmsg_free(msg);
14076 		return err;
14077 	}
14078 
14079 	/* propagate the instance id and cookie to userspace  */
14080 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14081 			      NL80211_ATTR_PAD))
14082 		goto nla_put_failure;
14083 
14084 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14085 	if (!func_attr)
14086 		goto nla_put_failure;
14087 
14088 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14089 		       func->instance_id))
14090 		goto nla_put_failure;
14091 
14092 	nla_nest_end(msg, func_attr);
14093 
14094 	genlmsg_end(msg, hdr);
14095 	return genlmsg_reply(msg, info);
14096 
14097 nla_put_failure:
14098 	nlmsg_free(msg);
14099 	return -ENOBUFS;
14100 }
14101 
14102 static int nl80211_nan_del_func(struct sk_buff *skb,
14103 			       struct genl_info *info)
14104 {
14105 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14106 	struct wireless_dev *wdev = info->user_ptr[1];
14107 	u64 cookie;
14108 
14109 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14110 		return -EOPNOTSUPP;
14111 
14112 	if (!wdev_running(wdev))
14113 		return -ENOTCONN;
14114 
14115 	if (!info->attrs[NL80211_ATTR_COOKIE])
14116 		return -EINVAL;
14117 
14118 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14119 
14120 	rdev_del_nan_func(rdev, wdev, cookie);
14121 
14122 	return 0;
14123 }
14124 
14125 static int nl80211_nan_change_config(struct sk_buff *skb,
14126 				     struct genl_info *info)
14127 {
14128 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14129 	struct wireless_dev *wdev = info->user_ptr[1];
14130 	struct cfg80211_nan_conf conf = {};
14131 	u32 changed = 0;
14132 
14133 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14134 		return -EOPNOTSUPP;
14135 
14136 	if (!wdev_running(wdev))
14137 		return -ENOTCONN;
14138 
14139 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14140 		conf.master_pref =
14141 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14142 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14143 			return -EINVAL;
14144 
14145 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14146 	}
14147 
14148 	if (info->attrs[NL80211_ATTR_BANDS]) {
14149 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14150 
14151 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14152 			return -EOPNOTSUPP;
14153 
14154 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14155 			return -EINVAL;
14156 
14157 		conf.bands = bands;
14158 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14159 	}
14160 
14161 	if (!changed)
14162 		return -EINVAL;
14163 
14164 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14165 }
14166 
14167 void cfg80211_nan_match(struct wireless_dev *wdev,
14168 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14169 {
14170 	struct wiphy *wiphy = wdev->wiphy;
14171 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14172 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14173 	struct sk_buff *msg;
14174 	void *hdr;
14175 
14176 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14177 		return;
14178 
14179 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14180 	if (!msg)
14181 		return;
14182 
14183 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14184 	if (!hdr) {
14185 		nlmsg_free(msg);
14186 		return;
14187 	}
14188 
14189 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14190 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14191 					 wdev->netdev->ifindex)) ||
14192 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14193 			      NL80211_ATTR_PAD))
14194 		goto nla_put_failure;
14195 
14196 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14197 			      NL80211_ATTR_PAD) ||
14198 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14199 		goto nla_put_failure;
14200 
14201 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14202 	if (!match_attr)
14203 		goto nla_put_failure;
14204 
14205 	local_func_attr = nla_nest_start_noflag(msg,
14206 						NL80211_NAN_MATCH_FUNC_LOCAL);
14207 	if (!local_func_attr)
14208 		goto nla_put_failure;
14209 
14210 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14211 		goto nla_put_failure;
14212 
14213 	nla_nest_end(msg, local_func_attr);
14214 
14215 	peer_func_attr = nla_nest_start_noflag(msg,
14216 					       NL80211_NAN_MATCH_FUNC_PEER);
14217 	if (!peer_func_attr)
14218 		goto nla_put_failure;
14219 
14220 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14221 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14222 		goto nla_put_failure;
14223 
14224 	if (match->info && match->info_len &&
14225 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14226 		    match->info))
14227 		goto nla_put_failure;
14228 
14229 	nla_nest_end(msg, peer_func_attr);
14230 	nla_nest_end(msg, match_attr);
14231 	genlmsg_end(msg, hdr);
14232 
14233 	if (!wdev->owner_nlportid)
14234 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14235 					msg, 0, NL80211_MCGRP_NAN, gfp);
14236 	else
14237 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14238 				wdev->owner_nlportid);
14239 
14240 	return;
14241 
14242 nla_put_failure:
14243 	nlmsg_free(msg);
14244 }
14245 EXPORT_SYMBOL(cfg80211_nan_match);
14246 
14247 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14248 				  u8 inst_id,
14249 				  enum nl80211_nan_func_term_reason reason,
14250 				  u64 cookie, gfp_t gfp)
14251 {
14252 	struct wiphy *wiphy = wdev->wiphy;
14253 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14254 	struct sk_buff *msg;
14255 	struct nlattr *func_attr;
14256 	void *hdr;
14257 
14258 	if (WARN_ON(!inst_id))
14259 		return;
14260 
14261 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14262 	if (!msg)
14263 		return;
14264 
14265 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14266 	if (!hdr) {
14267 		nlmsg_free(msg);
14268 		return;
14269 	}
14270 
14271 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14272 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14273 					 wdev->netdev->ifindex)) ||
14274 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14275 			      NL80211_ATTR_PAD))
14276 		goto nla_put_failure;
14277 
14278 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14279 			      NL80211_ATTR_PAD))
14280 		goto nla_put_failure;
14281 
14282 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14283 	if (!func_attr)
14284 		goto nla_put_failure;
14285 
14286 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14287 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14288 		goto nla_put_failure;
14289 
14290 	nla_nest_end(msg, func_attr);
14291 	genlmsg_end(msg, hdr);
14292 
14293 	if (!wdev->owner_nlportid)
14294 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14295 					msg, 0, NL80211_MCGRP_NAN, gfp);
14296 	else
14297 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14298 				wdev->owner_nlportid);
14299 
14300 	return;
14301 
14302 nla_put_failure:
14303 	nlmsg_free(msg);
14304 }
14305 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14306 
14307 static int nl80211_get_protocol_features(struct sk_buff *skb,
14308 					 struct genl_info *info)
14309 {
14310 	void *hdr;
14311 	struct sk_buff *msg;
14312 
14313 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14314 	if (!msg)
14315 		return -ENOMEM;
14316 
14317 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14318 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14319 	if (!hdr)
14320 		goto nla_put_failure;
14321 
14322 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14323 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14324 		goto nla_put_failure;
14325 
14326 	genlmsg_end(msg, hdr);
14327 	return genlmsg_reply(msg, info);
14328 
14329  nla_put_failure:
14330 	kfree_skb(msg);
14331 	return -ENOBUFS;
14332 }
14333 
14334 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14335 {
14336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14337 	struct cfg80211_update_ft_ies_params ft_params;
14338 	struct net_device *dev = info->user_ptr[1];
14339 
14340 	if (!rdev->ops->update_ft_ies)
14341 		return -EOPNOTSUPP;
14342 
14343 	if (!info->attrs[NL80211_ATTR_MDID] ||
14344 	    !info->attrs[NL80211_ATTR_IE])
14345 		return -EINVAL;
14346 
14347 	memset(&ft_params, 0, sizeof(ft_params));
14348 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14349 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14350 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14351 
14352 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14353 }
14354 
14355 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14356 				       struct genl_info *info)
14357 {
14358 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14359 	struct wireless_dev *wdev = info->user_ptr[1];
14360 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14361 	u16 duration;
14362 	int ret;
14363 
14364 	if (!rdev->ops->crit_proto_start)
14365 		return -EOPNOTSUPP;
14366 
14367 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14368 		return -EINVAL;
14369 
14370 	if (rdev->crit_proto_nlportid)
14371 		return -EBUSY;
14372 
14373 	/* determine protocol if provided */
14374 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14375 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14376 
14377 	if (proto >= NUM_NL80211_CRIT_PROTO)
14378 		return -EINVAL;
14379 
14380 	/* timeout must be provided */
14381 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14382 		return -EINVAL;
14383 
14384 	duration =
14385 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14386 
14387 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14388 	if (!ret)
14389 		rdev->crit_proto_nlportid = info->snd_portid;
14390 
14391 	return ret;
14392 }
14393 
14394 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14395 				      struct genl_info *info)
14396 {
14397 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14398 	struct wireless_dev *wdev = info->user_ptr[1];
14399 
14400 	if (!rdev->ops->crit_proto_stop)
14401 		return -EOPNOTSUPP;
14402 
14403 	if (rdev->crit_proto_nlportid) {
14404 		rdev->crit_proto_nlportid = 0;
14405 		rdev_crit_proto_stop(rdev, wdev);
14406 	}
14407 	return 0;
14408 }
14409 
14410 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14411 				       struct nlattr *attr,
14412 				       struct netlink_ext_ack *extack)
14413 {
14414 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14415 		if (attr->nla_type & NLA_F_NESTED) {
14416 			NL_SET_ERR_MSG_ATTR(extack, attr,
14417 					    "unexpected nested data");
14418 			return -EINVAL;
14419 		}
14420 
14421 		return 0;
14422 	}
14423 
14424 	if (!(attr->nla_type & NLA_F_NESTED)) {
14425 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14426 		return -EINVAL;
14427 	}
14428 
14429 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14430 }
14431 
14432 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14433 {
14434 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14435 	struct wireless_dev *wdev =
14436 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14437 					   info->attrs);
14438 	int i, err;
14439 	u32 vid, subcmd;
14440 
14441 	if (!rdev->wiphy.vendor_commands)
14442 		return -EOPNOTSUPP;
14443 
14444 	if (IS_ERR(wdev)) {
14445 		err = PTR_ERR(wdev);
14446 		if (err != -EINVAL)
14447 			return err;
14448 		wdev = NULL;
14449 	} else if (wdev->wiphy != &rdev->wiphy) {
14450 		return -EINVAL;
14451 	}
14452 
14453 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14454 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14455 		return -EINVAL;
14456 
14457 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14458 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14459 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14460 		const struct wiphy_vendor_command *vcmd;
14461 		void *data = NULL;
14462 		int len = 0;
14463 
14464 		vcmd = &rdev->wiphy.vendor_commands[i];
14465 
14466 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14467 			continue;
14468 
14469 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14470 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14471 			if (!wdev)
14472 				return -EINVAL;
14473 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14474 			    !wdev->netdev)
14475 				return -EINVAL;
14476 
14477 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14478 				if (!wdev_running(wdev))
14479 					return -ENETDOWN;
14480 			}
14481 		} else {
14482 			wdev = NULL;
14483 		}
14484 
14485 		if (!vcmd->doit)
14486 			return -EOPNOTSUPP;
14487 
14488 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14489 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14490 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14491 
14492 			err = nl80211_vendor_check_policy(vcmd,
14493 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14494 					info->extack);
14495 			if (err)
14496 				return err;
14497 		}
14498 
14499 		rdev->cur_cmd_info = info;
14500 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14501 		rdev->cur_cmd_info = NULL;
14502 		return err;
14503 	}
14504 
14505 	return -EOPNOTSUPP;
14506 }
14507 
14508 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14509 				       struct netlink_callback *cb,
14510 				       struct cfg80211_registered_device **rdev,
14511 				       struct wireless_dev **wdev)
14512 {
14513 	struct nlattr **attrbuf;
14514 	u32 vid, subcmd;
14515 	unsigned int i;
14516 	int vcmd_idx = -1;
14517 	int err;
14518 	void *data = NULL;
14519 	unsigned int data_len = 0;
14520 
14521 	if (cb->args[0]) {
14522 		/* subtract the 1 again here */
14523 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14524 		struct wireless_dev *tmp;
14525 
14526 		if (!wiphy)
14527 			return -ENODEV;
14528 		*rdev = wiphy_to_rdev(wiphy);
14529 		*wdev = NULL;
14530 
14531 		if (cb->args[1]) {
14532 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14533 				if (tmp->identifier == cb->args[1] - 1) {
14534 					*wdev = tmp;
14535 					break;
14536 				}
14537 			}
14538 		}
14539 
14540 		/* keep rtnl locked in successful case */
14541 		return 0;
14542 	}
14543 
14544 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14545 	if (!attrbuf)
14546 		return -ENOMEM;
14547 
14548 	err = nlmsg_parse_deprecated(cb->nlh,
14549 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14550 				     attrbuf, nl80211_fam.maxattr,
14551 				     nl80211_policy, NULL);
14552 	if (err)
14553 		goto out;
14554 
14555 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14556 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14557 		err = -EINVAL;
14558 		goto out;
14559 	}
14560 
14561 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14562 	if (IS_ERR(*wdev))
14563 		*wdev = NULL;
14564 
14565 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14566 	if (IS_ERR(*rdev)) {
14567 		err = PTR_ERR(*rdev);
14568 		goto out;
14569 	}
14570 
14571 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14572 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14573 
14574 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14575 		const struct wiphy_vendor_command *vcmd;
14576 
14577 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14578 
14579 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14580 			continue;
14581 
14582 		if (!vcmd->dumpit) {
14583 			err = -EOPNOTSUPP;
14584 			goto out;
14585 		}
14586 
14587 		vcmd_idx = i;
14588 		break;
14589 	}
14590 
14591 	if (vcmd_idx < 0) {
14592 		err = -EOPNOTSUPP;
14593 		goto out;
14594 	}
14595 
14596 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14597 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14598 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14599 
14600 		err = nl80211_vendor_check_policy(
14601 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14602 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14603 				cb->extack);
14604 		if (err)
14605 			goto out;
14606 	}
14607 
14608 	/* 0 is the first index - add 1 to parse only once */
14609 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14610 	/* add 1 to know if it was NULL */
14611 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14612 	cb->args[2] = vcmd_idx;
14613 	cb->args[3] = (unsigned long)data;
14614 	cb->args[4] = data_len;
14615 
14616 	/* keep rtnl locked in successful case */
14617 	err = 0;
14618 out:
14619 	kfree(attrbuf);
14620 	return err;
14621 }
14622 
14623 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14624 				   struct netlink_callback *cb)
14625 {
14626 	struct cfg80211_registered_device *rdev;
14627 	struct wireless_dev *wdev;
14628 	unsigned int vcmd_idx;
14629 	const struct wiphy_vendor_command *vcmd;
14630 	void *data;
14631 	int data_len;
14632 	int err;
14633 	struct nlattr *vendor_data;
14634 
14635 	rtnl_lock();
14636 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14637 	if (err)
14638 		goto out;
14639 
14640 	vcmd_idx = cb->args[2];
14641 	data = (void *)cb->args[3];
14642 	data_len = cb->args[4];
14643 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14644 
14645 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14646 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14647 		if (!wdev) {
14648 			err = -EINVAL;
14649 			goto out;
14650 		}
14651 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14652 		    !wdev->netdev) {
14653 			err = -EINVAL;
14654 			goto out;
14655 		}
14656 
14657 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14658 			if (!wdev_running(wdev)) {
14659 				err = -ENETDOWN;
14660 				goto out;
14661 			}
14662 		}
14663 	}
14664 
14665 	while (1) {
14666 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14667 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14668 					   NL80211_CMD_VENDOR);
14669 		if (!hdr)
14670 			break;
14671 
14672 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14673 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14674 					       wdev_id(wdev),
14675 					       NL80211_ATTR_PAD))) {
14676 			genlmsg_cancel(skb, hdr);
14677 			break;
14678 		}
14679 
14680 		vendor_data = nla_nest_start_noflag(skb,
14681 						    NL80211_ATTR_VENDOR_DATA);
14682 		if (!vendor_data) {
14683 			genlmsg_cancel(skb, hdr);
14684 			break;
14685 		}
14686 
14687 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14688 				   (unsigned long *)&cb->args[5]);
14689 		nla_nest_end(skb, vendor_data);
14690 
14691 		if (err == -ENOBUFS || err == -ENOENT) {
14692 			genlmsg_cancel(skb, hdr);
14693 			break;
14694 		} else if (err <= 0) {
14695 			genlmsg_cancel(skb, hdr);
14696 			goto out;
14697 		}
14698 
14699 		genlmsg_end(skb, hdr);
14700 	}
14701 
14702 	err = skb->len;
14703  out:
14704 	rtnl_unlock();
14705 	return err;
14706 }
14707 
14708 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14709 					   enum nl80211_commands cmd,
14710 					   enum nl80211_attrs attr,
14711 					   int approxlen)
14712 {
14713 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14714 
14715 	if (WARN_ON(!rdev->cur_cmd_info))
14716 		return NULL;
14717 
14718 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14719 					   rdev->cur_cmd_info->snd_portid,
14720 					   rdev->cur_cmd_info->snd_seq,
14721 					   cmd, attr, NULL, GFP_KERNEL);
14722 }
14723 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14724 
14725 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14726 {
14727 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14728 	void *hdr = ((void **)skb->cb)[1];
14729 	struct nlattr *data = ((void **)skb->cb)[2];
14730 
14731 	/* clear CB data for netlink core to own from now on */
14732 	memset(skb->cb, 0, sizeof(skb->cb));
14733 
14734 	if (WARN_ON(!rdev->cur_cmd_info)) {
14735 		kfree_skb(skb);
14736 		return -EINVAL;
14737 	}
14738 
14739 	nla_nest_end(skb, data);
14740 	genlmsg_end(skb, hdr);
14741 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14742 }
14743 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14744 
14745 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14746 {
14747 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14748 
14749 	if (WARN_ON(!rdev->cur_cmd_info))
14750 		return 0;
14751 
14752 	return rdev->cur_cmd_info->snd_portid;
14753 }
14754 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14755 
14756 static int nl80211_set_qos_map(struct sk_buff *skb,
14757 			       struct genl_info *info)
14758 {
14759 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14760 	struct cfg80211_qos_map *qos_map = NULL;
14761 	struct net_device *dev = info->user_ptr[1];
14762 	u8 *pos, len, num_des, des_len, des;
14763 	int ret;
14764 
14765 	if (!rdev->ops->set_qos_map)
14766 		return -EOPNOTSUPP;
14767 
14768 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14769 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14770 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14771 
14772 		if (len % 2)
14773 			return -EINVAL;
14774 
14775 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14776 		if (!qos_map)
14777 			return -ENOMEM;
14778 
14779 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14780 		if (num_des) {
14781 			des_len = num_des *
14782 				sizeof(struct cfg80211_dscp_exception);
14783 			memcpy(qos_map->dscp_exception, pos, des_len);
14784 			qos_map->num_des = num_des;
14785 			for (des = 0; des < num_des; des++) {
14786 				if (qos_map->dscp_exception[des].up > 7) {
14787 					kfree(qos_map);
14788 					return -EINVAL;
14789 				}
14790 			}
14791 			pos += des_len;
14792 		}
14793 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14794 	}
14795 
14796 	wdev_lock(dev->ieee80211_ptr);
14797 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14798 	if (!ret)
14799 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14800 	wdev_unlock(dev->ieee80211_ptr);
14801 
14802 	kfree(qos_map);
14803 	return ret;
14804 }
14805 
14806 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14807 {
14808 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14809 	struct net_device *dev = info->user_ptr[1];
14810 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14811 	const u8 *peer;
14812 	u8 tsid, up;
14813 	u16 admitted_time = 0;
14814 	int err;
14815 
14816 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14817 		return -EOPNOTSUPP;
14818 
14819 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14820 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14821 		return -EINVAL;
14822 
14823 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14824 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14825 
14826 	/* WMM uses TIDs 0-7 even for TSPEC */
14827 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14828 		/* TODO: handle 802.11 TSPEC/admission control
14829 		 * need more attributes for that (e.g. BA session requirement);
14830 		 * change the WMM adminssion test above to allow both then
14831 		 */
14832 		return -EINVAL;
14833 	}
14834 
14835 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14836 
14837 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14838 		admitted_time =
14839 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14840 		if (!admitted_time)
14841 			return -EINVAL;
14842 	}
14843 
14844 	wdev_lock(wdev);
14845 	switch (wdev->iftype) {
14846 	case NL80211_IFTYPE_STATION:
14847 	case NL80211_IFTYPE_P2P_CLIENT:
14848 		if (wdev->connected)
14849 			break;
14850 		err = -ENOTCONN;
14851 		goto out;
14852 	default:
14853 		err = -EOPNOTSUPP;
14854 		goto out;
14855 	}
14856 
14857 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14858 
14859  out:
14860 	wdev_unlock(wdev);
14861 	return err;
14862 }
14863 
14864 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14865 {
14866 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14867 	struct net_device *dev = info->user_ptr[1];
14868 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14869 	const u8 *peer;
14870 	u8 tsid;
14871 	int err;
14872 
14873 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14874 		return -EINVAL;
14875 
14876 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14877 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14878 
14879 	wdev_lock(wdev);
14880 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14881 	wdev_unlock(wdev);
14882 
14883 	return err;
14884 }
14885 
14886 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14887 				       struct genl_info *info)
14888 {
14889 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14890 	struct net_device *dev = info->user_ptr[1];
14891 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14892 	struct cfg80211_chan_def chandef = {};
14893 	const u8 *addr;
14894 	u8 oper_class;
14895 	int err;
14896 
14897 	if (!rdev->ops->tdls_channel_switch ||
14898 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14899 		return -EOPNOTSUPP;
14900 
14901 	switch (dev->ieee80211_ptr->iftype) {
14902 	case NL80211_IFTYPE_STATION:
14903 	case NL80211_IFTYPE_P2P_CLIENT:
14904 		break;
14905 	default:
14906 		return -EOPNOTSUPP;
14907 	}
14908 
14909 	if (!info->attrs[NL80211_ATTR_MAC] ||
14910 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14911 		return -EINVAL;
14912 
14913 	err = nl80211_parse_chandef(rdev, info, &chandef);
14914 	if (err)
14915 		return err;
14916 
14917 	/*
14918 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14919 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14920 	 * specification is not defined for them.
14921 	 */
14922 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14923 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14924 	    chandef.width != NL80211_CHAN_WIDTH_20)
14925 		return -EINVAL;
14926 
14927 	/* we will be active on the TDLS link */
14928 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14929 					   wdev->iftype))
14930 		return -EINVAL;
14931 
14932 	/* don't allow switching to DFS channels */
14933 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14934 		return -EINVAL;
14935 
14936 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14937 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14938 
14939 	wdev_lock(wdev);
14940 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14941 	wdev_unlock(wdev);
14942 
14943 	return err;
14944 }
14945 
14946 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14947 					      struct genl_info *info)
14948 {
14949 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14950 	struct net_device *dev = info->user_ptr[1];
14951 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14952 	const u8 *addr;
14953 
14954 	if (!rdev->ops->tdls_channel_switch ||
14955 	    !rdev->ops->tdls_cancel_channel_switch ||
14956 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14957 		return -EOPNOTSUPP;
14958 
14959 	switch (dev->ieee80211_ptr->iftype) {
14960 	case NL80211_IFTYPE_STATION:
14961 	case NL80211_IFTYPE_P2P_CLIENT:
14962 		break;
14963 	default:
14964 		return -EOPNOTSUPP;
14965 	}
14966 
14967 	if (!info->attrs[NL80211_ATTR_MAC])
14968 		return -EINVAL;
14969 
14970 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14971 
14972 	wdev_lock(wdev);
14973 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14974 	wdev_unlock(wdev);
14975 
14976 	return 0;
14977 }
14978 
14979 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14980 					    struct genl_info *info)
14981 {
14982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14983 	struct net_device *dev = info->user_ptr[1];
14984 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14985 	const struct nlattr *nla;
14986 	bool enabled;
14987 
14988 	if (!rdev->ops->set_multicast_to_unicast)
14989 		return -EOPNOTSUPP;
14990 
14991 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14992 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14993 		return -EOPNOTSUPP;
14994 
14995 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14996 	enabled = nla_get_flag(nla);
14997 
14998 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14999 }
15000 
15001 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15002 {
15003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15004 	struct net_device *dev = info->user_ptr[1];
15005 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15006 	struct cfg80211_pmk_conf pmk_conf = {};
15007 	int ret;
15008 
15009 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15010 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15011 		return -EOPNOTSUPP;
15012 
15013 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15014 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15015 		return -EOPNOTSUPP;
15016 
15017 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15018 		return -EINVAL;
15019 
15020 	wdev_lock(wdev);
15021 	if (!wdev->connected) {
15022 		ret = -ENOTCONN;
15023 		goto out;
15024 	}
15025 
15026 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15027 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15028 		ret = -EINVAL;
15029 		goto out;
15030 	}
15031 
15032 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15033 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15034 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15035 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15036 		ret = -EINVAL;
15037 		goto out;
15038 	}
15039 
15040 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15041 		pmk_conf.pmk_r0_name =
15042 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15043 
15044 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15045 out:
15046 	wdev_unlock(wdev);
15047 	return ret;
15048 }
15049 
15050 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15051 {
15052 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15053 	struct net_device *dev = info->user_ptr[1];
15054 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15055 	const u8 *aa;
15056 	int ret;
15057 
15058 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15059 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15060 		return -EOPNOTSUPP;
15061 
15062 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15063 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15064 		return -EOPNOTSUPP;
15065 
15066 	if (!info->attrs[NL80211_ATTR_MAC])
15067 		return -EINVAL;
15068 
15069 	wdev_lock(wdev);
15070 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15071 	ret = rdev_del_pmk(rdev, dev, aa);
15072 	wdev_unlock(wdev);
15073 
15074 	return ret;
15075 }
15076 
15077 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15078 {
15079 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15080 	struct net_device *dev = info->user_ptr[1];
15081 	struct cfg80211_external_auth_params params;
15082 
15083 	if (!rdev->ops->external_auth)
15084 		return -EOPNOTSUPP;
15085 
15086 	if (!info->attrs[NL80211_ATTR_SSID] &&
15087 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15088 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15089 		return -EINVAL;
15090 
15091 	if (!info->attrs[NL80211_ATTR_BSSID])
15092 		return -EINVAL;
15093 
15094 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15095 		return -EINVAL;
15096 
15097 	memset(&params, 0, sizeof(params));
15098 
15099 	if (info->attrs[NL80211_ATTR_SSID]) {
15100 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15101 		if (params.ssid.ssid_len == 0)
15102 			return -EINVAL;
15103 		memcpy(params.ssid.ssid,
15104 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15105 		       params.ssid.ssid_len);
15106 	}
15107 
15108 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15109 	       ETH_ALEN);
15110 
15111 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15112 
15113 	if (info->attrs[NL80211_ATTR_PMKID])
15114 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15115 
15116 	return rdev_external_auth(rdev, dev, &params);
15117 }
15118 
15119 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15120 {
15121 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15122 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15123 	struct net_device *dev = info->user_ptr[1];
15124 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15125 	const u8 *buf;
15126 	size_t len;
15127 	u8 *dest;
15128 	u16 proto;
15129 	bool noencrypt;
15130 	u64 cookie = 0;
15131 	int err;
15132 
15133 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15134 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15135 		return -EOPNOTSUPP;
15136 
15137 	if (!rdev->ops->tx_control_port)
15138 		return -EOPNOTSUPP;
15139 
15140 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15141 	    !info->attrs[NL80211_ATTR_MAC] ||
15142 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15143 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15144 		return -EINVAL;
15145 	}
15146 
15147 	wdev_lock(wdev);
15148 
15149 	switch (wdev->iftype) {
15150 	case NL80211_IFTYPE_AP:
15151 	case NL80211_IFTYPE_P2P_GO:
15152 	case NL80211_IFTYPE_MESH_POINT:
15153 		break;
15154 	case NL80211_IFTYPE_ADHOC:
15155 		if (wdev->u.ibss.current_bss)
15156 			break;
15157 		err = -ENOTCONN;
15158 		goto out;
15159 	case NL80211_IFTYPE_STATION:
15160 	case NL80211_IFTYPE_P2P_CLIENT:
15161 		if (wdev->connected)
15162 			break;
15163 		err = -ENOTCONN;
15164 		goto out;
15165 	default:
15166 		err = -EOPNOTSUPP;
15167 		goto out;
15168 	}
15169 
15170 	wdev_unlock(wdev);
15171 
15172 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15173 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15174 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15175 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15176 	noencrypt =
15177 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15178 
15179 	err = rdev_tx_control_port(rdev, dev, buf, len,
15180 				   dest, cpu_to_be16(proto), noencrypt,
15181 				   dont_wait_for_ack ? NULL : &cookie);
15182 	if (!err && !dont_wait_for_ack)
15183 		nl_set_extack_cookie_u64(info->extack, cookie);
15184 	return err;
15185  out:
15186 	wdev_unlock(wdev);
15187 	return err;
15188 }
15189 
15190 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15191 					   struct genl_info *info)
15192 {
15193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15194 	struct net_device *dev = info->user_ptr[1];
15195 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15196 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15197 	unsigned int link_id = nl80211_link_id(info->attrs);
15198 	struct sk_buff *msg;
15199 	void *hdr;
15200 	struct nlattr *ftm_stats_attr;
15201 	int err;
15202 
15203 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15204 	    !wdev->links[link_id].ap.beacon_interval)
15205 		return -EOPNOTSUPP;
15206 
15207 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15208 	if (err)
15209 		return err;
15210 
15211 	if (!ftm_stats.filled)
15212 		return -ENODATA;
15213 
15214 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15215 	if (!msg)
15216 		return -ENOMEM;
15217 
15218 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15219 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15220 	if (!hdr)
15221 		goto nla_put_failure;
15222 
15223 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15224 		goto nla_put_failure;
15225 
15226 	ftm_stats_attr = nla_nest_start_noflag(msg,
15227 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15228 	if (!ftm_stats_attr)
15229 		goto nla_put_failure;
15230 
15231 #define SET_FTM(field, name, type)					 \
15232 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15233 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15234 			     ftm_stats.field))				 \
15235 		goto nla_put_failure; } while (0)
15236 #define SET_FTM_U64(field, name)					 \
15237 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15238 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15239 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15240 		goto nla_put_failure; } while (0)
15241 
15242 	SET_FTM(success_num, SUCCESS_NUM, u32);
15243 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15244 	SET_FTM(failed_num, FAILED_NUM, u32);
15245 	SET_FTM(asap_num, ASAP_NUM, u32);
15246 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15247 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15248 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15249 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15250 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15251 #undef SET_FTM
15252 
15253 	nla_nest_end(msg, ftm_stats_attr);
15254 
15255 	genlmsg_end(msg, hdr);
15256 	return genlmsg_reply(msg, info);
15257 
15258 nla_put_failure:
15259 	nlmsg_free(msg);
15260 	return -ENOBUFS;
15261 }
15262 
15263 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15264 {
15265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15266 	struct cfg80211_update_owe_info owe_info;
15267 	struct net_device *dev = info->user_ptr[1];
15268 
15269 	if (!rdev->ops->update_owe_info)
15270 		return -EOPNOTSUPP;
15271 
15272 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15273 	    !info->attrs[NL80211_ATTR_MAC])
15274 		return -EINVAL;
15275 
15276 	memset(&owe_info, 0, sizeof(owe_info));
15277 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15278 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15279 
15280 	if (info->attrs[NL80211_ATTR_IE]) {
15281 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15282 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15283 	}
15284 
15285 	return rdev_update_owe_info(rdev, dev, &owe_info);
15286 }
15287 
15288 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15289 {
15290 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15291 	struct net_device *dev = info->user_ptr[1];
15292 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15293 	struct station_info sinfo = {};
15294 	const u8 *buf;
15295 	size_t len;
15296 	u8 *dest;
15297 	int err;
15298 
15299 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15300 		return -EOPNOTSUPP;
15301 
15302 	if (!info->attrs[NL80211_ATTR_MAC] ||
15303 	    !info->attrs[NL80211_ATTR_FRAME]) {
15304 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15305 		return -EINVAL;
15306 	}
15307 
15308 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15309 		return -EOPNOTSUPP;
15310 
15311 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15312 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15313 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15314 
15315 	if (len < sizeof(struct ethhdr))
15316 		return -EINVAL;
15317 
15318 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15319 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15320 		return -EINVAL;
15321 
15322 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15323 	if (err)
15324 		return err;
15325 
15326 	cfg80211_sinfo_release_content(&sinfo);
15327 
15328 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15329 }
15330 
15331 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15332 			  struct nlattr *attrs[], struct net_device *dev,
15333 			  struct cfg80211_tid_cfg *tid_conf,
15334 			  struct genl_info *info, const u8 *peer,
15335 			  unsigned int link_id)
15336 {
15337 	struct netlink_ext_ack *extack = info->extack;
15338 	u64 mask;
15339 	int err;
15340 
15341 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15342 		return -EINVAL;
15343 
15344 	tid_conf->config_override =
15345 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15346 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15347 
15348 	if (tid_conf->config_override) {
15349 		if (rdev->ops->reset_tid_config) {
15350 			err = rdev_reset_tid_config(rdev, dev, peer,
15351 						    tid_conf->tids);
15352 			if (err)
15353 				return err;
15354 		} else {
15355 			return -EINVAL;
15356 		}
15357 	}
15358 
15359 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15360 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15361 		tid_conf->noack =
15362 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15363 	}
15364 
15365 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15366 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15367 		tid_conf->retry_short =
15368 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15369 
15370 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15371 			return -EINVAL;
15372 	}
15373 
15374 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15375 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15376 		tid_conf->retry_long =
15377 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15378 
15379 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15380 			return -EINVAL;
15381 	}
15382 
15383 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15384 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15385 		tid_conf->ampdu =
15386 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15387 	}
15388 
15389 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15390 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15391 		tid_conf->rtscts =
15392 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15393 	}
15394 
15395 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15396 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15397 		tid_conf->amsdu =
15398 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15399 	}
15400 
15401 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15402 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15403 
15404 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15405 
15406 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15407 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15408 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15409 						    &tid_conf->txrate_mask, dev,
15410 						    true, link_id);
15411 			if (err)
15412 				return err;
15413 
15414 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15415 		}
15416 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15417 	}
15418 
15419 	if (peer)
15420 		mask = rdev->wiphy.tid_config_support.peer;
15421 	else
15422 		mask = rdev->wiphy.tid_config_support.vif;
15423 
15424 	if (tid_conf->mask & ~mask) {
15425 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15426 		return -ENOTSUPP;
15427 	}
15428 
15429 	return 0;
15430 }
15431 
15432 static int nl80211_set_tid_config(struct sk_buff *skb,
15433 				  struct genl_info *info)
15434 {
15435 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15436 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15437 	unsigned int link_id = nl80211_link_id(info->attrs);
15438 	struct net_device *dev = info->user_ptr[1];
15439 	struct cfg80211_tid_config *tid_config;
15440 	struct nlattr *tid;
15441 	int conf_idx = 0, rem_conf;
15442 	int ret = -EINVAL;
15443 	u32 num_conf = 0;
15444 
15445 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15446 		return -EINVAL;
15447 
15448 	if (!rdev->ops->set_tid_config)
15449 		return -EOPNOTSUPP;
15450 
15451 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15452 			    rem_conf)
15453 		num_conf++;
15454 
15455 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15456 			     GFP_KERNEL);
15457 	if (!tid_config)
15458 		return -ENOMEM;
15459 
15460 	tid_config->n_tid_conf = num_conf;
15461 
15462 	if (info->attrs[NL80211_ATTR_MAC])
15463 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15464 
15465 	wdev_lock(dev->ieee80211_ptr);
15466 
15467 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15468 			    rem_conf) {
15469 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15470 				       tid, NULL, NULL);
15471 
15472 		if (ret)
15473 			goto bad_tid_conf;
15474 
15475 		ret = parse_tid_conf(rdev, attrs, dev,
15476 				     &tid_config->tid_conf[conf_idx],
15477 				     info, tid_config->peer, link_id);
15478 		if (ret)
15479 			goto bad_tid_conf;
15480 
15481 		conf_idx++;
15482 	}
15483 
15484 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15485 
15486 bad_tid_conf:
15487 	kfree(tid_config);
15488 	wdev_unlock(dev->ieee80211_ptr);
15489 	return ret;
15490 }
15491 
15492 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15493 {
15494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15495 	struct cfg80211_color_change_settings params = {};
15496 	struct net_device *dev = info->user_ptr[1];
15497 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15498 	struct nlattr **tb;
15499 	u16 offset;
15500 	int err;
15501 
15502 	if (!rdev->ops->color_change)
15503 		return -EOPNOTSUPP;
15504 
15505 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15506 				     NL80211_EXT_FEATURE_BSS_COLOR))
15507 		return -EOPNOTSUPP;
15508 
15509 	if (wdev->iftype != NL80211_IFTYPE_AP)
15510 		return -EOPNOTSUPP;
15511 
15512 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15513 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15514 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15515 		return -EINVAL;
15516 
15517 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15518 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15519 
15520 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15521 	if (err)
15522 		return err;
15523 
15524 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15525 	if (!tb)
15526 		return -ENOMEM;
15527 
15528 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15529 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15530 			       nl80211_policy, info->extack);
15531 	if (err)
15532 		goto out;
15533 
15534 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15535 	if (err)
15536 		goto out;
15537 
15538 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15539 		err = -EINVAL;
15540 		goto out;
15541 	}
15542 
15543 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15544 		err = -EINVAL;
15545 		goto out;
15546 	}
15547 
15548 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15549 	if (offset >= params.beacon_color_change.tail_len) {
15550 		err = -EINVAL;
15551 		goto out;
15552 	}
15553 
15554 	if (params.beacon_color_change.tail[offset] != params.count) {
15555 		err = -EINVAL;
15556 		goto out;
15557 	}
15558 
15559 	params.counter_offset_beacon = offset;
15560 
15561 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15562 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15563 		    sizeof(u16)) {
15564 			err = -EINVAL;
15565 			goto out;
15566 		}
15567 
15568 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15569 		if (offset >= params.beacon_color_change.probe_resp_len) {
15570 			err = -EINVAL;
15571 			goto out;
15572 		}
15573 
15574 		if (params.beacon_color_change.probe_resp[offset] !=
15575 		    params.count) {
15576 			err = -EINVAL;
15577 			goto out;
15578 		}
15579 
15580 		params.counter_offset_presp = offset;
15581 	}
15582 
15583 	wdev_lock(wdev);
15584 	err = rdev_color_change(rdev, dev, &params);
15585 	wdev_unlock(wdev);
15586 
15587 out:
15588 	kfree(params.beacon_next.mbssid_ies);
15589 	kfree(params.beacon_color_change.mbssid_ies);
15590 	kfree(tb);
15591 	return err;
15592 }
15593 
15594 static int nl80211_set_fils_aad(struct sk_buff *skb,
15595 				struct genl_info *info)
15596 {
15597 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15598 	struct net_device *dev = info->user_ptr[1];
15599 	struct cfg80211_fils_aad fils_aad = {};
15600 	u8 *nonces;
15601 
15602 	if (!info->attrs[NL80211_ATTR_MAC] ||
15603 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15604 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15605 		return -EINVAL;
15606 
15607 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15608 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15609 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15610 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15611 	fils_aad.snonce = nonces;
15612 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15613 
15614 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15615 }
15616 
15617 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
15618 {
15619 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15620 	unsigned int link_id = nl80211_link_id(info->attrs);
15621 	struct net_device *dev = info->user_ptr[1];
15622 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15623 	int ret;
15624 
15625 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
15626 		return -EINVAL;
15627 
15628 	switch (wdev->iftype) {
15629 	case NL80211_IFTYPE_AP:
15630 		break;
15631 	default:
15632 		return -EINVAL;
15633 	}
15634 
15635 	if (!info->attrs[NL80211_ATTR_MAC] ||
15636 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
15637 		return -EINVAL;
15638 
15639 	wdev_lock(wdev);
15640 	wdev->valid_links |= BIT(link_id);
15641 	ether_addr_copy(wdev->links[link_id].addr,
15642 			nla_data(info->attrs[NL80211_ATTR_MAC]));
15643 
15644 	ret = rdev_add_intf_link(rdev, wdev, link_id);
15645 	if (ret) {
15646 		wdev->valid_links &= ~BIT(link_id);
15647 		eth_zero_addr(wdev->links[link_id].addr);
15648 	}
15649 	wdev_unlock(wdev);
15650 
15651 	return ret;
15652 }
15653 
15654 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
15655 {
15656 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15657 	unsigned int link_id = nl80211_link_id(info->attrs);
15658 	struct net_device *dev = info->user_ptr[1];
15659 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15660 
15661 	/* cannot remove if there's no link */
15662 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
15663 		return -EINVAL;
15664 
15665 	switch (wdev->iftype) {
15666 	case NL80211_IFTYPE_AP:
15667 		break;
15668 	default:
15669 		return -EINVAL;
15670 	}
15671 
15672 	/* FIXME: stop the link operations first */
15673 
15674 	wdev_lock(wdev);
15675 	wdev->valid_links &= ~BIT(link_id);
15676 
15677 	rdev_del_intf_link(rdev, wdev, link_id);
15678 
15679 	eth_zero_addr(wdev->links[link_id].addr);
15680 	wdev_unlock(wdev);
15681 
15682 	return 0;
15683 }
15684 
15685 #define NL80211_FLAG_NEED_WIPHY		0x01
15686 #define NL80211_FLAG_NEED_NETDEV	0x02
15687 #define NL80211_FLAG_NEED_RTNL		0x04
15688 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15689 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15690 					 NL80211_FLAG_CHECK_NETDEV_UP)
15691 #define NL80211_FLAG_NEED_WDEV		0x10
15692 /* If a netdev is associated, it must be UP, P2P must be started */
15693 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15694 					 NL80211_FLAG_CHECK_NETDEV_UP)
15695 #define NL80211_FLAG_CLEAR_SKB		0x20
15696 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15697 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
15698 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
15699 
15700 #define INTERNAL_FLAG_SELECTORS(__sel)			\
15701 	SELECTOR(__sel, NONE, 0) /* must be first */	\
15702 	SELECTOR(__sel, WIPHY,				\
15703 		 NL80211_FLAG_NEED_WIPHY)		\
15704 	SELECTOR(__sel, WDEV,				\
15705 		 NL80211_FLAG_NEED_WDEV)		\
15706 	SELECTOR(__sel, NETDEV,				\
15707 		 NL80211_FLAG_NEED_NETDEV)		\
15708 	SELECTOR(__sel, NETDEV_LINK,			\
15709 		 NL80211_FLAG_NEED_NETDEV |		\
15710 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
15711 	SELECTOR(__sel, NETDEV_NO_MLO,			\
15712 		 NL80211_FLAG_NEED_NETDEV |		\
15713 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
15714 	SELECTOR(__sel, WIPHY_RTNL,			\
15715 		 NL80211_FLAG_NEED_WIPHY |		\
15716 		 NL80211_FLAG_NEED_RTNL)		\
15717 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
15718 		 NL80211_FLAG_NEED_WIPHY |		\
15719 		 NL80211_FLAG_NEED_RTNL |		\
15720 		 NL80211_FLAG_NO_WIPHY_MTX)		\
15721 	SELECTOR(__sel, WDEV_RTNL,			\
15722 		 NL80211_FLAG_NEED_WDEV |		\
15723 		 NL80211_FLAG_NEED_RTNL)		\
15724 	SELECTOR(__sel, NETDEV_RTNL,			\
15725 		 NL80211_FLAG_NEED_NETDEV |		\
15726 		 NL80211_FLAG_NEED_RTNL)		\
15727 	SELECTOR(__sel, NETDEV_UP,			\
15728 		 NL80211_FLAG_NEED_NETDEV_UP)		\
15729 	SELECTOR(__sel, NETDEV_UP_LINK,			\
15730 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15731 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
15732 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
15733 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15734 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
15735 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
15736 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15737 		 NL80211_FLAG_CLEAR_SKB |		\
15738 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
15739 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
15740 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15741 		 NL80211_FLAG_NO_WIPHY_MTX)		\
15742 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
15743 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15744 		 NL80211_FLAG_NO_WIPHY_MTX |		\
15745 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
15746 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
15747 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15748 		 NL80211_FLAG_CLEAR_SKB)		\
15749 	SELECTOR(__sel, WDEV_UP,			\
15750 		 NL80211_FLAG_NEED_WDEV_UP)		\
15751 	SELECTOR(__sel, WDEV_UP_LINK,			\
15752 		 NL80211_FLAG_NEED_WDEV_UP |		\
15753 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
15754 	SELECTOR(__sel, WDEV_UP_RTNL,			\
15755 		 NL80211_FLAG_NEED_WDEV_UP |		\
15756 		 NL80211_FLAG_NEED_RTNL)		\
15757 	SELECTOR(__sel, WIPHY_CLEAR,			\
15758 		 NL80211_FLAG_NEED_WIPHY |		\
15759 		 NL80211_FLAG_CLEAR_SKB)
15760 
15761 enum nl80211_internal_flags_selector {
15762 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
15763 	INTERNAL_FLAG_SELECTORS(_)
15764 #undef SELECTOR
15765 };
15766 
15767 static u32 nl80211_internal_flags[] = {
15768 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
15769 	INTERNAL_FLAG_SELECTORS(_)
15770 #undef SELECTOR
15771 };
15772 
15773 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15774 			    struct genl_info *info)
15775 {
15776 	struct cfg80211_registered_device *rdev = NULL;
15777 	struct wireless_dev *wdev = NULL;
15778 	struct net_device *dev = NULL;
15779 	u32 internal_flags;
15780 	int err;
15781 
15782 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
15783 		return -EINVAL;
15784 
15785 	internal_flags = nl80211_internal_flags[ops->internal_flags];
15786 
15787 	rtnl_lock();
15788 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
15789 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15790 		if (IS_ERR(rdev)) {
15791 			err = PTR_ERR(rdev);
15792 			goto out_unlock;
15793 		}
15794 		info->user_ptr[0] = rdev;
15795 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
15796 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
15797 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15798 						  info->attrs);
15799 		if (IS_ERR(wdev)) {
15800 			err = PTR_ERR(wdev);
15801 			goto out_unlock;
15802 		}
15803 
15804 		dev = wdev->netdev;
15805 		dev_hold(dev);
15806 		rdev = wiphy_to_rdev(wdev->wiphy);
15807 
15808 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
15809 			if (!dev) {
15810 				err = -EINVAL;
15811 				goto out_unlock;
15812 			}
15813 
15814 			info->user_ptr[1] = dev;
15815 		} else {
15816 			info->user_ptr[1] = wdev;
15817 		}
15818 
15819 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15820 		    !wdev_running(wdev)) {
15821 			err = -ENETDOWN;
15822 			goto out_unlock;
15823 		}
15824 
15825 		info->user_ptr[0] = rdev;
15826 	}
15827 
15828 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
15829 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
15830 
15831 		if (!wdev) {
15832 			err = -EINVAL;
15833 			goto out_unlock;
15834 		}
15835 
15836 		/* MLO -> require valid link ID */
15837 		if (wdev->valid_links &&
15838 		    (!link_id ||
15839 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
15840 			err = -EINVAL;
15841 			goto out_unlock;
15842 		}
15843 
15844 		/* non-MLO -> no link ID attribute accepted */
15845 		if (!wdev->valid_links && link_id) {
15846 			err = -EINVAL;
15847 			goto out_unlock;
15848 		}
15849 	}
15850 
15851 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
15852 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
15853 		    (wdev && wdev->valid_links)) {
15854 			err = -EINVAL;
15855 			goto out_unlock;
15856 		}
15857 	}
15858 
15859 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15860 		wiphy_lock(&rdev->wiphy);
15861 		/* we keep the mutex locked until post_doit */
15862 		__release(&rdev->wiphy.mtx);
15863 	}
15864 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
15865 		rtnl_unlock();
15866 
15867 	return 0;
15868 out_unlock:
15869 	rtnl_unlock();
15870 	dev_put(dev);
15871 	return err;
15872 }
15873 
15874 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15875 			      struct genl_info *info)
15876 {
15877 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
15878 
15879 	if (info->user_ptr[1]) {
15880 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
15881 			struct wireless_dev *wdev = info->user_ptr[1];
15882 
15883 			dev_put(wdev->netdev);
15884 		} else {
15885 			dev_put(info->user_ptr[1]);
15886 		}
15887 	}
15888 
15889 	if (info->user_ptr[0] &&
15890 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15891 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15892 
15893 		/* we kept the mutex locked since pre_doit */
15894 		__acquire(&rdev->wiphy.mtx);
15895 		wiphy_unlock(&rdev->wiphy);
15896 	}
15897 
15898 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
15899 		rtnl_unlock();
15900 
15901 	/* If needed, clear the netlink message payload from the SKB
15902 	 * as it might contain key data that shouldn't stick around on
15903 	 * the heap after the SKB is freed. The netlink message header
15904 	 * is still needed for further processing, so leave it intact.
15905 	 */
15906 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
15907 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15908 
15909 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15910 	}
15911 }
15912 
15913 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15914 				     struct cfg80211_sar_specs *sar_specs,
15915 				     struct nlattr *spec[], int index)
15916 {
15917 	u32 range_index, i;
15918 
15919 	if (!sar_specs || !spec)
15920 		return -EINVAL;
15921 
15922 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15923 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15924 		return -EINVAL;
15925 
15926 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15927 
15928 	/* check if range_index exceeds num_freq_ranges */
15929 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15930 		return -EINVAL;
15931 
15932 	/* check if range_index duplicates */
15933 	for (i = 0; i < index; i++) {
15934 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15935 			return -EINVAL;
15936 	}
15937 
15938 	sar_specs->sub_specs[index].power =
15939 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15940 
15941 	sar_specs->sub_specs[index].freq_range_index = range_index;
15942 
15943 	return 0;
15944 }
15945 
15946 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15947 {
15948 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15949 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15950 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15951 	struct cfg80211_sar_specs *sar_spec;
15952 	enum nl80211_sar_type type;
15953 	struct nlattr *spec_list;
15954 	u32 specs;
15955 	int rem, err;
15956 
15957 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15958 		return -EOPNOTSUPP;
15959 
15960 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15961 		return -EINVAL;
15962 
15963 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15964 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15965 			 NULL, NULL);
15966 
15967 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15968 		return -EINVAL;
15969 
15970 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15971 	if (type != rdev->wiphy.sar_capa->type)
15972 		return -EINVAL;
15973 
15974 	specs = 0;
15975 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15976 		specs++;
15977 
15978 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15979 		return -EINVAL;
15980 
15981 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15982 	if (!sar_spec)
15983 		return -ENOMEM;
15984 
15985 	sar_spec->type = type;
15986 	specs = 0;
15987 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15988 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15989 				 spec_list, NULL, NULL);
15990 
15991 		switch (type) {
15992 		case NL80211_SAR_TYPE_POWER:
15993 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15994 						      spec, specs)) {
15995 				err = -EINVAL;
15996 				goto error;
15997 			}
15998 			break;
15999 		default:
16000 			err = -EINVAL;
16001 			goto error;
16002 		}
16003 		specs++;
16004 	}
16005 
16006 	sar_spec->num_sub_specs = specs;
16007 
16008 	rdev->cur_cmd_info = info;
16009 	err = rdev_set_sar_specs(rdev, sar_spec);
16010 	rdev->cur_cmd_info = NULL;
16011 error:
16012 	kfree(sar_spec);
16013 	return err;
16014 }
16015 
16016 #define SELECTOR(__sel, name, value) \
16017 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16018 int __missing_selector(void);
16019 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16020 
16021 static const struct genl_ops nl80211_ops[] = {
16022 	{
16023 		.cmd = NL80211_CMD_GET_WIPHY,
16024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16025 		.doit = nl80211_get_wiphy,
16026 		.dumpit = nl80211_dump_wiphy,
16027 		.done = nl80211_dump_wiphy_done,
16028 		/* can be retrieved by unprivileged users */
16029 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16030 	},
16031 };
16032 
16033 static const struct genl_small_ops nl80211_small_ops[] = {
16034 	{
16035 		.cmd = NL80211_CMD_SET_WIPHY,
16036 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16037 		.doit = nl80211_set_wiphy,
16038 		.flags = GENL_UNS_ADMIN_PERM,
16039 	},
16040 	{
16041 		.cmd = NL80211_CMD_GET_INTERFACE,
16042 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16043 		.doit = nl80211_get_interface,
16044 		.dumpit = nl80211_dump_interface,
16045 		/* can be retrieved by unprivileged users */
16046 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16047 	},
16048 	{
16049 		.cmd = NL80211_CMD_SET_INTERFACE,
16050 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16051 		.doit = nl80211_set_interface,
16052 		.flags = GENL_UNS_ADMIN_PERM,
16053 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16054 					 NL80211_FLAG_NEED_RTNL),
16055 	},
16056 	{
16057 		.cmd = NL80211_CMD_NEW_INTERFACE,
16058 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16059 		.doit = nl80211_new_interface,
16060 		.flags = GENL_UNS_ADMIN_PERM,
16061 		.internal_flags =
16062 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16063 			       NL80211_FLAG_NEED_RTNL |
16064 			       /* we take the wiphy mutex later ourselves */
16065 			       NL80211_FLAG_NO_WIPHY_MTX),
16066 	},
16067 	{
16068 		.cmd = NL80211_CMD_DEL_INTERFACE,
16069 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16070 		.doit = nl80211_del_interface,
16071 		.flags = GENL_UNS_ADMIN_PERM,
16072 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16073 					 NL80211_FLAG_NEED_RTNL),
16074 	},
16075 	{
16076 		.cmd = NL80211_CMD_GET_KEY,
16077 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16078 		.doit = nl80211_get_key,
16079 		.flags = GENL_UNS_ADMIN_PERM,
16080 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16081 	},
16082 	{
16083 		.cmd = NL80211_CMD_SET_KEY,
16084 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16085 		.doit = nl80211_set_key,
16086 		.flags = GENL_UNS_ADMIN_PERM,
16087 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16088 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16089 					 NL80211_FLAG_CLEAR_SKB),
16090 	},
16091 	{
16092 		.cmd = NL80211_CMD_NEW_KEY,
16093 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16094 		.doit = nl80211_new_key,
16095 		.flags = GENL_UNS_ADMIN_PERM,
16096 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16097 					 NL80211_FLAG_CLEAR_SKB),
16098 	},
16099 	{
16100 		.cmd = NL80211_CMD_DEL_KEY,
16101 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16102 		.doit = nl80211_del_key,
16103 		.flags = GENL_UNS_ADMIN_PERM,
16104 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16105 	},
16106 	{
16107 		.cmd = NL80211_CMD_SET_BEACON,
16108 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16109 		.flags = GENL_UNS_ADMIN_PERM,
16110 		.doit = nl80211_set_beacon,
16111 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16112 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16113 	},
16114 	{
16115 		.cmd = NL80211_CMD_START_AP,
16116 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16117 		.flags = GENL_UNS_ADMIN_PERM,
16118 		.doit = nl80211_start_ap,
16119 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16120 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16121 	},
16122 	{
16123 		.cmd = NL80211_CMD_STOP_AP,
16124 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16125 		.flags = GENL_UNS_ADMIN_PERM,
16126 		.doit = nl80211_stop_ap,
16127 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16128 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16129 	},
16130 	{
16131 		.cmd = NL80211_CMD_GET_STATION,
16132 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16133 		.doit = nl80211_get_station,
16134 		.dumpit = nl80211_dump_station,
16135 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16136 	},
16137 	{
16138 		.cmd = NL80211_CMD_SET_STATION,
16139 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16140 		.doit = nl80211_set_station,
16141 		.flags = GENL_UNS_ADMIN_PERM,
16142 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16143 	},
16144 	{
16145 		.cmd = NL80211_CMD_NEW_STATION,
16146 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16147 		.doit = nl80211_new_station,
16148 		.flags = GENL_UNS_ADMIN_PERM,
16149 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16150 	},
16151 	{
16152 		.cmd = NL80211_CMD_DEL_STATION,
16153 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16154 		.doit = nl80211_del_station,
16155 		.flags = GENL_UNS_ADMIN_PERM,
16156 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16157 	},
16158 	{
16159 		.cmd = NL80211_CMD_GET_MPATH,
16160 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16161 		.doit = nl80211_get_mpath,
16162 		.dumpit = nl80211_dump_mpath,
16163 		.flags = GENL_UNS_ADMIN_PERM,
16164 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16165 	},
16166 	{
16167 		.cmd = NL80211_CMD_GET_MPP,
16168 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16169 		.doit = nl80211_get_mpp,
16170 		.dumpit = nl80211_dump_mpp,
16171 		.flags = GENL_UNS_ADMIN_PERM,
16172 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16173 	},
16174 	{
16175 		.cmd = NL80211_CMD_SET_MPATH,
16176 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16177 		.doit = nl80211_set_mpath,
16178 		.flags = GENL_UNS_ADMIN_PERM,
16179 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16180 	},
16181 	{
16182 		.cmd = NL80211_CMD_NEW_MPATH,
16183 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16184 		.doit = nl80211_new_mpath,
16185 		.flags = GENL_UNS_ADMIN_PERM,
16186 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16187 	},
16188 	{
16189 		.cmd = NL80211_CMD_DEL_MPATH,
16190 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16191 		.doit = nl80211_del_mpath,
16192 		.flags = GENL_UNS_ADMIN_PERM,
16193 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16194 	},
16195 	{
16196 		.cmd = NL80211_CMD_SET_BSS,
16197 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16198 		.doit = nl80211_set_bss,
16199 		.flags = GENL_UNS_ADMIN_PERM,
16200 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16201 	},
16202 	{
16203 		.cmd = NL80211_CMD_GET_REG,
16204 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16205 		.doit = nl80211_get_reg_do,
16206 		.dumpit = nl80211_get_reg_dump,
16207 		/* can be retrieved by unprivileged users */
16208 	},
16209 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16210 	{
16211 		.cmd = NL80211_CMD_SET_REG,
16212 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16213 		.doit = nl80211_set_reg,
16214 		.flags = GENL_ADMIN_PERM,
16215 	},
16216 #endif
16217 	{
16218 		.cmd = NL80211_CMD_REQ_SET_REG,
16219 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16220 		.doit = nl80211_req_set_reg,
16221 		.flags = GENL_ADMIN_PERM,
16222 	},
16223 	{
16224 		.cmd = NL80211_CMD_RELOAD_REGDB,
16225 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16226 		.doit = nl80211_reload_regdb,
16227 		.flags = GENL_ADMIN_PERM,
16228 	},
16229 	{
16230 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16231 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16232 		.doit = nl80211_get_mesh_config,
16233 		/* can be retrieved by unprivileged users */
16234 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16235 	},
16236 	{
16237 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16238 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16239 		.doit = nl80211_update_mesh_config,
16240 		.flags = GENL_UNS_ADMIN_PERM,
16241 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16242 	},
16243 	{
16244 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16245 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16246 		.doit = nl80211_trigger_scan,
16247 		.flags = GENL_UNS_ADMIN_PERM,
16248 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16249 	},
16250 	{
16251 		.cmd = NL80211_CMD_ABORT_SCAN,
16252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16253 		.doit = nl80211_abort_scan,
16254 		.flags = GENL_UNS_ADMIN_PERM,
16255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16256 	},
16257 	{
16258 		.cmd = NL80211_CMD_GET_SCAN,
16259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16260 		.dumpit = nl80211_dump_scan,
16261 	},
16262 	{
16263 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16264 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16265 		.doit = nl80211_start_sched_scan,
16266 		.flags = GENL_UNS_ADMIN_PERM,
16267 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16268 	},
16269 	{
16270 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16271 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16272 		.doit = nl80211_stop_sched_scan,
16273 		.flags = GENL_UNS_ADMIN_PERM,
16274 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16275 	},
16276 	{
16277 		.cmd = NL80211_CMD_AUTHENTICATE,
16278 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16279 		.doit = nl80211_authenticate,
16280 		.flags = GENL_UNS_ADMIN_PERM,
16281 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16282 					 NL80211_FLAG_CLEAR_SKB),
16283 	},
16284 	{
16285 		.cmd = NL80211_CMD_ASSOCIATE,
16286 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16287 		.doit = nl80211_associate,
16288 		.flags = GENL_UNS_ADMIN_PERM,
16289 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16290 					 NL80211_FLAG_CLEAR_SKB),
16291 	},
16292 	{
16293 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16294 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16295 		.doit = nl80211_deauthenticate,
16296 		.flags = GENL_UNS_ADMIN_PERM,
16297 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16298 	},
16299 	{
16300 		.cmd = NL80211_CMD_DISASSOCIATE,
16301 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16302 		.doit = nl80211_disassociate,
16303 		.flags = GENL_UNS_ADMIN_PERM,
16304 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16305 	},
16306 	{
16307 		.cmd = NL80211_CMD_JOIN_IBSS,
16308 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16309 		.doit = nl80211_join_ibss,
16310 		.flags = GENL_UNS_ADMIN_PERM,
16311 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16312 	},
16313 	{
16314 		.cmd = NL80211_CMD_LEAVE_IBSS,
16315 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16316 		.doit = nl80211_leave_ibss,
16317 		.flags = GENL_UNS_ADMIN_PERM,
16318 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16319 	},
16320 #ifdef CONFIG_NL80211_TESTMODE
16321 	{
16322 		.cmd = NL80211_CMD_TESTMODE,
16323 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16324 		.doit = nl80211_testmode_do,
16325 		.dumpit = nl80211_testmode_dump,
16326 		.flags = GENL_UNS_ADMIN_PERM,
16327 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16328 	},
16329 #endif
16330 	{
16331 		.cmd = NL80211_CMD_CONNECT,
16332 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16333 		.doit = nl80211_connect,
16334 		.flags = GENL_UNS_ADMIN_PERM,
16335 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16336 					 NL80211_FLAG_CLEAR_SKB),
16337 	},
16338 	{
16339 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
16340 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16341 		.doit = nl80211_update_connect_params,
16342 		.flags = GENL_ADMIN_PERM,
16343 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16344 					 NL80211_FLAG_CLEAR_SKB),
16345 	},
16346 	{
16347 		.cmd = NL80211_CMD_DISCONNECT,
16348 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16349 		.doit = nl80211_disconnect,
16350 		.flags = GENL_UNS_ADMIN_PERM,
16351 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16352 	},
16353 	{
16354 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
16355 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16356 		.doit = nl80211_wiphy_netns,
16357 		.flags = GENL_UNS_ADMIN_PERM,
16358 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16359 					 NL80211_FLAG_NEED_RTNL |
16360 					 NL80211_FLAG_NO_WIPHY_MTX),
16361 	},
16362 	{
16363 		.cmd = NL80211_CMD_GET_SURVEY,
16364 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16365 		.dumpit = nl80211_dump_survey,
16366 	},
16367 	{
16368 		.cmd = NL80211_CMD_SET_PMKSA,
16369 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16370 		.doit = nl80211_setdel_pmksa,
16371 		.flags = GENL_UNS_ADMIN_PERM,
16372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16373 					 NL80211_FLAG_CLEAR_SKB),
16374 	},
16375 	{
16376 		.cmd = NL80211_CMD_DEL_PMKSA,
16377 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16378 		.doit = nl80211_setdel_pmksa,
16379 		.flags = GENL_UNS_ADMIN_PERM,
16380 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16381 	},
16382 	{
16383 		.cmd = NL80211_CMD_FLUSH_PMKSA,
16384 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16385 		.doit = nl80211_flush_pmksa,
16386 		.flags = GENL_UNS_ADMIN_PERM,
16387 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16388 	},
16389 	{
16390 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
16391 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16392 		.doit = nl80211_remain_on_channel,
16393 		.flags = GENL_UNS_ADMIN_PERM,
16394 		/* FIXME: requiring a link ID here is probably not good */
16395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16396 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16397 	},
16398 	{
16399 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16401 		.doit = nl80211_cancel_remain_on_channel,
16402 		.flags = GENL_UNS_ADMIN_PERM,
16403 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16404 	},
16405 	{
16406 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
16407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16408 		.doit = nl80211_set_tx_bitrate_mask,
16409 		.flags = GENL_UNS_ADMIN_PERM,
16410 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16411 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16412 	},
16413 	{
16414 		.cmd = NL80211_CMD_REGISTER_FRAME,
16415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16416 		.doit = nl80211_register_mgmt,
16417 		.flags = GENL_UNS_ADMIN_PERM,
16418 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16419 	},
16420 	{
16421 		.cmd = NL80211_CMD_FRAME,
16422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16423 		.doit = nl80211_tx_mgmt,
16424 		.flags = GENL_UNS_ADMIN_PERM,
16425 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16426 	},
16427 	{
16428 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
16429 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16430 		.doit = nl80211_tx_mgmt_cancel_wait,
16431 		.flags = GENL_UNS_ADMIN_PERM,
16432 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16433 	},
16434 	{
16435 		.cmd = NL80211_CMD_SET_POWER_SAVE,
16436 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16437 		.doit = nl80211_set_power_save,
16438 		.flags = GENL_UNS_ADMIN_PERM,
16439 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16440 	},
16441 	{
16442 		.cmd = NL80211_CMD_GET_POWER_SAVE,
16443 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16444 		.doit = nl80211_get_power_save,
16445 		/* can be retrieved by unprivileged users */
16446 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16447 	},
16448 	{
16449 		.cmd = NL80211_CMD_SET_CQM,
16450 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16451 		.doit = nl80211_set_cqm,
16452 		.flags = GENL_UNS_ADMIN_PERM,
16453 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16454 	},
16455 	{
16456 		.cmd = NL80211_CMD_SET_CHANNEL,
16457 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16458 		.doit = nl80211_set_channel,
16459 		.flags = GENL_UNS_ADMIN_PERM,
16460 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16461 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16462 	},
16463 	{
16464 		.cmd = NL80211_CMD_JOIN_MESH,
16465 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16466 		.doit = nl80211_join_mesh,
16467 		.flags = GENL_UNS_ADMIN_PERM,
16468 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16469 	},
16470 	{
16471 		.cmd = NL80211_CMD_LEAVE_MESH,
16472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16473 		.doit = nl80211_leave_mesh,
16474 		.flags = GENL_UNS_ADMIN_PERM,
16475 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16476 	},
16477 	{
16478 		.cmd = NL80211_CMD_JOIN_OCB,
16479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16480 		.doit = nl80211_join_ocb,
16481 		.flags = GENL_UNS_ADMIN_PERM,
16482 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16483 	},
16484 	{
16485 		.cmd = NL80211_CMD_LEAVE_OCB,
16486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16487 		.doit = nl80211_leave_ocb,
16488 		.flags = GENL_UNS_ADMIN_PERM,
16489 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16490 	},
16491 #ifdef CONFIG_PM
16492 	{
16493 		.cmd = NL80211_CMD_GET_WOWLAN,
16494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16495 		.doit = nl80211_get_wowlan,
16496 		/* can be retrieved by unprivileged users */
16497 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16498 	},
16499 	{
16500 		.cmd = NL80211_CMD_SET_WOWLAN,
16501 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16502 		.doit = nl80211_set_wowlan,
16503 		.flags = GENL_UNS_ADMIN_PERM,
16504 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16505 	},
16506 #endif
16507 	{
16508 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
16509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16510 		.doit = nl80211_set_rekey_data,
16511 		.flags = GENL_UNS_ADMIN_PERM,
16512 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16513 					 NL80211_FLAG_CLEAR_SKB),
16514 	},
16515 	{
16516 		.cmd = NL80211_CMD_TDLS_MGMT,
16517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16518 		.doit = nl80211_tdls_mgmt,
16519 		.flags = GENL_UNS_ADMIN_PERM,
16520 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16521 	},
16522 	{
16523 		.cmd = NL80211_CMD_TDLS_OPER,
16524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16525 		.doit = nl80211_tdls_oper,
16526 		.flags = GENL_UNS_ADMIN_PERM,
16527 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16528 	},
16529 	{
16530 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
16531 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16532 		.doit = nl80211_register_unexpected_frame,
16533 		.flags = GENL_UNS_ADMIN_PERM,
16534 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16535 	},
16536 	{
16537 		.cmd = NL80211_CMD_PROBE_CLIENT,
16538 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16539 		.doit = nl80211_probe_client,
16540 		.flags = GENL_UNS_ADMIN_PERM,
16541 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16542 	},
16543 	{
16544 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16545 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16546 		.doit = nl80211_register_beacons,
16547 		.flags = GENL_UNS_ADMIN_PERM,
16548 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16549 	},
16550 	{
16551 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16552 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16553 		.doit = nl80211_set_noack_map,
16554 		.flags = GENL_UNS_ADMIN_PERM,
16555 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16556 	},
16557 	{
16558 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16559 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16560 		.doit = nl80211_start_p2p_device,
16561 		.flags = GENL_UNS_ADMIN_PERM,
16562 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16563 					 NL80211_FLAG_NEED_RTNL),
16564 	},
16565 	{
16566 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16567 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16568 		.doit = nl80211_stop_p2p_device,
16569 		.flags = GENL_UNS_ADMIN_PERM,
16570 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16571 					 NL80211_FLAG_NEED_RTNL),
16572 	},
16573 	{
16574 		.cmd = NL80211_CMD_START_NAN,
16575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16576 		.doit = nl80211_start_nan,
16577 		.flags = GENL_ADMIN_PERM,
16578 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16579 					 NL80211_FLAG_NEED_RTNL),
16580 	},
16581 	{
16582 		.cmd = NL80211_CMD_STOP_NAN,
16583 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16584 		.doit = nl80211_stop_nan,
16585 		.flags = GENL_ADMIN_PERM,
16586 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16587 					 NL80211_FLAG_NEED_RTNL),
16588 	},
16589 	{
16590 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16591 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16592 		.doit = nl80211_nan_add_func,
16593 		.flags = GENL_ADMIN_PERM,
16594 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16595 	},
16596 	{
16597 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16598 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16599 		.doit = nl80211_nan_del_func,
16600 		.flags = GENL_ADMIN_PERM,
16601 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16602 	},
16603 	{
16604 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16605 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16606 		.doit = nl80211_nan_change_config,
16607 		.flags = GENL_ADMIN_PERM,
16608 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16609 	},
16610 	{
16611 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16612 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16613 		.doit = nl80211_set_mcast_rate,
16614 		.flags = GENL_UNS_ADMIN_PERM,
16615 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16616 	},
16617 	{
16618 		.cmd = NL80211_CMD_SET_MAC_ACL,
16619 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16620 		.doit = nl80211_set_mac_acl,
16621 		.flags = GENL_UNS_ADMIN_PERM,
16622 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16623 					 NL80211_FLAG_MLO_UNSUPPORTED),
16624 	},
16625 	{
16626 		.cmd = NL80211_CMD_RADAR_DETECT,
16627 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16628 		.doit = nl80211_start_radar_detection,
16629 		.flags = GENL_UNS_ADMIN_PERM,
16630 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16631 					 NL80211_FLAG_NO_WIPHY_MTX |
16632 					 NL80211_FLAG_MLO_UNSUPPORTED),
16633 	},
16634 	{
16635 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16637 		.doit = nl80211_get_protocol_features,
16638 	},
16639 	{
16640 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16641 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16642 		.doit = nl80211_update_ft_ies,
16643 		.flags = GENL_UNS_ADMIN_PERM,
16644 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16645 	},
16646 	{
16647 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16648 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16649 		.doit = nl80211_crit_protocol_start,
16650 		.flags = GENL_UNS_ADMIN_PERM,
16651 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16652 	},
16653 	{
16654 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16655 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16656 		.doit = nl80211_crit_protocol_stop,
16657 		.flags = GENL_UNS_ADMIN_PERM,
16658 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16659 	},
16660 	{
16661 		.cmd = NL80211_CMD_GET_COALESCE,
16662 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16663 		.doit = nl80211_get_coalesce,
16664 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16665 	},
16666 	{
16667 		.cmd = NL80211_CMD_SET_COALESCE,
16668 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16669 		.doit = nl80211_set_coalesce,
16670 		.flags = GENL_UNS_ADMIN_PERM,
16671 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16672 	},
16673 	{
16674 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16675 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16676 		.doit = nl80211_channel_switch,
16677 		.flags = GENL_UNS_ADMIN_PERM,
16678 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16679 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16680 	},
16681 	{
16682 		.cmd = NL80211_CMD_VENDOR,
16683 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16684 		.doit = nl80211_vendor_cmd,
16685 		.dumpit = nl80211_vendor_cmd_dump,
16686 		.flags = GENL_UNS_ADMIN_PERM,
16687 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16688 					 NL80211_FLAG_CLEAR_SKB),
16689 	},
16690 	{
16691 		.cmd = NL80211_CMD_SET_QOS_MAP,
16692 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16693 		.doit = nl80211_set_qos_map,
16694 		.flags = GENL_UNS_ADMIN_PERM,
16695 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16696 	},
16697 	{
16698 		.cmd = NL80211_CMD_ADD_TX_TS,
16699 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16700 		.doit = nl80211_add_tx_ts,
16701 		.flags = GENL_UNS_ADMIN_PERM,
16702 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16703 					 NL80211_FLAG_MLO_UNSUPPORTED),
16704 	},
16705 	{
16706 		.cmd = NL80211_CMD_DEL_TX_TS,
16707 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16708 		.doit = nl80211_del_tx_ts,
16709 		.flags = GENL_UNS_ADMIN_PERM,
16710 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16711 	},
16712 	{
16713 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16714 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16715 		.doit = nl80211_tdls_channel_switch,
16716 		.flags = GENL_UNS_ADMIN_PERM,
16717 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16718 	},
16719 	{
16720 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16721 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16722 		.doit = nl80211_tdls_cancel_channel_switch,
16723 		.flags = GENL_UNS_ADMIN_PERM,
16724 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16725 	},
16726 	{
16727 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16728 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16729 		.doit = nl80211_set_multicast_to_unicast,
16730 		.flags = GENL_UNS_ADMIN_PERM,
16731 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16732 	},
16733 	{
16734 		.cmd = NL80211_CMD_SET_PMK,
16735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16736 		.doit = nl80211_set_pmk,
16737 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16738 					 NL80211_FLAG_CLEAR_SKB),
16739 	},
16740 	{
16741 		.cmd = NL80211_CMD_DEL_PMK,
16742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16743 		.doit = nl80211_del_pmk,
16744 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16745 	},
16746 	{
16747 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16748 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16749 		.doit = nl80211_external_auth,
16750 		.flags = GENL_ADMIN_PERM,
16751 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16752 	},
16753 	{
16754 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16755 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16756 		.doit = nl80211_tx_control_port,
16757 		.flags = GENL_UNS_ADMIN_PERM,
16758 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16759 	},
16760 	{
16761 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16762 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16763 		.doit = nl80211_get_ftm_responder_stats,
16764 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16765 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16766 	},
16767 	{
16768 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16770 		.doit = nl80211_pmsr_start,
16771 		.flags = GENL_UNS_ADMIN_PERM,
16772 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16773 	},
16774 	{
16775 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16776 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16777 		.doit = nl80211_notify_radar_detection,
16778 		.flags = GENL_UNS_ADMIN_PERM,
16779 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16780 	},
16781 	{
16782 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16783 		.doit = nl80211_update_owe_info,
16784 		.flags = GENL_ADMIN_PERM,
16785 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16786 	},
16787 	{
16788 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16789 		.doit = nl80211_probe_mesh_link,
16790 		.flags = GENL_UNS_ADMIN_PERM,
16791 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16792 	},
16793 	{
16794 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16795 		.doit = nl80211_set_tid_config,
16796 		.flags = GENL_UNS_ADMIN_PERM,
16797 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16798 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16799 	},
16800 	{
16801 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16803 		.doit = nl80211_set_sar_specs,
16804 		.flags = GENL_UNS_ADMIN_PERM,
16805 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16806 					 NL80211_FLAG_NEED_RTNL),
16807 	},
16808 	{
16809 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16810 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16811 		.doit = nl80211_color_change,
16812 		.flags = GENL_UNS_ADMIN_PERM,
16813 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16814 	},
16815 	{
16816 		.cmd = NL80211_CMD_SET_FILS_AAD,
16817 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16818 		.doit = nl80211_set_fils_aad,
16819 		.flags = GENL_UNS_ADMIN_PERM,
16820 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16821 	},
16822 	{
16823 		.cmd = NL80211_CMD_ADD_LINK,
16824 		.doit = nl80211_add_link,
16825 		.flags = GENL_UNS_ADMIN_PERM,
16826 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16827 	},
16828 	{
16829 		.cmd = NL80211_CMD_REMOVE_LINK,
16830 		.doit = nl80211_remove_link,
16831 		.flags = GENL_UNS_ADMIN_PERM,
16832 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16833 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16834 	},
16835 };
16836 
16837 static struct genl_family nl80211_fam __ro_after_init = {
16838 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16839 	.hdrsize = 0,			/* no private header */
16840 	.version = 1,			/* no particular meaning now */
16841 	.maxattr = NL80211_ATTR_MAX,
16842 	.policy = nl80211_policy,
16843 	.netnsok = true,
16844 	.pre_doit = nl80211_pre_doit,
16845 	.post_doit = nl80211_post_doit,
16846 	.module = THIS_MODULE,
16847 	.ops = nl80211_ops,
16848 	.n_ops = ARRAY_SIZE(nl80211_ops),
16849 	.small_ops = nl80211_small_ops,
16850 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16851 	.mcgrps = nl80211_mcgrps,
16852 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16853 	.parallel_ops = true,
16854 };
16855 
16856 /* notification functions */
16857 
16858 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16859 			  enum nl80211_commands cmd)
16860 {
16861 	struct sk_buff *msg;
16862 	struct nl80211_dump_wiphy_state state = {};
16863 
16864 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16865 		cmd != NL80211_CMD_DEL_WIPHY);
16866 
16867 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16868 	if (!msg)
16869 		return;
16870 
16871 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16872 		nlmsg_free(msg);
16873 		return;
16874 	}
16875 
16876 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16877 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16878 }
16879 
16880 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16881 				struct wireless_dev *wdev,
16882 				enum nl80211_commands cmd)
16883 {
16884 	struct sk_buff *msg;
16885 
16886 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16887 	if (!msg)
16888 		return;
16889 
16890 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16891 		nlmsg_free(msg);
16892 		return;
16893 	}
16894 
16895 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16896 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16897 }
16898 
16899 static int nl80211_add_scan_req(struct sk_buff *msg,
16900 				struct cfg80211_registered_device *rdev)
16901 {
16902 	struct cfg80211_scan_request *req = rdev->scan_req;
16903 	struct nlattr *nest;
16904 	int i;
16905 	struct cfg80211_scan_info *info;
16906 
16907 	if (WARN_ON(!req))
16908 		return 0;
16909 
16910 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16911 	if (!nest)
16912 		goto nla_put_failure;
16913 	for (i = 0; i < req->n_ssids; i++) {
16914 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16915 			goto nla_put_failure;
16916 	}
16917 	nla_nest_end(msg, nest);
16918 
16919 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16920 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16921 		if (!nest)
16922 			goto nla_put_failure;
16923 		for (i = 0; i < req->n_channels; i++) {
16924 			if (nla_put_u32(msg, i,
16925 				   ieee80211_channel_to_khz(req->channels[i])))
16926 				goto nla_put_failure;
16927 		}
16928 		nla_nest_end(msg, nest);
16929 	} else {
16930 		nest = nla_nest_start_noflag(msg,
16931 					     NL80211_ATTR_SCAN_FREQUENCIES);
16932 		if (!nest)
16933 			goto nla_put_failure;
16934 		for (i = 0; i < req->n_channels; i++) {
16935 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16936 				goto nla_put_failure;
16937 		}
16938 		nla_nest_end(msg, nest);
16939 	}
16940 
16941 	if (req->ie &&
16942 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16943 		goto nla_put_failure;
16944 
16945 	if (req->flags &&
16946 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16947 		goto nla_put_failure;
16948 
16949 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16950 		&rdev->scan_req->info;
16951 	if (info->scan_start_tsf &&
16952 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16953 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16954 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16955 		     info->tsf_bssid)))
16956 		goto nla_put_failure;
16957 
16958 	return 0;
16959  nla_put_failure:
16960 	return -ENOBUFS;
16961 }
16962 
16963 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16964 				 struct cfg80211_registered_device *rdev,
16965 				 struct wireless_dev *wdev,
16966 				 u32 portid, u32 seq, int flags,
16967 				 u32 cmd)
16968 {
16969 	void *hdr;
16970 
16971 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16972 	if (!hdr)
16973 		return -1;
16974 
16975 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16976 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16977 					 wdev->netdev->ifindex)) ||
16978 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16979 			      NL80211_ATTR_PAD))
16980 		goto nla_put_failure;
16981 
16982 	/* ignore errors and send incomplete event anyway */
16983 	nl80211_add_scan_req(msg, rdev);
16984 
16985 	genlmsg_end(msg, hdr);
16986 	return 0;
16987 
16988  nla_put_failure:
16989 	genlmsg_cancel(msg, hdr);
16990 	return -EMSGSIZE;
16991 }
16992 
16993 static int
16994 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16995 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16996 {
16997 	void *hdr;
16998 
16999 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17000 	if (!hdr)
17001 		return -1;
17002 
17003 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17004 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17005 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17006 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17007 			      NL80211_ATTR_PAD))
17008 		goto nla_put_failure;
17009 
17010 	genlmsg_end(msg, hdr);
17011 	return 0;
17012 
17013  nla_put_failure:
17014 	genlmsg_cancel(msg, hdr);
17015 	return -EMSGSIZE;
17016 }
17017 
17018 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17019 			     struct wireless_dev *wdev)
17020 {
17021 	struct sk_buff *msg;
17022 
17023 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17024 	if (!msg)
17025 		return;
17026 
17027 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17028 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17029 		nlmsg_free(msg);
17030 		return;
17031 	}
17032 
17033 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17034 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17035 }
17036 
17037 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17038 				       struct wireless_dev *wdev, bool aborted)
17039 {
17040 	struct sk_buff *msg;
17041 
17042 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17043 	if (!msg)
17044 		return NULL;
17045 
17046 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17047 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17048 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17049 		nlmsg_free(msg);
17050 		return NULL;
17051 	}
17052 
17053 	return msg;
17054 }
17055 
17056 /* send message created by nl80211_build_scan_msg() */
17057 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17058 			   struct sk_buff *msg)
17059 {
17060 	if (!msg)
17061 		return;
17062 
17063 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17064 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17065 }
17066 
17067 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17068 {
17069 	struct sk_buff *msg;
17070 
17071 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17072 	if (!msg)
17073 		return;
17074 
17075 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17076 		nlmsg_free(msg);
17077 		return;
17078 	}
17079 
17080 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17081 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17082 }
17083 
17084 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17085 					  struct regulatory_request *request)
17086 {
17087 	/* Userspace can always count this one always being set */
17088 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17089 		goto nla_put_failure;
17090 
17091 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17092 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17093 			       NL80211_REGDOM_TYPE_WORLD))
17094 			goto nla_put_failure;
17095 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17096 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17097 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17098 			goto nla_put_failure;
17099 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17100 		   request->intersect) {
17101 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17102 			       NL80211_REGDOM_TYPE_INTERSECTION))
17103 			goto nla_put_failure;
17104 	} else {
17105 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17106 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17107 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17108 				   request->alpha2))
17109 			goto nla_put_failure;
17110 	}
17111 
17112 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17113 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17114 
17115 		if (wiphy &&
17116 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17117 			goto nla_put_failure;
17118 
17119 		if (wiphy &&
17120 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17121 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17122 			goto nla_put_failure;
17123 	}
17124 
17125 	return true;
17126 
17127 nla_put_failure:
17128 	return false;
17129 }
17130 
17131 /*
17132  * This can happen on global regulatory changes or device specific settings
17133  * based on custom regulatory domains.
17134  */
17135 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17136 				     struct regulatory_request *request)
17137 {
17138 	struct sk_buff *msg;
17139 	void *hdr;
17140 
17141 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17142 	if (!msg)
17143 		return;
17144 
17145 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17146 	if (!hdr)
17147 		goto nla_put_failure;
17148 
17149 	if (!nl80211_reg_change_event_fill(msg, request))
17150 		goto nla_put_failure;
17151 
17152 	genlmsg_end(msg, hdr);
17153 
17154 	rcu_read_lock();
17155 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17156 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17157 	rcu_read_unlock();
17158 
17159 	return;
17160 
17161 nla_put_failure:
17162 	nlmsg_free(msg);
17163 }
17164 
17165 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17166 				    struct net_device *netdev,
17167 				    const u8 *buf, size_t len,
17168 				    enum nl80211_commands cmd, gfp_t gfp,
17169 				    int uapsd_queues, const u8 *req_ies,
17170 				    size_t req_ies_len, bool reconnect)
17171 {
17172 	struct sk_buff *msg;
17173 	void *hdr;
17174 
17175 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17176 	if (!msg)
17177 		return;
17178 
17179 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17180 	if (!hdr) {
17181 		nlmsg_free(msg);
17182 		return;
17183 	}
17184 
17185 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17186 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17187 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17188 	    (req_ies &&
17189 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17190 		goto nla_put_failure;
17191 
17192 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17193 		goto nla_put_failure;
17194 
17195 	if (uapsd_queues >= 0) {
17196 		struct nlattr *nla_wmm =
17197 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17198 		if (!nla_wmm)
17199 			goto nla_put_failure;
17200 
17201 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17202 			       uapsd_queues))
17203 			goto nla_put_failure;
17204 
17205 		nla_nest_end(msg, nla_wmm);
17206 	}
17207 
17208 	genlmsg_end(msg, hdr);
17209 
17210 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17211 				NL80211_MCGRP_MLME, gfp);
17212 	return;
17213 
17214  nla_put_failure:
17215 	nlmsg_free(msg);
17216 }
17217 
17218 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17219 			  struct net_device *netdev, const u8 *buf,
17220 			  size_t len, gfp_t gfp)
17221 {
17222 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17223 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17224 				false);
17225 }
17226 
17227 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17228 			   struct net_device *netdev, const u8 *buf,
17229 			   size_t len, gfp_t gfp, int uapsd_queues,
17230 			   const u8 *req_ies, size_t req_ies_len)
17231 {
17232 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17233 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
17234 				req_ies, req_ies_len, false);
17235 }
17236 
17237 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17238 			 struct net_device *netdev, const u8 *buf,
17239 			 size_t len, bool reconnect, gfp_t gfp)
17240 {
17241 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17242 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17243 				reconnect);
17244 }
17245 
17246 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17247 			   struct net_device *netdev, const u8 *buf,
17248 			   size_t len, bool reconnect, gfp_t gfp)
17249 {
17250 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17251 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17252 				reconnect);
17253 }
17254 
17255 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17256 				  size_t len)
17257 {
17258 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17259 	struct wiphy *wiphy = wdev->wiphy;
17260 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17261 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17262 	u32 cmd;
17263 
17264 	if (WARN_ON(len < 2))
17265 		return;
17266 
17267 	if (ieee80211_is_deauth(mgmt->frame_control)) {
17268 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17269 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17270 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17271 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17272 		if (wdev->unprot_beacon_reported &&
17273 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17274 			return;
17275 		cmd = NL80211_CMD_UNPROT_BEACON;
17276 		wdev->unprot_beacon_reported = jiffies;
17277 	} else {
17278 		return;
17279 	}
17280 
17281 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17282 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17283 				NULL, 0, false);
17284 }
17285 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17286 
17287 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
17288 				      struct net_device *netdev, int cmd,
17289 				      const u8 *addr, gfp_t gfp)
17290 {
17291 	struct sk_buff *msg;
17292 	void *hdr;
17293 
17294 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17295 	if (!msg)
17296 		return;
17297 
17298 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17299 	if (!hdr) {
17300 		nlmsg_free(msg);
17301 		return;
17302 	}
17303 
17304 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17305 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17306 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17307 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17308 		goto nla_put_failure;
17309 
17310 	genlmsg_end(msg, hdr);
17311 
17312 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17313 				NL80211_MCGRP_MLME, gfp);
17314 	return;
17315 
17316  nla_put_failure:
17317 	nlmsg_free(msg);
17318 }
17319 
17320 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
17321 			       struct net_device *netdev, const u8 *addr,
17322 			       gfp_t gfp)
17323 {
17324 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
17325 				  addr, gfp);
17326 }
17327 
17328 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
17329 				struct net_device *netdev, const u8 *addr,
17330 				gfp_t gfp)
17331 {
17332 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
17333 				  addr, gfp);
17334 }
17335 
17336 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
17337 				 struct net_device *netdev,
17338 				 struct cfg80211_connect_resp_params *cr,
17339 				 gfp_t gfp)
17340 {
17341 	struct sk_buff *msg;
17342 	void *hdr;
17343 	unsigned int link;
17344 	size_t link_info_size = 0;
17345 	const u8 *connected_addr = cr->valid_links ?
17346 				   cr->ap_mld_addr : cr->links[0].bssid;
17347 
17348 	if (cr->valid_links) {
17349 		for_each_valid_link(cr, link) {
17350 			/* Nested attribute header */
17351 			link_info_size += NLA_HDRLEN;
17352 			/* Link ID */
17353 			link_info_size += nla_total_size(sizeof(u8));
17354 			link_info_size += cr->links[link].addr ?
17355 					  nla_total_size(ETH_ALEN) : 0;
17356 			link_info_size += (cr->links[link].bssid ||
17357 					   cr->links[link].bss) ?
17358 					  nla_total_size(ETH_ALEN) : 0;
17359 		}
17360 	}
17361 
17362 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
17363 			cr->fils.kek_len + cr->fils.pmk_len +
17364 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
17365 			gfp);
17366 	if (!msg)
17367 		return;
17368 
17369 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
17370 	if (!hdr) {
17371 		nlmsg_free(msg);
17372 		return;
17373 	}
17374 
17375 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17376 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17377 	    (connected_addr &&
17378 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
17379 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
17380 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
17381 			cr->status) ||
17382 	    (cr->status < 0 &&
17383 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17384 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
17385 			  cr->timeout_reason))) ||
17386 	    (cr->req_ie &&
17387 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
17388 	    (cr->resp_ie &&
17389 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
17390 		     cr->resp_ie)) ||
17391 	    (cr->fils.update_erp_next_seq_num &&
17392 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
17393 			 cr->fils.erp_next_seq_num)) ||
17394 	    (cr->status == WLAN_STATUS_SUCCESS &&
17395 	     ((cr->fils.kek &&
17396 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
17397 		       cr->fils.kek)) ||
17398 	      (cr->fils.pmk &&
17399 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
17400 	      (cr->fils.pmkid &&
17401 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
17402 		goto nla_put_failure;
17403 
17404 	if (cr->valid_links) {
17405 		int i = 1;
17406 		struct nlattr *nested;
17407 
17408 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
17409 		if (!nested)
17410 			goto nla_put_failure;
17411 
17412 		for_each_valid_link(cr, link) {
17413 			struct nlattr *nested_mlo_links;
17414 			const u8 *bssid = cr->links[link].bss ?
17415 					  cr->links[link].bss->bssid :
17416 					  cr->links[link].bssid;
17417 
17418 			nested_mlo_links = nla_nest_start(msg, i);
17419 			if (!nested_mlo_links)
17420 				goto nla_put_failure;
17421 
17422 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
17423 			    (bssid &&
17424 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
17425 			    (cr->links[link].addr &&
17426 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
17427 				     cr->links[link].addr)))
17428 				goto nla_put_failure;
17429 
17430 			nla_nest_end(msg, nested_mlo_links);
17431 			i++;
17432 		}
17433 		nla_nest_end(msg, nested);
17434 	}
17435 
17436 	genlmsg_end(msg, hdr);
17437 
17438 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17439 				NL80211_MCGRP_MLME, gfp);
17440 	return;
17441 
17442  nla_put_failure:
17443 	nlmsg_free(msg);
17444 }
17445 
17446 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
17447 			 struct net_device *netdev,
17448 			 struct cfg80211_roam_info *info, gfp_t gfp)
17449 {
17450 	struct sk_buff *msg;
17451 	void *hdr;
17452 	size_t link_info_size = 0;
17453 	unsigned int link;
17454 	const u8 *connected_addr = info->ap_mld_addr ?
17455 				   info->ap_mld_addr :
17456 				   (info->links[0].bss ?
17457 				    info->links[0].bss->bssid :
17458 				    info->links[0].bssid);
17459 
17460 	if (info->valid_links) {
17461 		for_each_valid_link(info, link) {
17462 			/* Nested attribute header */
17463 			link_info_size += NLA_HDRLEN;
17464 			/* Link ID */
17465 			link_info_size += nla_total_size(sizeof(u8));
17466 			link_info_size += info->links[link].addr ?
17467 					  nla_total_size(ETH_ALEN) : 0;
17468 			link_info_size += (info->links[link].bssid ||
17469 					   info->links[link].bss) ?
17470 					  nla_total_size(ETH_ALEN) : 0;
17471 		}
17472 	}
17473 
17474 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
17475 			info->fils.kek_len + info->fils.pmk_len +
17476 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
17477 			link_info_size, gfp);
17478 	if (!msg)
17479 		return;
17480 
17481 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
17482 	if (!hdr) {
17483 		nlmsg_free(msg);
17484 		return;
17485 	}
17486 
17487 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17488 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17489 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
17490 	    (info->req_ie &&
17491 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
17492 		     info->req_ie)) ||
17493 	    (info->resp_ie &&
17494 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
17495 		     info->resp_ie)) ||
17496 	    (info->fils.update_erp_next_seq_num &&
17497 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
17498 			 info->fils.erp_next_seq_num)) ||
17499 	    (info->fils.kek &&
17500 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
17501 		     info->fils.kek)) ||
17502 	    (info->fils.pmk &&
17503 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
17504 	    (info->fils.pmkid &&
17505 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
17506 		goto nla_put_failure;
17507 
17508 	if (info->valid_links) {
17509 		int i = 1;
17510 		struct nlattr *nested;
17511 
17512 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
17513 		if (!nested)
17514 			goto nla_put_failure;
17515 
17516 		for_each_valid_link(info, link) {
17517 			struct nlattr *nested_mlo_links;
17518 			const u8 *bssid = info->links[link].bss ?
17519 					  info->links[link].bss->bssid :
17520 					  info->links[link].bssid;
17521 
17522 			nested_mlo_links = nla_nest_start(msg, i);
17523 			if (!nested_mlo_links)
17524 				goto nla_put_failure;
17525 
17526 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
17527 			    (bssid &&
17528 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
17529 			    (info->links[link].addr &&
17530 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
17531 				     info->links[link].addr)))
17532 				goto nla_put_failure;
17533 
17534 			nla_nest_end(msg, nested_mlo_links);
17535 			i++;
17536 		}
17537 		nla_nest_end(msg, nested);
17538 	}
17539 
17540 	genlmsg_end(msg, hdr);
17541 
17542 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17543 				NL80211_MCGRP_MLME, gfp);
17544 	return;
17545 
17546  nla_put_failure:
17547 	nlmsg_free(msg);
17548 }
17549 
17550 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
17551 				  struct net_device *netdev, const u8 *bssid)
17552 {
17553 	struct sk_buff *msg;
17554 	void *hdr;
17555 
17556 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17557 	if (!msg)
17558 		return;
17559 
17560 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
17561 	if (!hdr) {
17562 		nlmsg_free(msg);
17563 		return;
17564 	}
17565 
17566 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17567 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17568 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17569 		goto nla_put_failure;
17570 
17571 	genlmsg_end(msg, hdr);
17572 
17573 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17574 				NL80211_MCGRP_MLME, GFP_KERNEL);
17575 	return;
17576 
17577  nla_put_failure:
17578 	nlmsg_free(msg);
17579 }
17580 
17581 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
17582 			       struct net_device *netdev, u16 reason,
17583 			       const u8 *ie, size_t ie_len, bool from_ap)
17584 {
17585 	struct sk_buff *msg;
17586 	void *hdr;
17587 
17588 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
17589 	if (!msg)
17590 		return;
17591 
17592 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
17593 	if (!hdr) {
17594 		nlmsg_free(msg);
17595 		return;
17596 	}
17597 
17598 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17599 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17600 	    (reason &&
17601 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
17602 	    (from_ap &&
17603 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
17604 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
17605 		goto nla_put_failure;
17606 
17607 	genlmsg_end(msg, hdr);
17608 
17609 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17610 				NL80211_MCGRP_MLME, GFP_KERNEL);
17611 	return;
17612 
17613  nla_put_failure:
17614 	nlmsg_free(msg);
17615 }
17616 
17617 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
17618 			     struct net_device *netdev, const u8 *bssid,
17619 			     gfp_t gfp)
17620 {
17621 	struct sk_buff *msg;
17622 	void *hdr;
17623 
17624 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17625 	if (!msg)
17626 		return;
17627 
17628 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
17629 	if (!hdr) {
17630 		nlmsg_free(msg);
17631 		return;
17632 	}
17633 
17634 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17635 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17636 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17637 		goto nla_put_failure;
17638 
17639 	genlmsg_end(msg, hdr);
17640 
17641 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17642 				NL80211_MCGRP_MLME, gfp);
17643 	return;
17644 
17645  nla_put_failure:
17646 	nlmsg_free(msg);
17647 }
17648 
17649 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
17650 					const u8 *ie, u8 ie_len,
17651 					int sig_dbm, gfp_t gfp)
17652 {
17653 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17654 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17655 	struct sk_buff *msg;
17656 	void *hdr;
17657 
17658 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
17659 		return;
17660 
17661 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
17662 
17663 	msg = nlmsg_new(100 + ie_len, gfp);
17664 	if (!msg)
17665 		return;
17666 
17667 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
17668 	if (!hdr) {
17669 		nlmsg_free(msg);
17670 		return;
17671 	}
17672 
17673 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17674 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17675 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17676 	    (ie_len && ie &&
17677 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
17678 	    (sig_dbm &&
17679 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
17680 		goto nla_put_failure;
17681 
17682 	genlmsg_end(msg, hdr);
17683 
17684 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17685 				NL80211_MCGRP_MLME, gfp);
17686 	return;
17687 
17688  nla_put_failure:
17689 	nlmsg_free(msg);
17690 }
17691 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
17692 
17693 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
17694 				 struct net_device *netdev, const u8 *addr,
17695 				 enum nl80211_key_type key_type, int key_id,
17696 				 const u8 *tsc, gfp_t gfp)
17697 {
17698 	struct sk_buff *msg;
17699 	void *hdr;
17700 
17701 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17702 	if (!msg)
17703 		return;
17704 
17705 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
17706 	if (!hdr) {
17707 		nlmsg_free(msg);
17708 		return;
17709 	}
17710 
17711 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17712 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17713 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
17714 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
17715 	    (key_id != -1 &&
17716 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
17717 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
17718 		goto nla_put_failure;
17719 
17720 	genlmsg_end(msg, hdr);
17721 
17722 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17723 				NL80211_MCGRP_MLME, gfp);
17724 	return;
17725 
17726  nla_put_failure:
17727 	nlmsg_free(msg);
17728 }
17729 
17730 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
17731 				    struct ieee80211_channel *channel_before,
17732 				    struct ieee80211_channel *channel_after)
17733 {
17734 	struct sk_buff *msg;
17735 	void *hdr;
17736 	struct nlattr *nl_freq;
17737 
17738 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
17739 	if (!msg)
17740 		return;
17741 
17742 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
17743 	if (!hdr) {
17744 		nlmsg_free(msg);
17745 		return;
17746 	}
17747 
17748 	/*
17749 	 * Since we are applying the beacon hint to a wiphy we know its
17750 	 * wiphy_idx is valid
17751 	 */
17752 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
17753 		goto nla_put_failure;
17754 
17755 	/* Before */
17756 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
17757 	if (!nl_freq)
17758 		goto nla_put_failure;
17759 
17760 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
17761 		goto nla_put_failure;
17762 	nla_nest_end(msg, nl_freq);
17763 
17764 	/* After */
17765 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
17766 	if (!nl_freq)
17767 		goto nla_put_failure;
17768 
17769 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
17770 		goto nla_put_failure;
17771 	nla_nest_end(msg, nl_freq);
17772 
17773 	genlmsg_end(msg, hdr);
17774 
17775 	rcu_read_lock();
17776 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17777 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17778 	rcu_read_unlock();
17779 
17780 	return;
17781 
17782 nla_put_failure:
17783 	nlmsg_free(msg);
17784 }
17785 
17786 static void nl80211_send_remain_on_chan_event(
17787 	int cmd, struct cfg80211_registered_device *rdev,
17788 	struct wireless_dev *wdev, u64 cookie,
17789 	struct ieee80211_channel *chan,
17790 	unsigned int duration, gfp_t gfp)
17791 {
17792 	struct sk_buff *msg;
17793 	void *hdr;
17794 
17795 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17796 	if (!msg)
17797 		return;
17798 
17799 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17800 	if (!hdr) {
17801 		nlmsg_free(msg);
17802 		return;
17803 	}
17804 
17805 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17806 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17807 					 wdev->netdev->ifindex)) ||
17808 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17809 			      NL80211_ATTR_PAD) ||
17810 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17811 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17812 			NL80211_CHAN_NO_HT) ||
17813 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17814 			      NL80211_ATTR_PAD))
17815 		goto nla_put_failure;
17816 
17817 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17818 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17819 		goto nla_put_failure;
17820 
17821 	genlmsg_end(msg, hdr);
17822 
17823 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17824 				NL80211_MCGRP_MLME, gfp);
17825 	return;
17826 
17827  nla_put_failure:
17828 	nlmsg_free(msg);
17829 }
17830 
17831 void cfg80211_assoc_comeback(struct net_device *netdev,
17832 			     struct cfg80211_bss *bss, u32 timeout)
17833 {
17834 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
17835 	struct wiphy *wiphy = wdev->wiphy;
17836 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17837 	struct sk_buff *msg;
17838 	void *hdr;
17839 
17840 	trace_cfg80211_assoc_comeback(wdev, bss->bssid, timeout);
17841 
17842 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17843 	if (!msg)
17844 		return;
17845 
17846 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
17847 	if (!hdr) {
17848 		nlmsg_free(msg);
17849 		return;
17850 	}
17851 
17852 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17853 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17854 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bss->bssid) ||
17855 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
17856 		goto nla_put_failure;
17857 
17858 	genlmsg_end(msg, hdr);
17859 
17860 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17861 				NL80211_MCGRP_MLME, GFP_KERNEL);
17862 	return;
17863 
17864  nla_put_failure:
17865 	nlmsg_free(msg);
17866 }
17867 EXPORT_SYMBOL(cfg80211_assoc_comeback);
17868 
17869 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17870 			       struct ieee80211_channel *chan,
17871 			       unsigned int duration, gfp_t gfp)
17872 {
17873 	struct wiphy *wiphy = wdev->wiphy;
17874 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17875 
17876 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17877 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17878 					  rdev, wdev, cookie, chan,
17879 					  duration, gfp);
17880 }
17881 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17882 
17883 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17884 					struct ieee80211_channel *chan,
17885 					gfp_t gfp)
17886 {
17887 	struct wiphy *wiphy = wdev->wiphy;
17888 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17889 
17890 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17891 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17892 					  rdev, wdev, cookie, chan, 0, gfp);
17893 }
17894 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17895 
17896 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17897 					struct ieee80211_channel *chan,
17898 					gfp_t gfp)
17899 {
17900 	struct wiphy *wiphy = wdev->wiphy;
17901 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17902 
17903 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17904 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17905 					  rdev, wdev, cookie, chan, 0, gfp);
17906 }
17907 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17908 
17909 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17910 		      struct station_info *sinfo, gfp_t gfp)
17911 {
17912 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17913 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17914 	struct sk_buff *msg;
17915 
17916 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17917 
17918 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17919 	if (!msg)
17920 		return;
17921 
17922 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17923 				 rdev, dev, mac_addr, sinfo) < 0) {
17924 		nlmsg_free(msg);
17925 		return;
17926 	}
17927 
17928 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17929 				NL80211_MCGRP_MLME, gfp);
17930 }
17931 EXPORT_SYMBOL(cfg80211_new_sta);
17932 
17933 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17934 			    struct station_info *sinfo, gfp_t gfp)
17935 {
17936 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17937 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17938 	struct sk_buff *msg;
17939 	struct station_info empty_sinfo = {};
17940 
17941 	if (!sinfo)
17942 		sinfo = &empty_sinfo;
17943 
17944 	trace_cfg80211_del_sta(dev, mac_addr);
17945 
17946 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17947 	if (!msg) {
17948 		cfg80211_sinfo_release_content(sinfo);
17949 		return;
17950 	}
17951 
17952 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17953 				 rdev, dev, mac_addr, sinfo) < 0) {
17954 		nlmsg_free(msg);
17955 		return;
17956 	}
17957 
17958 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17959 				NL80211_MCGRP_MLME, gfp);
17960 }
17961 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17962 
17963 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17964 			  enum nl80211_connect_failed_reason reason,
17965 			  gfp_t gfp)
17966 {
17967 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17968 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17969 	struct sk_buff *msg;
17970 	void *hdr;
17971 
17972 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17973 	if (!msg)
17974 		return;
17975 
17976 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17977 	if (!hdr) {
17978 		nlmsg_free(msg);
17979 		return;
17980 	}
17981 
17982 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17983 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17984 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17985 		goto nla_put_failure;
17986 
17987 	genlmsg_end(msg, hdr);
17988 
17989 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17990 				NL80211_MCGRP_MLME, gfp);
17991 	return;
17992 
17993  nla_put_failure:
17994 	nlmsg_free(msg);
17995 }
17996 EXPORT_SYMBOL(cfg80211_conn_failed);
17997 
17998 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17999 				       const u8 *addr, gfp_t gfp)
18000 {
18001 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18002 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18003 	struct sk_buff *msg;
18004 	void *hdr;
18005 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18006 
18007 	if (!nlportid)
18008 		return false;
18009 
18010 	msg = nlmsg_new(100, gfp);
18011 	if (!msg)
18012 		return true;
18013 
18014 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18015 	if (!hdr) {
18016 		nlmsg_free(msg);
18017 		return true;
18018 	}
18019 
18020 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18021 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18022 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18023 		goto nla_put_failure;
18024 
18025 	genlmsg_end(msg, hdr);
18026 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18027 	return true;
18028 
18029  nla_put_failure:
18030 	nlmsg_free(msg);
18031 	return true;
18032 }
18033 
18034 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18035 				const u8 *addr, gfp_t gfp)
18036 {
18037 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18038 	bool ret;
18039 
18040 	trace_cfg80211_rx_spurious_frame(dev, addr);
18041 
18042 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18043 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18044 		trace_cfg80211_return_bool(false);
18045 		return false;
18046 	}
18047 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18048 					 addr, gfp);
18049 	trace_cfg80211_return_bool(ret);
18050 	return ret;
18051 }
18052 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18053 
18054 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18055 					const u8 *addr, gfp_t gfp)
18056 {
18057 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18058 	bool ret;
18059 
18060 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18061 
18062 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18063 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18064 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18065 		trace_cfg80211_return_bool(false);
18066 		return false;
18067 	}
18068 	ret = __nl80211_unexpected_frame(dev,
18069 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18070 					 addr, gfp);
18071 	trace_cfg80211_return_bool(ret);
18072 	return ret;
18073 }
18074 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18075 
18076 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18077 		      struct wireless_dev *wdev, u32 nlportid,
18078 		      int freq, int sig_dbm,
18079 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
18080 {
18081 	struct net_device *netdev = wdev->netdev;
18082 	struct sk_buff *msg;
18083 	void *hdr;
18084 
18085 	msg = nlmsg_new(100 + len, gfp);
18086 	if (!msg)
18087 		return -ENOMEM;
18088 
18089 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18090 	if (!hdr) {
18091 		nlmsg_free(msg);
18092 		return -ENOMEM;
18093 	}
18094 
18095 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18096 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18097 					netdev->ifindex)) ||
18098 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18099 			      NL80211_ATTR_PAD) ||
18100 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
18101 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
18102 	    (sig_dbm &&
18103 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18104 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
18105 	    (flags &&
18106 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
18107 		goto nla_put_failure;
18108 
18109 	genlmsg_end(msg, hdr);
18110 
18111 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18112 
18113  nla_put_failure:
18114 	nlmsg_free(msg);
18115 	return -ENOBUFS;
18116 }
18117 
18118 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
18119 				    const u8 *buf, size_t len, bool ack,
18120 				    gfp_t gfp, enum nl80211_commands command)
18121 {
18122 	struct wiphy *wiphy = wdev->wiphy;
18123 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18124 	struct net_device *netdev = wdev->netdev;
18125 	struct sk_buff *msg;
18126 	void *hdr;
18127 
18128 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18129 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
18130 	else
18131 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
18132 
18133 	msg = nlmsg_new(100 + len, gfp);
18134 	if (!msg)
18135 		return;
18136 
18137 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18138 	if (!hdr) {
18139 		nlmsg_free(msg);
18140 		return;
18141 	}
18142 
18143 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18144 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18145 				   netdev->ifindex)) ||
18146 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18147 			      NL80211_ATTR_PAD) ||
18148 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
18149 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18150 			      NL80211_ATTR_PAD) ||
18151 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
18152 		goto nla_put_failure;
18153 
18154 	genlmsg_end(msg, hdr);
18155 
18156 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18157 				NL80211_MCGRP_MLME, gfp);
18158 	return;
18159 
18160 nla_put_failure:
18161 	nlmsg_free(msg);
18162 }
18163 
18164 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18165 				     const u8 *buf, size_t len, bool ack,
18166 				     gfp_t gfp)
18167 {
18168 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
18169 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18170 }
18171 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18172 
18173 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
18174 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
18175 {
18176 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
18177 				NL80211_CMD_FRAME_TX_STATUS);
18178 }
18179 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
18180 
18181 static int __nl80211_rx_control_port(struct net_device *dev,
18182 				     struct sk_buff *skb,
18183 				     bool unencrypted, gfp_t gfp)
18184 {
18185 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18186 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18187 	struct ethhdr *ehdr = eth_hdr(skb);
18188 	const u8 *addr = ehdr->h_source;
18189 	u16 proto = be16_to_cpu(skb->protocol);
18190 	struct sk_buff *msg;
18191 	void *hdr;
18192 	struct nlattr *frame;
18193 
18194 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
18195 
18196 	if (!nlportid)
18197 		return -ENOENT;
18198 
18199 	msg = nlmsg_new(100 + skb->len, gfp);
18200 	if (!msg)
18201 		return -ENOMEM;
18202 
18203 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
18204 	if (!hdr) {
18205 		nlmsg_free(msg);
18206 		return -ENOBUFS;
18207 	}
18208 
18209 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18210 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18211 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18212 			      NL80211_ATTR_PAD) ||
18213 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18214 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
18215 	    (unencrypted && nla_put_flag(msg,
18216 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
18217 		goto nla_put_failure;
18218 
18219 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
18220 	if (!frame)
18221 		goto nla_put_failure;
18222 
18223 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
18224 	genlmsg_end(msg, hdr);
18225 
18226 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18227 
18228  nla_put_failure:
18229 	nlmsg_free(msg);
18230 	return -ENOBUFS;
18231 }
18232 
18233 bool cfg80211_rx_control_port(struct net_device *dev,
18234 			      struct sk_buff *skb, bool unencrypted)
18235 {
18236 	int ret;
18237 
18238 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
18239 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
18240 	trace_cfg80211_return_bool(ret == 0);
18241 	return ret == 0;
18242 }
18243 EXPORT_SYMBOL(cfg80211_rx_control_port);
18244 
18245 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
18246 					    const char *mac, gfp_t gfp)
18247 {
18248 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18249 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18250 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18251 	void **cb;
18252 
18253 	if (!msg)
18254 		return NULL;
18255 
18256 	cb = (void **)msg->cb;
18257 
18258 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
18259 	if (!cb[0]) {
18260 		nlmsg_free(msg);
18261 		return NULL;
18262 	}
18263 
18264 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18265 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18266 		goto nla_put_failure;
18267 
18268 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18269 		goto nla_put_failure;
18270 
18271 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
18272 	if (!cb[1])
18273 		goto nla_put_failure;
18274 
18275 	cb[2] = rdev;
18276 
18277 	return msg;
18278  nla_put_failure:
18279 	nlmsg_free(msg);
18280 	return NULL;
18281 }
18282 
18283 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
18284 {
18285 	void **cb = (void **)msg->cb;
18286 	struct cfg80211_registered_device *rdev = cb[2];
18287 
18288 	nla_nest_end(msg, cb[1]);
18289 	genlmsg_end(msg, cb[0]);
18290 
18291 	memset(msg->cb, 0, sizeof(msg->cb));
18292 
18293 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18294 				NL80211_MCGRP_MLME, gfp);
18295 }
18296 
18297 void cfg80211_cqm_rssi_notify(struct net_device *dev,
18298 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
18299 			      s32 rssi_level, gfp_t gfp)
18300 {
18301 	struct sk_buff *msg;
18302 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18303 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18304 
18305 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
18306 
18307 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
18308 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
18309 		return;
18310 
18311 	if (wdev->cqm_config) {
18312 		wdev->cqm_config->last_rssi_event_value = rssi_level;
18313 
18314 		cfg80211_cqm_rssi_update(rdev, dev);
18315 
18316 		if (rssi_level == 0)
18317 			rssi_level = wdev->cqm_config->last_rssi_event_value;
18318 	}
18319 
18320 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18321 	if (!msg)
18322 		return;
18323 
18324 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
18325 			rssi_event))
18326 		goto nla_put_failure;
18327 
18328 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
18329 				      rssi_level))
18330 		goto nla_put_failure;
18331 
18332 	cfg80211_send_cqm(msg, gfp);
18333 
18334 	return;
18335 
18336  nla_put_failure:
18337 	nlmsg_free(msg);
18338 }
18339 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
18340 
18341 void cfg80211_cqm_txe_notify(struct net_device *dev,
18342 			     const u8 *peer, u32 num_packets,
18343 			     u32 rate, u32 intvl, gfp_t gfp)
18344 {
18345 	struct sk_buff *msg;
18346 
18347 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18348 	if (!msg)
18349 		return;
18350 
18351 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
18352 		goto nla_put_failure;
18353 
18354 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
18355 		goto nla_put_failure;
18356 
18357 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
18358 		goto nla_put_failure;
18359 
18360 	cfg80211_send_cqm(msg, gfp);
18361 	return;
18362 
18363  nla_put_failure:
18364 	nlmsg_free(msg);
18365 }
18366 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
18367 
18368 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
18369 				 const u8 *peer, u32 num_packets, gfp_t gfp)
18370 {
18371 	struct sk_buff *msg;
18372 
18373 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
18374 
18375 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18376 	if (!msg)
18377 		return;
18378 
18379 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
18380 		goto nla_put_failure;
18381 
18382 	cfg80211_send_cqm(msg, gfp);
18383 	return;
18384 
18385  nla_put_failure:
18386 	nlmsg_free(msg);
18387 }
18388 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
18389 
18390 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
18391 {
18392 	struct sk_buff *msg;
18393 
18394 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18395 	if (!msg)
18396 		return;
18397 
18398 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
18399 		goto nla_put_failure;
18400 
18401 	cfg80211_send_cqm(msg, gfp);
18402 	return;
18403 
18404  nla_put_failure:
18405 	nlmsg_free(msg);
18406 }
18407 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
18408 
18409 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
18410 				     struct net_device *netdev, const u8 *bssid,
18411 				     const u8 *replay_ctr, gfp_t gfp)
18412 {
18413 	struct sk_buff *msg;
18414 	struct nlattr *rekey_attr;
18415 	void *hdr;
18416 
18417 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18418 	if (!msg)
18419 		return;
18420 
18421 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
18422 	if (!hdr) {
18423 		nlmsg_free(msg);
18424 		return;
18425 	}
18426 
18427 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18428 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18429 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18430 		goto nla_put_failure;
18431 
18432 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
18433 	if (!rekey_attr)
18434 		goto nla_put_failure;
18435 
18436 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
18437 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
18438 		goto nla_put_failure;
18439 
18440 	nla_nest_end(msg, rekey_attr);
18441 
18442 	genlmsg_end(msg, hdr);
18443 
18444 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18445 				NL80211_MCGRP_MLME, gfp);
18446 	return;
18447 
18448  nla_put_failure:
18449 	nlmsg_free(msg);
18450 }
18451 
18452 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
18453 			       const u8 *replay_ctr, gfp_t gfp)
18454 {
18455 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18456 	struct wiphy *wiphy = wdev->wiphy;
18457 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18458 
18459 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
18460 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
18461 }
18462 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
18463 
18464 static void
18465 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
18466 			       struct net_device *netdev, int index,
18467 			       const u8 *bssid, bool preauth, gfp_t gfp)
18468 {
18469 	struct sk_buff *msg;
18470 	struct nlattr *attr;
18471 	void *hdr;
18472 
18473 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18474 	if (!msg)
18475 		return;
18476 
18477 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
18478 	if (!hdr) {
18479 		nlmsg_free(msg);
18480 		return;
18481 	}
18482 
18483 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18484 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
18485 		goto nla_put_failure;
18486 
18487 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
18488 	if (!attr)
18489 		goto nla_put_failure;
18490 
18491 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
18492 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
18493 	    (preauth &&
18494 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
18495 		goto nla_put_failure;
18496 
18497 	nla_nest_end(msg, attr);
18498 
18499 	genlmsg_end(msg, hdr);
18500 
18501 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18502 				NL80211_MCGRP_MLME, gfp);
18503 	return;
18504 
18505  nla_put_failure:
18506 	nlmsg_free(msg);
18507 }
18508 
18509 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
18510 				     const u8 *bssid, bool preauth, gfp_t gfp)
18511 {
18512 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18513 	struct wiphy *wiphy = wdev->wiphy;
18514 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18515 
18516 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
18517 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
18518 }
18519 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
18520 
18521 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
18522 				     struct net_device *netdev,
18523 				     struct cfg80211_chan_def *chandef,
18524 				     gfp_t gfp,
18525 				     enum nl80211_commands notif,
18526 				     u8 count, bool quiet)
18527 {
18528 	struct sk_buff *msg;
18529 	void *hdr;
18530 
18531 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18532 	if (!msg)
18533 		return;
18534 
18535 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
18536 	if (!hdr) {
18537 		nlmsg_free(msg);
18538 		return;
18539 	}
18540 
18541 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
18542 		goto nla_put_failure;
18543 
18544 	if (nl80211_send_chandef(msg, chandef))
18545 		goto nla_put_failure;
18546 
18547 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
18548 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
18549 			goto nla_put_failure;
18550 		if (quiet &&
18551 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
18552 			goto nla_put_failure;
18553 	}
18554 
18555 	genlmsg_end(msg, hdr);
18556 
18557 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18558 				NL80211_MCGRP_MLME, gfp);
18559 	return;
18560 
18561  nla_put_failure:
18562 	nlmsg_free(msg);
18563 }
18564 
18565 void cfg80211_ch_switch_notify(struct net_device *dev,
18566 			       struct cfg80211_chan_def *chandef,
18567 			       unsigned int link_id)
18568 {
18569 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18570 	struct wiphy *wiphy = wdev->wiphy;
18571 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18572 
18573 	ASSERT_WDEV_LOCK(wdev);
18574 	WARN_INVALID_LINK_ID(wdev, link_id);
18575 
18576 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
18577 
18578 	switch (wdev->iftype) {
18579 	case NL80211_IFTYPE_STATION:
18580 	case NL80211_IFTYPE_P2P_CLIENT:
18581 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
18582 			cfg80211_update_assoc_bss_entry(wdev, link_id,
18583 							chandef->chan);
18584 		break;
18585 	case NL80211_IFTYPE_MESH_POINT:
18586 		wdev->u.mesh.chandef = *chandef;
18587 		wdev->u.mesh.preset_chandef = *chandef;
18588 		break;
18589 	case NL80211_IFTYPE_AP:
18590 	case NL80211_IFTYPE_P2P_GO:
18591 		wdev->links[link_id].ap.chandef = *chandef;
18592 		break;
18593 	case NL80211_IFTYPE_ADHOC:
18594 		wdev->u.ibss.chandef = *chandef;
18595 		break;
18596 	default:
18597 		WARN_ON(1);
18598 		break;
18599 	}
18600 
18601 	cfg80211_sched_dfs_chan_update(rdev);
18602 
18603 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
18604 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
18605 }
18606 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
18607 
18608 void cfg80211_ch_switch_started_notify(struct net_device *dev,
18609 				       struct cfg80211_chan_def *chandef,
18610 				       u8 count, bool quiet)
18611 {
18612 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18613 	struct wiphy *wiphy = wdev->wiphy;
18614 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18615 
18616 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
18617 
18618 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
18619 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
18620 				 count, quiet);
18621 }
18622 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
18623 
18624 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
18625 			      enum nl80211_commands cmd, u8 count,
18626 			      u64 color_bitmap)
18627 {
18628 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18629 	struct wiphy *wiphy = wdev->wiphy;
18630 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18631 	struct sk_buff *msg;
18632 	void *hdr;
18633 
18634 	ASSERT_WDEV_LOCK(wdev);
18635 
18636 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
18637 
18638 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18639 	if (!msg)
18640 		return -ENOMEM;
18641 
18642 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18643 	if (!hdr)
18644 		goto nla_put_failure;
18645 
18646 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18647 		goto nla_put_failure;
18648 
18649 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
18650 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
18651 		goto nla_put_failure;
18652 
18653 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
18654 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
18655 			      color_bitmap, NL80211_ATTR_PAD))
18656 		goto nla_put_failure;
18657 
18658 	genlmsg_end(msg, hdr);
18659 
18660 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
18661 				       msg, 0, NL80211_MCGRP_MLME, gfp);
18662 
18663 nla_put_failure:
18664 	nlmsg_free(msg);
18665 	return -EINVAL;
18666 }
18667 EXPORT_SYMBOL(cfg80211_bss_color_notify);
18668 
18669 void
18670 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
18671 		     const struct cfg80211_chan_def *chandef,
18672 		     enum nl80211_radar_event event,
18673 		     struct net_device *netdev, gfp_t gfp)
18674 {
18675 	struct sk_buff *msg;
18676 	void *hdr;
18677 
18678 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18679 	if (!msg)
18680 		return;
18681 
18682 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
18683 	if (!hdr) {
18684 		nlmsg_free(msg);
18685 		return;
18686 	}
18687 
18688 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18689 		goto nla_put_failure;
18690 
18691 	/* NOP and radar events don't need a netdev parameter */
18692 	if (netdev) {
18693 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
18694 
18695 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18696 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18697 				      NL80211_ATTR_PAD))
18698 			goto nla_put_failure;
18699 	}
18700 
18701 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
18702 		goto nla_put_failure;
18703 
18704 	if (nl80211_send_chandef(msg, chandef))
18705 		goto nla_put_failure;
18706 
18707 	genlmsg_end(msg, hdr);
18708 
18709 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18710 				NL80211_MCGRP_MLME, gfp);
18711 	return;
18712 
18713  nla_put_failure:
18714 	nlmsg_free(msg);
18715 }
18716 
18717 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
18718 				       struct sta_opmode_info *sta_opmode,
18719 				       gfp_t gfp)
18720 {
18721 	struct sk_buff *msg;
18722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18723 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18724 	void *hdr;
18725 
18726 	if (WARN_ON(!mac))
18727 		return;
18728 
18729 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18730 	if (!msg)
18731 		return;
18732 
18733 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
18734 	if (!hdr) {
18735 		nlmsg_free(msg);
18736 		return;
18737 	}
18738 
18739 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18740 		goto nla_put_failure;
18741 
18742 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18743 		goto nla_put_failure;
18744 
18745 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18746 		goto nla_put_failure;
18747 
18748 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
18749 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
18750 		goto nla_put_failure;
18751 
18752 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
18753 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
18754 		goto nla_put_failure;
18755 
18756 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
18757 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
18758 		goto nla_put_failure;
18759 
18760 	genlmsg_end(msg, hdr);
18761 
18762 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18763 				NL80211_MCGRP_MLME, gfp);
18764 
18765 	return;
18766 
18767 nla_put_failure:
18768 	nlmsg_free(msg);
18769 }
18770 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
18771 
18772 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
18773 			   u64 cookie, bool acked, s32 ack_signal,
18774 			   bool is_valid_ack_signal, gfp_t gfp)
18775 {
18776 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18777 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18778 	struct sk_buff *msg;
18779 	void *hdr;
18780 
18781 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
18782 
18783 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18784 
18785 	if (!msg)
18786 		return;
18787 
18788 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
18789 	if (!hdr) {
18790 		nlmsg_free(msg);
18791 		return;
18792 	}
18793 
18794 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18795 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18796 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18797 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18798 			      NL80211_ATTR_PAD) ||
18799 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18800 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
18801 						ack_signal)))
18802 		goto nla_put_failure;
18803 
18804 	genlmsg_end(msg, hdr);
18805 
18806 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18807 				NL80211_MCGRP_MLME, gfp);
18808 	return;
18809 
18810  nla_put_failure:
18811 	nlmsg_free(msg);
18812 }
18813 EXPORT_SYMBOL(cfg80211_probe_status);
18814 
18815 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
18816 				     size_t len, int freq, int sig_dbm)
18817 {
18818 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18819 	struct sk_buff *msg;
18820 	void *hdr;
18821 	struct cfg80211_beacon_registration *reg;
18822 
18823 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
18824 
18825 	spin_lock_bh(&rdev->beacon_registrations_lock);
18826 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
18827 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
18828 		if (!msg) {
18829 			spin_unlock_bh(&rdev->beacon_registrations_lock);
18830 			return;
18831 		}
18832 
18833 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18834 		if (!hdr)
18835 			goto nla_put_failure;
18836 
18837 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18838 		    (freq &&
18839 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
18840 				  KHZ_TO_MHZ(freq)) ||
18841 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
18842 				  freq % 1000))) ||
18843 		    (sig_dbm &&
18844 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18845 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
18846 			goto nla_put_failure;
18847 
18848 		genlmsg_end(msg, hdr);
18849 
18850 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18851 	}
18852 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18853 	return;
18854 
18855  nla_put_failure:
18856 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18857 	nlmsg_free(msg);
18858 }
18859 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18860 
18861 #ifdef CONFIG_PM
18862 static int cfg80211_net_detect_results(struct sk_buff *msg,
18863 				       struct cfg80211_wowlan_wakeup *wakeup)
18864 {
18865 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18866 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18867 	int i, j;
18868 
18869 	nl_results = nla_nest_start_noflag(msg,
18870 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18871 	if (!nl_results)
18872 		return -EMSGSIZE;
18873 
18874 	for (i = 0; i < nd->n_matches; i++) {
18875 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18876 
18877 		nl_match = nla_nest_start_noflag(msg, i);
18878 		if (!nl_match)
18879 			break;
18880 
18881 		/* The SSID attribute is optional in nl80211, but for
18882 		 * simplicity reasons it's always present in the
18883 		 * cfg80211 structure.  If a driver can't pass the
18884 		 * SSID, that needs to be changed.  A zero length SSID
18885 		 * is still a valid SSID (wildcard), so it cannot be
18886 		 * used for this purpose.
18887 		 */
18888 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18889 			    match->ssid.ssid)) {
18890 			nla_nest_cancel(msg, nl_match);
18891 			goto out;
18892 		}
18893 
18894 		if (match->n_channels) {
18895 			nl_freqs = nla_nest_start_noflag(msg,
18896 							 NL80211_ATTR_SCAN_FREQUENCIES);
18897 			if (!nl_freqs) {
18898 				nla_nest_cancel(msg, nl_match);
18899 				goto out;
18900 			}
18901 
18902 			for (j = 0; j < match->n_channels; j++) {
18903 				if (nla_put_u32(msg, j, match->channels[j])) {
18904 					nla_nest_cancel(msg, nl_freqs);
18905 					nla_nest_cancel(msg, nl_match);
18906 					goto out;
18907 				}
18908 			}
18909 
18910 			nla_nest_end(msg, nl_freqs);
18911 		}
18912 
18913 		nla_nest_end(msg, nl_match);
18914 	}
18915 
18916 out:
18917 	nla_nest_end(msg, nl_results);
18918 	return 0;
18919 }
18920 
18921 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18922 				   struct cfg80211_wowlan_wakeup *wakeup,
18923 				   gfp_t gfp)
18924 {
18925 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18926 	struct sk_buff *msg;
18927 	void *hdr;
18928 	int size = 200;
18929 
18930 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18931 
18932 	if (wakeup)
18933 		size += wakeup->packet_present_len;
18934 
18935 	msg = nlmsg_new(size, gfp);
18936 	if (!msg)
18937 		return;
18938 
18939 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18940 	if (!hdr)
18941 		goto free_msg;
18942 
18943 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18944 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18945 			      NL80211_ATTR_PAD))
18946 		goto free_msg;
18947 
18948 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18949 					wdev->netdev->ifindex))
18950 		goto free_msg;
18951 
18952 	if (wakeup) {
18953 		struct nlattr *reasons;
18954 
18955 		reasons = nla_nest_start_noflag(msg,
18956 						NL80211_ATTR_WOWLAN_TRIGGERS);
18957 		if (!reasons)
18958 			goto free_msg;
18959 
18960 		if (wakeup->disconnect &&
18961 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18962 			goto free_msg;
18963 		if (wakeup->magic_pkt &&
18964 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18965 			goto free_msg;
18966 		if (wakeup->gtk_rekey_failure &&
18967 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18968 			goto free_msg;
18969 		if (wakeup->eap_identity_req &&
18970 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18971 			goto free_msg;
18972 		if (wakeup->four_way_handshake &&
18973 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18974 			goto free_msg;
18975 		if (wakeup->rfkill_release &&
18976 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18977 			goto free_msg;
18978 
18979 		if (wakeup->pattern_idx >= 0 &&
18980 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18981 				wakeup->pattern_idx))
18982 			goto free_msg;
18983 
18984 		if (wakeup->tcp_match &&
18985 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18986 			goto free_msg;
18987 
18988 		if (wakeup->tcp_connlost &&
18989 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18990 			goto free_msg;
18991 
18992 		if (wakeup->tcp_nomoretokens &&
18993 		    nla_put_flag(msg,
18994 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18995 			goto free_msg;
18996 
18997 		if (wakeup->packet) {
18998 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18999 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19000 
19001 			if (!wakeup->packet_80211) {
19002 				pkt_attr =
19003 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19004 				len_attr =
19005 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19006 			}
19007 
19008 			if (wakeup->packet_len &&
19009 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19010 				goto free_msg;
19011 
19012 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19013 				    wakeup->packet))
19014 				goto free_msg;
19015 		}
19016 
19017 		if (wakeup->net_detect &&
19018 		    cfg80211_net_detect_results(msg, wakeup))
19019 				goto free_msg;
19020 
19021 		nla_nest_end(msg, reasons);
19022 	}
19023 
19024 	genlmsg_end(msg, hdr);
19025 
19026 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19027 				NL80211_MCGRP_MLME, gfp);
19028 	return;
19029 
19030  free_msg:
19031 	nlmsg_free(msg);
19032 }
19033 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19034 #endif
19035 
19036 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19037 				enum nl80211_tdls_operation oper,
19038 				u16 reason_code, gfp_t gfp)
19039 {
19040 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19041 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19042 	struct sk_buff *msg;
19043 	void *hdr;
19044 
19045 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19046 					 reason_code);
19047 
19048 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19049 	if (!msg)
19050 		return;
19051 
19052 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19053 	if (!hdr) {
19054 		nlmsg_free(msg);
19055 		return;
19056 	}
19057 
19058 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19059 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19060 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19061 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19062 	    (reason_code > 0 &&
19063 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19064 		goto nla_put_failure;
19065 
19066 	genlmsg_end(msg, hdr);
19067 
19068 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19069 				NL80211_MCGRP_MLME, gfp);
19070 	return;
19071 
19072  nla_put_failure:
19073 	nlmsg_free(msg);
19074 }
19075 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19076 
19077 static int nl80211_netlink_notify(struct notifier_block * nb,
19078 				  unsigned long state,
19079 				  void *_notify)
19080 {
19081 	struct netlink_notify *notify = _notify;
19082 	struct cfg80211_registered_device *rdev;
19083 	struct wireless_dev *wdev;
19084 	struct cfg80211_beacon_registration *reg, *tmp;
19085 
19086 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19087 		return NOTIFY_DONE;
19088 
19089 	rcu_read_lock();
19090 
19091 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19092 		struct cfg80211_sched_scan_request *sched_scan_req;
19093 
19094 		list_for_each_entry_rcu(sched_scan_req,
19095 					&rdev->sched_scan_req_list,
19096 					list) {
19097 			if (sched_scan_req->owner_nlportid == notify->portid) {
19098 				sched_scan_req->nl_owner_dead = true;
19099 				schedule_work(&rdev->sched_scan_stop_wk);
19100 			}
19101 		}
19102 
19103 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19104 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19105 
19106 			if (wdev->owner_nlportid == notify->portid) {
19107 				wdev->nl_owner_dead = true;
19108 				schedule_work(&rdev->destroy_work);
19109 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19110 				schedule_work(&wdev->disconnect_wk);
19111 			}
19112 
19113 			cfg80211_release_pmsr(wdev, notify->portid);
19114 		}
19115 
19116 		spin_lock_bh(&rdev->beacon_registrations_lock);
19117 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19118 					 list) {
19119 			if (reg->nlportid == notify->portid) {
19120 				list_del(&reg->list);
19121 				kfree(reg);
19122 				break;
19123 			}
19124 		}
19125 		spin_unlock_bh(&rdev->beacon_registrations_lock);
19126 	}
19127 
19128 	rcu_read_unlock();
19129 
19130 	/*
19131 	 * It is possible that the user space process that is controlling the
19132 	 * indoor setting disappeared, so notify the regulatory core.
19133 	 */
19134 	regulatory_netlink_notify(notify->portid);
19135 	return NOTIFY_OK;
19136 }
19137 
19138 static struct notifier_block nl80211_netlink_notifier = {
19139 	.notifier_call = nl80211_netlink_notify,
19140 };
19141 
19142 void cfg80211_ft_event(struct net_device *netdev,
19143 		       struct cfg80211_ft_event_params *ft_event)
19144 {
19145 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19146 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19147 	struct sk_buff *msg;
19148 	void *hdr;
19149 
19150 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
19151 
19152 	if (!ft_event->target_ap)
19153 		return;
19154 
19155 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
19156 			GFP_KERNEL);
19157 	if (!msg)
19158 		return;
19159 
19160 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
19161 	if (!hdr)
19162 		goto out;
19163 
19164 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19165 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19166 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
19167 		goto out;
19168 
19169 	if (ft_event->ies &&
19170 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
19171 		goto out;
19172 	if (ft_event->ric_ies &&
19173 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
19174 		    ft_event->ric_ies))
19175 		goto out;
19176 
19177 	genlmsg_end(msg, hdr);
19178 
19179 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19180 				NL80211_MCGRP_MLME, GFP_KERNEL);
19181 	return;
19182  out:
19183 	nlmsg_free(msg);
19184 }
19185 EXPORT_SYMBOL(cfg80211_ft_event);
19186 
19187 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
19188 {
19189 	struct cfg80211_registered_device *rdev;
19190 	struct sk_buff *msg;
19191 	void *hdr;
19192 	u32 nlportid;
19193 
19194 	rdev = wiphy_to_rdev(wdev->wiphy);
19195 	if (!rdev->crit_proto_nlportid)
19196 		return;
19197 
19198 	nlportid = rdev->crit_proto_nlportid;
19199 	rdev->crit_proto_nlportid = 0;
19200 
19201 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19202 	if (!msg)
19203 		return;
19204 
19205 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
19206 	if (!hdr)
19207 		goto nla_put_failure;
19208 
19209 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19210 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19211 			      NL80211_ATTR_PAD))
19212 		goto nla_put_failure;
19213 
19214 	genlmsg_end(msg, hdr);
19215 
19216 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19217 	return;
19218 
19219  nla_put_failure:
19220 	nlmsg_free(msg);
19221 }
19222 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
19223 
19224 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
19225 {
19226 	struct wiphy *wiphy = wdev->wiphy;
19227 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19228 	struct sk_buff *msg;
19229 	void *hdr;
19230 
19231 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19232 	if (!msg)
19233 		return;
19234 
19235 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
19236 	if (!hdr)
19237 		goto out;
19238 
19239 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19240 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
19241 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19242 			      NL80211_ATTR_PAD))
19243 		goto out;
19244 
19245 	genlmsg_end(msg, hdr);
19246 
19247 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
19248 				NL80211_MCGRP_MLME, GFP_KERNEL);
19249 	return;
19250  out:
19251 	nlmsg_free(msg);
19252 }
19253 
19254 int cfg80211_external_auth_request(struct net_device *dev,
19255 				   struct cfg80211_external_auth_params *params,
19256 				   gfp_t gfp)
19257 {
19258 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19259 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19260 	struct sk_buff *msg;
19261 	void *hdr;
19262 
19263 	if (!wdev->conn_owner_nlportid)
19264 		return -EINVAL;
19265 
19266 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19267 	if (!msg)
19268 		return -ENOMEM;
19269 
19270 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
19271 	if (!hdr)
19272 		goto nla_put_failure;
19273 
19274 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19275 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19276 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
19277 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
19278 			params->action) ||
19279 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
19280 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
19281 		    params->ssid.ssid))
19282 		goto nla_put_failure;
19283 
19284 	genlmsg_end(msg, hdr);
19285 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
19286 			wdev->conn_owner_nlportid);
19287 	return 0;
19288 
19289  nla_put_failure:
19290 	nlmsg_free(msg);
19291 	return -ENOBUFS;
19292 }
19293 EXPORT_SYMBOL(cfg80211_external_auth_request);
19294 
19295 void cfg80211_update_owe_info_event(struct net_device *netdev,
19296 				    struct cfg80211_update_owe_info *owe_info,
19297 				    gfp_t gfp)
19298 {
19299 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19300 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19301 	struct sk_buff *msg;
19302 	void *hdr;
19303 
19304 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
19305 
19306 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19307 	if (!msg)
19308 		return;
19309 
19310 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
19311 	if (!hdr)
19312 		goto nla_put_failure;
19313 
19314 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19315 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19316 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
19317 		goto nla_put_failure;
19318 
19319 	if (!owe_info->ie_len ||
19320 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
19321 		goto nla_put_failure;
19322 
19323 	genlmsg_end(msg, hdr);
19324 
19325 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19326 				NL80211_MCGRP_MLME, gfp);
19327 	return;
19328 
19329 nla_put_failure:
19330 	genlmsg_cancel(msg, hdr);
19331 	nlmsg_free(msg);
19332 }
19333 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
19334 
19335 /* initialisation/exit functions */
19336 
19337 int __init nl80211_init(void)
19338 {
19339 	int err;
19340 
19341 	err = genl_register_family(&nl80211_fam);
19342 	if (err)
19343 		return err;
19344 
19345 	err = netlink_register_notifier(&nl80211_netlink_notifier);
19346 	if (err)
19347 		goto err_out;
19348 
19349 	return 0;
19350  err_out:
19351 	genl_unregister_family(&nl80211_fam);
19352 	return err;
19353 }
19354 
19355 void nl80211_exit(void)
19356 {
19357 	netlink_unregister_notifier(&nl80211_netlink_notifier);
19358 	genl_unregister_family(&nl80211_fam);
19359 }
19360